Re: backup manifests

Greetings,

* Andres Freund (andres(at)anarazel(dot)de) wrote:
> On 2020-03-27 17:44:07 -0400, Stephen Frost wrote:
> > * Andres Freund (andres(at)anarazel(dot)de) wrote:
> > > On 2020-03-27 15:20:27 -0400, Robert Haas wrote:
> > > > On Fri, Mar 27, 2020 at 2:29 AM Andres Freund <andres(at)anarazel(dot)de> wrote:
> > > > > Hm. Should this warn if the directory's permissions are set too openly
> > > > > (world writable?)?
> > > >
> > > > I don't think so, but it's pretty clear that different people have
> > > > different ideas about what the scope of this tool ought to be, even in
> > > > this first version.
> > >
> > > Yea. I don't have a strong opinion on this specific issue. I was mostly
> > > wondering because I've repeatedly seen people restore backups with world
> > > readable properties, and with that it's obviously possible for somebody
> > > else to change the contents after the checksum was computed.
> >
> > For my 2c, at least, I don't think we need to check the directory
> > permissions, but I wouldn't object to including a warning if they're set
> > such that PG won't start. I suppose +0 for "warn if they are such that
> > PG won't start".
>
> I was thinking of that check not being just at the top-level, but in
> subdirectories too. It's easy to screw up the top and subdirectory
> permissions in different ways, e.g. when manually creating the database
> dir and then restoring a data directory directly into that. IIRC
> postmaster doesn't check that at start.

Yeah, I'm pretty sure we don't check that at postmaster start.. which
also means that we'll start up just fine even if the perms on
subdirectories are odd or wrong, unless maybe we end up in a really odd
state where a directory is 000'd or something.

Of course.. this is all a mess when it comes to pg_basebackup, really,
as previously discussed elsewhere, because what permissions and such you
end up with actually depends on what *format* you use with
pg_basebackup- it's different between 'tar' format and 'plain' format.
That is, if you use 'tar' format, and then actually use 'tar' to
extract, you get one set of privs, but if you use 'plain', you get
something different.

I mean.. pgBackRest sets all perms to whatever is in the manifest on
restore (or delta), but this patch doesn't include the permissions on
files, or ownership (something pgBackRest also tries to set, if
possible, on restore), does it...? Doesn't look like it on a quick
look. So if we want to compare to pgBackRest then, yes, we should
include the permissions in the manifest and we should check that
everything in the manifest matches what's on the filesystem.

I don't think we should just compare all permissions or ownership with
some arbitrary idea of what we think they should be, even though if you
use pg_basebackup in 'plain' format, you actually end up with
differences, today, from what the source system has. In my view, that
should actually be fixed, to the extent possible.

Thanks,

Stephen