Re: pg_basebackup ignores the existing data directory permissions

From: Kyotaro HORIGUCHI <horiguchi(dot)kyotaro(at)lab(dot)ntt(dot)co(dot)jp>
To: michael(at)paquier(dot)xyz
Cc: kommi(dot)haribabu(at)gmail(dot)com, magnus(at)hagander(dot)net, pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: pg_basebackup ignores the existing data directory permissions
Date: 2019-02-15 00:24:15
Message-ID: 20190215.092415.55740969.horiguchi.kyotaro@lab.ntt.co.jp
Lists: pgsql-hackers

At Fri, 15 Feb 2019 08:15:24 +0900, Michael Paquier <michael(at)paquier(dot)xyz> wrote in <20190214231524(dot)GC2240(at)paquier(dot)xyz>
> On Thu, Feb 14, 2019 at 11:21:19PM +1100, Haribabu Kommi wrote:
> > On Thu, Feb 14, 2019 at 8:57 PM Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> >> I think it could be argued that neither initdb *or* pg_basebackup should
> >> change the permissions on an existing directory, because the admin may have
> >> done that intentionally. But when they do create the directory, they should
> >> follow the same patterns.
> >
> > Hmm, even if the administrator sets some specific permissions on the data
> > directory, the PostgreSQL server doesn't allow the server to start if the
> > permissions are not (0700) for versions less than 11 and (0700 or
> > 0750) for version 11 or later.
>
> Yes, particularly with pg_basebackup -R this adds an extra step in the
> user flow.

I disagree with pg_basebackup rejecting directories with permissions
other than the specific ones, since it is just a binary backup tool,
which is not exclusive to making a replication standby. It ought to
be runnable, and actually is runnable, by any OS user, even by root,
for whom postgres refuses to start. As mentioned upthread, it is a
safe-side failure that the server refuses to run on it.

> > To let the user use the PostgreSQL server, the user must change the
> > permissions of the data directory. So, I don't see a problem in
> > changing the permissions with these tools.
>
> I certainly agree with the point of Magnus that both tools should
> behave consistently, and I cannot actually imagine why it would be
> useful for an admin to keep a more permissive data folder while all
> the contents already have umasks set at the same level as the primary
> (or what initdb has been told to use), but perhaps I lack imagination.
> If we have doubts about potential user impact, the usual, and best, answer
> is to let back-branches behave the way they do now, and only do something
> on HEAD.

initdb's purpose is to create a directory on which the server works,
and it rather rejects an existing directory, so I think the
"inconsistency" seems fine.

I can live with some new options, say --create-New-directory or
--check-directory-Permission.

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center
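
The "extra step in the user flow" discussed above, as an added example that is not part of the thread or of PostgreSQL's own code: a shell check that mirrors the data-directory mode rule the thread describes (any group or "other" bit refused before 11; group read/execute tolerated, group write and all "other" bits refused from 11 on, which accepts exactly the 0700 and 0750 cases named by Haribabu), plus a separate, explicit fixer, so that a backup taken into a pre-existing directory can be verified before the server is started rather than left to fail at startup. The bit masks and the function names are this example's assumptions, and the fixer is kept separate from the check on purpose, since the thread's point is that an admin may have chosen the existing mode deliberately.

```shell
#!/bin/sh
# Added example (not PostgreSQL code): check whether the server would accept
# the mode of a data directory, and optionally fix it. Typical flow:
#   pg_basebackup -D "$PGDATA" -R          # into an existing directory
#   pg_datadir_mode_ok "$PGDATA" 11 || pg_datadir_mode_fix "$PGDATA" 11
#   pg_ctl -D "$PGDATA" start

# Octal mode of DIR as a decimal integer (GNU stat first, BSD stat as fallback).
pg_datadir_mode() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1")
    # A leading 0 makes printf parse the digits as octal.
    printf '%d' "0$mode"
}

# pg_datadir_mode_ok DIR MAJOR
# Returns 0 if a server of major version MAJOR would start on DIR,
# 1 if the mode would be refused, 2 if DIR is not a directory.
# Assumed masks: before 11 no group/other bit may be set (0077);
# from 11 on group write and every "other" bit are refused (0027),
# so 0700 and 0750 pass and 0755 or 0770 fail.
pg_datadir_mode_ok() {
    local dir=$1 major=$2 modeval mask
    [ -d "$dir" ] || return 2
    modeval=$(pg_datadir_mode "$dir")
    if [ "$major" -ge 11 ]; then
        mask=23     # octal 0027: g=w and o=rwx bits
    else
        mask=63     # octal 0077: all g and o bits
    fi
    [ $((modeval & mask)) -eq 0 ]
}

# pg_datadir_mode_fix DIR MAJOR
# Strips only the bits the server would refuse, so an intentional 0750
# on 11+ survives; before 11 the only accepted result is 0700.
pg_datadir_mode_fix() {
    local dir=$1 major=$2
    [ -d "$dir" ] || return 2
    if [ "$major" -ge 11 ]; then
        chmod g-w,o-rwx "$dir"
    else
        chmod u=rwx,g=,o= "$dir"
    fi
}

# Human-readable report for the three modes that come up in the thread.
pg_datadir_mode_report() {
    local dir=$1 major=$2
    if pg_datadir_mode_ok "$dir" "$major"; then
        printf '%s: mode %o accepted by PostgreSQL %s\n' \
            "$dir" "$(pg_datadir_mode "$dir")" "$major"
    else
        printf '%s: mode %o refused by PostgreSQL %s\n' \
            "$dir" "$(pg_datadir_mode "$dir")" "$major"
    fi
}
```

The check deliberately does not chmod anything on its own: pg_basebackup writes files with the mode it was given or copied from the primary, and whether the enclosing directory should be tightened is the admin's decision, which is exactly what the thread is debating.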
