Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1ubORp-000Hh5-Jn for pgsql-general@arkaria.postgresql.org; Mon, 14 Jul 2025 19:02:45 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1ubORn-00Bnx2-Kk for pgsql-general@arkaria.postgresql.org; Mon, 14 Jul 2025 19:02:44 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1ubORn-00Bnsh-98 for pgsql-general@lists.postgresql.org; Mon, 14 Jul 2025 19:02:43 +0000 Received: from mail-lj1-x22f.google.com ([2a00:1450:4864:20::22f]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1ubORm-007HXe-0Z for pgsql-general@lists.postgresql.org; Mon, 14 Jul 2025 19:02:43 +0000 Received: by mail-lj1-x22f.google.com with SMTP id 38308e7fff4ca-32cdc9544ceso40696241fa.0 for ; Mon, 14 Jul 2025 12:02:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1752519759; x=1753124559; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=NuA20YC0gvrX6L+jYMbWYxannQoUBbUp3CbhLqT26BA=; b=lY2X9tnbbKX7TTwb6BkrvW1U7yYthdUZPc4mj24xBzWPn95iBNROeV9LHDfM7UnhTs Q0YnM1tEh12KPBBqtYMAoxYf/lYVS3ssamhP6PIznqPGsGY50UmuGeyGq8/5kqAJ94JF LyItnmzfzD0EhiKXBay8Ggm1N5SPsoNQL+kajg+qdVOV9Prz3xMsKrrnsxiMH3cCz1sp lH62pqmsILJgdmYNro0LxqzeS5TurQ4N+tQgqcrnqWqsCLQFmk4S172P62yt74GY7Clu jzFJ9KI7kPfYhLhli97YYpBkFU5DLso2q5bAimxVnDIrGCpU05l7DqaAAhOIh5/HiD2X /GGQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752519759; x=1753124559; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=NuA20YC0gvrX6L+jYMbWYxannQoUBbUp3CbhLqT26BA=; b=ic+Ej4NhapZZJnHCx8+h/F0cR/miV7tjjee4ucYvpTOMFnmmb/H0oQ0HZDQo+y8x5u 6Avgrh8OANQD0p+lU0zpNEt28amI13oN8H8dTRTHaXXO9JQcYZkE3kla5oOxpJBfQe9R NFt4KIuVgw+7ZOQGrp01feKm0RaYWFh1ru+6XqEL+jQ6Rl/4Dn97TSwEVsIGhQfD4EHQ TTxNLjf0mVQCdamybMfspLBnnClOTx4C8b6mvn2fMNvQ6511BiRtutBfHXeNKL3dIT2N EAJrbQJr4xobMQE0WZmki0SnSwE/6I2MeMcJY6RH8LlXf0ThUDh6P2hmMNC4X/JySfa0 IGUw== X-Forwarded-Encrypted: i=1; AJvYcCXwReu3LgdQ+WJsTX7+SeRdhJ1rlge84+EuZkI/sqv7sr/5+YI7OygrFuHBbGxDf92B8gkGP3QmaVManbkg@lists.postgresql.org X-Gm-Message-State: AOJu0Yx0qioxONFOTFdHMttWC/OuS5yYYsfVGHl2cby/6ACSsFaZgRvR 6MSz2cgi4t+XcFBF2eHxGNYSmaqTkOzWP4V5ZKVoWjgNvQS0Vm+Cio6VX+1fBf1LFU9I7pOaDqv 8j946z481S0ZKOhg+kiHdNFmAaxKoorjTVhFY X-Gm-Gg: ASbGncuty2Cvck6FOgEfpPBORcH069Jdda8x8MPJExBUXhdOVNEaCn56hzsVUZL/Tk+ bWDNgRg7LGwDZtXMy9s21+WEXBR5UOXZiK5aY/8wDZOH575Dgrpsy3qE499NtIwyQwHa3fG/VX/ VHmfdmHuDud8gxq5Pzf6Pptkm5dAuDnXSPE+a3tgpJjH2T2x9p8wWorgeBupOGU5e/N15Y4szD4 JLVEIPFm+nRaEZfLeMTWOJpjKGTu3+lM0x8CNYq5Q== X-Google-Smtp-Source: AGHT+IEPiDiK76tAAls5XYk8J6LsjAy9WXw3wDaPe3FJ+fNaS4igHULdxj1Kbd7KroKw7BFt4Up+CIqmGfFY6gFwShM= X-Received: by 2002:a2e:a7ca:0:b0:32b:4521:73cf with SMTP id 38308e7fff4ca-33053293f8bmr41425411fa.2.1752519758999; Mon, 14 Jul 2025 12:02:38 -0700 (PDT) MIME-Version: 1.0 References: <13e3100fc7c7d14919c37943dcfd76b263cecce2.camel@cybertec.at> <609925.1752502040@sss.pgh.pa.us> <20250714182016.23ypyxgtq6vbgl4c@hjp.at> <708241.1752517845@sss.pgh.pa.us> In-Reply-To: <708241.1752517845@sss.pgh.pa.us> From: Benjamin Wang Date: Mon, 14 Jul 2025 20:02:27 +0100 X-Gm-Features: Ac12FXw15GFlHMzE4nvEgc85Hcrmrfkh4zE3H4DWBQ5doyVMc9LfqIzkbZjAA38 Message-ID: Subject: Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS) To: Tom Lane Cc: "Peter J. Holzer" , pgsql-general@lists.postgresql.org Content-Type: multipart/alternative; boundary="000000000000b279170639e84dab" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000b279170639e84dab Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable I am not sure whether PostgreSQL depends on system call `fsyncdata` to sync data to disk. If yes, then I don't think it's safe to use NFS. When `fsyncdata` returns success, it doesn't mean the data has really been synced to disk. But if PostgreSQL crashes right after it returns success to clients. Eventually it breaks the D (Durability) of ACID. Benjamin On Mon, Jul 14, 2025 at 7:31=E2=80=AFPM Tom Lane wrote: > "Peter J. Holzer" writes: > > On 2025-07-14 10:07:20 -0400, Tom Lane wrote: > >> That is primarily for safety reasons: if for some reason the > >> filesystem gets dismounted, or hasn't come on-line yet during > >> a reboot, you do not want Postgres to be able to write on the > >> underlying mount-point directory. > > > Be careful: There are two different directorys involved in a mount > > point. The one in the parent filesystem and the one in the mounted file > > system. > > True, and the safety requirement really is only that the parent > filesystem's mount-point directory not be writable by us. > But normal practice is that both directories are root-owned, > or at least owned by highly privileged users. > > (I have a vague idea that there are system-level security hazards, > not specific to Postgres, if mount-point directories are publicly > writable. Don't feel like researching that though.) > > regards, tom lane > > > --000000000000b279170639e84dab Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I am not sure whether PostgreSQL depends on system call `f= syncdata` to
=C2=A0sync data to disk. If yes, then I don't think it= 's safe to use NFS.=C2=A0
When `fsyncdata` returns success, i= t doesn't mean the data has
really been synced to disk. But i= f PostgreSQL crashes right after
it returns success to clients. E= ventually it breaks the D (Durability) of
ACID.

Benjamin=C2=A0

On Mon, Jul 14, 2025 at 7= :31=E2=80=AFPM Tom Lane <tgl@sss.pg= h.pa.us> wrote:
"Peter J. Holzer" <hjp-pgsql@hjp.at> writes:
> On 2025-07-14 10:07:20 -0400, Tom Lane wrote:
>> That is primarily for safety reasons: if for some reason the
>> filesystem gets dismounted, or hasn't come on-line yet during<= br> >> a reboot, you do not want Postgres to be able to write on the
>> underlying mount-point directory.

> Be careful: There are two different directorys involved in a mount
> point. The one in the parent filesystem and the one in the mounted fil= e
> system.

True, and the safety requirement really is only that the parent
filesystem's mount-point directory not be writable by us.
But normal practice is that both directories are root-owned,
or at least owned by highly privileged users.

(I have a vague idea that there are system-level security hazards,
not specific to Postgres, if mount-point directories are publicly
writable.=C2=A0 Don't feel like researching that though.)

=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 regards, tom lane


--000000000000b279170639e84dab--