Re: pg_basebackup ignores the existing data directory permissions

From: Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Michael Paquier <michael(at)paquier(dot)xyz>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: pg_basebackup ignores the existing data directory permissions
Date: 2019-02-14 12:21:19
Message-ID: CAJrrPGckmkFnW_yeoDriPAkjRVH9eNTKJwQ1=WZpv5edD5HbuQ@mail.gmail.com
Lists: pgsql-hackers

On Thu, Feb 14, 2019 at 8:57 PM Magnus Hagander <magnus(at)hagander(dot)net> wrote:

> On Thu, Feb 14, 2019 at 9:10 AM Michael Paquier <michael(at)paquier(dot)xyz> wrote:
>
>> On Thu, Feb 14, 2019 at 06:34:07PM +1100, Haribabu Kommi wrote:
>> > we have an application that is used to create the data directory with
>>
>> Well, initdb would do that happily, so there is not actually any need to
>> do that to begin with. Anyway..
>>
>> > owner access (0700), but with initdb group permissions option, it
>> > automatically converts to (0750) by the initdb. But pg_basebackup
>> > doesn't change it when it tries to do a backup from a group access
>> > server.
>>
>> So that's basically the opposite of the case I was thinking about,
>> where you create a path for a base backup with permissions strictly
>> higher than 700, say 755, and the base backup path does not have
>> enough restrictions. And in your case the permissions are too
>> restrictive because of the application creating the folder itself but
>> they should be relaxed if group access is enabled. Actually, that's
>> something that we may want to do consistently across all branches. If
>> an application calls pg_basebackup after creating a path, they most
>> likely change the permissions anyway to allow the postmaster to
>> start.
>>
>
> I think it could be argued that neither initdb *or* pg_basebackup should
> change the permissions on an existing directory, because the admin may have
> done that intentionally. But when they do create the directory, they should
> follow the same patterns.
>

Hmm, even if the administrator set some specific permissions on the data
directory, the PostgreSQL server doesn't allow the server to start if the
permissions are not (0700) for versions less than 11 and (0700 or 0750)
for version 11 or later.

To let the user use the PostgreSQL server, the user must change the
permissions of the data directory. So, I don't see a problem in changing
the permissions by these tools.

Regards,
Haribabu Kommi
Fujitsu Australia
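
The two cases raised in this thread (an existing 0700 directory receiving a backup from a group-access server, and an existing 0755 directory), as an added example that is not part of the original message or of PostgreSQL's code. It classifies a directory mode using the rule as worded in the message above; the enum and function names are hypothetical, and `group_access` stands for the source server's setting.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical names for this example; none are PostgreSQL identifiers. */
enum verdict {
    DIR_OK,             /* mode matches what the source's setting implies */
    DIR_MISMATCH,       /* accepted by the stated rule, but differs from the source */
    DIR_START_REFUSED,  /* mode is outside the set the message says is accepted */
    DIR_STAT_FAILED     /* path is missing or is not a directory */
};

/* Rule as worded in the message: 0700 before version 11, 0700 or 0750 from 11 on. */
static int server_accepts(mode_t perms, int major)
{
    return perms == 0700 || (major >= 11 && perms == 0750);
}

/* group_access: nonzero when the source server was initialized with group access. */
enum verdict classify_mode(mode_t mode, int major, int group_access)
{
    mode_t perms = mode & 07777;   /* drop file-type bits, keep permission bits */
    mode_t expected = (major >= 11 && group_access) ? 0750 : 0700;

    if (!server_accepts(perms, major))
        return DIR_START_REFUSED;
    return perms == expected ? DIR_OK : DIR_MISMATCH;
}

enum verdict classify_path(const char *path, int major, int group_access)
{
    struct stat st;

    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return DIR_STAT_FAILED;
    return classify_mode(st.st_mode, major, group_access);
}

int main(int argc, char **argv)
{
    static const char *names[] = {"ok", "mismatch", "start refused", "stat failed"};
    const char *path = argc > 1 ? argv[1] : ".";

    /* Constructed defaults: a version 11 source with group access enabled. */
    printf("%s: %s\n", path, names[classify_path(path, 11, 1)]);
    return 0;
}
```

An application that pre-creates the backup target can run such a check before and after the backup to see whether the directory ended up with the mode it expects.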
