Re: pg_basebackup ignores the existing data directory permissions

From: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: pg_basebackup ignores the existing data directory permissions
Date: 2019-09-04 20:11:17
Message-ID: 20190904201117.GA12986@alvherre.pgsql
Lists: pgsql-hackers

On 2019-Apr-03, Robert Haas wrote:

> I am not sure what solution is best here, but it is hard to imagine
> that the status quo is the right thing.

This patch has been dormant for months. There's been a lot of
discussion but it doesn't seem conclusive; it doesn't look like we know
what we actually want to do. Can I try to restart the discussion and
see if we can get to an agreement, so that somebody can implement it?
Failing that, it seems this patch would be Returned with Little Useful Feedback.

There seem to be multiple fine points here:

1. We want to have initdb and pg_basebackup behave consistently.

Maybe if we don't like that changing pg_basebackup would make it
behave differently to initdb, then we ought to change both tools'
default behavior, and give equivalent new options to both to select
the other(s?) behavior(s?). So I talk about "the tool" referring to
both initdb and pg_basebackup in the following.

2. Should the case of creating a new dir behave differently from using
an existing directory?

Probably for simplicity we want both cases to behave the same.
I mean that if an existing dir has group privs and we choose that the
default behavior is without group privs, then those would get removed
unless a cmd line arg is given. Contrariwise if we choose that group
perms are to be preserved if they exist, then we should create a new
dir with group privs unless an option is given.

3. Sometimes we want to have the tool keep the permissions of an
existing directory, but for pg_basebackup the user might sometimes
want to preserve the permissions of upstream instead.

It seems to me that we could choose the default to be the most secure
behavior (which AFAICT is not to have any group perms), and if the
user wants to preserve group perms in an existing dir (or give group
perms to a directory created by the tool) they can pass a bespoke
command line argument.

I think ultimately this means that upstream privs would go ignored by
pg_basebackup. Maybe we can add another cmdline option to enable
preserving such.

I hope I didn't completely misunderstand the thread -- always a
possibility.

--
Álvaro Herrera https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
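As an added illustration (not part of the message above or of PostgreSQL's own code), the policy sketched in points 2 and 3 written as a C decision function: new and existing directories are treated alike, the default strips group bits, and two hypothetical options (allow group access, mirror the upstream mode) relax that. The mode constants mirror the directory values in PostgreSQL's file_perm.h; the option names are assumptions.

```c
/* Added example, not PostgreSQL code: chooses the mode a tool such as initdb
 * or pg_basebackup would give the data directory under the proposed policy. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

#define DIR_MODE_OWNER  (S_IRWXU)                      /* 0700 */
#define DIR_MODE_GROUP  (S_IRWXU | S_IRGRP | S_IXGRP)  /* 0750 */

/* Hypothetical command line options from the discussion. */
struct perm_opts {
    bool allow_group;       /* keep/give group perms on the target dir */
    bool preserve_upstream; /* pg_basebackup only: copy upstream's choice */
};

/* Returns the mode to apply, or (mode_t)-1 if the target is unusable.
 * existing_mode is the current mode of the target (0 if it does not exist);
 * upstream_mode is the source server's data directory mode (0 if n/a).
 * Point 2: an existing dir and a freshly created one get the same answer. */
mode_t target_dir_mode(bool dir_exists, mode_t existing_mode,
                       const struct perm_opts *o, mode_t upstream_mode)
{
    /* World access is never acceptable for a data directory. */
    if (dir_exists && (existing_mode & S_IRWXO))
        return (mode_t)-1;
    if (o->preserve_upstream)
        return (upstream_mode & S_IRWXG) ? DIR_MODE_GROUP : DIR_MODE_OWNER;
    /* Point 3: default to the most secure choice; group bits present on an
     * existing directory are removed unless the user asked to keep them. */
    return o->allow_group ? DIR_MODE_GROUP : DIR_MODE_OWNER;
}

/* stat() the target, decide, then create it or fix its mode accordingly. */
int apply_dir_policy(const char *path, const struct perm_opts *o,
                     mode_t upstream_mode)
{
    struct stat st;
    bool exists = (stat(path, &st) == 0);
    if (!exists && errno != ENOENT) { perror(path); return -1; }
    mode_t m = target_dir_mode(exists, exists ? (st.st_mode & 0777) : 0,
                               o, upstream_mode);
    if (m == (mode_t)-1) {
        fprintf(stderr, "%s: world accessible, refusing to use it\n", path);
        return -1;
    }
    printf("%s: %s, applying mode %04o\n", path, exists ? "exists" : "new", m);
    return exists ? chmod(path, m) : mkdir(path, m);
}
```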
