I just tried it and pg_basebackup doesn't create a folder by itself or changes the umask (RH 7.3).
Beside this I think it would be better not to just trust the permissions of the datadir above (Defense in depth).
Von: Michael Paquier <michael.paquier@gmail.com> Gesendet: Montag, 13. März 2017 07:51 An: Markus Bräunig Cc: PostgreSQL mailing lists Betreff: Re: [BUGS] BUG #14586: Permissions of recovery.conf are different in plain and tar-format
On Fri, Mar 10, 2017 at 5:00 PM, <markus@braeunig.biz> wrote: > The option "--write-recovery-conf" of pg_basebackup creates a valid > recovery.conf but misses to apply secure file permissions when the default > format (plain) is used. > > If you tar the result (-F t), the recovery.conf inside the base.tar has the > permissions 0600. > In plain format the umask of the actual user is applied and the permissions > are e.g. 0644. > > Because plain passwords are possible in this file, I would suggest to unify > this behavior and change the permissions to 0600 in both cases.
It does not matter much. Backup folder created by pg_basebackup has 0700 as umask. -- Michael