Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
| От | Greg Sabino Mullane |
|---|---|
| Тема | Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS) |
| Дата | |
| Msg-id | CAKAnmmKuAF94tTGvjhujLbvjX7g_m-yNp824U=yRQ_xE5LAy-g@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS) (Amol Inamdar <amol.aai@gmail.com>) |
| Ответы |
Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
|
| Список | pgsql-general |
On Wed, Jul 16, 2025 at 9:25 AM Amol Inamdar <amol.aai@gmail.com> wrote:
- NFS mount point is for /nfs-mount/postgres (and permissions locked down so that Postgres cannot create directories in here)
- Postgres data directory is /nfs-mount/postgres/db
With secured NFS + AT-TLS setup Postgres will be able to write to data directory but not parent dir, however the file ownership information Postgres sees from the stat() call will not match the Postgres user in the container (even though the AT-TLS strict access control will ensure only the Posgres user can read/write to this directory)
This thread is fascinating. It's like combining two of the most annoying technologies in the world, NFS and SELinux, into something worse than either of them.
Many people use Docker, and NFS, and Postgres all the time. Stop trying to push on a string. Conform your process to Postgres' fairly minimal and sane requirements, rather than the other way around.
Cheers,
Greg
--
Crunchy Data - https://www.crunchydata.com
Enterprise Postgres Software Products & Tech Support
В списке pgsql-general по дате отправления: