public inbox for [email protected]  
From: Amol Inamdar <[email protected]>
To: [email protected]
Subject: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
Date: Mon, 14 Jul 2025 11:19:55 +0530
Message-ID: <CAGOe9RiRUK9K8gUbsMfg8nWDsM2Fd9py-2oe4VG1Uaggu8fQGA@mail.gmail.com>

Dear PostgreSQL Community,

I'm currently running PostgreSQL version 16.6 inside a Docker container
(base image: UBI 9), using Docker Compose. The PostgreSQL data directory
is mounted from an NFS volume hosted on a z/OS NFS server.

The environment has a few constraints:

- The NFS server runs on z/OS with AT-TLS enabled.
- It’s a highly secure and access-controlled setup.
- Due to platform restrictions on z/OS, the mounted NFS directory cannot
  be owned by the PostgreSQL user (e.g., `postgres`) inside the container.
- As a result, PostgreSQL fails to start because of the directory
  ownership validation check.

Given the secure nature of the NFS server, I’d like to ask:

1. Is there a supported or recommended way to bypass the ownership
   check on the data directory?
2. What are the potential risks or implications of doing so in a secure
   NFS environment?
3. I'm considering building a custom PostgreSQL image by modifying the
   `miscinit.c` file—specifically, disabling the ownership check in the
   `checkDataDir()` function. Is this a reasonable approach, and are
   there any caveats or unintended side effects I should be aware of?

**Disclaimer**: The z/OS NFS server is secured using AT-TLS and enforces
strict access control policies. My intention is not to weaken
PostgreSQL’s security model, but to adapt to platform-specific
constraints while maintaining overall security integrity.

Any insights, experiences, or alternative suggestions would be greatly
appreciated.

Best regards,
Amol
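
Added example, not part of the original message and not PostgreSQL source code: a stand-alone diagnostic that applies the same two tests the server's data-directory validation performs on POSIX platforms (owner uid equals the server's effective uid; no group-write or "other" permission bits), so the exact failing condition can be seen from inside the container. The function, enum and macro names are hypothetical.

```c
/* Added diagnostic sketch written from scratch; names are hypothetical,
 * not PostgreSQL's. Run it as the same user the server runs as. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Bits that must be clear: group write and all access for "other". */
#define DD_FORBIDDEN_BITS (S_IWGRP | S_IRWXO)

typedef enum { DD_OK, DD_STAT_FAILED, DD_NOT_DIRECTORY,
               DD_WRONG_OWNER, DD_BAD_PERMISSIONS } dd_status;

/* Classify a directory as a server running as server_uid would see it. */
dd_status check_data_dir(const char *path, uid_t server_uid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return DD_STAT_FAILED;
    if (!S_ISDIR(st.st_mode))
        return DD_NOT_DIRECTORY;
    if (st.st_uid != server_uid)          /* the ownership check from the post */
        return DD_WRONG_OWNER;
    if (st.st_mode & DD_FORBIDDEN_BITS)   /* 0700 and 0750 pass; 0770, 0755 fail */
        return DD_BAD_PERMISSIONS;
    return DD_OK;
}

const char *dd_describe(dd_status s)
{
    switch (s) {
    case DD_OK:              return "ownership and mode acceptable";
    case DD_STAT_FAILED:     return "cannot stat path";
    case DD_NOT_DIRECTORY:   return "not a directory";
    case DD_WRONG_OWNER:     return "owner uid differs from server uid";
    case DD_BAD_PERMISSIONS: return "group-writable or accessible to others";
    }
    return "unknown";
}

int main(int argc, char **argv)
{
    struct stat st;
    const char *path = argc > 1 ? argv[1] : ".";
    if (stat(path, &st) == 0)   /* show the uid and mode the NFS client reports */
        printf("owner uid=%ld mode=%04o, running as uid=%ld\n", (long) st.st_uid,
               (unsigned) (st.st_mode & 07777), (long) geteuid());
    dd_status s = check_data_dir(path, geteuid());
    printf("%s: %s\n", path, dd_describe(s));
    return s == DD_OK ? 0 : 1;
}
```

The printed owner uid is the one the NFS client presents after any identity mapping, which is the value the server compares against its own effective uid.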

