docker-images/postgres
1
0
Fork 0
mirror of https://github.com/docker-library/postgres.git synced 2025-07-28 10:42:06 +03:00
Code Activity

Update permissions from 777 to 1777

Browse Source 
This still supports the "arbitrary user" use case but with slightly tighter permissions on the end result.

This one is a little bit more "special" other images (due to the existing runtime/entrypoint modification of the directory modes) so I've tried to pick reasonable values for both halves.
This commit is contained in:
Tianon Gravi
2023-03-10 16:05:06 -08:00
parent 156d0659d0
commit 25b3034e9b
17 changed files with 34 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
11/alpine/Dockerfile generated
View File

@ -149,11 +149,11 @@ RUN set -eux; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 3777 /var/run/postgresql
ENV PGDATA /var/lib/postgresql/data ENV PGDATA /var/lib/postgresql/data
# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data VOLUME /var/lib/postgresql/data
COPY docker-entrypoint.sh /usr/local/bin/ COPY docker-entrypoint.sh /usr/local/bin/

4
11/alpine/docker-entrypoint.sh generated
View File

@ -38,11 +38,11 @@ docker_create_db_directories() {
mkdir -p "$PGDATA" mkdir -p "$PGDATA"
# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
chmod 700 "$PGDATA" || : chmod 00700 "$PGDATA" || :
# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
mkdir -p /var/run/postgresql || : mkdir -p /var/run/postgresql || :
chmod 775 /var/run/postgresql || : chmod 03775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user # Create the transaction log directory before initdb is run so the directory is owned by the correct user
if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then

4
11/bullseye/docker-entrypoint.sh generated
View File

@ -38,11 +38,11 @@ docker_create_db_directories() {
mkdir -p "$PGDATA" mkdir -p "$PGDATA"
# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
chmod 700 "$PGDATA" || : chmod 00700 "$PGDATA" || :
# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
mkdir -p /var/run/postgresql || : mkdir -p /var/run/postgresql || :
chmod 775 /var/run/postgresql || : chmod 03775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user # Create the transaction log directory before initdb is run so the directory is owned by the correct user
if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then

4
12/alpine/Dockerfile generated
View File

@ -149,11 +149,11 @@ RUN set -eux; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 3777 /var/run/postgresql
ENV PGDATA /var/lib/postgresql/data ENV PGDATA /var/lib/postgresql/data
# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data VOLUME /var/lib/postgresql/data
COPY docker-entrypoint.sh /usr/local/bin/ COPY docker-entrypoint.sh /usr/local/bin/

4
12/alpine/docker-entrypoint.sh generated
View File

@ -38,11 +38,11 @@ docker_create_db_directories() {
mkdir -p "$PGDATA" mkdir -p "$PGDATA"
# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
chmod 700 "$PGDATA" || : chmod 00700 "$PGDATA" || :
# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
mkdir -p /var/run/postgresql || : mkdir -p /var/run/postgresql || :
chmod 775 /var/run/postgresql || : chmod 03775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user # Create the transaction log directory before initdb is run so the directory is owned by the correct user
if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then

4
12/bullseye/docker-entrypoint.sh generated
View File

@ -38,11 +38,11 @@ docker_create_db_directories() {
mkdir -p "$PGDATA" mkdir -p "$PGDATA"
# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
chmod 700 "$PGDATA" || : chmod 00700 "$PGDATA" || :
# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
mkdir -p /var/run/postgresql || : mkdir -p /var/run/postgresql || :
chmod 775 /var/run/postgresql || : chmod 03775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user # Create the transaction log directory before initdb is run so the directory is owned by the correct user
if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then

4
13/alpine/Dockerfile generated
View File

@ -149,11 +149,11 @@ RUN set -eux; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 3777 /var/run/postgresql
ENV PGDATA /var/lib/postgresql/data ENV PGDATA /var/lib/postgresql/data
# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data VOLUME /var/lib/postgresql/data
COPY docker-entrypoint.sh /usr/local/bin/ COPY docker-entrypoint.sh /usr/local/bin/

4
13/alpine/docker-entrypoint.sh generated
View File

@ -38,11 +38,11 @@ docker_create_db_directories() {
mkdir -p "$PGDATA" mkdir -p "$PGDATA"
# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
chmod 700 "$PGDATA" || : chmod 00700 "$PGDATA" || :
# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
mkdir -p /var/run/postgresql || : mkdir -p /var/run/postgresql || :
chmod 775 /var/run/postgresql || : chmod 03775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user # Create the transaction log directory before initdb is run so the directory is owned by the correct user
if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then

4
13/bullseye/docker-entrypoint.sh generated
View File

@ -38,11 +38,11 @@ docker_create_db_directories() {
mkdir -p "$PGDATA" mkdir -p "$PGDATA"
# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
chmod 700 "$PGDATA" || : chmod 00700 "$PGDATA" || :
# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
mkdir -p /var/run/postgresql || : mkdir -p /var/run/postgresql || :
chmod 775 /var/run/postgresql || : chmod 03775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user # Create the transaction log directory before initdb is run so the directory is owned by the correct user
if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then

4
14/alpine/Dockerfile generated
View File

@ -152,11 +152,11 @@ RUN set -eux; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 3777 /var/run/postgresql
ENV PGDATA /var/lib/postgresql/data ENV PGDATA /var/lib/postgresql/data
# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data VOLUME /var/lib/postgresql/data
COPY docker-entrypoint.sh /usr/local/bin/ COPY docker-entrypoint.sh /usr/local/bin/

4
14/alpine/docker-entrypoint.sh generated
View File

@ -38,11 +38,11 @@ docker_create_db_directories() {
mkdir -p "$PGDATA" mkdir -p "$PGDATA"
# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
chmod 700 "$PGDATA" || : chmod 00700 "$PGDATA" || :
# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
mkdir -p /var/run/postgresql || : mkdir -p /var/run/postgresql || :
chmod 775 /var/run/postgresql || : chmod 03775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user # Create the transaction log directory before initdb is run so the directory is owned by the correct user
if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then

4
14/bullseye/docker-entrypoint.sh generated
View File

@ -38,11 +38,11 @@ docker_create_db_directories() {
mkdir -p "$PGDATA" mkdir -p "$PGDATA"
# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
chmod 700 "$PGDATA" || : chmod 00700 "$PGDATA" || :
# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
mkdir -p /var/run/postgresql || : mkdir -p /var/run/postgresql || :
chmod 775 /var/run/postgresql || : chmod 03775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user # Create the transaction log directory before initdb is run so the directory is owned by the correct user
if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then

4
15/alpine/Dockerfile generated
View File

@ -155,11 +155,11 @@ RUN set -eux; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 3777 /var/run/postgresql
ENV PGDATA /var/lib/postgresql/data ENV PGDATA /var/lib/postgresql/data
# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data VOLUME /var/lib/postgresql/data
COPY docker-entrypoint.sh /usr/local/bin/ COPY docker-entrypoint.sh /usr/local/bin/

4
15/alpine/docker-entrypoint.sh generated
View File

@ -38,11 +38,11 @@ docker_create_db_directories() {
mkdir -p "$PGDATA" mkdir -p "$PGDATA"
# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
chmod 700 "$PGDATA" || : chmod 00700 "$PGDATA" || :
# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
mkdir -p /var/run/postgresql || : mkdir -p /var/run/postgresql || :
chmod 775 /var/run/postgresql || : chmod 03775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user # Create the transaction log directory before initdb is run so the directory is owned by the correct user
if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then

4
15/bullseye/docker-entrypoint.sh generated
View File

@ -38,11 +38,11 @@ docker_create_db_directories() {
mkdir -p "$PGDATA" mkdir -p "$PGDATA"
# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
chmod 700 "$PGDATA" || : chmod 00700 "$PGDATA" || :
# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
mkdir -p /var/run/postgresql || : mkdir -p /var/run/postgresql || :
chmod 775 /var/run/postgresql || : chmod 03775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user # Create the transaction log directory before initdb is run so the directory is owned by the correct user
if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then

4
Dockerfile-alpine.template
View File

@ -161,11 +161,11 @@ RUN set -eux; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 3777 /var/run/postgresql
ENV PGDATA /var/lib/postgresql/data ENV PGDATA /var/lib/postgresql/data
# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data VOLUME /var/lib/postgresql/data
COPY docker-entrypoint.sh /usr/local/bin/ COPY docker-entrypoint.sh /usr/local/bin/

4
docker-entrypoint.sh
View File

@ -38,11 +38,11 @@ docker_create_db_directories() {
mkdir -p "$PGDATA" mkdir -p "$PGDATA"
# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
chmod 700 "$PGDATA" || : chmod 00700 "$PGDATA" || :
# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
mkdir -p /var/run/postgresql || : mkdir -p /var/run/postgresql || :
chmod 775 /var/run/postgresql || : chmod 03775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user # Create the transaction log directory before initdb is run so the directory is owned by the correct user
if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then