[CalendarServer-dev] [debian] postgres database access

Fredrik Unger fred at tree.se
Wed Nov 14 03:05:00 PST 2012


I came across some issues with database usage with calendarserver under debian.

Debian postgres is configured out of the box like [1], using peer.
peer means that if the username matches, access is allowed.
The debian default user is caldavd, and database access using peer
can be done by setting <string>:caldav:caldavd:::</string> in
<key>DSN</key> for postgres.

Now to access the database with this setting, the user also has to be caldavd.
I used calendarserver_bootstrap_database to install the database.
(@Debian-devel: debian specific patches in quilt format attached for 4.1.1 and trunk)

To get it to work I used DAEMON_OPTS="-u caldavd -g caldavd", i.e. the twistd user/group.
When running as root, the database access will fail because root != caldavd for
the peer authentication.

There is a privilege "degradation" later in the code:

2012-11-14 10:56:48+0100 [-] [caldav-0]  [-] /usr/lib/python2.7/dist-packages/twisted/python/util.py:714: exceptions.UserWarning: tried to drop privileges and setuid 115 but uid is already 115; should we be root? Continuing.

But the code in my case runs anyway, as I am using port 8008, a non privileged port.

My main question is whether database access can be done after dropping to the caldavd user,
or is there a reason to access the database as root?
If it is possible to drop to caldavd, the DAEMON_OPTS can be dropped.
(I guess it is always good to drop privileges when accessing services :) )

One can adapt in different ways, such as switching to passwords.
Apple products may have other authentication, or other authentication
might be needed for multi server.

I just wanted to try to explain the debian issues I ran into, so we can
decide what to prescribe on how to authenticate with the database,
e.g. whether the password method is needed or whether peer can be used.


[1] /etc/postgresql/9.1/main/pg_hba.conf
# Database administrative login by Unix domain socket
local   all             postgres                                peer

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     peer

Attachments (non-text, scrubbed by the list archive):
- database-bootstrap-trunk.patch (text/x-patch, 2486 bytes): http://lists.macosforge.org/pipermail/calendarserver-dev/attachments/20121114/7ec8a80c/attachment.bin
- database-bootstrap-4.1.1.patch (text/x-patch, 2327 bytes): http://lists.macosforge.org/pipermail/calendarserver-dev/attachments/20121114/7ec8a80c/attachment-0001.bin
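
As an added example (not part of Fredrik's post or of CalendarServer's own code), a small Python evaluator for the pg_hba.conf rules quoted in [1] that reproduces the peer decision described in the mail: the OS user of the connecting process must equal the requested database user, so a twistd process still running as root is refused as caldavd while one started with "-u caldavd" is accepted. The OS user and database names are constructed test values.

```python
# Added example, not from the original post: a minimal evaluator for the
# pg_hba.conf rules quoted above, showing why a process running as root fails
# "peer" authentication as database user caldavd while one running as caldavd
# passes. OS user and database names below are constructed test values.

PG_HBA = """\
# Database administrative login by Unix domain socket
local   all             postgres                                peer

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     peer
"""


def parse_pg_hba(text):
    """Return the 'local' (Unix-socket) rules as (database, user, method), in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local" and len(fields) >= 4:
            rules.append((fields[1], fields[2], fields[3]))
    return rules


def local_auth_decision(rules, db_name, db_user, os_user):
    """Decide a Unix-socket connection the way PostgreSQL does: the first rule
    matching (database, user) is the only one applied. With 'peer' the OS user
    of the socket client (as reported by the kernel) must equal the database
    user. User maps, +group/@file syntax and sameuser/samerole are not modelled.
    """
    for database, user, method in rules:
        if database not in ("all", db_name) or user not in ("all", db_user):
            continue
        if method == "peer":
            return "allow" if os_user == db_user else "deny"
        return "needs-" + method  # other methods (md5, password, ...) need credentials
    return "deny"  # no matching rule: PostgreSQL rejects the connection


if __name__ == "__main__":
    rules = parse_pg_hba(PG_HBA)
    for os_user in ("root", "caldavd"):  # twistd without vs. with "-u caldavd"
        print(os_user, "->", local_auth_decision(rules, "caldav", "caldavd", os_user))
```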
