cPanel update changed pg_hba.conf to samerole

[vgv]

This morninig several of our cpanel websites using postgres started to fail with a pg_hba permission error. It looks like an update changed the pg_hba.conf file lines from "local all all md5" or "host all md5 ...." to "local all samerole md5" or "host all samerole ..."

Anyone has experienced this? I never had this file overwritten with an update and it shouldn't be. Should I make this file immutable, or how else can I prevent this to happen?

 

[ffeingol]

We had the same issues this morning and had to revert the pg_hba.conf from backup.

 

[amber7]

I had the same:
$ psql -U username_dbuser -d username_dbname
psql: FATAL: no pg_hba.conf entry for host "[local]", user "username_dbuser", database "username_dbname", SSL off

Also reverted pg_hba.conf but cpanel likes to overwrite it regularily.

 

[LJH]

Same problem here, I believe the script was:

/cpanelsync/11.36.1.5/binaries/linux-x86_64/bin/setpostgresconfig.bz2

[20130416.053531] [28870] *** Running setpostgresconfig ***
[20130416.053531] [28870] ALTER ROLE
[20130416.053531] [28870] *** Done setpostgresconfig ***
[20130416.053531] [28870] *** Running rebuild-templates ***
[20130416.053532] [28870] *** Done rebuild-templates ***

Can't the update script back-up any configuration files before clobbering them?!?

I might try to rename pg_hba.conf as a strategy to keep it safe from cpanel, but this won't work if it decides to overwrite postgresql.conf, too.

 

[noosalife]

Same problem as others. The first time the fix took a little while to figure out, but now its quite easy (as I have had to do it twice in a week).

Can someone from cPanel either get the bug in the updater fixed, or should I/we change the Release Tier.

The servers I am having this problem with are both on "CURRENT" as the Release Tier, but there is no point dropping back to "Release" if the problem exists there as well.

Currently they are sitting at WHM 11.36.1 (build 5) so this issue is relatively new or I would have posted/Googled about it years ago.

 

[cPanelMarco]

Greetings,

These changes are due to a security update:
CPanelVersion1136 < AllDocumentation/ChangeLog < TWiki

11.36.1.3
2013-04-09
...
[security] Fixed case 52598: Secure postgres database access using pg_hba.conf.

cPanel/WHM updates now automatically secures the pg_hba.conf file, replacing local with samerole. This prevents any user from being able to access any database.

For more information:
PostgreSQL: Documentation: 8.1: Client Authentication

You can preserve your own configuration by adding the following line to the file /var/lib/pgsql/data/pg_hba.conf:

local samerole all md5

I do understand the inconveniences here, my apologies. I have opened an internal case concerning a better method to make your own changes. The result of which might be a change to management of the pg_hba.conf file (case #65645), or an update to our documentation to clarify this.

If anyone would like to offer feedback, could you post the most common configuration changes you will be making?

 

[Webrything]

We have had this issue 2 days in a row now. All our databases are administered remotely so it is essential that we allow remote access, which the new pg_hba.conf file keeps terminating (as well as causing all sites to break). I am at a loss as to why you would initiate such a change without consultation or announcement, given the damage it has done. Some sort of fix TODAY would be much appreciated.

 

[paparent]

Hi !

I have the same problem here. I have a custom configuration for my pg_hba.conf on two servers and it gets overwritten.

I used the 'ident' method because I'm the only one on the server right now.. One solution would be to use password in my configuration file, but it needs to be the same of the account.

More important: Some of the database aren't the same name of the user! so that doesn't fit with the 'samerole'.

Anyway, I'm still new with postgresql but I really need it.

What's the solution ?? it's the 3rd, and I received too much phone from my client so I need a workaround before 00:26 tonight.

Thanks !

PA

 

[Webrything]

Hi !


What's the solution ?? it's the 3rd, and I received too much phone from my client so I need a workaround before 00:26 tonight.

Thanks !

PA

The solution that I came up with (and which appears to have worked) is to change the attributes of the pg_hba.conf file to i and a, so that it cannot be moved, deleted or overwritten (only appended to if required).

If you have ssh access you can do this with

chattr +ia /var/lib/pgsql/data/pg_hba.conf

If you do not have access get your web host to do it for you.

This still should never have been necessary however!

 

[DavidGhedini]

If anyone would like to offer feedback, could you post the most common configuration changes you will be making?

How about simply avoiding the whole Microsoft "try-to-outsmart-the-user" approach and just let us manage our own hba files? We were managing them just fine before cPanel tried to save us from ourselves.

 

[KMG-Rich]

Agreed. This was an unwelcome change that messed up MANY sites across 3 of my servers. All was working fine and now all is not; even after changing pg_hba.conf back to the original settings.

Please revert to the old behavior.

 

[mike_lang]

I have to agree with DavidGhedini & KMG-Rich. This decision took down my client's production system at 3:00 AM leaving our overseas customers out of service for several hours. Why would you ever overwrite someone's existing database connection configuration as part of an automated update? If you feel the need to make changes like this, you really need manual confirmation from an admin before proceeding with the change. The way this WHM update asked what I wanted to do about newly added features provides a good model in my opinion.

As a side note, this last update also erased my configuration of phpPgAdmin. I have yet to figure out how to get it working again. What I thought was my old configuration does not even seem to be working now.