The Community Forums


cPanel update changed pg_hba.conf to samerole

Discussion in 'Database Discussions' started by vgv, Apr 16, 2013.

  1. vgv

    vgv Registered

    Joined:
    Mar 16, 2007
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    This morning several of our cPanel websites using postgres started to fail with a pg_hba permission error. It looks like an update changed the pg_hba.conf file lines from "local all all md5" or "host all md5 ...." to "local all samerole md5" or "host all samerole ..."

    Has anyone experienced this? I never had this file overwritten with an update and it shouldn't be. Should I make this file immutable, or how else can I prevent this from happening?
     
  2. ffeingol

    ffeingol Well-Known Member
    PartnerNOC

    Joined:
    Nov 9, 2001
    Messages:
    215
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    DataCenter Provider
    We had the same issues this morning and had to revert the pg_hba.conf from backup.
     
  3. amber7

    amber7 Member

    Joined:
    Sep 20, 2006
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    I had the same:
    $ psql -U username_dbuser -d username_dbname
    psql: FATAL: no pg_hba.conf entry for host "[local]", user "username_dbuser", database "username_dbname", SSL off

    Also reverted pg_hba.conf but cPanel likes to overwrite it regularly.
     
  4. LJH

    LJH Registered

    Joined:
    Apr 16, 2013
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    Same problem here, I believe the script was:

    /cpanelsync/11.36.1.5/binaries/linux-x86_64/bin/setpostgresconfig.bz2

    [20130416.053531] [28870] *** Running setpostgresconfig ***
    [20130416.053531] [28870] ALTER ROLE
    [20130416.053531] [28870] *** Done setpostgresconfig ***
    [20130416.053531] [28870] *** Running rebuild-templates ***
    [20130416.053532] [28870] *** Done rebuild-templates ***

    Can't the update script back-up any configuration files before clobbering them?!?

    I might try to rename pg_hba.conf as a strategy to keep it safe from cpanel, but this won't work if it decides to overwrite postgresql.conf, too.
     
  5. noosalife

    noosalife Member

    Joined:
    Jan 13, 2006
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Same problem as others. The first time the fix took a little while to figure out, but now it's quite easy (as I have had to do it twice in a week).

    Can someone from cPanel either get the bug in the updater fixed, or should I/we change the Release Tier?

    The servers I am having this problem with are both on "CURRENT" as the Release Tier, but there is no point dropping back to "Release" if the problem exists there as well.

    Currently they are sitting at WHM 11.36.1 (build 5) so this issue is relatively new or I would have posted/Googled about it years ago.
     
  6. cPanelMarco

    cPanelMarco Member
    Staff Member

    Joined:
    Jan 8, 2010
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Greetings,

    These changes are due to a security update:
    CPanelVersion1136 < AllDocumentation/ChangeLog < TWiki

    11.36.1.3
    2013-04-09
    ...
    [security] Fixed case 52598: Secure postgres database access using pg_hba.conf.

    cPanel/WHM updates now automatically secure the pg_hba.conf file, replacing local with samerole. This prevents any user from being able to access any database.

    For more information:
    PostgreSQL: Documentation: 8.1: Client Authentication

    You can preserve your own configuration by adding the following line to the file /var/lib/pgsql/data/pg_hba.conf:

    local samerole all md5

    I do understand the inconveniences here, my apologies. I have opened an internal case concerning a better method to make your own changes. The result of which might be a change to management of the pg_hba.conf file (case #65645), or an update to our documentation to clarify this.

    If anyone would like to offer feedback, could you post the most common configuration changes you will be making?
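
An added example, not part of any post in this thread and not cPanel's code: a Python audit of pg_hba.conf records that flags the ones matching every role against every database (the pattern the update replaces with samerole) as well as `trust` records. The sample file and the names `parse_hba` and `audit` are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample: pre-update records, samerole records, one trust record.
SAMPLE = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 md5
host    all       all   127.0.0.1/32  md5
local   samerole  all                 md5
host    samerole  all   10.0.0.0 255.0.0.0 md5
host    appdb     app   192.0.2.10/32 trust
"""

HOST_TYPES = {"host", "hostssl", "hostnossl"}

def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """Yield (lineno, type, databases, users, address, method) per record."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)  # drops '#' comments
        if not tok:
            continue
        if tok[0] == "local" and len(tok) >= 4:
            kind, db, user, addr, method = tok[0], tok[1], tok[2], None, tok[3]
        elif tok[0] in HOST_TYPES and len(tok) >= 5:
            addr, rest = tok[3], tok[4:]
            if "/" not in addr and len(rest) >= 2 and _is_ip(rest[0]):
                addr, rest = f"{addr} {rest[0]}", rest[1:]  # IP + netmask form
            kind, db, user, method = tok[0], tok[1], tok[2], rest[0]
        else:
            raise ValueError(f"line {lineno}: unrecognised record: {raw!r}")
        yield lineno, kind, db.split(","), user.split(","), addr, method

def audit(text):
    """Return [(lineno, finding)] for records wider than per-database scoping."""
    findings = []
    for lineno, kind, dbs, users, addr, method in parse_hba(text):
        if method == "trust":
            findings.append((lineno, "trust: no password is checked"))
        elif "all" in dbs and "all" in users:
            findings.append((lineno, "any role may authenticate to any database"))
    return findings
```

To check a live file, pass its contents to `audit()`, for example the text of /var/lib/pgsql/data/pg_hba.conf read as root.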
     
  7. Webrything

    Webrything Registered

    Joined:
    Apr 17, 2013
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    We have had this issue 2 days in a row now. All our databases are administered remotely so it is essential that we allow remote access, which the new pg_hba.conf file keeps terminating (as well as causing all sites to break). I am at a loss as to why you would initiate such a change without consultation or announcement, given the damage it has done. Some sort of fix TODAY would be much appreciated.
     
  8. paparent

    paparent Registered

    Joined:
    Apr 18, 2013
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Reseller Owner
    Hi !

    I have the same problem here. I have a custom configuration for my pg_hba.conf on two servers and it gets overwritten.

    I used the 'ident' method because I'm the only one on the server right now. One solution would be to use a password in my configuration file, but it needs to be the same as the account's.

    More important: some of the databases don't have the same name as the user, so that doesn't fit with 'samerole'.

    Anyway, I'm still new with postgresql but I really need it.

    What's the solution? It's the 3rd, and I received too many phone calls from my client so I need a workaround before 00:26 tonight.

    Thanks !

    PA
     
  9. Webrything

    Webrything Registered

    Joined:
    Apr 17, 2013
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    The solution that I came up with (and which appears to have worked) is to change the attributes of the pg_hba.conf file to i and a, so that it cannot be moved, deleted or overwritten (only appended to if required).

    If you have ssh access you can do this with

    chattr +ia /var/lib/pgsql/data/pg_hba.conf

    If you do not have access get your web host to do it for you.

    This still should never have been necessary however!
     
  10. DavidGhedini

    DavidGhedini Registered

    Joined:
    Oct 18, 2011
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    How about simply avoiding the whole Microsoft "try-to-outsmart-the-user" approach and just let us manage our own hba files? We were managing them just fine before cPanel tried to save us from ourselves.
     
  11. KMG-Rich

    KMG-Rich Registered

    Joined:
    Aug 27, 2006
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Agreed. This was an unwelcome change that messed up MANY sites across 3 of my servers. All was working fine and now all is not; even after changing pg_hba.conf back to the original settings.

    Please revert to the old behavior.
     
  12. mike_lang

    mike_lang Registered

    Joined:
    Apr 23, 2013
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I have to agree with DavidGhedini & KMG-Rich. This decision took down my client's production system at 3:00 AM leaving our overseas customers out of service for several hours. Why would you ever overwrite someone's existing database connection configuration as part of an automated update? If you feel the need to make changes like this, you really need manual confirmation from an admin before proceeding with the change. The way this WHM update asked what I wanted to do about newly added features provides a good model in my opinion.

    As a side note, this last update also erased my configuration of phpPgAdmin. I have yet to figure out how to get it working again. What I thought was my old configuration does not even seem to be working now.
     