MIME-Version: 1.0
References: <CAGOe9RiRUK9K8gUbsMfg8nWDsM2Fd9py-2oe4VG1Uaggu8fQGA@mail.gmail.com>
 <13e3100fc7c7d14919c37943dcfd76b263cecce2.camel@cybertec.at>
 <CAGOe9RijT-5X=UoeGv_TeW=KVVV9xvBBSwY9V-a=n_8GyzdRDA@mail.gmail.com> <0b3fb11184bf9ce6516ed1aa08af5dddc924f21c.camel@cybertec.at>
In-Reply-To: <0b3fb11184bf9ce6516ed1aa08af5dddc924f21c.camel@cybertec.at>
From: Amol Inamdar <amol.aai@gmail.com>
Date: Mon, 14 Jul 2025 18:32:23 +0530
Message-ID: <CAGOe9Ri8aNao0SB8kkm0F6xp=TPe5XWHpcA9MEBkY4kp-6Bjig@mail.gmail.com>
Subject: Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with
 Secure z/OS NFS (AT-TLS)
To: Laurenz Albe <laurenz.albe@cybertec.at>
Cc: pgsql-general@lists.postgresql.org
Content-Type: multipart/alternative; boundary="00000000000003c7ee0639e34668"
Archived-At: <https://www.postgresql.org/message-id/CAGOe9Ri8aNao0SB8kkm0F6xp%3DTPe5XWHpcA9MEBkY4kp-6Bjig%40mail.gmail.com>
Precedence: bulk

--00000000000003c7ee0639e34668
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Thanks Laurenz,

The data directory can either be created by "initdb", in which case
the mount point must allow the PostgreSQL user to create a directory.
You could set the group of the mount point to the group of the
PostgreSQL user and use permissions 1770, which should be perfectly safe.

This exactly is the problem we are facing, to give you a summary,
our NFS server is enabled with AT-TLS authentication
and we are accessing the server via a proxy server (Haproxy).
This acts as our NFS client and it is configured with the
required client certificates.

The outcome of above configuration is that any directory created
in the NFS mount is always owned by the user in the certificates
and if that user isn't present in the proxy container it is marked
as nobody:nogroup, we tried various things like
created the user similar to postgres user so that the users ids match but
always ended up giving error  =E2=80=9Cdata directory =E2=80=9C/var/lib=E2=
=80=9D has wrong ownership


Hence, we thought of skipping this check (Directory owner and postgres user
validation) and
wanted to understand the implication of the same.

Thanks,
Amol,


On Mon, Jul 14, 2025 at 6:14=E2=80=AFPM Laurenz Albe <laurenz.albe@cybertec=
.at>
wrote:

> On Mon, 2025-07-14 at 17:59 +0530, Amol Inamdar wrote:
> > If I am not mistaken, below is my understanding of your suggestion.
> >
> > Suppose that My mount point on the NFS server is say
> /nfs-mount/postgres/
> > and you are suggesting to have a data directory as say
> /nfs-mount/postgres/db or something like that ?
> > and assign this value to the PGDATA ?
> >
> > If that is the case, then when and who should be creating the directory
> DB ?
> >
> > Please correct me if I am wrong about the understanding.
>
> You understood me perfectly well.
>
> The data directory can either be created by "initdb", in which case
> the mount point must allow the PostgreSQL user to create a directory.
> You could set the group of the mount point to the group of the
> PostgreSQL user and use permissions 1770, which should be perfectly safe.
>
> Alternatively, the root user could create the data directory with the
> correct ownership and permissions prior to running "initdb".
>
> Yours,
> Laurenz Albe
>


--=20
-regards
Amol

--00000000000003c7ee0639e34668
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr">Thanks Laurenz,=C2=A0<div><br></div><div>=
<font color=3D"#0000ff">The data directory can either be created by &quot;i=
nitdb&quot;, in which case<br>the mount point must allow the PostgreSQL use=
r to create a directory.<br>You could set the group of the mount point to t=
he group of the<br>PostgreSQL user and use permissions 1770, which should b=
e perfectly safe.</font></div><div><br></div><div>This exactly is the probl=
em we are facing, to give you a summary,=C2=A0</div><div>our NFS server is =
enabled with AT-TLS authentication</div><div>and we are accessing the serve=
r via a proxy server (Haproxy).=C2=A0</div><div>This acts as our NFS client=
 and it is configured with the=C2=A0</div><div>required client certificates=
.</div><div><br></div><div>The outcome of above configuration is that any d=
irectory created=C2=A0</div><div>in the NFS mount is always owned by the us=
er in the certificates=C2=A0</div><div>and if that user isn&#39;t present i=
n the proxy container it is marked=C2=A0</div><div>as nobody:nogroup, we tr=
ied various things like</div><div>created the user similar to postgres user=
 so that the users ids match but=C2=A0</div><div>always ended up giving err=
or=C2=A0=C2=A0<span style=3D"color:rgb(68,93,110);font-family:Roboto,sans-s=
erif;font-size:15px">=E2=80=9Cdata directory =E2=80=9C/var/lib=E2=80=9D has=
 wrong ownership</span>=C2=A0</div><div><br></div><div>Hence, we thought of=
 skipping this check (Directory owner and postgres user validation) and=C2=
=A0</div><div>wanted to understand the implication of the same.=C2=A0</div>=
<div><br></div><div>Thanks,</div><div>Amol,</div><div><br></div><div><br></=
div></div><br><div class=3D"gmail_quote gmail_quote_container"><div dir=3D"=
ltr" class=3D"gmail_attr">On Mon, Jul 14, 2025 at 6:14=E2=80=AFPM Laurenz A=
lbe &lt;<a href=3D"mailto:laurenz.albe@cybertec.at">laurenz.albe@cybertec.a=
t</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin=
:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"=
>On Mon, 2025-07-14 at 17:59 +0530, Amol Inamdar wrote:<br>
&gt; If I am not mistaken, below is my understanding of your suggestion.=C2=
=A0<br>
&gt; <br>
&gt; Suppose that My mount point on the NFS server is say /nfs-mount/postgr=
es/=C2=A0<br>
&gt; and you are suggesting to have a data directory as say /nfs-mount/post=
gres/db or something like=C2=A0that ?=C2=A0<br>
&gt; and assign this value to the PGDATA ?=C2=A0<br>
&gt; <br>
&gt; If that is the case, then when and who should be creating the director=
y DB ?=C2=A0<br>
&gt; <br>
&gt; Please correct me if I am wrong about the understanding.<br>
<br>
You understood me perfectly well.<br>
<br>
The data directory can either be created by &quot;initdb&quot;, in which ca=
se<br>
the mount point must allow the PostgreSQL user to create a directory.<br>
You could set the group of the mount point to the group of the<br>
PostgreSQL user and use permissions 1770, which should be perfectly safe.<b=
r>
<br>
Alternatively, the root user could create the data directory with the<br>
correct ownership and permissions prior to running &quot;initdb&quot;.<br>
<br>
Yours,<br>
Laurenz Albe<br>
</blockquote></div><div><br clear=3D"all"></div><div><br></div><span class=
=3D"gmail_signature_prefix">-- </span><br><div dir=3D"ltr" class=3D"gmail_s=
ignature">-regards<br>Amol</div></div>

--00000000000003c7ee0639e34668--