Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1ubIXj-00GKIc-3Z for pgsql-general@arkaria.postgresql.org; Mon, 14 Jul 2025 12:44:27 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1ubIXg-007Jfh-7Z for pgsql-general@arkaria.postgresql.org; Mon, 14 Jul 2025 12:44:24 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1ubIXf-007JfY-Ro for pgsql-general@lists.postgresql.org; Mon, 14 Jul 2025 12:44:24 +0000 Received: from mail-ej1-x633.google.com ([2a00:1450:4864:20::633]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1ubIXe-007Eea-1M for pgsql-general@lists.postgresql.org; Mon, 14 Jul 2025 12:44:23 +0000 Received: by mail-ej1-x633.google.com with SMTP id a640c23a62f3a-ae3b336e936so854634866b.3 for ; Mon, 14 Jul 2025 05:44:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cybertec.at; s=google; t=1752497061; x=1753101861; darn=lists.postgresql.org; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:cc:to:from:subject:message-id:from:to:cc:subject :date:message-id:reply-to; bh=4EnDFteTQLKS/YJlY53KeUsp3kalhQoNqh4HM9W8f+M=; b=TB9eXn9oAnAjrQ9HSoghVY0xPltpWLrDS5vl9nuzBWfLd8bXiOXbzG4EYm2c9ghTWI ctrAKGfSBMQlsiY8d+0Rmh6/7AQLlFOCSJ1gAFaMSEuBVoulggXlG2ov1+9eBO1H4Nxb qmEhPlc9Y5vMiocJCCSeciw7cjfukvGt9m0eDCo0KDXoVnXFtxpp+Z/WwVu8NsQ0x+6F 5CSBMuA+wc4rW0fpIQ0+nU9bCuUut5lZjXtOcZSZ7mdXiEYrZ4jG+XfrMuJh/Vf4K1dm 4SbQiL7e3WzeuvNZWfyZOsvYVrxVzqlr33VGce9RaSJfn0LPCaYmgY5xTHQDn01yjHLN Pbrg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752497061; x=1753101861; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:cc:to:from:subject:message-id:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=4EnDFteTQLKS/YJlY53KeUsp3kalhQoNqh4HM9W8f+M=; b=FMD8Kh/B+2ONMZV8jf+/5lAyi8448n31VpzMzvzIcxr/I0r9EgDWVK/NdR4b+ehEFr affquuvnR1fdl/XTYTR+P5x/RFEghkle/kzsUmbpDke33AY/76bxqikh4LVmxyz1da/y 6U72RzvqP4FGR7mWIPBbPP1+lA3I2jCv0M2tb3dojmLCaFufnB98AItwbMV0c+CT6OqE O+VTO6JfFAvcxHy4bNYa89Zg54sJqWIzNmuo6LTKnAJFx/W2SG7Iqie49I590raqrp+q Mkmphds8G6hwToS3EKIfXBYDMwzq2tLejAUPx5fsXfSn0sngyfALYmTNHPNvx67JLfYE TWVw== X-Gm-Message-State: AOJu0YzeyLaV0XsPP0SbEv9zHSKvbUFQEhHau7DybEAjJ9KIJKUHcnRO d9XjBFf7ehn24jFKlJQLV0NkBfTDAmYeQw9rvConOC3nw7ksQ9QnWArqJbfWRpCZm3CQ2sf76io 2iheXZOE= X-Gm-Gg: ASbGncs0soPU3KA8QDIlAAoqKDu+zsQAL5fayTSYEC2oBeDN0F1RB/WIKaWzJVoO1ws aQuyDvRR/pnOuwZWMxZdZlDUUw94n8iDwo/cIqii9emD2N4h6gejRblbGuu2rgSMAMFx9ZtYgZX KpYdPsee3vIyPrmNpiIRF4nDG7pVPy/4nzCNbvNXyBAcQq8meXX0fXYzFO+rlAbGJKooJx8rbrY FuRRabbXckKgvUi/ylt2pMXQldGCul/cu3F6rHRU0J1ovDBrZlmzZi/AZlkCvpzx9FoWLSExJK0 o0u7X3X4NddaAlBfde6/qMiZ3TJmc1RALcS8uP3StoYZFCfzPVNGlstyhtPuQP0Zht4O3oSol40 DhddSoTdn9IcOm7Badx4C8KkkrEIIjdX7t9p76GAJPlzNubS0GFU= X-Google-Smtp-Source: AGHT+IG3PxJQ8oABQJABoUkb6F72s6b7NW0jHvv1O5lROtWQdiUaMFcS+oKQAVPiQPEQrsytN9zxMw== X-Received: by 2002:a17:907:7b8c:b0:adb:335b:decb with SMTP id a640c23a62f3a-ae6fca54171mr1339942566b.24.1752497060727; Mon, 14 Jul 2025 05:44:20 -0700 (PDT) Received: from laurenz.albe-K4N0CV00F97414D ([2001:871:5e:870b:3a5c:2fbf:b86f:9443]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-ae6e8294bd9sm825225666b.132.2025.07.14.05.44.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 14 Jul 2025 05:44:20 -0700 (PDT) Message-ID: <0b3fb11184bf9ce6516ed1aa08af5dddc924f21c.camel@cybertec.at> Subject: Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS) From: Laurenz Albe To: Amol Inamdar Cc: pgsql-general@lists.postgresql.org Date: Mon, 14 Jul 2025 21:44:19 +0900 In-Reply-To: References: <13e3100fc7c7d14919c37943dcfd76b263cecce2.camel@cybertec.at> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.56.2 (3.56.2-1.fc42) MIME-Version: 1.0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Mon, 2025-07-14 at 17:59 +0530, Amol Inamdar wrote: > If I am not mistaken, below is my understanding of your suggestion.=C2=A0 >=20 > Suppose that My mount point on the NFS server is say /nfs-mount/postgres/= =C2=A0 > and you are suggesting to have a data directory as say /nfs-mount/postgre= s/db or something like=C2=A0that ?=C2=A0 > and assign this value to the PGDATA ?=C2=A0 >=20 > If that is the case, then when and who should be creating the directory D= B ?=C2=A0 >=20 > Please correct me if I am wrong about the understanding. You understood me perfectly well. The data directory can either be created by "initdb", in which case the mount point must allow the PostgreSQL user to create a directory. You could set the group of the mount point to the group of the PostgreSQL user and use permissions 1770, which should be perfectly safe. Alternatively, the root user could create the data directory with the correct ownership and permissions prior to running "initdb". Yours, Laurenz Albe