| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Peter J(dot) Holzer" <hjp-pgsql(at)hjp(dot)at> |
| Cc: | pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS) |
| Date: | 2025-07-14 18:30:45 |
| Message-ID: | 708241.1752517845@sss.pgh.pa.us |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
"Peter J. Holzer" <hjp-pgsql(at)hjp(dot)at> writes:
> On 2025-07-14 10:07:20 -0400, Tom Lane wrote:
>> That is primarily for safety reasons: if for some reason the
>> filesystem gets dismounted, or hasn't come on-line yet during
>> a reboot, you do not want Postgres to be able to write on the
>> underlying mount-point directory.
> Be careful: There are two different directorys involved in a mount
> point. The one in the parent filesystem and the one in the mounted file
> system.
True, and the safety requirement really is only that the parent
filesystem's mount-point directory not be writable by us.
But normal practice is that both directories are root-owned,
or at least owned by highly privileged users.
(I have a vague idea that there are system-level security hazards,
not specific to Postgres, if mount-point directories are publicly
writable. Don't feel like researching that though.)
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2025-07-14 18:54:42 | Re: optimizing number of workers |
| Previous Message | Greg Hennessy | 2025-07-14 18:25:19 | Re: optimizing number of workers |