Nuke docker.io

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-11 21:04:37 +00:00
parent bdaac67bf2
commit 10e0980f8f
23 changed files with 521 additions and 68 deletions
--- a/packages/docker/postgresql/allow-root.patch
+++ b/packages/docker/postgresql/allow-root.patch
@@ -0,0 +1,205 @@
+diff --git a/src/backend/main/main.c b/src/backend/main/main.c
+index e8effe50242..2065061b5bb 100644
+--- a/src/backend/main/main.c
+++ b/src/backend/main/main.c
+@@ -190,10 +190,6 @@ main(int argc, char *argv[])
+ 			do_check_root = false;
+ 	}
+ 
+-	/*
+-	 * Make sure we are not running as root, unless it's safe for the selected
+-	 * option.
+-	 */
+ 	if (do_check_root)
+ 		check_root(progname);
+ 
+@@ -445,41 +441,6 @@ help(const char *progname)
+ static void
+ check_root(const char *progname)
+ {
+-#ifndef WIN32
+-	if (geteuid() == 0)
+-	{
+-		write_stderr("\"root\" execution of the PostgreSQL server is not permitted.\n"
+-					 "The server must be started under an unprivileged user ID to prevent\n"
+-					 "possible system security compromise.  See the documentation for\n"
+-					 "more information on how to properly start the server.\n");
+-		exit(1);
+-	}
+-
+-	/*
+-	 * Also make sure that real and effective uids are the same. Executing as
+-	 * a setuid program from a root shell is a security hole, since on many
+-	 * platforms a nefarious subroutine could setuid back to root if real uid
+-	 * is root.  (Since nobody actually uses postgres as a setuid program,
+-	 * trying to actively fix this situation seems more trouble than it's
+-	 * worth; we'll just expend the effort to check for it.)
+-	 */
+-	if (getuid() != geteuid())
+-	{
+-		write_stderr("%s: real and effective user IDs must match\n",
+-					 progname);
+-		exit(1);
+-	}
+-#else							/* WIN32 */
+-	if (pgwin32_is_admin())
+-	{
+-		write_stderr("Execution of PostgreSQL by a user with administrative permissions is not\n"
+-					 "permitted.\n"
+-					 "The server must be started under an unprivileged user ID to prevent\n"
+-					 "possible system security compromises.  See the documentation for\n"
+-					 "more information on how to properly start the server.\n");
+-		exit(1);
+-	}
+-#endif							/* WIN32 */
+ }
+ 
+ /*
+diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
+index 21a0fe3ecd9..2aa44cc9ab8 100644
+--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
+@@ -815,15 +815,6 @@ get_id(void)
+ {
+ 	const char *username;
+ 
+-#ifndef WIN32
+-	if (geteuid() == 0)			/* 0 is root's uid */
+-	{
+-		pg_log_error("cannot be run as root");
+-		pg_log_error_hint("Please log in (using, e.g., \"su\") as the (unprivileged) user that will own the server process.");
+-		exit(1);
+-	}
+-#endif
+-
+ 	username = get_user_name_or_exit(progname);
+ 
+ 	return pg_strdup(username);
+diff --git a/src/bin/pg_basebackup/pg_createsubscriber.c b/src/bin/pg_basebackup/pg_createsubscriber.c
+index a5a2d61165d..a4021734895 100644
+--- a/src/bin/pg_basebackup/pg_createsubscriber.c
+++ b/src/bin/pg_basebackup/pg_createsubscriber.c
+@@ -1977,20 +1977,6 @@ main(int argc, char **argv)
+ 	};
+ 	opt.recovery_timeout = 0;
+ 
+-	/*
+-	 * Don't allow it to be run as root. It uses pg_ctl which does not allow
+-	 * it either.
+-	 */
+-#ifndef WIN32
+-	if (geteuid() == 0)
+-	{
+-		pg_log_error("cannot be executed by \"root\"");
+-		pg_log_error_hint("You must run %s as the PostgreSQL superuser.",
+-						  progname);
+-		exit(1);
+-	}
+-#endif
+-
+ 	get_restricted_token();
+ 
+ 	while ((c = getopt_long(argc, argv, "d:D:np:P:s:t:TU:v",
+diff --git a/src/bin/pg_ctl/pg_ctl.c b/src/bin/pg_ctl/pg_ctl.c
+index 8a405ff122c..84195a3b8c6 100644
+--- a/src/bin/pg_ctl/pg_ctl.c
+++ b/src/bin/pg_ctl/pg_ctl.c
+@@ -2235,7 +2235,6 @@ main(int argc, char **argv)
+ 	/* Set restrictive mode mask until PGDATA permissions are checked */
+ 	umask(PG_MODE_MASK_OWNER);
+ 
+-	/* support --help and --version even if invoked as root */
+ 	if (argc > 1)
+ 	{
+ 		if (strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") == 0)
+@@ -2250,21 +2249,6 @@ main(int argc, char **argv)
+ 		}
+ 	}
+ 
+-	/*
+-	 * Disallow running as root, to forestall any possible security holes.
+-	 */
+-#ifndef WIN32
+-	if (geteuid() == 0)
+-	{
+-		write_stderr(_("%s: cannot be run as root\n"
+-					   "Please log in (using, e.g., \"su\") as the "
+-					   "(unprivileged) user that will\n"
+-					   "own the server process.\n"),
+-					 progname);
+-		exit(1);
+-	}
+-#endif
+-
+ 	env_wait = getenv("PGCTLTIMEOUT");
+ 	if (env_wait != NULL)
+ 		wait_seconds = atoi(env_wait);
+diff --git a/src/bin/pg_resetwal/pg_resetwal.c b/src/bin/pg_resetwal/pg_resetwal.c
+index 31bc0abff16..951de872d77 100644
+--- a/src/bin/pg_resetwal/pg_resetwal.c
+++ b/src/bin/pg_resetwal/pg_resetwal.c
+@@ -347,22 +347,6 @@ main(int argc, char *argv[])
+ 		exit(1);
+ 	}
+ 
+-	/*
+-	 * Don't allow pg_resetwal to be run as root, to avoid overwriting the
+-	 * ownership of files in the data directory. We need only check for root
+-	 * -- any other user won't have sufficient permissions to modify files in
+-	 * the data directory.
+-	 */
+-#ifndef WIN32
+-	if (geteuid() == 0)
+-	{
+-		pg_log_error("cannot be executed by \"root\"");
+-		pg_log_error_hint("You must run %s as the PostgreSQL superuser.",
+-						  progname);
+-		exit(1);
+-	}
+-#endif
+-
+ 	get_restricted_token();
+ 
+ 	/* Set mask based on PGDATA permissions */
+diff --git a/src/bin/pg_rewind/pg_rewind.c b/src/bin/pg_rewind/pg_rewind.c
+index 2ce99d06d1d..33e0a61c360 100644
+--- a/src/bin/pg_rewind/pg_rewind.c
+++ b/src/bin/pg_rewind/pg_rewind.c
+@@ -270,22 +270,6 @@ main(int argc, char **argv)
+ 		exit(1);
+ 	}
+ 
+-	/*
+-	 * Don't allow pg_rewind to be run as root, to avoid overwriting the
+-	 * ownership of files in the data directory. We need only check for root
+-	 * -- any other user won't have sufficient permissions to modify files in
+-	 * the data directory.
+-	 */
+-#ifndef WIN32
+-	if (geteuid() == 0)
+-	{
+-		pg_log_error("cannot be executed by \"root\"");
+-		pg_log_error_hint("You must run %s as the PostgreSQL superuser.",
+-						  progname);
+-		exit(1);
+-	}
+-#endif
+-
+ 	get_restricted_token();
+ 
+ 	/* Set mask based on PGDATA permissions */
+diff --git a/src/bin/pg_upgrade/option.c b/src/bin/pg_upgrade/option.c
+index 188dd8d8a8b..cdd032be0fc 100644
+--- a/src/bin/pg_upgrade/option.c
+++ b/src/bin/pg_upgrade/option.c
+@@ -104,10 +104,6 @@ parseCommandLine(int argc, char *argv[])
+ 		}
+ 	}
+ 
+-	/* Allow help and version to be run as root, so do the test here. */
+-	if (os_user_effective_id == 0)
+-		pg_fatal("%s: cannot be run as root", os_info.progname);
+-
+ 	while ((option = getopt_long(argc, argv, "b:B:cd:D:j:kNo:O:p:P:rs:U:v",
+ 								 long_options, &optindex)) != -1)
+ 	{
--- a/packages/docker/postgresql/default.nix
+++ b/packages/docker/postgresql/default.nix
@@ -0,0 +1,48 @@
+{ pkgs, ... }:
+let
+  postgresql = pkgs.postgresql.overrideAttrs (oldAttrs: {
+    patches = oldAttrs.patches or [ ] ++ [ ./allow-root.patch ];
+  });
+
+  entrypoint = pkgs.writeTextFile {
+    name = "entrypoint";
+    executable = true;
+    destination = "/bin/entrypoint";
+    text = builtins.readFile ./entrypoint.sh;
+  };
+in
+pkgs.dockerTools.buildImage {
+  name = "postgresql";
+  fromImage = import ../base { inherit pkgs; };
+
+  copyToRoot = pkgs.buildEnv {
+    name = "root";
+    paths = [
+      entrypoint
+      postgresql
+    ];
+    pathsToLink = [
+      "/bin"
+      "/lib"
+      "/share"
+    ];
+  };
+
+  runAsRoot = ''
+    ${pkgs.dockerTools.shadowSetup}
+    mkdir -p /etc/postgresql /var/lib/postgresql /run/postgresql
+    cp ${postgresql}/share/postgresql/postgresql.conf.sample /etc/postgresql/postgresql.conf
+    ${pkgs.gnused}/bin/sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /etc/postgresql/postgresql.conf
+  '';
+
+  config = {
+    Entrypoint = [ "/bin/entrypoint" ];
+    WorkingDir = "/var/lib/postgresql";
+    ExposedPorts = {
+      "5432/tcp" = { };
+    };
+    Volumes = {
+      "/var/lib/postgresql/data" = { };
+    };
+  };
+}
--- a/packages/docker/postgresql/entrypoint.sh
+++ b/packages/docker/postgresql/entrypoint.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -o errexit
+set -o nounset
+
+POSTGRES_USER="${POSTGRES_USER:-postgres}"
+POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-postgres}"
+POSTGRES_DB="${POSTGRES_DB:-$POSTGRES_USER}"
+export PGDATA="${PGDATA:-/var/lib/postgresql/data}"
+
+mkdir -p /tmp
+LOG_PIPE="$(mktemp -u)"
+mkfifo "$LOG_PIPE"
+
+(
+  while IFS= read -r line; do
+    if echo "$line" | grep -qE "ERROR|FATAL|PANIC"; then
+      echo "$line" >&2
+    else
+      echo "$line"
+    fi
+  done < "$LOG_PIPE"
+) &
+LOG_PID=$!
+
+if [ ! -s "$PGDATA/PG_VERSION" ]; then
+  initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD")
+
+  auth_method=$(postgres -c config_file="/etc/postgresql/postgresql.conf" -C password_encryption)
+  POSTGRES_HOST_AUTH_METHOD="${POSTGRES_HOST_AUTH_METHOD:=$auth_method}"
+  echo -e "\nhost all all all $POSTGRES_HOST_AUTH_METHOD" >> "$PGDATA/pg_hba.conf"
+
+  pg_ctl -w start
+
+  if ! psql --username="$POSTGRES_USER" -d postgres -tc "SELECT 1 FROM pg_database WHERE datname = '$POSTGRES_DB'" | grep -q 1; then
+    psql --username="$POSTGRES_USER" -d postgres -c "CREATE DATABASE \"$POSTGRES_DB\";"
+  fi
+
+  pg_ctl -m fast -w stop
+fi
+
+trap "kill $LOG_PID" EXIT
+exec postgres -c config_file="/etc/postgresql/postgresql.conf" "$@" > "$LOG_PIPE" 2>&1