Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1ubYk0-002KTZ-J2 for pgsql-general@arkaria.postgresql.org; Tue, 15 Jul 2025 06:02:12 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1ubYjy-00HKl9-MB for pgsql-general@arkaria.postgresql.org; Tue, 15 Jul 2025 06:02:11 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1ubYjy-00HKjr-AT for pgsql-general@lists.postgresql.org; Tue, 15 Jul 2025 06:02:10 +0000 Received: from mail-wr1-x436.google.com ([2a00:1450:4864:20::436]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1ubYjx-007MGY-1A for pgsql-general@lists.postgresql.org; Tue, 15 Jul 2025 06:02:10 +0000 Received: by mail-wr1-x436.google.com with SMTP id ffacd0b85a97d-3b5e6bfb427so2600993f8f.2 for ; Mon, 14 Jul 2025 23:02:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cybertec.at; s=google; t=1752559328; x=1753164128; darn=lists.postgresql.org; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:cc:to:from:subject:message-id:from:to:cc:subject :date:message-id:reply-to; bh=cmFL54FufIDWNbWqMI0MV2TVrPxFPk4O6wfec3Dq+/s=; b=PbKotxUM8pRgngBrv6BjKeZxbQFqdK3c9n4e3hOHHjzTtyISppf62X7gx4f5w5q7Fy FaI8C/67ua2cGLMWL7MiXmL+4xg2TuVED74Gb7t++TjxohIUiyprsJlUsOuGtoin9d9w kLIZADoq7s9zHwHXtzHzZzmww3psy+JoeyQBtJEF3zkTQGib8MgJvMJ4NiKC2HWWqPW0 Q8fJrwLuNOhQ7vcMIx/JupSp4adTw0uJg8mgjODf3vZS1PgNnEbPhNOQ4nIIBB8Yv1zL wr0hbbAvNMk1N65/SDnDuJ50KzQc6Z5HYdRTQ1AE9IU8LEo76IuYIcTE4jZHlBnQfAHn yusw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752559328; x=1753164128; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:cc:to:from:subject:message-id:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=cmFL54FufIDWNbWqMI0MV2TVrPxFPk4O6wfec3Dq+/s=; b=RA2sOMwyxkGq2A/fPeSYWFZNggfctI7qCCmRNP7Y68Btc4SAdL3+HJEUmN3FDbvyBK p4GH6UH7rrTHBYjY8gf8qLb72q6Yf7cDrhpmfimOs268SePFQRGkp2DGnTaTmHZ2x70r Mk6lETUGBbDlxVO8RozCr9zpSyKTQRcdjkGc7YOTKuSaArTkBjn8F5NL/aunlCQM+cpk vfmN/H4XHPF7OBURAV8GR9Wc7ALChTtQApTRkrV7C3N4FWGZxSd1RS+LTbKa/Jo2CZL8 sJ8ox+65j8NHBCJUiBow20GG90nHsFKoyMtcBVUnRNY+zxcNoIPgSfkt8RyQiJHVk9Yk F89w== X-Gm-Message-State: AOJu0Yzb6QqAYV45QXTbrwHBz7+2FGl+BOATVICTnio8ytejcd6lQw9d 1kpV6//e5e7eivZ+8yaDQply35nbjlT/3XvfZM6sEtoqYAH2uA9gh07qAHr9XVx8DWA= X-Gm-Gg: ASbGnctQyotjbJyKn7NLw1v/yhBnaTB1M0auCYLxrc1lrsLt7Z+OMruTVOcp9qm5jwa TL80TGz5JKJDUMDOY5vySpN2YCy3afmfNwpIegOHqckfXEuAIAIV2ttlIJ/sqSMwO2ljluIfuqw SpgRooECPRDBaAww2Zo4yh/nihAJ1UsGRrLw5sY274k0T/uBHWPdGFx4OgIrKtECpAfqwUF3R6I epN8zexRQDKA4kCHiEfRyn4fmkJJa7cNPyhYRkR9r3xEN7xZ/v7Z6zs28agFHwoilsF9xlLxOkK b84AIt+z3lTTgy29G7IbDW1bx8jQKKlfPquweHsfEAR79BQVnoMUzIBLa0BEdMIguLyiVptQRQ2 DRQtekrZfpkyDSYxNj+ZLkLMzIuPWQ/GX2ZzaoIyMWa2ZtGaYbUXg X-Google-Smtp-Source: AGHT+IFahJym2rIxI87Upq65Me1VYhZj3Aa7nGyMF2wIaCtsQj2XlkkqFbkdBDTjN5HFk3OKruGgjw== X-Received: by 2002:a05:6000:2c08:b0:3a4:dc2a:924e with SMTP id ffacd0b85a97d-3b5f187b273mr12691478f8f.6.1752559327712; Mon, 14 Jul 2025 23:02:07 -0700 (PDT) Received: from laurenz.albe-K4N0CV00F97414D ([2001:871:260:6670:8653:2e94:b4f9:98f9]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3b5e8e14ce6sm14415622f8f.68.2025.07.14.23.02.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 14 Jul 2025 23:02:06 -0700 (PDT) Message-ID: Subject: Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS) From: Laurenz Albe To: Tom Lane , "Peter J. Holzer" Cc: pgsql-general@lists.postgresql.org Date: Tue, 15 Jul 2025 08:02:06 +0200 In-Reply-To: <708241.1752517845@sss.pgh.pa.us> References: <13e3100fc7c7d14919c37943dcfd76b263cecce2.camel@cybertec.at> <609925.1752502040@sss.pgh.pa.us> <20250714182016.23ypyxgtq6vbgl4c@hjp.at> <708241.1752517845@sss.pgh.pa.us> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.56.2 (3.56.2-1.fc42) MIME-Version: 1.0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Mon, 2025-07-14 at 14:30 -0400, Tom Lane wrote: > (I have a vague idea that there are system-level security hazards, > not specific to Postgres, if mount-point directories are publicly > writable.=C2=A0 Don't feel like researching that though.) Well, if you are using an ext? file system, there is a lost+found directory where fsck places links to orphaned inodes. If the PostgreSQL user owns the mount point and wants to use "initdb" to create a data directory in it, the program will fail and complain that the directory is not empty. The danger is great that the user removes the lost+found directory to solve the problem. True, one could re-create it with "mklost+found", but if a DBA is uneducated enough to remove the directory in the first place, the risk is high that he wouldn't think of creating it again, which is a problem if the file system ever becomes corrupted. All this doesn't apply to NFS, but it is yet another reason (apart from the safety of a subdirectory that doesn't exist on the file system underlying the mount point) why we should continue to recommend that the data directory be not a mount point. Yours, Laurenz Albe