Re: That mode-700 check on DATADIR again

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Chapman Flack <chap(at)anastigmatix(dot)net>
Cc: PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, David Steele <david(at)pgmasters(dot)net>
Subject: Re: That mode-700 check on DATADIR again
Date: 2017-12-12 02:55:46
Message-ID: 20171212025546.GZ4628@tamriel.snowman.net
Lists: pgsql-hackers

Greetings Chapman,

* Chapman Flack (chap(at)anastigmatix(dot)net) wrote:
> I have, more or less, this classic question:
>
> https://www.postgresql.org/message-id/4667C403.1070807%40t3go.de

[...]

> So, it seems there's at least one use case where some kind of
> no_really_the_datadir_permissions_are_fine option would be welcome
> to get around a well-intended but sometimes broken check.

There are multiple use-cases for this, and some efforts are being made to
specifically address these cases.

> So it's always a good idea to provide an escape hatch for that kind of
> check.
>
> Isn't it?

Patches are in the works (the ground-work having been committed earlier
this cycle...) to be more flexible in this area. The unfortunate part
is that this is all PG11 work at this point, but, with a bit of luck and
some hard work, we'll have this improved for that release.

This effort may not address all use-cases, of course, but the plan is to
at least address standard unix group privileges, to allow a non-root /
non-PG-superuser to be able to run a file-level backup of PG. If there
are other reasonable use-cases which still need to be addressed beyond
that, then hopefully we can work out a sensible way to build on what's
been done for those as well.

If you have specific questions or comments on this, I'd suggest chatting
with David Steele, who is working on this, and whom I've CC'd here.

Thanks!

Stephen
