public inbox for [email protected]
help / color / mirror / Atom feedFrom: Amol Inamdar <[email protected]>
To: Laurenz Albe <[email protected]>
Cc: [email protected]
Subject: Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
Date: Tue, 15 Jul 2025 17:05:04 +0530
Message-ID: <CAGOe9RjvC0x0cOn4K-2ZXfrZODi6ZoFF5PUQMZixS5vu+2=m0A@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <CAGOe9RiRUK9K8gUbsMfg8nWDsM2Fd9py-2oe4VG1Uaggu8fQGA@mail.gmail.com>
<[email protected]>
<CAGOe9RijT-5X=UoeGv_TeW=KVVV9xvBBSwY9V-a=n_8GyzdRDA@mail.gmail.com>
<[email protected]>
<CAGOe9Ri8aNao0SB8kkm0F6xp=TPe5XWHpcA9MEBkY4kp-6Bjig@mail.gmail.com>
<[email protected]>
Thanks Laurenz.
On Mon, Jul 14, 2025 at 8:11 PM Laurenz Albe <[email protected]>
wrote:
> On Mon, 2025-07-14 at 18:32 +0530, Amol Inamdar wrote:
> > > The data directory can either be created by "initdb", in which case
> > > the mount point must allow the PostgreSQL user to create a directory.
> > > You could set the group of the mount point to the group of the
> > > PostgreSQL user and use permissions 1770, which should be perfectly
> safe.
> >
> > This exactly is the problem we are facing, to give you a summary,
> > our NFS server is enabled with AT-TLS authentication
> > and we are accessing the server via a proxy server (Haproxy).
> > This acts as our NFS client and it is configured with the
> > required client certificates.
> >
> > The outcome of above configuration is that any directory created
> > in the NFS mount is always owned by the user in the certificates
> > and if that user isn't present in the proxy container it is marked
> > as nobody:nogroup, we tried various things like
> > created the user similar to postgres user so that the users ids match
> but
> > always ended up giving error “data directory “/var/lib” has wrong
> ownership
> >
> > Hence, we thought of skipping this check (Directory owner and postgres
> user validation) and
> > wanted to understand the implication of the same.
>
> No; don't.
>
> Simply mount the directory once, create a subdirectory with the
> appropriate ownership and permissions, and there you go.
> Problem solved.
>
> Yours,
> Laurenz Albe
>
--
-regards
Amol
view thread (3+ messages)
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
In-Reply-To: <CAGOe9RjvC0x0cOn4K-2ZXfrZODi6ZoFF5PUQMZixS5vu+2=m0A@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox