From: Greg Sabino Mullane
Date: Wed, 16 Jul 2025 20:41:44 -0400
Subject: Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
To: Amol Inamdar
Cc: Tom Lane, Laurenz Albe, pgsql-general@lists.postgresql.org
On Wed, Jul 16, 2025 at 9:25 AM Amol Inamdar wrote:
>
> 1. NFS mount point is for /nfs-mount/postgres (and permissions locked
> down so that Postgres cannot create directories in here)
> 2. Postgres data directory is /nfs-mount/postgres/db
> 3. With secured NFS + AT-TLS setup Postgres will be able to write to data
> directory but not parent dir, however the file ownership information
> Postgres sees from the stat() call will not match the Postgres user in the
> container (even though the AT-TLS strict access control will ensure only
> the Postgres user can read/write to this directory)
>

This thread is fascinating. It's like combining two of the most annoying
technologies in the world, NFS and SELinux, into something worse than either
of them.

Many people use Docker, and NFS, and Postgres all the time. Stop trying to
push on a string. Conform your process to Postgres' fairly minimal and sane
requirements, rather than the other way around.

Cheers,
Greg

--
Crunchy Data - https://www.crunchydata.com
Enterprise Postgres Software Products & Tech Support
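The check the thread is about, as an added stand-alone example (not code from the original post and not PostgreSQL's own source): at startup the postmaster stat()s the data directory and refuses to start unless it is owned by the effective uid the server runs as and its mode is 0700 or 0750 (no group-write bit, no "other" bits). The script below re-implements those two conditions so you can run it inside the container against the NFS-backed directory before starting the server; on a mount that maps identities the way the AT-TLS setup above does, the uid that stat() reports is the value the first condition compares, which is where the mismatch Amol describes shows up. The function and constant names, the wording of the reasons, and the temporary directory in demo() are all this example's own assumptions.

```python
"""Stand-alone re-implementation of the two conditions PostgreSQL applies
to its data directory at startup (added example, not PostgreSQL's code):
  1. the directory is owned by the uid the server process runs as;
  2. the mode is 0700 or 0750: no group-write bit and no "other" bits.
Run it against an NFS-backed data directory to see the uid and mode the
server will actually get back from stat() over that mount."""
import os
import stat
import tempfile
from typing import List, Optional, Tuple

# Mode bits the server rejects: group write, plus anything for "other".
FORBIDDEN_MODE_BITS = stat.S_IWGRP | stat.S_IRWXO  # 0o027


def check_data_dir(path: str, expected_uid: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason). expected_uid defaults to the current effective uid,
    which is what the server compares st_uid against; passing another uid lets
    you ask "would this directory pass for user X" without switching users."""
    if expected_uid is None:
        expected_uid = os.geteuid()
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, f"{path} does not exist"
    if not stat.S_ISDIR(st.st_mode):
        return False, f"{path} is not a directory"
    if st.st_uid != expected_uid:
        return False, (f"wrong ownership: {path} is owned by uid {st.st_uid}, "
                       f"server would run as uid {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & FORBIDDEN_MODE_BITS:
        return False, f"invalid permissions: mode is {mode:04o}, expected 0700 or 0750"
    return True, f"ok: uid {st.st_uid}, mode {mode:04o}"


def demo() -> List[Tuple[bool, str]]:
    """Exercise the check on a constructed temporary directory (a local dir,
    not an NFS mount): two passing modes, two failing modes, then a faked
    ownership mismatch like the one the thread describes."""
    results = []
    d = tempfile.mkdtemp(prefix="pgdata-")
    try:
        for mode in (0o700, 0o750, 0o755, 0o770):
            os.chmod(d, mode)
            results.append(check_data_dir(d))
        os.chmod(d, 0o700)
        # Simulate stat() reporting a uid other than the server's: ask whether
        # the directory would pass for uid+1 instead of the real owner.
        results.append(check_data_dir(d, expected_uid=os.geteuid() + 1))
    finally:
        os.rmdir(d)
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print("PASS" if ok else "FAIL", reason)
```

Point it at the real directory with `check_data_dir("/nfs-mount/postgres/db")` from inside the container; if the reason starts with "wrong ownership", the uid in that message is what the server sees over the mount, regardless of what AT-TLS enforces on the z/OS side.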