Skip to content

Ensure Postgres data directories have group-read permission #4227

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jul 31, 2025
Merged

Ensure Postgres data directories have group-read permission #4227

merged 4 commits into from
Jul 31, 2025

Conversation

cbandy
Copy link
Member

@cbandy cbandy commented Jul 31, 2025

Postgres has allowed group-read on its data directories since v11. This permission enables more avenues for data recovery when storage misbehaves.

🙇🏻 This includes some unrelated fixes and improvements to the test suite.

Checklist:

  • Have you added an explanation of what your changes do and why you'd like them to be included?
  • Have you updated or added documentation for the change, as applicable?
  • Have you tested your changes on all related environments with successful results, as applicable?
    • Have you added automated tests?

Type of Changes:

  • Bug fix
  • Testing enhancement

What is the current behavior (link to any open issues here)?

PGO sets permissions on Postgres directories to 0700 after which Postgres creates files and directories with zero group permissions, g-rwx.

What is the new behavior (if this is a feature change)?

PGO sets permissions on these directories to 0750, the most liberal allowed by Postgres. With that, Postgres creates files and directories with group-read, g+rx. This group access allows:

  • PGO to read these files when the container UID changes, e.g. OpenShift SCC mistakes.
  • other processes in the pod to read these files, e.g. log files in the data directory.

Other Information:

Issue: PGO-300

cbandy added 4 commits July 31, 2025 13:50
@cbandy
Resolve symbolic links when finding CRDs in tests
cfa1439 
Without this, the relative path to the "external-snapshotter" module
would be incorrect depending on the symlinks involved.
@cbandy
Point the default KUTTL command to the correct package
d233c69 
Follow-up to 7776996. Did this ever work?
@cbandy
Consistently use our scheme for serializing API objects
9b74d39
@cbandy
Ensure Postgres data directories have group-read permission
c777bbc 
Postgres has allowed group-read on its data directories since v11.
This permission enables more avenues for data recovery when storage
misbehaves.

Issue: PGO-300
@cbandy cbandy merged commit c7842e7 into CrunchyData:main Jul 31, 2025
20 checks passed
@cbandy cbandy deleted the postgres-group-read branch July 31, 2025 21:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tjmoore4 tjmoore4 tjmoore4 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cbandy @tjmoore4