Re: PATCH: Configurable file mode mask

Michael, David,

* Michael Paquier (michael(at)paquier(dot)xyz) wrote:
> On Fri, Mar 09, 2018 at 01:51:14PM -0500, David Steele wrote:
> > How about a GUC that enforces one mode or the other on startup? Default
> > would be 700. The GUC can be set automatically by initdb based on the
> > -g option. We had this GUC originally, but since the front-end tools
> > can't read it we abandoned it. Seems like it would be good as an
> > enforcing mechanism, though.
>
> Hm. OK. I can see the whole set of points about that. Please let me
> think a bit more about that bit. Do you think that there could be a
> pool of users willing to switch from one mode to another? Compared to
> your v1, we could indeed have a GUC which enforces a restriction to not
> allow group access, and enabled by default. As the commit fest is
> running and we don't have a clear picture yet, I am afraid that it may
> be better to move that to v12, and focus on getting patches 1 and 2
> committed. This will provide a good base for the next move.

We already had a discussion about having a GUC for this and concluded,
rightly in my view, that it's not sensible to have since we don't want
all of the various tools having to read and parse out postgresql.conf.

I don't see anything in the discussion which has changed that and I
don't agree that there's an issue with using the privileges on the data
directory for this- it's a simple solution which all of the tools can
use and work with easily. I certainly don't agree that it's a serious
issue to relax the explicit check- it's just a check, which a user could
implement themselves if they wished to and had a concern for. On the
other hand, with the explicit check, we are actively preventing an
entirely reasonable goal of wanting to use a read-only role to perform a
backup of the system.

Thanks!

Stephen