public inbox for [email protected]  
From: Laurenz Albe <[email protected]>
To: Amol Inamdar <[email protected]>
To: Tom Lane <[email protected]>
Cc: [email protected]
Subject: Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
Date: Wed, 16 Jul 2025 17:48:10 +0200
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAGOe9RiBSEZo3c8akePA+11HmV1JHx0Lsk57-fGfM0DEf4ekXg@mail.gmail.com>
References: <CAGOe9RiRUK9K8gUbsMfg8nWDsM2Fd9py-2oe4VG1Uaggu8fQGA@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<CAGOe9RirtoXtMJhejo4_V+Si83+c4gfM_E-DH9WqaEBJ9SnfiA@mail.gmail.com>
	<CAGOe9RiBSEZo3c8akePA+11HmV1JHx0Lsk57-fGfM0DEf4ekXg@mail.gmail.com>

On Wed, 2025-07-16 at 18:54 +0530, Amol Inamdar wrote:
> I would like to rephrase the question a little bit, below is how our setup is going to be:
>    1. NFS mount point is for /nfs-mount/postgres (and permissions locked down so
>       that Postgres cannot create directories in here)
>    2. Postgres data directory is /nfs-mount/postgres/db
>    3. With secured NFS + AT-TLS setup Postgres will be able to write to data directory
>       but not parent dir, however the file ownership information Postgres sees from the
>       stat() call will not match the Postgres user in the container (even though the
>       AT-TLS strict access control will ensure only the Postgres user can read/write to
>       this directory)
> Considering the above scenario/setup, what is the danger of removing the ownership check
> in the miscinit.c checkDataDir() function?

The danger is that somebody other than the PostgreSQL user has permissions on
the data directory.  You will argue that that somebody is root, and root has
these permissions anyway.

But there is another reason why PostgreSQL insists that the PostgreSQL user
owns the data directory: at startup, the postmaster checks if the data
directory belongs to the current user and fails if not.  This is a protection
against starting the postmaster with the wrong user.

There are certainly ways to do it differently, but I'd argue that they would
be more complicated, and the current simple solution is robust.

If you pre-create the data directory with the appropriate permissions,
what keeps you from giving ownership to the correct user too?

Yours,
Laurenz Albe
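The startup check the reply describes, re-implemented as a stand-alone C program. This is an added example, not PostgreSQL's own checkDataDir() or any other code from the project or from the thread: the function and status names, the permission mask (group-write and every "other" bit must be clear, so 0700 and 0750 pass while 0755 or 0770 fail) and the scratch-directory demo in main() are my assumptions. The pure function takes a stat buffer plus the uid it should match, so the NFS situation from the question, where the owner stat() reports is not the uid the server runs as, can be reproduced without root or a chown:

```c
/*
 * Added example, not PostgreSQL's own checkDataDir(): a stand-alone
 * re-implementation of the two startup checks described in the reply
 * (directory owner == effective uid; permissions restricted to the owner,
 * optionally read/execute for the group).  The status names, the
 * permission mask and the demo in main() are assumptions for illustration.
 */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum datadir_status {
    DATADIR_OK = 0,
    DATADIR_STAT_FAILED,     /* path does not exist or is unreachable */
    DATADIR_NOT_A_DIRECTORY,
    DATADIR_WRONG_OWNER,     /* st_uid != uid we run as: wrong user, or an NFS
                                export whose uid mapping differs from ours */
    DATADIR_BAD_PERMISSIONS  /* group-write or any "other" bit is set */
};

/* Bits that must be clear (assumed mask): group write and all of "other".
 * 0700 and 0750 pass; 0755, 0770 and 0777 fail. */
#define DATADIR_FORBIDDEN_BITS (S_IWGRP | S_IRWXO)

/*
 * Pure check on an already-filled stat buffer.  Taking expected_uid as a
 * parameter lets a caller reproduce "stat() reports a different owner"
 * without actually changing ownership of anything.
 */
enum datadir_status check_datadir_stat(const struct stat *st, uid_t expected_uid)
{
    if (!S_ISDIR(st->st_mode))
        return DATADIR_NOT_A_DIRECTORY;

    /* Protection against starting the server as the wrong user: whoever
     * stat() says owns the directory must be the user we are running as. */
    if (st->st_uid != expected_uid)
        return DATADIR_WRONG_OWNER;

    if (st->st_mode & DATADIR_FORBIDDEN_BITS)
        return DATADIR_BAD_PERMISSIONS;

    return DATADIR_OK;
}

/* What a server does at startup: stat the data directory and compare the
 * reported owner against its own effective uid. */
enum datadir_status check_datadir(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return DATADIR_STAT_FAILED;
    return check_datadir_stat(&st, geteuid());
}

const char *datadir_status_str(enum datadir_status s)
{
    switch (s) {
    case DATADIR_OK:              return "ok";
    case DATADIR_STAT_FAILED:     return "cannot stat";
    case DATADIR_NOT_A_DIRECTORY: return "not a directory";
    case DATADIR_WRONG_OWNER:     return "wrong ownership (start the server as the directory owner)";
    case DATADIR_BAD_PERMISSIONS: return "invalid permissions (use 0700 or 0750)";
    }
    return "unknown";
}

/*
 * Demo: with a path argument, check that path.  Without one, create a
 * scratch directory, walk it through several modes, then check the same
 * stat buffer against a uid that is not ours to show the NFS case.
 */
int main(int argc, char **argv)
{
    if (argc > 1) {
        enum datadir_status s = check_datadir(argv[1]);
        printf("%s: %s\n", argv[1], datadir_status_str(s));
        return s == DATADIR_OK ? 0 : 1;
    }

    char dir[64];
    struct stat st;
    snprintf(dir, sizeof dir, "/tmp/datadir_example_%ld", (long) getpid());
    if (mkdir(dir, 0700) != 0) {
        perror("mkdir");
        return 1;
    }

    static const mode_t modes[] = { 0700, 0750, 0755, 0770 };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        chmod(dir, modes[i]);   /* explicit chmod: mkdir's mode is subject to umask */
        printf("mode %04o: %s\n", (unsigned) modes[i],
               datadir_status_str(check_datadir(dir)));
    }

    if (stat(dir, &st) == 0)
        printf("same directory seen with a foreign uid: %s\n",
               datadir_status_str(check_datadir_stat(&st, geteuid() + 1)));

    rmdir(dir);
    return 0;
}
```

Run it with no arguments to see the four modes and the foreign-uid case, or pass a directory to check it the way a server would. The ownership comparison runs before the mode check, so on an export whose uid mapping does not match the container user the result is "wrong ownership" regardless of how tight the permissions are; the fix the reply points at is to make the pre-created directory owned by that user on the side that controls the export, rather than to drop the comparison.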
