Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)

From: Greg Sabino Mullane <htamfids(at)gmail(dot)com>
To: Amol Inamdar <amol(dot)aai(at)gmail(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>, pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
Date: 2025-07-17 00:41:44
Message-ID: CAKAnmmKuAF94tTGvjhujLbvjX7g_m-yNp824U=yRQ_xE5LAy-g@mail.gmail.com
Lists: pgsql-general

On Wed, Jul 16, 2025 at 9:25 AM Amol Inamdar <amol(dot)aai(at)gmail(dot)com> wrote:

>
> 1. NFS mount point is for /nfs-mount/postgres (and permissions locked
> down so that Postgres cannot create directories in here)
> 2. Postgres data directory is /nfs-mount/postgres/db
> 3.
>
> With secured NFS + AT-TLS setup Postgres will be able to write to data
> directory but not parent dir, however the file ownership information
> Postgres sees from the stat() call will not match the Postgres user in the
> container (even though the AT-TLS strict access control will ensure only
> the Postgres user can read/write to this directory)
>

This thread is fascinating. It's like combining two of the most annoying
technologies in the world, NFS and SELinux, into something worse than
either of them.

Many people use Docker, and NFS, and Postgres all the time. Stop trying to
push on a string. Conform your process to Postgres' fairly minimal and
sane requirements, rather than the other way around.

Cheers,
Greg

--
Crunchy Data - https://www.crunchydata.com
Enterprise Postgres Software Products & Tech Support
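As an added illustration (not PostgreSQL's own code), the two startup checks the postmaster applies to its data directory, reproduced so an admin can run it against a mount and see exactly what the server would see: the owner reported by stat() must equal the effective uid of the process, and the mode must be 0700 or 0750. The path /nfs-mount/postgres/db is the one from the thread; the function and enum names are my own.

```c
/* Added example, modelled on the postmaster's data-directory checks.
 * It is not PostgreSQL source; it only reproduces the two conditions
 * that produce "wrong ownership" and "invalid permissions" at startup. */
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

enum datadir_status {
    DATADIR_OK = 0,
    DATADIR_STAT_FAILED,   /* stat() failed: missing path or no access */
    DATADIR_NOT_DIR,       /* path exists but is not a directory */
    DATADIR_WRONG_OWNER,   /* st_uid differs from this process's euid */
    DATADIR_BAD_PERMS      /* group-writable or any "other" bits set */
};

/* PostgreSQL accepts u=rwx (0700) or u=rwx,g=rx (0750): any bit in
 * this mask (group write, anything for "other") is rejected. */
#define DATADIR_MODE_MASK 0027

enum datadir_status check_data_dir(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return DATADIR_STAT_FAILED;
    if (!S_ISDIR(st.st_mode))
        return DATADIR_NOT_DIR;
    /* Ownership: the uid stat() reports (on NFS, whatever the server
     * maps it to) must be the uid the postgres process runs as. */
    if (st.st_uid != geteuid())
        return DATADIR_WRONG_OWNER;
    /* Permissions: no group write, nothing for "other". */
    if (st.st_mode & DATADIR_MODE_MASK)
        return DATADIR_BAD_PERMS;
    return DATADIR_OK;
}

int main(int argc, char **argv)
{
    static const char *names[] = {
        "ok", "stat() failed", "not a directory",
        "wrong ownership (owner uid != effective uid)",
        "invalid permissions (want 0700 or 0750)"
    };
    /* Default path is the data directory from the thread. */
    const char *path = argc > 1 ? argv[1] : "/nfs-mount/postgres/db";
    enum datadir_status s = check_data_dir(path);

    printf("%s: %s (euid %u)\n", path, names[s], (unsigned) geteuid());
    return s == DATADIR_OK ? 0 : 1;
}
```

Run it as the same user the container starts postgres as; a "wrong ownership" result on the NFS mount shows the uid mapping problem the thread describes, independent of whether AT-TLS restricts who can actually read the export.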
