Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS) - Mailing list pgsql-general

From Greg Sabino Mullane
Subject Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
Date
Msg-id CAKAnmmKuAF94tTGvjhujLbvjX7g_m-yNp824U=yRQ_xE5LAy-g@mail.gmail.com
In response to Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)  (Amol Inamdar <amol.aai@gmail.com>)
Responses Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
List pgsql-general
On Wed, Jul 16, 2025 at 9:25 AM Amol Inamdar <amol.aai@gmail.com> wrote:
  1. NFS mount point is for /nfs-mount/postgres (and permissions locked down so that Postgres cannot create directories in here)
  2. Postgres data directory is /nfs-mount/postgres/db
  3. With secured NFS + AT-TLS setup Postgres will be able to write to data directory but not parent dir, however the file ownership information Postgres sees from the stat() call will not match the Postgres user in the container (even though the AT-TLS strict access control will ensure only the Postgres user can read/write to this directory)

This thread is fascinating. It's like combining two of the most annoying technologies in the world, NFS and SELinux, into something worse than either of them.

Many people use Docker, and NFS, and Postgres all the time. Stop trying to push on a string. Conform your process to Postgres' fairly minimal and sane requirements, rather than the other way around.

Cheers,
Greg

--
Enterprise Postgres Software Products & Tech Support
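The thread turns on the startup check that the postmaster performs on PGDATA: it stat()s the directory and refuses to start if the owner is not the server's effective uid or if the mode grants group-write or any "other" access. The script below is an added illustration written for this page, not code from the PostgreSQL source or from anyone in the thread. It re-implements that check in Python so the failure modes can be reproduced on a throwaway local directory, including the situation Amol describes where the directory is writable but stat() reports a foreign uid. The forbidden mode mask (0027) is my reading of PG_MODE_MASK_GROUP in src/include/common/file_perm.h; verify it against the version you run.

```python
import os
import stat
import tempfile

# Mode bits the server rejects on the data directory: group-write plus any
# permission for "other". Assumption: mirrors PG_MODE_MASK_GROUP (0027) in
# PostgreSQL's file_perm.h, which permits 0700 and 0750 but nothing looser.
FORBIDDEN_MODE_BITS = stat.S_IWGRP | stat.S_IRWXO


def check_data_dir(path, expected_uid=None):
    """Return (ok, reason), mimicking the postmaster's PGDATA checks.

    This is a hypothetical re-implementation for illustration. The server's
    own messages are "data directory has wrong ownership" and
    "data directory has invalid permissions"; the wording here follows them.
    """
    if expected_uid is None:
        expected_uid = os.geteuid()
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, "data directory does not exist"
    if not stat.S_ISDIR(st.st_mode):
        return False, "not a directory"
    # Ownership check: this is the one an NFS server that maps or hides the
    # client's uid will trip, even when the directory is in fact writable.
    if st.st_uid != expected_uid:
        return False, (f"data directory has wrong ownership "
                       f"(uid {st.st_uid}, expected {expected_uid})")
    # Permission check: any forbidden bit set is fatal.
    if st.st_mode & FORBIDDEN_MODE_BITS:
        return False, (f"data directory has invalid permissions "
                       f"(mode {stat.S_IMODE(st.st_mode):04o})")
    return True, "ok"


def demo():
    """Run constructed scenarios on a temporary local directory (not NFS)."""
    results = {}
    d = tempfile.mkdtemp(prefix="pgdata-check-")
    try:
        for mode in (0o700, 0o750, 0o777):
            os.chmod(d, mode)
            results[f"mode {mode:04o}"] = check_data_dir(d)
        os.chmod(d, 0o700)
        # Simulate the NFS/AT-TLS case from the thread: the directory is
        # usable, but stat() reports a uid other than the server's own.
        results["uid mismatch"] = check_data_dir(d, expected_uid=os.geteuid() + 1)
    finally:
        os.rmdir(d)
    return results


if __name__ == "__main__":
    for scenario, (ok, reason) in demo().items():
        print(f"{scenario:14s} -> {'OK ' if ok else 'FAIL'} {reason}")
```

Running it shows that 0700 and 0750 pass, 0777 fails on permissions, and the uid-mismatch case fails on ownership regardless of mode, which is exactly why loosening permissions on the NFS export cannot help: the server's decision is driven by the uid the NFS client reports, not by what the directory will actually let it do.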
