Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uc4Mk-008cSg-1b for pgsql-general@arkaria.postgresql.org; Wed, 16 Jul 2025 15:48:18 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1uc4Mi-00BXJT-2Y for pgsql-general@arkaria.postgresql.org; Wed, 16 Jul 2025 15:48:16 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uc4Mh-00BXJL-MF for pgsql-general@lists.postgresql.org; Wed, 16 Jul 2025 15:48:16 +0000 Received: from mail-wm1-x32f.google.com ([2a00:1450:4864:20::32f]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1uc4Me-0085W1-31 for pgsql-general@lists.postgresql.org; Wed, 16 Jul 2025 15:48:16 +0000 Received: by mail-wm1-x32f.google.com with SMTP id 5b1f17b1804b1-451dbe494d6so61831985e9.1 for ; Wed, 16 Jul 2025 08:48:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cybertec.at; s=google; t=1752680892; x=1753285692; darn=lists.postgresql.org; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:cc:to:from:subject:message-id:from:to:cc:subject :date:message-id:reply-to; bh=Ptz16NwPeYsIgH1x85sOSIZ6jorrwRG36thm16ZIK0k=; b=Mnqz6/rxtQJB3882rlylkltcJ5WTGX4scuVQa/u6ZHjRVQW8V2LNCDiOuOQK+gRpUs y4n1BTVVcwi2iuc5kI1uIyzl8TWFjNmywjP1rvjg0mfQWqEWBJI2tqZkyQQYFfP9W2Lt vFvb5Exyd41aUnayVUqHeq3wbgGP/m0kw14m8laISdDIQM9FbCq2wGZwAlSASzjvh/68 GoQkGamKFFifR0q1c5U9dnVeqJ2lUnrlfI33h3sLbWRuGp0lWT+7bxWPTAyTetNvy1n9 k6Cb4TBbHceAbWVOoH24pOuOHfeQq+bVwmq05GIVZRuc1R4cqvHHs2zjHnDzpyQ5ObEy LVGg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752680892; x=1753285692; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:cc:to:from:subject:message-id:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=Ptz16NwPeYsIgH1x85sOSIZ6jorrwRG36thm16ZIK0k=; b=hnFm6atwykA2eA8MKaLULPyp4vc+IEHzlYittsLmRfObjGMdGlkRN3jsJl8ZlsR0/P fkveYzaF2WCefv7aA6Qy9v0GEst5cllwXUa+KU5Z7zaX/FWXcweNf1BQ+gGcVVLMfqXr xYyePpqOb3elf0Xm3QxHp+qt7tfhwDulzBwP0dr3IX3c6ZwKOUUnR/MLtPbFouVVgY2D kkKbYpRged81TgO2NV+hirjY6b8RXwD0SM8ZMU62hlit7U9F+TXSBZlnefBWLDlI2Kc/ ZguU7exHLVxn5+PCj/Clnl4J7p9upDQNrtNaaSXnM6VLlG0ICUmNgmj92CFpyMlUI1Sh zcgg== X-Gm-Message-State: AOJu0YxvnucQSOB+AtdIjkp8PfcFFH9Hor2FgJ+5IE3mIu9IpnE2Zjyx I1OePnKu9xUHCLUHrI2KEqEVJmfqGb8qqqgDViO+AXT6nemPqj0D+Qa1JY75Cl2cWKFN/lRb1s+ PLUq+ X-Gm-Gg: ASbGncvXtp9mVIWJaF8IG93vYNRbD/5LC0Lx1KNT3ygwFv42cfhbarzhsX5yzYcZ7I7 HnMa889bFR+uUAceKnSVADrIcjjnMWFSULdetCmN9W5udcpgqIFlQyu5O66FmA4A25v3PdfM0Od yjPfdI/o7fKatg/oiVE/D3gt3IGf9NDx+Zl7RMmDn29Sw2w/5y8XqxDyg6XYBD/5fvdNDZciBW2 erF6pHUdM/JTPR48xY9Vx7fiE5ZdBFlB0I3xdFSpCEMCQY1Ioyg10KAma/TShJVJeZ2JGL3h/nx l61o3QUefYSo/JjZW06K5p0BaXkeR5UVNfPGOy4qi+Dos8gMW7RlR3CINkQlLdp37N9i48bR/XS FBB5w9l8wR8hK0KKQBiz9O0JSccybHm62KJPsLM1zrM6potUHwgGY X-Google-Smtp-Source: AGHT+IEXKPtp1sTTXy3WcBBQtlc7TZGvuXTXmPW8nwnCFA1nTmawoKiuHQlykVZfB27lQ+N7CZQF+g== X-Received: by 2002:a05:600c:3e0e:b0:456:2ce8:b341 with SMTP id 5b1f17b1804b1-4562f88ae8fmr31151395e9.17.1752680891485; Wed, 16 Jul 2025 08:48:11 -0700 (PDT) Received: from laurenz.albe-K4N0CV00F97414D ([2001:871:260:8255:4498:d44d:633d:3bff]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4562e82d58esm25254525e9.25.2025.07.16.08.48.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 16 Jul 2025 08:48:11 -0700 (PDT) Message-ID: <62b420e1c9500c68c1bc135810d4cf9f3289fb8c.camel@cybertec.at> Subject: Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS) From: Laurenz Albe To: Amol Inamdar , Tom Lane Cc: pgsql-general@lists.postgresql.org Date: Wed, 16 Jul 2025 17:48:10 +0200 In-Reply-To: References: <13e3100fc7c7d14919c37943dcfd76b263cecce2.camel@cybertec.at> <609925.1752502040@sss.pgh.pa.us> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.56.2 (3.56.2-1.fc42) MIME-Version: 1.0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Wed, 2025-07-16 at 18:54 +0530, Amol Inamdar wrote: > I would like to rephrase the question a little bit, below is how our setu= p going to be=C2=A0 > =C2=A0=C2=A0=C2=A01. NFS mount point is for /nfs-mount/postgres (and perm= issions locked down so > that Postgres cannot create directories in here) > =C2=A0=C2=A0=C2=A02. Postgres data directory is /nfs-mount/postgres/db > =C2=A0=C2=A0=C2=A03. With secured NFS + AT-TLS setup Postgres will be abl= e to write to data directory > but not parent dir, however the file ownership information Postgres= sees from the > =C2=A0stat()=C2=A0call will not match the Postgres user in the conta= iner (even though the > AT-TLS strict access control will ensure only the Posgres user can = read/write to > this directory) > Considering the above scenario/setup,=C2=A0what is the danger of removing= the ownership check > in=C2=A0miscinit.c=C2=A0checkDataDir()=C2=A0function ?=C2=A0 The danger is that somebody else than the PostgreSQL user has permissions o= n the data directory. You will argue that that somebody is root, and root ha= s these permissions anyway. But there is another reason why PostgreSQL insists that the PostgreSQL user owns the data directory: at startup, the postmaster checks if the data directory belongs to the current user and fails if not. This is a protecti= on against starting the postmaster with the wrong user. There are certainly ways to do it differently, but I'd argue that they woul= d be more complicated, and the current simple solution is robust. If you pre-create the data directory with the appropriate permissions, what keeps you from giving ownership to the correct user too? Yours, Laurenz Albe