Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)

On Mon, 2025-07-14 at 18:32 +0530, Amol Inamdar wrote:
> > The data directory can either be created by "initdb", in which case
> > the mount point must allow the PostgreSQL user to create a directory.
> > You could set the group of the mount point to the group of the
> > PostgreSQL user and use permissions 1770, which should be perfectly safe.
>
> This exactly is the problem we are facing, to give you a summary, 
> our NFS server is enabled with AT-TLS authentication
> and we are accessing the server via a proxy server (Haproxy). 
> This acts as our NFS client and it is configured with the 
> required client certificates.
>
> The outcome of above configuration is that any directory created 
> in the NFS mount is always owned by the user in the certificates 
> and if that user isn't present in the proxy container it is marked 
> as nobody:nogroup, we tried various things like
> created the user similar to postgres user so that the users ids match but 
> always ended up giving error  “data directory “/var/lib” has wrong ownership 
>
> Hence, we thought of skipping this check (Directory owner and postgres user validation) and 
> wanted to understand the implication of the same.

No; don't.

Simply mount the directory once, create a subdirectory with the
appropriate ownership and permissions, and there you go.
Problem solved.

Yours,
Laurenz Albe