Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1ubdwQ-003QF7-Hm for pgsql-general@arkaria.postgresql.org; Tue, 15 Jul 2025 11:35:22 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1ubdwO-001OKB-8C for pgsql-general@arkaria.postgresql.org; Tue, 15 Jul 2025 11:35:20 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1ubdwN-001OK2-Sx for pgsql-general@lists.postgresql.org; Tue, 15 Jul 2025 11:35:20 +0000 Received: from mail-ej1-x62f.google.com ([2a00:1450:4864:20::62f]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1ubdwM-007Olu-25 for pgsql-general@lists.postgresql.org; Tue, 15 Jul 2025 11:35:19 +0000 Received: by mail-ej1-x62f.google.com with SMTP id a640c23a62f3a-ae9be1697easo70292566b.1 for ; Tue, 15 Jul 2025 04:35:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1752579317; x=1753184117; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=wcYHA1hPHdSJ6pbUzj4p/Uw49shTok8EWYjTg5Nu6/0=; b=jY8mL30jVUA6ACIDVHJQeghNGf5hcqTnvCmGTQxYm5zVLXp6ataSu8hz46Pxrruu+7 f8CmJp8FqecpE+/9NPX0Rbn1CtR56NadXpuh+6/nW7kMK8j20JmFgmsjW0dp3s3WEU4Y os9UvaDBkwBX5bu13ROhEPHBaHBBjhsD0S0Ho0DgfWhvW9wvZgJSD2Iku4lATHF4pGQD jEQ+NLw6KLk+60VFQgOGDJ8ZI1xEeZXX9wGJs5BDZco/XeoFaY1xI+x/gQ9dqpBy5zRm PlIv5AF5+qD9/R1dNa8J9kdPHHjcYNG1BcaERbJHlOU2dTDddd7Qilb6HoVqKkYopni+ 9mKw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752579317; x=1753184117; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=wcYHA1hPHdSJ6pbUzj4p/Uw49shTok8EWYjTg5Nu6/0=; b=rub2QWgKKmW1A4G/qmrzADZ/vK89cFK/XB7uicvUx3rKnEp59kOK5/5GcV6tZacZqA KrQeVt3AKxW3wOEa2nLjwUuPPvFegrE1bUzXFdFAAns5aZmScz/6zAT2bmAjelz30Hld 3baVdqU567ugatOsjqKp4xbkTq1gCctGeAxZYsirEhGKn275NOVAj4Op4iwi+o8pjiRZ zJUIHQLb5dUaStrswAfDQtBhTfWRQgwDdgfgd/xcEe5LCUwSTrK3YFMNhaHpef7L1HPp +YUWti+pSC9jNFt76k+4rbpMNmAVZb/xgVphgFzkIXyO0WMl4bsvPl5OejegftMRvV2F kJyw== X-Gm-Message-State: AOJu0Yx4KrsPGrnGvfr/aZjOPJHCkDKLSmcUpTZQndS4498l1lU66DUz o6sWV524SmtSDhFOIhx7aujaxEiDCn7frY29UN812N4ClcF9dB6Gqd5sjWvBar9bulacrUfDhkN GTGyH/knrV7VL+8HueyaIJtOkhFZ8Xsk= X-Gm-Gg: ASbGncumzNzuN2rC1aw9LhKEdJFzLcno1OXJUpXZJL1igFvmd0qIbEe4zTn6Z5E+TQK rciyD0BsJKRDRS5Ss0P655l1EhMkYocNidFFiCTmXuLUwv11lgbwsHksDPtlrGt2QmqklWLxAWm Ln9VkKFhRkLJzrTT9Xb0Yj0f6FXnxzx2kNTl+GtZlIJTKIy3vAm6Tht9Eo4/4W2YFPez1D01Wch xHt90j8VWSe5vSbTiVR7oIyBwM29NNw6xuKBFVG4A== X-Google-Smtp-Source: AGHT+IGfv1CT+OkSM7noJ3CrkKZ5T5AClHhu9WrEq0XLTYIAJZqt/RWimJHFtaYBA1gp1BIsEAPLjzrLPShdOPYmWh4= X-Received: by 2002:a17:906:9f84:b0:ae0:a464:99d with SMTP id a640c23a62f3a-ae9b5d2bdbamr310416666b.17.1752579316515; Tue, 15 Jul 2025 04:35:16 -0700 (PDT) MIME-Version: 1.0 References: <13e3100fc7c7d14919c37943dcfd76b263cecce2.camel@cybertec.at> <0b3fb11184bf9ce6516ed1aa08af5dddc924f21c.camel@cybertec.at> In-Reply-To: From: Amol Inamdar Date: Tue, 15 Jul 2025 17:05:04 +0530 X-Gm-Features: Ac12FXxj7B1bxO7UhSXHD7_bvre0LSFbnXcA4IC2kTOmDhW0WVeDe6xda-4ONdY Message-ID: Subject: Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS) To: Laurenz Albe Cc: pgsql-general@lists.postgresql.org Content-Type: multipart/alternative; boundary="0000000000009a0b670639f62b5d" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --0000000000009a0b670639f62b5d Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Thanks Laurenz. On Mon, Jul 14, 2025 at 8:11=E2=80=AFPM Laurenz Albe wrote: > On Mon, 2025-07-14 at 18:32 +0530, Amol Inamdar wrote: > > > The data directory can either be created by "initdb", in which case > > > the mount point must allow the PostgreSQL user to create a directory. > > > You could set the group of the mount point to the group of the > > > PostgreSQL user and use permissions 1770, which should be perfectly > safe. > > > > This exactly is the problem we are facing, to give you a summary, > > our NFS server is enabled with AT-TLS authentication > > and we are accessing the server via a proxy server (Haproxy). > > This acts as our NFS client and it is configured with the > > required client certificates. > > > > The outcome of above configuration is that any directory created > > in the NFS mount is always owned by the user in the certificates > > and if that user isn't present in the proxy container it is marked > > as nobody:nogroup, we tried various things like > > created the user similar to postgres user so that the users ids match > but > > always ended up giving error =E2=80=9Cdata directory =E2=80=9C/var/lib= =E2=80=9D has wrong > ownership > > > > Hence, we thought of skipping this check (Directory owner and postgres > user validation) and > > wanted to understand the implication of the same. > > No; don't. > > Simply mount the directory once, create a subdirectory with the > appropriate ownership and permissions, and there you go. > Problem solved. > > Yours, > Laurenz Albe > --=20 -regards Amol --0000000000009a0b670639f62b5d Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Thanks Laurenz.=C2=A0

On Mon, Jul 14,= 2025 at 8:11=E2=80=AFPM Laurenz Albe <laurenz.albe@cybertec.at> wrote:
On Mon, 2025-07-14 at 18:32 +0530, Amol = Inamdar wrote:
> > The data directory can either be created by "initdb", i= n which case
> > the mount point must allow the PostgreSQL user to create a direct= ory.
> > You could set the group of the mount point to the group of the > > PostgreSQL user and use permissions 1770, which should be perfect= ly safe.
>
> This exactly is the problem we are facing, to give you a summary,=C2= =A0
> our NFS server is enabled with AT-TLS authentication
> and we are accessing the server via a proxy server (Haproxy).=C2=A0 > This acts as our NFS client and it is configured with the=C2=A0
> required client certificates.
>
> The outcome of above configuration is that any directory created=C2=A0=
> in the NFS mount is always owned by the user in the certificates=C2=A0=
> and if that user isn't present in the proxy container it is marked= =C2=A0
> as nobody:nogroup, we tried various things like
> created the user similar to postgres user so that the users ids match = but=C2=A0
> always ended up giving error=C2=A0=C2=A0=E2=80=9Cdata directory =E2=80= =9C/var/lib=E2=80=9D has wrong ownership=C2=A0
>
> Hence, we thought of skipping this check (Directory owner and postgres= user validation) and=C2=A0
> wanted to understand the implication of the same.

No; don't.

Simply mount the directory once, create a subdirectory with the
appropriate ownership and permissions, and there you go.
Problem solved.

Yours,
Laurenz Albe


--
-regards
Amol
--0000000000009a0b670639f62b5d--