Re: Re: PATCH: Configurable file mode mask - Mailing list pgsql-hackers

From David Steele
Subject Re: Re: PATCH: Configurable file mode mask
Date
Msg-id 48059786-a6fa-86ba-8d9b-c79201abd423@pgmasters.net
In response to Re: [HACKERS] PATCH: Configurable file mode mask  (David Steele <david@pgmasters.net>)
Responses Re: Re: PATCH: Configurable file mode mask
List pgsql-hackers
On 3/21/17 2:02 PM, David Steele wrote:
> On 3/18/17 3:57 PM, Robert Haas wrote:
> 
>> I think Tom's concerns about people doing insecure stuff are
>> excessive.  People can do insecure stuff no matter what we do, and
>> trying to prevent them often leads to them doing even-more-insecure
>> stuff.  That having been said, I do wonder whether the idea of allowing
>> group read privileges specifically might be a better concept than a
>> umask, though, because (1) it's not obvious that there's a real use
>> case for anything other than group read privileges, so why not support
>> exactly that to avoid user confusion and (2) umask is a pretty
>> specific concept that may not apply on every platform.  For example,
>> AFS has an ACL list instead of using the traditional UNIX permission
>> bits, and I'm not sure Windows has the umask concept exactly either.
>> So wording what we're trying to do a bit more generically might be
>> smart.
> 
> We took Tom's advice to heart and this is the direction the patch is 
> currently going in.  Even the GUC may be too much as there are number of 
> tools that write into PGDATA but don't read postgresql.conf.  It looks 
> like using the permissions of PGDATA may be the best way to go.
> 
> In any case, the changes required have enlarged the size and scope of 
> the patch considerably and we are not confident that it will be done in 
> time to commit for v10.
> 
> I have marked this submission "Returned with Feedback".

Attached is a new patch set that should address various concerns raised 
in this thread.

1) group-access-v3-01-mkdir.patch

Abstracts all mkdir calls in the backend into a MakeDirectory() function 
implemented in fd.c.  This did not get committed in September as part of 
0c5803b450e but I still think it has value.  However, I have kept it 
separate to reduce noise in the second patch.  The mkdir() calls could 
also be modified to use PG_DIR_MODE_DEFAULT with equivalent results.

2) group-access-v3-02-group.patch

This is a "GUC-less" implementation of group read access that depends on 
the mode of the $PGDATA directory to determine which mode to use for 
subsequent writes.  The initdb option is preserved to allow group access 
to be enabled when the cluster is initialized.

Only two modes are allowed (700, 750) and the error message on startup 
is hard-coded to address translation concerns.

I'll add this to the 2018-01 CF.

Thanks!
-- 
-David
david@pgmasters.net
