From: Amol Inamdar
Date: Mon, 14 Jul 2025 17:59:12 +0530
Subject: Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
To: Laurenz Albe
Cc: pgsql-general@lists.postgresql.org
In-Reply-To: <13e3100fc7c7d14919c37943dcfd76b263cecce2.camel@cybertec.at>

Hi Laurenz,

Thanks for the reply. If I am not mistaken, below is my understanding of your suggestion.

Suppose that my mount point on the NFS server is, say, /nfs-mount/postgres/ and you are suggesting to have a data directory as, say, /nfs-mount/postgres/db or something like that, and assign this value to PGDATA?

If that is the case, then when and who should be creating the directory DB?

Please correct me if I am wrong about the understanding.

Thanks,
Amol

On Mon, Jul 14, 2025 at 5:50 PM Laurenz Albe wrote:
> On Mon, 2025-07-14 at 11:19 +0530, Amol Inamdar wrote:
> > I'm currently running PostgreSQL version 16.6 inside a Docker container
> > (base image: UBI 9), using Docker Compose. The PostgreSQL data directory
> > is mounted from an NFS volume hosted on a z/OS NFS server.
> >
> > The environment has a few constraints:
> >
> > - It's a highly secure and access-controlled setup.
> > - Due to platform restrictions on z/OS, the mounted NFS directory cannot
> >   be owned by the PostgreSQL user (e.g., `postgres`) inside the container.
> > - As a result, PostgreSQL fails to start because of the directory
> >   ownership validation check.
>
> It is not a good idea to have a mount point be the data directory.
> The proper solution is to create the data directory inside the
> mount point. That way, the permissions of the data directory don't
> have to be the same as the permissions of the mount point.
>
> Yours,
> Laurenz Albe

-- 
-regards
Amol
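An added example, not code from the thread: a preflight script that creates the data directory as a subdirectory inside the NFS mount (the layout Laurenz describes) and then applies the same two tests the postmaster applies to PGDATA at startup, so an operator can see before the server starts whether the subdirectory would pass while the mount point itself stays owned by someone else. It assumes GNU coreutils `stat`, that it runs as the user that will run the server (for instance from a container entrypoint), and that the NFS export lets that user create the subdirectory and reports it back under the same uid; the mount path /nfs-mount/postgres and the subdirectory name db are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Preflight for a PostgreSQL data
# directory that lives *inside* an NFS mount rather than being the mount.
# Assumptions: GNU coreutils `stat`; this runs as the user that will run
# the server; the NFS export lets that user mkdir and reports the new
# directory back with that user's uid.

# pgdata_check DIR: apply the two startup checks postgres makes on PGDATA.
# Returns 0 if DIR would pass, 1 (with a reason on stderr) otherwise.
pgdata_check() {
    pd_dir=$1
    [ -d "$pd_dir" ] || { echo "$pd_dir: no such directory" >&2; return 1; }
    pd_owner=$(stat -c %u "$pd_dir") || return 1
    pd_mode=$(stat -c %a "$pd_dir") || return 1
    # Check 1: the owner must be the effective uid of the server process.
    if [ "$pd_owner" != "$(id -u)" ]; then
        echo "$pd_dir: wrong ownership (uid $pd_owner, running as $(id -u))" >&2
        return 1
    fi
    # Check 2: no group-write and no world bits (mask 0027); 0700 and 0750
    # pass, anything more permissive is rejected.
    if [ $(( 0$pd_mode & 027 )) -ne 0 ]; then
        echo "$pd_dir: invalid permissions (mode $pd_mode)" >&2
        return 1
    fi
    return 0
}

# pgdata_prepare MOUNT SUBDIR: create MOUNT/SUBDIR with mode 0700, verify it
# with pgdata_check, and print the path to export as PGDATA.
pgdata_prepare() {
    pp_mount=$1
    pp_path=$1/$2
    [ -d "$pp_mount" ] || { echo "$pp_mount: mount point not present" >&2; return 1; }
    # The mount point itself is never inspected by postgres, so its owner
    # (root, or whatever the z/OS export presents) does not matter here.
    [ -d "$pp_path" ] || mkdir "$pp_path" || return 1
    chmod 700 "$pp_path" || return 1
    pgdata_check "$pp_path" || return 1
    printf '%s\n' "$pp_path"
}

# Usage from an entrypoint run as the postgres user (path from the thread):
#   PGDATA=$(pgdata_prepare /nfs-mount/postgres db) || exit 1
#   export PGDATA
```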