Re: pgsql: Prevent running pg_basebackup as root - Mailing list pgsql-committers

From Magnus Hagander
Subject Re: pgsql: Prevent running pg_basebackup as root
Msg-id CABUevEyjDjGFkQdTWQNPJFxe8zHH2b53DNtW-vKrxyuMRA0MuQ@mail.gmail.com
In response to Re: pgsql: Prevent running pg_basebackup as root  (Michael Paquier <michael@paquier.xyz>)
Responses Re: pgsql: Prevent running pg_basebackup as root  (Stephen Frost <sfrost@snowman.net>)
Re: pgsql: Prevent running pg_basebackup as root  (Andres Freund <andres@anarazel.de>)
List pgsql-committers
On Thu, Feb 6, 2020 at 8:04 AM Michael Paquier <michael@paquier.xyz> wrote:
>
> On Wed, Feb 05, 2020 at 12:22:59PM -0500, Stephen Frost wrote:
> > In any case, sorry for not responding on this sooner (was traveling for
> > FOSDEM and such), but I'm not really convinced this is something we want
> > and it certainly breaks at least somewhat reasonable use-cases when you
> > think about using pg_basebackup with -Ft.  In that vein, this change is
> > kinda like saying "you can't run pg_dump as root"..
>
> It seems to me that this is entirely different than the case of
> pg_dump, as it is possible to restore a dump even as root, something
> that cannot happen with physical backups without an extra chmod -R.

I don't see how that's relevant? And yes, you can restore physical
backups this way too, if the userids match. (Though see Stephen's
comment about the username, but that's independent of this issue.)

And pg_basebackup is about taking backups, not restores :)


> You have a point with -Ft as untarring the tarballs from a base backup
> taken with pg_basebackup -Ft used by root generates files owned by the
> original user.  -Fp enforces the files to be owned by the user taking
> the backup, which makes the most sense, so for consistency with the
> other tools preventing root from running pg_basebackup makes sense to me
> with -Fp.  Any thoughts from others to restrict the tool with -Fp but
> not with -Ft?  The argument of consistency mattered for me first for
> both formats.

I think having -Fp and -Ft consistent is a lot more important than
being consistent with other tools that aren't really that closely
related. And it's already inconsistent against probably the most
related command, being pg_dump.

So *very* strong objection to making -Fp and -Ft behave differently
in this regard.


I agree with Stephen that this seems to be misguided, and my vote is
to revert. I would've also objected had you given more than 2 days'
warning before committing, and it happened to be during FOSDEM. I saw
the original email which clearly said it'd be in the March commitfest,
so I figured I'd have time...

--
 Magnus Hagander
 Me: https://www.hagander.net/
 Work: https://www.redpill-linpro.com/
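The ownership point argued above (a -Ft tarball untarred by root comes back owned by whoever the archive records, while any other extractor, like -Fp, ends up owning every file itself, so restores work "if the userids match") follows from how tar extraction treats the uid/gid stored in each member header. The script below is an added example, not code from this thread or from PostgreSQL: it builds a small tar archive in memory with constructed member names and a made-up owner id, extracts it into a scratch directory, and reports whether on-disk ownership matches the recorded ownership. It exercises the generic tar rule that Python's tarfile shares with GNU tar (chown only when the extracting process is root), not pg_basebackup itself.

```python
import io
import os
import tarfile
import tempfile


def foreign_uid():
    """An owner id that is certainly not the current user, so the effect of
    extraction privilege is visible. Constructed for the example."""
    return os.getuid() + 1


def build_sample_archive(owner_uid, owner_gid, owner_name="backupowner"):
    """Build an in-memory tar archive standing in for pg_basebackup -Ft output.
    Member names and contents are constructed for this example; the owner
    fields are whatever the caller passes, mimicking an archive whose members
    record the account that ran the backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("PG_VERSION", b"13\n"),
                           ("global/pg_control", b"\x00" * 32)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o600
            info.uid, info.gid = owner_uid, owner_gid
            info.uname = info.gname = owner_name
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def recorded_owners(archive_bytes):
    """Map each member to the (uid, gid) stored in its tar header, i.e. the
    ownership an extraction run as root would restore."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        return {m.name: (m.uid, m.gid) for m in tar.getmembers()}


def extract_and_audit(archive_bytes):
    """Extract into a scratch directory and compare on-disk ownership with the
    recorded ownership. tarfile, like GNU tar, only chowns extracted files when
    the process is root; any other user owns every file it extracts, which is
    the same outcome -Fp gives for the user taking the backup."""
    recorded = recorded_owners(archive_bytes)
    actual = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
            # filter="tar" exists from Python 3.12 (and the 3.8.17+ security
            # backports); it keeps owner metadata, unlike the "data" filter,
            # which would drop uid/gid and hide the behaviour being audited.
            extra = {"filter": "tar"} if hasattr(tarfile, "tar_filter") else {}
            tar.extractall(path=tmpdir, numeric_owner=True, **extra)
        for name in recorded:
            st = os.lstat(os.path.join(tmpdir, name))
            actual[name] = (st.st_uid, st.st_gid)
    preserved = sorted(n for n in recorded if actual[n] == recorded[n])
    return {
        "extracted_as_root": os.geteuid() == 0,
        "recorded": recorded,
        "actual": actual,
        "ownership_preserved_for": preserved,
    }


if __name__ == "__main__":
    uid = foreign_uid()
    report = extract_and_audit(build_sample_archive(uid, uid))
    for name in report["recorded"]:
        print(f"{name}: recorded={report['recorded'][name]} "
              f"on disk={report['actual'][name]}")
    print("extracted as root:", report["extracted_as_root"],
          "| ownership preserved for:", report["ownership_preserved_for"])
```

Run as an unprivileged user, `ownership_preserved_for` is empty and every file belongs to the extracting account; run as root, it lists every member, because the recorded uid/gid is restored. Auditing `recorded_owners()` before a restore is the cheap way to see which account a root-driven untar of a -Ft backup will hand the data directory to.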
