From 51a6938a44eaab83af90c5b7dfb08a6a66b0ad45 Mon Sep 17 00:00:00 2001
From: Maximilian Bosch
Date: Wed, 11 Dec 2024 18:51:53 +0100
Subject: [PATCH] nixos/doc: document how to allow-list tablespaces

It was brought up that the restricted file-system access breaks tablespaces[1]. I'd argue that this is the desired behavior; the whole point of the hardening is to lock the service down, and I don't consider tablespaces common enough to elevate privileges again. Especially since the workaround is trivial, as shown in the diff.

For completeness' sake, this adds the necessary `ReadWritePaths` change to the postgresql section of the manual.

This also adds a small correction about the state of `ensurePermissions`.

[1] https://github.com/NixOS/nixpkgs/pull/344925#issuecomment-2521188907

--- nixos/modules/services/databases/postgresql.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/nixos/modules/services/databases/postgresql.md b/nixos/modules/services/databases/postgresql.md index f055298499eb..ee906fb6a0be 100644 --- a/nixos/modules/services/databases/postgresql.md +++ b/nixos/modules/services/databases/postgresql.md @@ -45,9 +45,9 @@ By default, PostgreSQL stores its databases in {file}`/var/lib/postgresql/$psqlS ## Initializing {#module-services-postgres-initializing} -As of NixOS 23.11, +As of NixOS 24.05, `services.postgresql.ensureUsers.*.ensurePermissions` has been -deprecated, after a change to default permissions in PostgreSQL 15 +removed, after a change to default permissions in PostgreSQL 15 invalidated most of its previous use cases: - In psql < 15, `ALL PRIVILEGES` used to include `CREATE TABLE`, where 
@@ -375,6 +375,14 @@ several common hardening options from `systemd`, most notably: * A stricter default UMask (`0027`). * Only sockets of type `AF_INET`/`AF_INET6`/`AF_NETLINK`/`AF_UNIX` allowed. * Restricted filesystem access (private `/tmp`, most of the file-system hierachy is mounted read-only, only process directories in `/proc` that are owned by the same user). + * When using [`TABLESPACE`](https://www.postgresql.org/docs/current/manage-ag-tablespaces.html)s, make sure to add the filesystem paths to `ReadWritePaths` like this: + ```nix + { + systemd.services.postgresql.serviceConfig.ReadWritePaths = [ + "/path/to/tablespace/location" + ]; + } + ``` The NixOS module also contains necessary adjustments for extensions from `nixpkgs` if these are enabled. If an extension or a postgresql feature from `nixpkgs` breaks
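Review bot: In the first hunk (`@@ -45,9 +45,9 @@`) the sentence now asserts two new facts at once, the release (`23.11` becomes `24.05`) and the option's state (`deprecated` becomes `removed`), while the commit message only describes this as "a small correction about the state of `ensurePermissions`". Please reference in the commit message where the removal actually happened (the release-notes entry or the removing PR) so the documented release can be verified, and consider keeping a short pointer that the option was deprecated before it was removed, since readers coming from older manuals will look for the old wording. The rest of the sentence ("after a change to default permissions in PostgreSQL 15 invalidated most of its previous use cases") still reads correctly with `removed`.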
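Review bot: In the second hunk (`@@ -375,6 +375,14 @@`) the new bullet tells users to add tablespace directories to `ReadWritePaths` but does not say what that grants: every path listed there becomes writable by the `postgresql` service again, so the text should advise listing the tablespace directory itself rather than a parent such as `/var/lib`, and it should mention that the linked PostgreSQL page requires that directory to be an existing, empty directory owned by the server's operating-system user, which the user must arrange separately since the hardening does not create it. It should also say that `ReadWritePaths` does not reach into mounts the hardening replaces entirely; the preceding context bullet lists the private `/tmp`, so a tablespace placed there would still fail even when listed. Minor: the bullet is inserted into the list of hardening options the module enables, but it is an instruction rather than an option and reads more naturally as a sentence after the list (`* When using ...`), and "[`TABLESPACE`](...)s" would render better as "[tablespaces](...)".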