Configuring File Permission Security Policies

Background

During its installation, the database sets permissions for its files, including files (such as log files) generated during the running process. File permissions are set as follows:

  • The permission of program directories in the database is set to 0750.

  • The permission for data file directories in the database is set to 0700.

    During openGauss deployment, the directory specified by the tmpMppdbPath parameter in the XML configuration file is created for storing .s.PGSQL.* files. If the parameter is not specified, the /tmp/$USER_mppdb directory is created instead. The directory and the files in it are set to 0700.

  • The permissions of data files and audit logs of the database, as well as data files generated by other database programs, are set to 0600. Run logs are set to 0640 or more restrictive by default.

  • Common OS users are not allowed to modify or delete database files and log files.

Directory and File Permissions of Database Programs

Table 1 lists some of the program directories and file permissions of the installed database.

Table 1 Program directories and file permissions

File or Directory                          | Parent Contents                          | Permissions
-------------------------------------------|------------------------------------------|------------
bin                                        | -                                        | 0700
lib                                        | -                                        | 0700
share                                      | -                                        | 0700
data (database node/primary database node) | -                                        | 0700
base                                       | Instance data directory                  | 0700
global                                     | Instance data directory                  | 0700
pg_audit                                   | Instance data directory (configurable)   | 0700
pg_log                                     | Instance data directory (configurable)   | 0700
pg_xlog                                    | Instance data directory                  | 0700
postgresql.conf                            | Instance data directory                  | 0600
pg_hba.conf                                | Instance data directory                  | 0600
postmaster.opts                            | Instance data directory                  | 0600
pg_ident.conf                              | Instance data directory                  | 0600
gs_initdb                                  | bin                                      | 0700
gs_dump                                    | bin                                      | 0700
gs_ctl                                     | bin                                      | 0700
gs_guc                                     | bin                                      | 0700
gsql                                       | bin                                      | 0700
archive_status                             | pg_xlog                                  | 0700
libpq.so.5.5                               | lib                                      | 0600

Suggestion

During the installation, the database automatically sets permissions for its files, including files (such as log files) generated during the running process. The specified permissions meet the requirements of most scenarios. If you have special requirements for these permissions, periodically check the permission settings to make sure they still meet the product requirements.
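A periodic check of the kind described above, as an added example that is not openGauss code: a POSIX shell function that compares the entries of an instance data directory with the modes listed in Table 1 and flags run logs in pg_log that are more permissive than 0640. The entry list, the mode_of helper and the use of stat are assumptions of this example; pg_audit and pg_log are only checked when they are still under the data directory, because their location is configurable.

```shell
#!/bin/sh
# Added example, not part of openGauss: audit an instance data directory
# against the modes in Table 1. The entry list and the stat fallback are
# assumptions; pg_audit/pg_log are skipped when relocated (configurable).

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Print "path expected X actual Y" per deviation; return 1 if any is found.
check_data_dir() {
    datadir=$1
    rc=0
    for entry in \
        .:700 base:700 global:700 pg_audit:700 pg_log:700 pg_xlog:700 \
        pg_xlog/archive_status:700 postgresql.conf:600 pg_hba.conf:600 \
        postmaster.opts:600 pg_ident.conf:600
    do
        name=${entry%%:*}
        want=${entry##*:}
        path="$datadir/$name"
        [ -e "$path" ] || continue          # entry absent or relocated
        got=$(mode_of "$path")
        if [ "$got" != "$want" ]; then
            printf '%s expected %s actual %s\n' "$path" "$want" "$got"
            rc=1
        fi
    done
    # Run logs may be 0640 or tighter: any bit in mask 0137 (u=x, g=wx, o=rwx)
    # means the log is readable or writable more widely than the policy allows.
    for f in "$datadir"/pg_log/*; do
        [ -f "$f" ] || continue
        got=$(mode_of "$f")
        if [ $(( 0$got & 0137 )) -ne 0 ]; then
            printf '%s expected at most 640 actual %s\n' "$f" "$got"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_data_dir /path/to/data  (exit status 0 means compliant)
if [ $# -eq 1 ]; then
    check_data_dir "$1"
fi
```

Run it from cron as the database OS user; a non-zero exit status with the printed deviations is the signal to investigate who changed the mode.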

openGauss 2024-10-11 00:55:40