Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Benjamin Wang <[email protected]>
To: Tom Lane <[email protected]>
Cc: Peter J. Holzer <[email protected]>
Cc: [email protected]
Subject: Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
Date: Mon, 14 Jul 2025 20:02:27 +0100
Message-ID: <CADVOZZ5D7bR_2fcqonVc5CE6wkwDb1smzZf+V7MVspw+1NKhRQ@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <CAGOe9RiRUK9K8gUbsMfg8nWDsM2Fd9py-2oe4VG1Uaggu8fQGA@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>

I am not sure whether PostgreSQL depends on system call `fsyncdata` to
 sync data to disk. If yes, then I don't think it's safe to use NFS.
When `fsyncdata` returns success, it doesn't mean the data has
really been synced to disk. But if PostgreSQL crashes right after
it returns success to clients. Eventually it breaks the D (Durability) of
ACID.

Benjamin

On Mon, Jul 14, 2025 at 7:31 PM Tom Lane <[email protected]> wrote:

> "Peter J. Holzer" <[email protected]> writes:
> > On 2025-07-14 10:07:20 -0400, Tom Lane wrote:
> >> That is primarily for safety reasons: if for some reason the
> >> filesystem gets dismounted, or hasn't come on-line yet during
> >> a reboot, you do not want Postgres to be able to write on the
> >> underlying mount-point directory.
>
> > Be careful: There are two different directorys involved in a mount
> > point. The one in the parent filesystem and the one in the mounted file
> > system.
>
> True, and the safety requirement really is only that the parent
> filesystem's mount-point directory not be writable by us.
> But normal practice is that both directories are root-owned,
> or at least owned by highly privileged users.
>
> (I have a vague idea that there are system-level security hazards,
> not specific to Postgres, if mount-point directories are publicly
> writable.  Don't feel like researching that though.)
>
>                         regards, tom lane
>
>
>

view thread (3+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
  In-Reply-To: <CADVOZZ5D7bR_2fcqonVc5CE6wkwDb1smzZf+V7MVspw+1NKhRQ@mail.gmail.com>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox