1.3 Ensure Data Cluster Initialized Successfully

Information

First-time installs of a given PostgreSQL major release require the instantiation of the database cluster. A database cluster is a collection of databases that are managed by a single server instance.

Rationale:

For the purposes of security, PostgreSQL enforces ownership and permissions of the data cluster such that:

An initialized data cluster is owned by the UNIX account that created it.

The data cluster cannot be accessed by other UNIX user accounts.

The data cluster cannot be created or owned by root.

The PostgreSQL process cannot be invoked by root nor any UNIX user account other than the owner of the data cluster.

Incorrectly instantiating the data cluster will result in a failed installation.

Solution

Attempting to instantiate a data cluster in an existing non-empty directory will fail:

# whoami
root
# PGSETUP_INITDB_OPTIONS='-k' /usr/pgsql-16/bin/postgresql-16-setup initdb
Data directory is not empty!

If cluster instantiation fails, delete the entire data cluster directory and repeat the initdb command:

# whoami
root
# rm -rf ~postgres/16
# PGSETUP_INITDB_OPTIONS='-k' /usr/pgsql-16/bin/postgresql-16-setup initdb
Initializing database ... OK
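
After initdb reports OK, the ownership and permission rules listed in the Rationale can be checked directly on the data directory. The script below is an added example, not part of the benchmark; the function name check_pgdata is hypothetical, GNU stat is assumed, and the data directory path in the usage comment (~postgres/16/data) is an assumption based on the packaged layout.

```shell
#!/bin/sh
# check_pgdata DIR EXPECTED_UID   (hypothetical helper, added example)
# Returns 0 when DIR looks like a correctly initialized data cluster:
#   - PG_VERSION exists (written by initdb)
#   - DIR is owned by EXPECTED_UID (pass the postgres uid, so a
#     root-owned directory fails the check)
#   - mode is 0700 or 0750, the only modes the server accepts
# Assumed usage: check_pgdata ~postgres/16/data "$(id -u postgres)"
check_pgdata() {
    dir=$1
    want_uid=$2
    rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi

    # An initialized cluster always carries a non-empty PG_VERSION file.
    if [ ! -s "$dir/PG_VERSION" ]; then
        echo "FAIL: $dir/PG_VERSION missing, cluster not initialized"
        rc=1
    fi

    # GNU coreutils stat: %u = numeric owner, %a = octal mode.
    uid=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $dir owned by uid $uid, expected $want_uid"
        rc=1
    fi

    case $mode in
        700|750) ;;
        *)
            echo "FAIL: $dir mode $mode permits access by other accounts"
            rc=1
            ;;
    esac

    if [ "$rc" -eq 0 ]; then
        echo "PASS: $dir"
    fi
    return "$rc"
}
```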

See Also

https://workbench.cisecurity.org/benchmarks/14977

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 9ed92d34293bada2d75ee5618e5b262f7a2ce74cd770a5b2b5309d4b5fe6c2e9