Postgres – pg_dump Permission Denied for Large Object

postgresql

When doing pg_dump as a read-only user readonly, it reports an error:

pg_dump: could not open large object 19536: ERROR:  permission denied for large object 19536

Then I connect as the superuser postgres, but SELECT * FROM pg_largeobject returns nothing.

When I run SELECT * FROM pg_largeobject_metadata WHERE oid=19536, I get

lomowner    lomacl
10

Then with SELECT rolname FROM pg_roles WHERE oid=10; I get postgres which is me (also the superuser).

How can I find this large object and grant SELECT or whatever read privilege to user readonly so it can do pg_dump?

Version: 11.4 (Ubuntu 11.4-1.pgdg18.04+1)

Best Answer

Unlike pg_largeobject, pg_largeobject_metadata can be read by all users and has one row per large object.

Try:

SELECT * FROM pg_largeobject_metadata WHERE oid = 19536;

The lomowner column holds the OID of the owner of the large object. If the account used for pg_dump is not superuser and not the owner of the large object and has not been granted rights to it, the failure to open it is expected.

Then I connect as the superuser postgres, but SELECT * FROM pg_largeobject returns nothing.

Having no row in pg_largeobject despite having large objects in pg_largeobject_metadata is possible if the large objects are all empty (their size is 0 byte).

Permissions on large objects can be granted individually with a command like:

 GRANT SELECT ON LARGE OBJECT 19536 TO readonly;

I don't think there is any way to grant permissions to all large objects, but alternatively the permissions checks on a database can be neutralized entirely by a superuser with this command:

 ALTER DATABASE test SET lo_compat_privileges TO on;

Finally if you don't need that empty large object, it can be removed in SQL with

SELECT lo_unlink(19536);

Related Solutions

Postgresql – pg_dump: [archiver (db)] connection to database failed: FATAL: Peer authentication failed for user “postgres”

If your PHP Apache web site works with peer, keep this, and let's deal with it.

1. First Method :

As authentication is peer based, you have to specify the hostname (usually localhost) using -h option :

ssh server "pg_dump -h localhost -U postgres | gzip -c" >/backup/sqlbackup.sql.gz

The main issue here is that you will be prompted for the postgres user password. It is a problem for backups automation .

You can refer to this to avoid to be prompted for the password. But i will describe :

Create an hidden file named .pgpass in $HOME
Perform a chmod 600 .pgpass
Edit file .pgpass and add this line : localhost:5432:postgres:postgres:password

2. Second Method :

You could add a specific role for backups and trust it.

Create the backup role in Postgres :

CREATE ROLE backup WITH LOGIN SUPERUSER PASSWORD 'password'

Edit file pg_hba.conf, add role backup and trust it :

# Database administrative login by Unix domain socket
local   all             postgres                                peer
local   all             backup                                  trust

Restart postgresql

Then you should be able to run backup with the following :

ssh server "pg_dump -U backup postgres | gzip -c" >/backup/sqlbackup.sql.gz

Azure – Unable to restore postgresql data dump for Django app hosted on Azure VM

You should create the uauvuro0s8b9v4 user prior to restore the database or the pg_restore will raise such errors (as this user's owns a lot of relations, in your case).

In psql try:

CREATE USER uauvuro0s8b9v4 WITH PASSWORD '12334444';

Best Answer

Related Solutions

Postgresql – pg_dump: [archiver (db)] connection to database failed: FATAL: Peer authentication failed for user “postgres”

Azure – Unable to restore postgresql data dump for Django app hosted on Azure VM

Related Topic