Subject: Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
From: Laurenz Albe
To: Amol Inamdar, pgsql-general@lists.postgresql.org
Date: Mon, 14 Jul 2025 14:20:14 +0200
Message-ID: <13e3100fc7c7d14919c37943dcfd76b263cecce2.camel@cybertec.at>

On Mon, 2025-07-14 at 11:19 +0530, Amol Inamdar wrote:
> I'm currently running PostgreSQL version 16.6 inside a Docker container
> (base image: UBI 9), using Docker Compose. The PostgreSQL data directory
> is mounted from an NFS volume hosted on a z/OS NFS server.
>
> The environment has a few constraints:
>
> - It's a highly secure and access-controlled setup.
> - Due to platform restrictions on z/OS, the mounted NFS directory cannot
>   be owned by the PostgreSQL user (e.g., `postgres`) inside the container.
> - As a result, PostgreSQL fails to start because of the directory
>   ownership validation check.

It is not a good idea to have a mount point be the data directory.
The proper solution is to create the data directory inside the mount point.
That way, the permissions of the data directory don't have to be the same as
the permissions of the mount point.

Yours,
Laurenz Albe
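The layout Laurenz recommends, as an added shell example that is not part of the thread: a check that mirrors what the postmaster verifies on the data directory at start-up (owner must be the server's effective uid, mode must be 0700 or 0750), and a helper that creates the data directory one level below the mount point so only that subdirectory has to be owned by the server user. It assumes GNU `stat` (Linux) and a non-root shell; the mount point and `pgdata` paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Mirrors PostgreSQL's checkDataDir():
# the data directory must be owned by the uid the server runs as, and its mode
# must be 0700 (or 0750 when group read access is enabled). Assumes GNU stat.
check_pgdata() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    owner=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    if [ "$owner" != "$(id -u)" ]; then
        echo "$dir: has wrong ownership (uid $owner, server runs as uid $(id -u))"
        return 1
    fi
    case "$mode" in
        700|750) echo "$dir: ok (mode $mode)"; return 0 ;;
        *)       echo "$dir: has invalid permissions (mode $mode)"; return 1 ;;
    esac
}

# The fix from the reply: leave the mount point as the platform hands it to you
# and create the data directory one level down, owned by the server user with
# mode 0700. On the real volume, run this (or the container entrypoint) as root
# and chown the subdirectory to the postgres user; only that inode must be
# chown-able, not the mount point itself. Prints the path it created.
prepare_pgdata() {
    mount_point=$1
    pgdata="$mount_point/pgdata"          # constructed name for the demo
    mkdir -m 0700 -p "$pgdata" || return 1
    printf '%s\n' "$pgdata"
}

# Demo on a constructed "mount point": mode 0755 stands in for the root-owned
# z/OS export that cannot be chowned (foreign ownership itself cannot be faked
# without root, so the mode check is what fails here).
demo_mount=$(mktemp -d)
chmod 0755 "$demo_mount"
check_pgdata "$demo_mount" || :       # rejected, as the mount point would be
demo_pgdata=$(prepare_pgdata "$demo_mount")
check_pgdata "$demo_pgdata"           # accepted: server-owned, mode 0700
```

With the subdirectory in place, point the server at it (for the Docker image, set `PGDATA` to the subdirectory path, e.g. `/mnt/zos_nfs/pgdata`, an assumed path) instead of the mount point.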