On my Debian Wheezy systems, I noticed that the postgres user 'postgres', the "PostgreSQL administrator", uses /bin/bash as its shell. However, I cannot figure out why this is needed. Changing this to /bin/false still allows me to use the command psql.

So, why does the system user postgres require a shell, and does it have to be specifically /bin/bash?

  • This was required for the cronjob running pg_autovacuum. (Commented Sep 28, 2014 at 18:05)

1 Answer

Check out Why does the 'bin' user need a login shell?

It says this pattern for system users is

  • Common in Debian, and not so much in other distributions.
  • Considered a bug / genuine security issue by several people.
  • Required in order to run cron jobs as that user, and perhaps also by some scripts if they use su -c to run as this user. It should be easy to check for these. Check for cron jobs belonging to psql. Check for scripts in the postgres package (dpkg-query -L) and grep them for use of su.

It's also suggested that if your main worry is some sort of abuse of this user involving SSH logins, it might be convenient to use AllowGroups in sshd_config (creating an sshlogin group, as recommended by the Ubuntu Server Guide).

The pattern was fixed in the base system earlier this year - see bug #274229. So if you think postgres could be fixed as well, it would be great to contact the package maintainers e.g. by filing a bug.
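The checks listed in the answer (cron jobs that run as the account, packaged scripts that call su), sketched as shell functions. This is an added example, not part of the original answer; the function names, the `ROOT` prefix and the sample tree are constructed for illustration, and `<package>` is a placeholder.

```shell
#!/bin/sh
# Added example: does a system account still depend on its login shell?
# ROOT is a hypothetical path prefix so the checks can run on a constructed
# tree; leave it empty to inspect the live system.

login_shell() {  # USER [ROOT] -> 7th passwd field
    awk -F: -v u="$1" '$1 == u { print $7 }' "${2:-}/etc/passwd"
}

# Cron lines run as USER: the per-user crontab, plus system crontabs where
# the user is field 6 (field 2 after an @daily-style schedule).
cron_entries() {  # USER [ROOT]
    for f in "${2:-}/var/spool/cron/crontabs/$1" "${2:-}/etc/crontab" "${2:-}"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        case $f in
            */crontabs/*) awk '!/^[ \t]*(#|$)/ && $1 !~ /=/' "$f" ;;
            *) awk -v u="$1" '!/^[ \t]*#/ && ($1 ~ /^@/ ? $2 : $6) == u' "$f" ;;
        esac
    done
}

# Files (paths on stdin, e.g. from `dpkg-query -L <package>`) that invoke su
# on a line that also names USER.
su_callers() {  # USER
    while IFS= read -r p; do
        if [ -f "$p" ]; then
            grep -lE "(^|[^[:alnum:]_])su[[:space:]].*$1" "$p" || :
        fi
    done
}

# Constructed sample tree (not from the page): one cron.d job, one su caller.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/cron.d" "$d/usr/share/demo"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'postgres:x:105:110::/var/lib/postgresql:/bin/bash' > "$d/etc/passwd"
    printf '%s\n' '# constructed' '0 3 * * * postgres /usr/bin/vacuumdb --all' \
        '0 4 * * * root /bin/true' > "$d/etc/cron.d/demo"
    printf '%s\n' '#!/bin/sh' 'su -c "psql -l" postgres' > "$d/usr/share/demo/maint.sh"
    printf '%s\n' '#!/bin/sh' 'echo nothing here' > "$d/usr/share/demo/other.sh"
    echo "$d"
}

root=$(make_fixture)
echo "shell: $(login_shell postgres "$root")"
echo "cron:";       cron_entries postgres "$root"
echo "su callers:"; find "$root/usr" -type f | su_callers postgres
rm -rf "$root"
```

On a live system, call the functions without a ROOT argument and feed `su_callers` the file list of the package in question. Reading per-user crontabs under /var/spool/cron/crontabs needs root.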
