Description
Currently the container needs the capability dac_override. This is a potential security issue also mentioned in this Red Hat article.
In Issue #208 and pull request #209
5802
this issue was fixed but was reintroduced later.
If I drop the capability dac_override on an already initialized postgres installation, several "permission denied" errors appear in the logs:
find: /var/lib/postgresql/data: Permission denied
You can work around this error if you change the following line to chmod 750 "$PGDATA" || :
Line 41 in a11e908
The group of the files is "root" in this case. This is the reason why dac_override is not needed anymore and the find command can operate on the files anyway.
I'm not sure if this is only a fix for already initialized databases. Maybe other fixes are needed to be sure that dac_override can be dropped on non-initialized databases.
For security reasons it would be really great if we can drop the dac_override capability for this container again.
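
The reasoning above (root without dac_override is denied on a 700 directory, but gets in through the group bits once the directory is 750 with group root) can be checked with a small model of the kernel's mode-bit check. This is an added example, not code from the issue or the image; the owner UID 999, the CapEff masks and all function names are constructed for illustration, and only CAP_DAC_OVERRIDE is modelled (CAP_DAC_READ_SEARCH is ignored).

```shell
#!/bin/sh
# Added example: why "find" on $PGDATA fails or succeeds for container root
# once CAP_DAC_OVERRIDE is dropped. All sample values are constructed.

CAP_DAC_OVERRIDE_BIT=1   # capability number 1 in linux/capability.h

# capeff_has_dac_override HEXMASK
# HEXMASK is the CapEff value from /proc/<pid>/status (without "0x").
capeff_has_dac_override() {
    [ $(( (0x$1 >> CAP_DAC_OVERRIDE_BIT) & 1 )) -eq 1 ]
}

# dir_access_by_mode MODE OWNER_UID OWNER_GID PROC_UID "PROC_GIDS"
# Succeeds if the mode bits alone grant read+search (r-x) on a directory.
# Exactly one class applies: owner, else group, else other.
dir_access_by_mode() {
    mode=$(( 0$1 )); owner_uid=$2; owner_gid=$3; proc_uid=$4; proc_gids=$5
    if [ "$proc_uid" -eq "$owner_uid" ]; then
        bits=$(( (mode >> 6) & 7 ))
    else
        bits=$(( mode & 7 ))
        for g in $proc_gids; do
            if [ "$g" -eq "$owner_gid" ]; then
                bits=$(( (mode >> 3) & 7 )); break
            fi
        done
    fi
    [ $(( bits & 5 )) -eq 5 ]
}

# find_would_work CAPEFF MODE OWNER_UID OWNER_GID PROC_UID "PROC_GIDS"
# Access is granted by the capability or, failing that, by the mode bits.
find_would_work() {
    capeff_has_dac_override "$1" || dir_access_by_mode "$2" "$3" "$4" "$5" "$6"
}

# Constructed cases for a process running as uid 0, gid 0:
#   capability present / dropped with 700 / dropped with 750 and group root
for c in "a80425fb 700 999 999" "a80425f9 700 999 999" "a80425f9 750 999 0"; do
    set -- $c
    if find_would_work "$1" "$2" "$3" "$4" 0 0; then r="ok"
    else r="Permission denied"; fi
    echo "CapEff=$1 mode=$2 owner=$3:$4 -> $r"
done
```

To check a running container against the first function, read the mask with `grep CapEff /proc/1/status` inside it.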