MIME-Version: 1.0
References: <CAGOe9RiRUK9K8gUbsMfg8nWDsM2Fd9py-2oe4VG1Uaggu8fQGA@mail.gmail.com>
 <13e3100fc7c7d14919c37943dcfd76b263cecce2.camel@cybertec.at>
 <609925.1752502040@sss.pgh.pa.us> <CAGOe9RirtoXtMJhejo4_V+Si83+c4gfM_E-DH9WqaEBJ9SnfiA@mail.gmail.com>
In-Reply-To: <CAGOe9RirtoXtMJhejo4_V+Si83+c4gfM_E-DH9WqaEBJ9SnfiA@mail.gmail.com>
From: Amol Inamdar <amol.aai@gmail.com>
Date: Wed, 16 Jul 2025 18:54:50 +0530
Message-ID: <CAGOe9RiBSEZo3c8akePA+11HmV1JHx0Lsk57-fGfM0DEf4ekXg@mail.gmail.com>
Subject: Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with
 Secure z/OS NFS (AT-TLS)
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Laurenz Albe <laurenz.albe@cybertec.at>, pgsql-general@lists.postgresql.org
Content-Type: multipart/alternative; boundary="000000000000009ee1063a0bd285"
Archived-At: <https://www.postgresql.org/message-id/CAGOe9RiBSEZo3c8akePA%2B11HmV1JHx0Lsk57-fGfM0DEf4ekXg%40mail.gmail.com>
Precedence: bulk

--000000000000009ee1063a0bd285
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi All,

I would like to rephrase the question a little bit, below is how our setup
going to be

   1. NFS mount point is for /nfs-mount/postgres (and permissions locked
   down so that Postgres cannot create directories in here)
   2. Postgres data directory is /nfs-mount/postgres/db
   3.

   With secured NFS + AT-TLS setup Postgres will be able to write to data
   directory but not parent dir, however the file ownership information
   Postgres sees from the stat() call will not match the Postgres user in t=
he
   container (even though the AT-TLS strict access control will ensure only
   the Posgres user can read/write to this directory)

Considering the above scenario/setup, what is the danger of removing the
ownership check in miscinit.c checkDataDir() function ?


On Tue, Jul 15, 2025 at 5:06=E2=80=AFPM Amol Inamdar <amol.aai@gmail.com> w=
rote:

> Thanks Tom and Laurenz for the explanation.
> Let me try out a few things and get back to you if needed.
>
> Thanks,
> Amol
>
> On Mon, Jul 14, 2025 at 7:37=E2=80=AFPM Tom Lane <tgl@sss.pgh.pa.us> wrot=
e:
>
>> Laurenz Albe <laurenz.albe@cybertec.at> writes:
>> > It is not a good idea to have a mount point be the data directory.
>>
>> ^^^ This. ^^^
>>
>> That is primarily for safety reasons: if for some reason the
>> filesystem gets dismounted, or hasn't come on-line yet during
>> a reboot, you do not want Postgres to be able to write on the
>> underlying mount-point directory.  There is a sobering tale
>> in this old thread:
>>
>>
>> https://www.postgresql.org/message-id/flat/41BFAB7C.5040108%40joeconway.=
com
>>
>> Now it didn't help any that they were using a start script that
>> would automatically run initdb if it didn't see a data directory
>> where expected.  But even without that, you are in for a world of
>> hurt if the mount drops while the server is running and the server
>> has any ability to write on the underlying storage; it will think
>> whatever it was able to write is safely down on disk.  To prevent
>> that, the server must not have write permissions on the mount
>> point, which dictates making a separate data directory (with
>> different ownership/permissions) just below the mount.
>>
>> Do not bypass that ownership/permissions check.  It is there
>> for very good reasons.
>>
>>                         regards, tom lane
>>
>
>
> --
> -regards
> Amol
>


--=20
-regards
Amol

--000000000000009ee1063a0bd285
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi All,<div><br></div><div>I would like to rephrase the qu=
estion a little bit, below is how our setup going to be=C2=A0</div><div>


<ol class=3D"gmail-ol1">
<li class=3D"gmail-li1" style=3D"margin:0px;font-variant-numeric:normal;fon=
t-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust=
:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;fo=
nt-size:13px;line-height:normal;font-family:&quot;Helvetica Neue&quot;">NFS=
 mount point is for /nfs-mount/postgres (and permissions locked down so tha=
t Postgres cannot create directories in here)</li><li class=3D"gmail-li1" s=
tyle=3D"margin:0px;font-variant-numeric:normal;font-variant-east-asian:norm=
al;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;f=
ont-feature-settings:normal;font-stretch:normal;font-size:13px;line-height:=
normal;font-family:&quot;Helvetica Neue&quot;">Postgres data directory is /=
nfs-mount/postgres/db</li><li class=3D"gmail-li1" style=3D"margin:0px;font-=
variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternat=
es:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:nor=
mal;font-stretch:normal;font-size:13px;line-height:normal;font-family:&quot=
;Helvetica Neue&quot;">


<p class=3D"gmail-p1" style=3D"margin:0px;font-variant-numeric:normal;font-=
variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:n=
one;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;line=
-height:normal">With secured NFS + AT-TLS setup Postgres will be able to wr=
ite to data directory but not parent dir, however the file ownership inform=
ation Postgres sees from the=C2=A0stat()=C2=A0call will not match the Postg=
res user in the container (even though the AT-TLS strict access control wil=
l ensure only the Posgres user can read/write to this directory)</p></li></=
ol><div><font face=3D"Helvetica Neue">Considering the above scenario/setup,=
=C2=A0</font><span style=3D"font-family:&quot;Helvetica Neue&quot;;font-siz=
e:13px">what is the danger of removing the ownership check in=C2=A0miscinit=
.c=C2=A0checkDataDir()=C2=A0function ?=C2=A0</span></div>


</div><div><br></div></div><br><div class=3D"gmail_quote gmail_quote_contai=
ner"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, Jul 15, 2025 at 5:06=E2=
=80=AFPM Amol Inamdar &lt;<a href=3D"mailto:amol.aai@gmail.com">amol.aai@gm=
ail.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"=
margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-lef=
t:1ex"><div dir=3D"ltr">Thanks Tom and Laurenz for the explanation.=C2=A0<d=
iv>Let me try out a few things and get back to you if needed.<div><br></div=
><div>Thanks,</div><div>Amol</div></div></div><br><div class=3D"gmail_quote=
"><div dir=3D"ltr" class=3D"gmail_attr">On Mon, Jul 14, 2025 at 7:37=E2=80=
=AFPM Tom Lane &lt;<a href=3D"mailto:tgl@sss.pgh.pa.us" target=3D"_blank">t=
gl@sss.pgh.pa.us</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" =
style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);pa=
dding-left:1ex">Laurenz Albe &lt;<a href=3D"mailto:laurenz.albe@cybertec.at=
" target=3D"_blank">laurenz.albe@cybertec.at</a>&gt; writes:<br>
&gt; It is not a good idea to have a mount point be the data directory.<br>
<br>
^^^ This. ^^^<br>
<br>
That is primarily for safety reasons: if for some reason the<br>
filesystem gets dismounted, or hasn&#39;t come on-line yet during<br>
a reboot, you do not want Postgres to be able to write on the<br>
underlying mount-point directory.=C2=A0 There is a sobering tale<br>
in this old thread:<br>
<br>
<a href=3D"https://www.postgresql.org/message-id/flat/41BFAB7C.5040108%40jo=
econway.com" rel=3D"noreferrer" target=3D"_blank">https://www.postgresql.or=
g/message-id/flat/41BFAB7C.5040108%40joeconway.com</a><br>
<br>
Now it didn&#39;t help any that they were using a start script that<br>
would automatically run initdb if it didn&#39;t see a data directory<br>
where expected.=C2=A0 But even without that, you are in for a world of<br>
hurt if the mount drops while the server is running and the server<br>
has any ability to write on the underlying storage; it will think<br>
whatever it was able to write is safely down on disk.=C2=A0 To prevent<br>
that, the server must not have write permissions on the mount<br>
point, which dictates making a separate data directory (with<br>
different ownership/permissions) just below the mount.<br>
<br>
Do not bypass that ownership/permissions check.=C2=A0 It is there<br>
for very good reasons.<br>
<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 regards, tom lane<br>
</blockquote></div><div><br clear=3D"all"></div><div><br></div><span class=
=3D"gmail_signature_prefix">-- </span><br><div dir=3D"ltr" class=3D"gmail_s=
ignature">-regards<br>Amol</div>
</blockquote></div><div><br clear=3D"all"></div><div><br></div><span class=
=3D"gmail_signature_prefix">-- </span><br><div dir=3D"ltr" class=3D"gmail_s=
ignature">-regards<br>Amol</div>

--000000000000009ee1063a0bd285--