public inbox for [email protected]
Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
3+ messages / 3 participants
* Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
From: Laurenz Albe @ 2025-07-16 15:48 UTC
To: Amol Inamdar <[email protected]>; Tom Lane <[email protected]>
Cc: [email protected]
On Wed, 2025-07-16 at 18:54 +0530, Amol Inamdar wrote:
> I would like to rephrase the question a little bit, below is how our setup is going to be
> 1. NFS mount point is for /nfs-mount/postgres (and permissions locked down so
> that Postgres cannot create directories in here)
> 2. Postgres data directory is /nfs-mount/postgres/db
> 3. With secured NFS + AT-TLS setup Postgres will be able to write to data directory
> but not parent dir, however the file ownership information Postgres sees from the
> stat() call will not match the Postgres user in the container (even though the
> AT-TLS strict access control will ensure only the Postgres user can read/write to
> this directory)
> Considering the above scenario/setup, what is the danger of removing the ownership check
> in miscinit.c checkDataDir() function?
The danger is that somebody other than the PostgreSQL user has permissions on
the data directory. You will argue that that somebody is root, and root has
these permissions anyway.
But there is another reason why PostgreSQL insists that the PostgreSQL user
owns the data directory: at startup, the postmaster checks if the data
directory belongs to the current user and fails if not. This is a protection
against starting the postmaster with the wrong user.
There are certainly ways to do it differently, but I'd argue that they would
be more complicated, and the current simple solution is robust.
If you pre-create the data directory with the appropriate permissions,
what keeps you from giving ownership to the correct user too?
Yours,
Laurenz Albe
* Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
From: Amol Inamdar @ 2025-07-17 04:52 UTC
To: Laurenz Albe <[email protected]>
Cc: Tom Lane <[email protected]>; [email protected]
@Laurenz Albe <[email protected]>
> If you pre-create the data directory with the appropriate permissions,
> what keeps you from giving ownership to the correct user too?
Our NFS server is not a regular Linux based server,
it's on z/OS (Mainframes) with AT-TLS security enabled,
hence it doesn't allow changing of ownership.
Basically, we have tried everything we could
to change the directory ownership to match with the postgres user
and that as of now looks impossible, unless we make changes in the
environment.
To summarize, we are not able to change the ownership of the data directory
due to the Mainframe NFS server limitations when enabled with AT-TLS security.
Hence we wanted to check if bypassing this check is ok if it could be assured
that only the postgres user can write here (NFS-AT-TLS ensures that).
I wouldn't get into details of explaining why changing ownership is not
possible, as that would take this discussion to another context, hence avoiding.
Thanks in advance
On Wed, Jul 16, 2025 at 9:18 PM Laurenz Albe <[email protected]> wrote:
> On Wed, 2025-07-16 at 18:54 +0530, Amol Inamdar wrote:
> > I would like to rephrase the question a little bit, below is how our setup is going to be
> > 1. NFS mount point is for /nfs-mount/postgres (and permissions locked down so
> > that Postgres cannot create directories in here)
> > 2. Postgres data directory is /nfs-mount/postgres/db
> > 3. With secured NFS + AT-TLS setup Postgres will be able to write to data directory
> > but not parent dir, however the file ownership information Postgres sees from the
> > stat() call will not match the Postgres user in the container (even though the
> > AT-TLS strict access control will ensure only the Postgres user can read/write to
> > this directory)
> > Considering the above scenario/setup, what is the danger of removing the ownership check
> > in miscinit.c checkDataDir() function?
>
> The danger is that somebody other than the PostgreSQL user has permissions on
> the data directory. You will argue that that somebody is root, and root has
> these permissions anyway.
>
> But there is another reason why PostgreSQL insists that the PostgreSQL user
> owns the data directory: at startup, the postmaster checks if the data
> directory belongs to the current user and fails if not. This is a protection
> against starting the postmaster with the wrong user.
>
> There are certainly ways to do it differently, but I'd argue that they would
> be more complicated, and the current simple solution is robust.
>
> If you pre-create the data directory with the appropriate permissions,
> what keeps you from giving ownership to the correct user too?
>
> Yours,
> Laurenz Albe
>
--
-regards
Amol
* Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
From: Tom Lane @ 2025-07-17 05:14 UTC
To: Amol Inamdar <[email protected]>
Cc: Laurenz Albe <[email protected]>; [email protected]
Amol Inamdar <[email protected]> writes:
> @Laurenz Albe <[email protected]>
>> If you pre-create the data directory with the appropriate permissions,
>> what keeps you from giving ownership to the correct user too?
> Our NFS server is not a regular Linux based server,
> it's on z/OS (Mainframes) with AT-TLS security enabled,
> hence it doesn't allow changing of ownership.
Not only is that not a fit storage substrate for Postgres,
it's pretty hard to imagine that it's a fit substrate for
anything. "Every file on this filesystem must belong to the
same owner" is a concept that should have gone out with
floppy disks.
You need some extremely fundamental re-examination of your
design decisions. At the moment I am content to say that
Postgres does not support this storage mechanism and we
do not intend to do so in the future.
regards, tom lane