Ensure sudo is configured correctly – /etc/sudoers.d/postgres

Details

It is common to have more than one authorized individual administering the PostgreSQL service at the Operating System level. It is also quite common to permit login privileges to individuals on a PostgreSQL host who otherwise are not authorized to access the server’s data cluster and files. Administering the PostgreSQL data cluster, as opposed to its data, is to be accomplished via a localhost login of a regular UNIX user account. Access to the postgres superuser account is restricted in such a manner as to interdict unauthorized access. sudo satisfies the requirements by escalating ordinary user account privileges to those of the PostgreSQL RDBMS superuser.

Rationale:

Without sudo, there would be no way to strictly control access to the superuser account or to securely and authoritatively audit its use.

Solution

As superuser root, execute the following commands:

# echo '%dba ALL= /bin/su - postgres' > /etc/sudoers.d/postgres
# chmod 600 /etc/sudoers.d/postgres

This permits any Operating System user that is a member of the dba group to use sudo su - postgres to become the postgres user.

Ensure that all Operating System users that need such access are members of the group.
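
A check for the result of the commands above, as an added example that is not part of the CIS benchmark or the original article: it verifies the file's mode and owner, flags typographic quotes or dashes that a copy-paste can introduce, and confirms the drop-in holds only the one rule. The function name audit_sudoers_dropin, its optional expected-UID argument, and the "exactly one rule" policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the drop-in written by the Solution commands.
# Usage: audit_sudoers_dropin [FILE] [EXPECTED_UID]; returns 0 only if all checks pass.
audit_sudoers_dropin() {
    f=${1:-/etc/sudoers.d/postgres}
    want_uid=${2:-0}                         # root; override only for dry runs (assumption)
    want_rule='%dba ALL=/bin/su - postgres'  # the page's rule, whitespace-normalized
    rc=0

    [ -f "$f" ] || { echo "FAIL: $f does not exist"; return 1; }

    # Mode 600 as set by the chmod step (GNU stat first, BSD stat as fallback).
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "FAIL: mode is $mode, expected 600"; rc=1; }

    uid=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f")
    [ "$uid" = "$want_uid" ] || { echo "FAIL: owner uid is $uid, expected $want_uid"; rc=1; }

    # Typographic quotes or dashes pasted from a rendered page show up as non-ASCII bytes.
    stray=$(( $(LC_ALL=C tr -d '\011\012\015\040-\176' < "$f" | wc -c) ))
    [ "$stray" -eq 0 ] || { echo "FAIL: $stray non-ASCII byte(s) in $f"; rc=1; }

    # Active lines: collapse whitespace, drop blanks and comments (but keep
    # '#include' / '#includedir', which sudo treats as directives), trim around '='.
    rules=$(sed -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' -e '/^$/d' \
                -e '/^#include/b' -e '/^#/d' -e 's/ *= */=/' "$f")
    if [ "$rules" != "$want_rule" ]; then
        echo "FAIL: active rules differ from the single expected rule: $want_rule"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "PASS: $f"
    return "$rc"
}
```

On a live host, run the function as root with no arguments and follow it with visudo -cf /etc/sudoers.d/postgres for a full syntax check.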

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Unix.

Updated on July 16, 2022