Details
First-time installs of PostgreSQL require the instantiation of the database cluster. A database cluster is a collection of databases that are managed by a single server instance.
Rationale:
For the purposes of security, PostgreSQL enforces ownership and permissions of the data cluster such that:
An initialized data cluster is owned by the UNIX account that created it.
The data cluster cannot be accessed by other UNIX user accounts.
The data cluster cannot be created or owned by root.
The PostgreSQL process cannot be invoked by root nor any UNIX user account other than the owner of the data cluster.
Incorrectly instantiating the data cluster will result in a failed installation.
Solution
Attempting to instantiate a data cluster to an existing non-empty directory will fail:
# whoami
root
# PGSETUP_INITDB_OPTIONS='-k' /usr/pgsql-14/bin/postgresql-14-setup initdb
Data directory is not empty!
In the case of a cluster instantiation failure, one must delete/remove the entire data cluster directory and repeat the initdb command:
# whoami
root
# rm -rf ~postgres/14
# PGSETUP_INITDB_OPTIONS='-k' /usr/pgsql-14/bin/postgresql-14-setup initdb
Initializing database … OK
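The ownership rules listed under Rationale and the non-empty directory condition above can be checked from the shell before and after running initdb. The script below is an added example, not part of the original benchmark text; its function names and its two arguments (data directory, service account) are assumptions, and it expects owner-only mode 0700.

```shell
#!/bin/sh
# Added example (not from the original page): audit a PostgreSQL data directory.

# Portable stat wrappers: GNU coreutils first, BSD stat as fallback.
owner_uid() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }
mode_of()   { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# pgdata_is_empty DIR: succeeds when initdb can target DIR (absent or empty).
pgdata_is_empty() {
    [ -e "$1" ] || return 0
    [ -d "$1" ] || return 1
    [ -z "$(ls -A "$1")" ]
}

# cluster_verdict DIR_UID DIR_MODE RUN_UID: pure policy check, prints one verdict.
cluster_verdict() {
    if [ "$1" -eq 0 ]; then
        echo "FAIL: data cluster is owned by root"; return 1
    fi
    if [ "$1" -ne "$3" ]; then
        echo "FAIL: owner uid $1 differs from service uid $3"; return 1
    fi
    # The page requires owner-only access, so anything but 0700 is a finding.
    # Assumption: clusters initialized with group access (0750) are out of scope.
    if [ "$2" != "700" ]; then
        echo "FAIL: mode $2, expected 700 (owner-only)"; return 1
    fi
    echo "OK"
}

# audit_pgdata DIR SERVICE_USER: gather facts from the filesystem, then judge them.
audit_pgdata() {
    [ -d "$1" ] || { echo "FAIL: $1 is not a directory"; return 1; }
    run_uid=$(id -u "$2") || { echo "FAIL: no such user $2"; return 1; }
    cluster_verdict "$(owner_uid "$1")" "$(mode_of "$1")" "$run_uid"
}

# Run as a script: ./audit.sh <data-directory> postgres
if [ "$#" -eq 2 ]; then
    audit_pgdata "$1" "$2"
fi
```

Calling pgdata_is_empty on the target directory before initdb predicts the "Data directory is not empty!" failure without touching the directory.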
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control, Media Protection. This control applies to the following type of system: Unix.