From: Ron Johnson
Date: Thu, 17 Jul 2025 09:13:15 -0400
Subject: Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
To: pgsql-general

On Wed, Jul 16, 2025 at 8:42 PM Greg Sabino Mullane wrote:

> On Wed, Jul 16, 2025 at 9:25 AM Amol Inamdar wrote:
>
>> 1. NFS mount point is for /nfs-mount/postgres (and permissions locked
>> down so that Postgres cannot create directories in here)
>> 2. Postgres data directory is /nfs-mount/postgres/db
>> 3. With secured NFS + AT-TLS setup Postgres will be able to write to
>> data directory but not parent dir, however the file ownership information
>> Postgres sees from the stat() call will not match the Postgres user in the
>> container (even though the AT-TLS strict access control will ensure only
>> the Postgres user can read/write to this directory)
>
> This thread is fascinating. It's like combining two of the most annoying
> technologies in the world, NFS and SELinux, into something worse than
> either of them.
>
> Many people use Docker, and NFS, and Postgres all the time. Stop trying to
> push on a string. Conform your process to Postgres' fairly minimal and
> sane requirements, rather than the other way around.

Unless "all databases must be stored on the mainframe, Because Mainframes
Are Secure" is dogma in that shop, and there's no way the CISO will make an
exception for some random program off the Internet. "Heck, it's probably
got malware in it!!"

--
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!
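The startup check the thread is arguing about, as an added C illustration modeled on what PostgreSQL does (this is not PostgreSQL's code and not from anyone in the thread): the data directory's owner must equal the effective uid of the server process, and its mode must be u=rwx (0700) or u=rwx,g=rx (0750). Both facts come from stat(), so on a mount that reports a server-side uid the ownership step fails even when the mount's own access control is tight; the function names and the status enum are assumptions made for this example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of the data-directory check (names chosen for this example). */
enum datadir_status {
    DATADIR_OK = 0,
    DATADIR_NOT_DIR = 1,     /* stat() failed or the path is not a directory */
    DATADIR_WRONG_OWNER = 2, /* st_uid differs from our effective uid */
    DATADIR_BAD_MODE = 3     /* group-write or any "other" permission bit set */
};

/* Check a candidate data directory the way a PostgreSQL server does at
 * startup: owned by the effective uid of the process, mode 0700 or 0750.
 * Both the uid and the mode are whatever stat() reports, so on an NFS
 * mount the uid may be a server-side identity that matches no local
 * user. seen_uid (optional) receives the uid stat() reported. */
enum datadir_status check_data_dir(const char *path, uid_t *seen_uid)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return DATADIR_NOT_DIR;
    if (seen_uid)
        *seen_uid = st.st_uid;
    if (!S_ISDIR(st.st_mode))
        return DATADIR_NOT_DIR;
    if (st.st_uid != geteuid())
        return DATADIR_WRONG_OWNER;
    /* Reject group write and any access for "other"; 0700 and 0750 pass. */
    if (st.st_mode & (S_IWGRP | S_IRWXO))
        return DATADIR_BAD_MODE;
    return DATADIR_OK;
}

int main(int argc, char **argv)
{
    static const char *text[] = { "ok", "not a directory or cannot stat",
        "wrong ownership (uid does not match)",
        "invalid permissions (need 0700 or 0750)" };
    const char *path = argc > 1 ? argv[1] : ".";
    uid_t uid = 0;
    enum datadir_status s = check_data_dir(path, &uid);
    printf("%s: %s (stat uid=%u, euid=%u)\n", path, text[s],
           (unsigned)uid, (unsigned)geteuid());
    return s == DATADIR_OK ? 0 : 1;
}
```

Run it against the mounted directory to see the uid the filesystem actually reports next to the uid the process runs as; a mismatch between the two is the "wrong ownership" outcome regardless of how the mount itself is secured.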