Re: PATCH: Configurable file mode mask

From: David Steele <david(at)pgmasters(dot)net>
To: Stephen Frost <sfrost(at)snowman(dot)net>, Michael Paquier <michael(at)paquier(dot)xyz>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Alvaro Herrera <alvherre(at)alvh(dot)no-ip(dot)org>, Adam Brightwell <adam(dot)brightwell(at)crunchydata(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, "Tsunakawa, Takayuki" <tsunakawa(dot)takay(at)jp(dot)fujitsu(dot)com>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: PATCH: Configurable file mode mask
Date: 2018-03-20 15:23:20
Message-ID: 37749610-64cc-ebcf-d7a8-9d186cdce5a9@pgmasters.net
Lists: pgsql-hackers

On 3/16/18 11:12 AM, Stephen Frost wrote:
>
>>> Visibly there would be no need for a -g switch in
>>> pg_basebackup as it is possible to guess from the received untar'ed
>>> files what should be the permissions of the data based on what is
>>> received in pg_basebackup.c. It would also be necessary to change the
>>> permissions of pg_wal as this is created before receiving any files.
>>
>> This part might be trickier.
>
> This seems like another case where what we should be doing, and what
> people will be expecting, I'd think, is just what they're used to tar
> doing in these cases- which would be setting the dir/file mode for each
> file based on what's in the tarball. Again, the files which are in the
> data dir are, sadly, not always just those that PG is familiar with.

I've been working on this and have become convinced that adding group
permissions to files that pg_basebackup writes to disk based on whether
group permissions are enabled in PGDATA isn't the right way to go.

To be clear, I'm not talking about the permissions set within the tar
file - I think it makes sense to use the actual PGDATA permissions in
that case.

pg_basebackup may not be running as postgres, and even if it is I don't
think we can assume that group access is appropriate for the files that
it writes. It's a different environment and different security rules
may apply.

It seems to me that pg_basebackup and pg_receivexlog should have a -g
option to control the mode of the files that they write to disk (not
including the modes stored in the tar files).

Or perhaps we should just update the perms in the tar files for now and
leave the rest alone.

Thoughts?
--
-David
david(at)pgmasters(dot)net
