Re: Bypassing Directory Ownership Check in PostgreSQL 16.6 with Secure z/OS NFS (AT-TLS)
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: "Peter J. Holzer" <hjp-pgsql@hjp.at>
Cc: pgsql-general@lists.postgresql.org
Date: 2025-07-14T18:30:45Z
Lists: pgsql-general
"Peter J. Holzer" <hjp-pgsql@hjp.at> writes: > On 2025-07-14 10:07:20 -0400, Tom Lane wrote: >> That is primarily for safety reasons: if for some reason the >> filesystem gets dismounted, or hasn't come on-line yet during >> a reboot, you do not want Postgres to be able to write on the >> underlying mount-point directory. > Be careful: There are two different directorys involved in a mount > point. The one in the parent filesystem and the one in the mounted file > system. True, and the safety requirement really is only that the parent filesystem's mount-point directory not be writable by us. But normal practice is that both directories are root-owned, or at least owned by highly privileged users. (I have a vague idea that there are system-level security hazards, not specific to Postgres, if mount-point directories are publicly writable. Don't feel like researching that though.) regards, tom lane