NCSC-NL / taranis3


Error enabling PostgreSQL when running bootstrap script #52

Closed Dix0r closed 2 years ago

Dix0r commented 2 years ago

Reading '/root/.cpan/Metadata'
Database was generated on Wed, 22 Dec 2021 07:17:03 GMT

Tried to edit pg_hba.conf so that connections are allowed, but after rerunning the bootstrap script it gets replaced again.

root@ubuntusrv07:~# uname -a
Linux ubuntusrv07 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Clean install on Ubuntu 20.04 LTS

markov2 commented 2 years ago

When you install taranis, it will add some lines to hba.conf, and it marks those lines with a comment. When you rerun installation, it will also only modify those lines (if needed). Other lines which you have in there are not touched.

Does your postgres run in some protective environment, like chroot or docker? Does it generate hba_conf from systemd tricks or whatever? I have no access to a recent Ubuntu.

You can test whether the configuration works when this succeeds. Run as user taranis the command psql --username 'taranis' --dbname 'taranis'

Success, MarkOv

Dix0r commented 2 years ago

No, this is just a clean Ubuntu install from iso. Not a protective environment.

Every time I edit pg_hba.conf and remove or edit lines and do a rerun of the bootstrap script, the edited or added lines are commented and replaced with the lines below.

TYPE DB USER CIDR-ADDRESS METHOD OPTIONS
host all all 0.0.0.0/0 reject
host all all ::0/0 reject

markov2 commented 2 years ago

The Taranis bootstrap script does not produce those lines.

You can disable the run of that modification by adding exit 0; to the beginning of ~taranis/sources/taranis-*/install/421.postgres-hba. Once a release is unpacked, the installation scripts will not be overwritten.

I still think there is some default Ubuntu protection mechanism on that file. There are a few ways that could have been implemented. I presume there is some user interface provided to configure postgresql access rules.

Dix0r commented 2 years ago

Tried to disable the script with exit 0; under the user taranis. That didn't work.

Decided to revert my snapshot to a fresh OS install and configure PostgreSQL by hand. It is running OK but after running the bootstrap script it breaks again.

DBI connect('dbname=postgres','postgres',...) failed: FATAL: Peer authentication failed for user "postgres" at /home/taranis/sources/taranis-3.7.5/install/422.postgres-startup line 38.
Installation stopped

pg_hba.conf: the bootstrap script comments the default configuration; after uncommenting them and restarting postgresql, still no luck.

Trying to test the configuration under taranis user:

taranis[3.7.5]@ubuntusrv07:~> psql --username 'taranis' --dbname 'taranis'
psql: error: FATAL: role "taranis" does not exist

PostgreSQL log:

2021-12-28 10:32:38.729 UTC [58893] postgres@postgres LOG: provided user name (postgres) and authenticated user name (root) do not match
2021-12-28 10:32:38.729 UTC [58893] postgres@postgres FATAL: Peer authentication failed for user "postgres"
2021-12-28 10:32:38.729 UTC [58893] postgres@postgres DETAIL: Connection matched pg_hba.conf line 8: "local all postgres peer"

Somehow the bootstrap script breaks PostgreSQL authentication. I'm in no way an expert with PostgreSQL, guess I need to dig a bit in the docs.

Dix0r commented 2 years ago

Edited / configured pg_hba.conf, now the bootstrap script continues.

markov2 commented 2 years ago

In that phase of the installation, the script logs in to PostgreSQL with its default username to its default database, to be able to create the "taranis" user and "taranis" database. That name and database should always be present. Otherwise, try to change to user postgres and start psql. Success.
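
The PostgreSQL log quoted in this thread shows the two facts that decide a login: which pg_hba.conf line matched first, and whether `peer` saw the same OS user as the requested database user. The following Python example is added here for illustration and is not part of the thread or of the Taranis installer; the function names (`parse_hba`, `first_match`, `decide`) are hypothetical, the sample file is constructed, and only a simplified subset of the pg_hba.conf syntax is handled (no user maps, `hostssl`, netmask columns, or `+group`/`@file` entries).

```python
import ipaddress

# Constructed sample: "local all postgres peer" is the rule quoted in the log
# above and the two reject rules are from the thread; other lines are assumed.
SAMPLE_HBA = """\
# TYPE  DB   USER      ADDRESS       METHOD
local   all  postgres                peer
local   all  all                     peer
host    all  all       127.0.0.1/32  md5
host    all  all       0.0.0.0/0     reject
host    all  all       ::0/0         reject
"""

def parse_hba(text):
    """Yield (line_no, type, dbs, users, network_or_None, method) per rule."""
    for no, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue  # blank line or comment
        if f[0] == "local":  # Unix-socket rules have no address column
            yield no, f[0], f[1].split(","), f[2].split(","), None, f[3]
        else:
            net = ipaddress.ip_network(f[3], strict=False)
            yield no, f[0], f[1].split(","), f[2].split(","), net, f[4]

def first_match(text, conn_type, db, user, addr=None):
    """Return (line_no, method) of the first matching rule; no fall-through."""
    for no, typ, dbs, users, net, method in parse_hba(text):
        if typ != conn_type or not {"all", db} & set(dbs):
            continue
        if not {"all", user} & set(users):
            continue
        if net is not None and ipaddress.ip_address(addr) not in net:
            continue
        return no, method
    return None

def decide(text, conn_type, db, db_user, os_user=None, addr=None):
    """Outcome of a login attempt under the simplified rules above."""
    hit = first_match(text, conn_type, db, db_user, addr)
    if hit is None:
        return "no pg_hba.conf entry"
    no, method = hit
    if method == "reject":
        return f"rejected by line {no}"
    if method == "peer":  # without a user map, OS user must equal DB user
        return "ok" if os_user == db_user else f"peer auth failed at line {no}"
    return f"{method} required by line {no}"
```

Calling `decide(SAMPLE_HBA, "local", "postgres", "postgres", os_user="root")` reproduces the situation in the log: the connection is made as root but asks for the `postgres` role, so the `peer` rule that matches first refuses it.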