Re: PATCH: Configurable file mode mask

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: "Tsunakawa, Takayuki" <tsunakawa(dot)takay(at)jp(dot)fujitsu(dot)com>
Cc: David Steele <david(at)pgmasters(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org>, Adam Brightwell <adam(dot)brightwell(at)crunchydata(dot)com>
Subject: Re: PATCH: Configurable file mode mask
Date: 2017-03-18 19:57:20
Message-ID: CA+TgmoZqWdhXFn1d9wGrthGCysriQEs3UaN+hhrrHpF2mAPyXw@mail.gmail.com
Lists: pgsql-hackers

On Wed, Mar 15, 2017 at 3:00 AM, Tsunakawa, Takayuki
<tsunakawa(dot)takay(at)jp(dot)fujitsu(dot)com> wrote:
> I'm on David's side, too. I don't postmaster to always scan all files at startup.

+1. Even just doing it during crash recovery, it can take a
regrettably long time on machines with tons of relations and a very
slow disk. I've been sort of thinking that we should add some logging
there so that users know what's happening when that code goes into the
tank - I've seen that come up 3 or 4 times now, and I'm getting tired
of telling people to run strace to find out.

I think Tom's concerns about people doing insecure stuff are
excessive. People can do insecure stuff no matter what we do, and
trying to prevent them often leads to them doing even-more-insecure
stuff. That having been said, I do wonder whether the idea of allowing
group read privileges specifically might be a better concept than a
umask, though, because (1) it's not obvious that there's a real use
case for anything other than group read privileges, so why not support
exactly that to avoid user confusion and (2) umask is a pretty
specific concept that may not apply on every platform. For example,
AFS has an ACL list instead of using the traditional UNIX permission
bits, and I'm not sure Windows has the umask concept exactly either.
So wording what we're trying to do a bit more generically might be
smart.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
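
An added illustration of the group-read-versus-umask point in the message above; it is not part of the original email and is not PostgreSQL code. It assumes a POSIX system with a writable /tmp, and every function name is hypothetical. One boolean yields exactly two permission sets, while an arbitrary umask such as 022 also produces world-readable files:

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() */
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names: one boolean selects between exactly two mode sets. */
static mode_t dir_mode(bool group_read)  { return group_read ? 0750 : 0700; }
static mode_t file_mode(bool group_read) { return group_read ? 0640 : 0600; }

/* True if 'actual' grants no permission bit outside 'allowed'. */
static bool mode_ok(mode_t actual, mode_t allowed) { return (actual & 0777 & ~allowed) == 0; }

/* Create a scratch file under 'mask'; return its mode bits, (mode_t) -1 on error. */
static mode_t file_mode_under_umask(mode_t mask)
{
    char dir[] = "/tmp/modedemoXXXXXX";   /* constructed scratch location */
    char path[64];
    struct stat st;
    mode_t result = (mode_t) -1;
    mode_t old = umask(mask);
    if (mkdtemp(dir) != NULL) {
        snprintf(path, sizeof(path), "%s/f", dir);
        int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0666);
        if (fd >= 0) {
            if (fstat(fd, &st) == 0)
                result = st.st_mode & 0777;
            close(fd);
            unlink(path);
        }
        rmdir(dir);
    }
    umask(old);   /* restore the caller's umask */
    return result;
}

int main(void)
{
    mode_t masks[] = { 0077, 0027, 0022 };
    printf("group-read dir mode: %03o\n", (unsigned) dir_mode(true));
    for (int i = 0; i < 3; i++) {
        mode_t m = file_mode_under_umask(masks[i]);
        printf("umask %03o -> file %03o, within group-read limit: %d\n",
               (unsigned) masks[i], (unsigned) m, mode_ok(m, file_mode(true)));
    }
    return 0;
}
```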
