On 3/16/18 11:12 AM, Stephen Frost wrote:
>
>>> Visibly there would be no need for a -g switch in
>>> pg_basebackup as it is possible to guess from the received untar'ed
>>> files what should be the permissions of the data based on what is
>>> received in pg_basebackup.c. It would also be necessary to change the
>>> permissions of pg_wal as this is created before receiving any files.
>>
>> This part might be trickier.
>
> This seems like another case where what we should be doing, and what
> people will be expecting, I'd think, is just what they're used to tar
> doing in these cases- which would be setting the dir/file mode for each
> file based on what's in the tarball. Again, the files which are in the
> data dir are, sadly, not always just those that PG is familiar with.
I've been working on this and have become convinced that adding group
permissions to files that pg_basebackup writes to disk based on whether
group permissions are enabled in PGDATA isn't the right way to go.
To be clear, I'm not taking about the permissions set within the tar
file - I think it makes sense to use the actual PGDATA permissions in
that case.
pg_basebackup may not be running as postgres, and even if it is I don't
think we can assume that group access is appropriate for the files that
it writes. It's a different environment and different security rules
may apply.
It seems to me that pg_basebackup and pg_receivexlog should have a -g
option to control the mode of the files that they write to disk (not
including the modes stored in the tar files).
Or perhaps we should just update the perms in the tar files for now and
leave the rest alone.
Thoughts?
--
-David
david@pgmasters.net
