Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Ron Johnson <[email protected]>
To: pgsql-general <[email protected]>
Subject: Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
Date: Thu, 17 Jul 2025 09:13:15 -0400
Message-ID: <CANzqJaBiYh6xitaAmUML5_0FFQjOCyrP-BUFgRykfUTCP4GBEg@mail.gmail.com> (raw)
In-Reply-To: <CAKAnmmKuAF94tTGvjhujLbvjX7g_m-yNp824U=yRQ_xE5LAy-g@mail.gmail.com>
References: <CAGOe9RiRUK9K8gUbsMfg8nWDsM2Fd9py-2oe4VG1Uaggu8fQGA@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<CAGOe9RirtoXtMJhejo4_V+Si83+c4gfM_E-DH9WqaEBJ9SnfiA@mail.gmail.com>
	<CAGOe9RiBSEZo3c8akePA+11HmV1JHx0Lsk57-fGfM0DEf4ekXg@mail.gmail.com>
	<CAKAnmmKuAF94tTGvjhujLbvjX7g_m-yNp824U=yRQ_xE5LAy-g@mail.gmail.com>

On Wed, Jul 16, 2025 at 8:42 PM Greg Sabino Mullane <[email protected]>
wrote:

> On Wed, Jul 16, 2025 at 9:25 AM Amol Inamdar <[email protected]> wrote:
>
>>
>>    1. NFS mount point is for /nfs-mount/postgres (and permissions locked
>>    down so that Postgres cannot create directories in here)
>>    2. Postgres data directory is /nfs-mount/postgres/db
>>    3.
>>
>>    With secured NFS + AT-TLS setup Postgres will be able to write to
>>    data directory but not parent dir, however the file ownership information
>>    Postgres sees from the stat() call will not match the Postgres user in the
>>    container (even though the AT-TLS strict access control will ensure only
>>    the Posgres user can read/write to this directory)
>>
>> This thread is fascinating. It's like combining two of the most annoying
> technologies in the world, NFS and SELinux, into something worse than
> either of them.
>
> Many people use Docker, and NFS, and Postgres all the time. Stop trying to
> push on a string.  Conform your process to Postgres' fairly minimal and
> sane requirements, rather than the other way around.
>

Unless "all databases must be stored on the mainframe, Because Mainframes
Are Secure" is dogma in that shop, and there's no way the CISO will make an
exception for some random program off the Internet.  "Heck, it's probably
got malware in it!!"

-- 
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected]
  Subject: Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
  In-Reply-To: <CANzqJaBiYh6xitaAmUML5_0FFQjOCyrP-BUFgRykfUTCP4GBEg@mail.gmail.com>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox