14

cat /etc/passwd |grep postgre

postgres:x:115:127:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash

apt-cache show postgresql

Package: postgresql
Priority: optional
Section: database
Installed-Size: 65
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Debian PostgreSQL Maintainers <pkg-postgresql-public@lists.alioth.debian.org>
Architecture: all
Source: postgresql-common (136)
Version: 9.1+136
Depends: postgresql-9.1
Filename: pool/main/p/postgresql-common/postgresql_9.1+136_all.deb
Size: 5468
MD5sum: 34f5a1373ad5cd0b6f5aa3e7af06c9e7
SHA1: 6f271758bd51c23614b12fd63fb711ecfa43e9e5
SHA256: e8921a22b560e81f57a2a00001e31ba1036f67a8e7f151bf8f977b4919fc559a

Can I replace that /bin/bash with /bin/false ?

Eric Carvalho
Smile.Hunter

3 Answers

5

If a server admin uses sudo and is not careful about what environment and umask this results in, working on the database may end up creating files in unintended locations or with unintended permissions.

Assigning a shell to the user enables admins to log in as postgres and do the work in that user's shell. Figuring out sudo as the source of unspecific server error messages would be too much of a headache.

If you do not need this, and are certain that you will never call postgres binaries in such an error-prone way, you can safely remove the shell:

usermod --shell /bin/false postgres

Keep in mind that, being able to become root, you can still become anyone, including users without valid shells:

su --shell /bin/bash postgres

Authoritative source:

Sometimes you want to log in as that user to be able to do certain types of special administration or fixes. For example, if you ever need to run pg_resetxlog, you probably want to be logged in as postgres, unless you are very confident that your su or sudo invocations are correct and don't mess up the permissions of the database directory in strange ways. -- Peter Eisentraut, PostgreSQL dev

anx
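An added example, not part of the answer above: a shell audit that lists system accounts which still carry a login shell in the seventh passwd field, the field the question asks about. The UID range 1-999 for system accounts (the Debian/Ubuntu default) and every sample line except the postgres entry from the question are assumptions.

```shell
#!/bin/sh
# Added example: report system accounts that still have an interactive login shell.
# Assumption: UIDs 1-999 are system accounts; change SYS_UID_MAX for other layouts.
SYS_UID_MAX=999

# audit_login_shells FILE
# FILE is in passwd(5) format. Prints "name uid shell" for each system
# account whose shell field is not nologin or false.
audit_login_shells() {
    awk -F: -v max="$SYS_UID_MAX" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        NF != 7 { next }                        # skip malformed entries
        $3 < 1 || $3 > max { next }             # root and regular users are out of scope
        {
            shell = $7
            if (shell == "") shell = "/bin/sh"  # an empty field defaults to /bin/sh
            if (shell ~ /\/(nologin|false)$/) next
            print $1, $3, shell
        }
    ' "$1"
}

# Constructed sample input; only the postgres line is taken from the question.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
postgres:x:115:127:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
legacy:x:120:130::/var/lib/legacy:
www-data:x:33:33:www-data:/var/www:/bin/false
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
EOF
}

# Run the audit over the constructed sample via a temporary file.
run_demo() {
    tmp=$(mktemp) || return 1
    sample_passwd > "$tmp"
    audit_login_shells "$tmp"
    rm -f "$tmp"
}

run_demo
```

To check a live system, write the output of `getent passwd` to a file and pass that file to `audit_login_shells`.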
4

There is a shell because we use PostgreSQL from the command line as the PostgreSQL user.

3

Postgres runs under a special operating system user account for security reasons. This account is created on your machine when the installer runs, and unless overridden on the command line, it will be called "postgres".

On Unix-like operating systems such as Linux and Mac OS X, the account is set up without a password and users generally never need to worry about it again. Source.

Also it's not a good practice to edit the passwd file manually. You should use the command:

sudo passwd postgres
ThiagoPonte