From: | Michael Paquier <michael(at)paquier(dot)xyz> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)lists(dot)postgresql(dot)org, Gilles Darold <gilles(dot)darold(at)dalibo(dot)com> |
Subject: | Re: current_logfiles not following group access and instead follows log_file_mode permissions |
Date: | 2019-02-01 08:22:19 |
Message-ID: | 20190201082219.GL2179@paquier.xyz |
Lists: | pgsql-hackers |
On Fri, Jan 18, 2019 at 09:50:40AM -0500, Stephen Frost wrote:
> Yes, we should update the documentation in this regard, though it's
> really an independent thing as that documentation should have been
> updated in the original group-access patch, so I'll see about fixing
> it and back-patching it.
Stephen, could you apply Hari's patch then? I am not sure what the
consensus is, but documenting the restriction is the minimum we can
do.
- The default permissions are <literal>0600</literal>, meaning only the
- server owner can read or write the log files. The other commonly
- useful setting is <literal>0640</literal>, allowing members of the owner's
- group to read the files. Note however that to make use of such a
- setting, you'll need to alter <xref linkend="guc-log-directory"/> to
- store the files somewhere outside the cluster data directory. In
- any case, it's unwise to make the log files world-readable, since
- they might contain sensitive data.
+ The default permissions are either <literal>0600</literal>, meaning only the
+ server owner can read or write the log files or <literal>0640</literal>, that
+ allows any user in the same group can read the log files, based on the new
+ cluster created with <option>--allow-group-access</option> option of <command>initdb</command>
+ command. Note however that to make use of any setting other than default,
+ you'll need to alter <xref linkend="guc-log-directory"/> to store the files
+ somewhere outside the cluster data directory.
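Review bot: The rewritten paragraph in the `+` lines drops the closing warning from the removed text ("In any case, it's unwise to make the log files world-readable, since they might contain sensitive data.") and nothing in the added lines replaces it; keep that sentence at the end of the new paragraph. The clause "or <literal>0640</literal>, that allows any user in the same group can read the log files" is ungrammatical; reusing the old wording, for example "or <literal>0640</literal>, allowing members of the owner's group to read the files", would fix it. "any setting other than default" is also ambiguous now that the default depends on whether the cluster was created with <option>--allow-group-access</option>, so the text should say which default it means.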
I would formulate that differently, by just adding an extra paragraph
to mention that using <literal>0640</literal> is recommended to be
compatible with initdb's --allow-group-access instead of sticking it
in the middle of the existing paragraph.
--
Michael