On Thu, Feb 14, 2019 at 06:34:07PM +1100, Haribabu Kommi wrote:
> we have an application that is used to create the data directory with
Well, initdb would do that happily, so there is no actual any need to
do that to begin with. Anyway..
> owner access (0700), but with initdb group permissions option, it
> automatically
> converts to (0750) by the initdb. But pg_basebackup doesn't change it when
> it tries to do a backup from a group access server.
So that's basically the opposite of the case I was thinking about,
where you create a path for a base backup with permissions strictly
higher than 700, say 755, and the base backup path does not have
enough restrictions. And in your case the permissions are too
restrictive because of the application creating the folder itself but
they should be relaxed if group access is enabled. Actually, that's
something that we may want to do consistently across all branches. If
an application calls pg_basebackup after creating a path, they most
likely change the permissions anyway to allow the postmaster to
start.
I think it could be argued that neither initdb *or* pg_basebackup should change the permissions on an existing directory, because the admin may have done that intentionally. But when they do create the directory, they should follow the same patterns.
Hmm, even if the administrator set some specific permissions to the data directory,
PostgreSQL server doesn't allow server to start if the permissions are not (0700)
for versions less than 11 and (0700 or 0750) for version 11 or later.
To let the user to use the PostgreSQL server, user must change the permissions
of the data directory. So, I don't see a problem in changing the permissions by these
tools.
Regards,
Haribabu Kommi
Fujitsu Australia
