PostgreSQL requires the data directory to have restrictive permissions (0700 or 0750). This error appears when permissions are too permissive, typically after pod restarts in containers or when mounting volumes with incorrect ownership.
PostgreSQL enforces strict security requirements on its data directory to prevent unauthorized access to sensitive database files. When PostgreSQL starts, it verifies that the data directory has permissions set to 0700 (rwx------) or 0750 (rwxr-x---), meaning that only the PostgreSQL system user can write to it and, at most, its group can read and traverse it. If the directory has broader permissions (group write or any world access), PostgreSQL refuses to start. This typically occurs in containerized environments (Docker, Kubernetes) where volume mounts, init containers, or permission changes during pod restarts leave the directory with incorrect ownership or permissions.
Connect to your container or server and check the actual permissions:
ls -ld /var/lib/postgresql/data

You'll see output like drwx------ (0700), which is correct, or drwxr-xr-x (0755), which is wrong. The directory should show only the owner's permission bits set (rwx for the owner, nothing for group or others), or at most r-x for the group.
Verify the data directory is owned by the PostgreSQL system user:
ls -ld /var/lib/postgresql/data

The output should show ownership by the postgres user (or the equivalent PostgreSQL system user). If it's owned by root or another user, this is the problem.
If the permissions are not 0700 or 0750, fix them with:
chmod 700 /var/lib/postgresql/data

For Docker containers, you may need to run this as root or with sudo. For Kubernetes, add this to your init container.
If the directory is owned by the wrong user, change ownership to the PostgreSQL user:
chown postgres:postgres /var/lib/postgresql/data

On some systems, the PostgreSQL user may be named differently (check /etc/passwd for the correct name).
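The four checks and fixes above can be combined into a small audit script. The script below is an added example and is not part of the original article; it assumes a Linux system with GNU or busybox stat (the -c format flag), takes the data directory and the expected owner as parameters, and flags exactly the two modes the article names (0700 and 0750) as acceptable. The repair step tightens the mode to 0700 and only calls chown when the owner is actually wrong, so it is safe to run repeatedly from an init container or entrypoint.

```shell
#!/bin/sh
# Added example (not from the original article): audit a PostgreSQL data
# directory the way the server's startup check does, then optionally repair it.
# Assumes GNU/busybox `stat -c`; DIR and USER are supplied by the caller.

# pgdata_mode_ok DIR -> 0 if DIR is exactly 0700 or 0750, 1 otherwise
pgdata_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        700|750) return 0 ;;
        *)       return 1 ;;
    esac
}

# pgdata_owner_ok DIR USER -> 0 if DIR is owned by USER, 1 otherwise
pgdata_owner_ok() {
    owner=$(stat -c '%U' "$1" 2>/dev/null) || return 1
    [ "$owner" = "$2" ]
}

# pgdata_audit DIR USER -> prints one line per check; return value is the
# number of problems found (0 = PostgreSQL would accept the directory)
pgdata_audit() {
    dir=$1
    user=$2
    problems=0
    if pgdata_mode_ok "$dir"; then
        echo "ok:  mode $(stat -c '%a' "$dir") on $dir"
    else
        echo "BAD: mode $(stat -c '%a' "$dir" 2>/dev/null || echo '?') on $dir (want 700 or 750)"
        problems=$((problems + 1))
    fi
    if pgdata_owner_ok "$dir" "$user"; then
        echo "ok:  owner $user on $dir"
    else
        echo "BAD: owner $(stat -c '%U' "$dir" 2>/dev/null || echo '?') on $dir (want $user)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# pgdata_fix DIR USER -> chmod 700, chown only if needed, then re-audit.
# chown requires root; chmod requires being the current owner or root.
pgdata_fix() {
    chmod 700 "$1" || return 1
    if ! pgdata_owner_ok "$1" "$2"; then
        chown "$2:$2" "$1" || return 1
    fi
    pgdata_audit "$1" "$2" >/dev/null
}

# Usage: ./pgdata-audit.sh /var/lib/postgresql/data [postgres]
if [ "$#" -gt 0 ]; then
    pgdata_audit "$1" "${2:-postgres}"
    exit $?
fi
```

Run it before starting the server (for example as the last line of an init container) and treat a non-zero exit as "PostgreSQL will refuse to start"; when run as root, call pgdata_fix instead of pgdata_audit to apply the chmod/chown from the steps above.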
In your Dockerfile or docker-compose.yml, add a step that ensures correct permissions before PostgreSQL starts:
services:
  postgres:
    image: postgres:15
    volumes:
      - postgres_data:/var/lib/postgresql/data
    entrypoint: |
      bash -c "
      chmod 700 /var/lib/postgresql/data
      docker-entrypoint.sh postgres"

Alternatively, use an init container in Kubernetes (see next step).
Add an init container to your Kubernetes StatefulSet or Pod that sets correct permissions:
initContainers:
  - name: init-chmod-data
    image: busybox:1.28
    command:
      - sh
      - -c
      - chmod 700 /var/lib/postgresql/data || true
    volumeMounts:
      - name: postgres-data
        mountPath: /var/lib/postgresql/data

This runs before the PostgreSQL container starts and ensures permissions are correct even if the volume was mounted with wrong permissions. Note that the trailing "|| true" lets the pod continue even when chmod fails, so on a volume that rejects permission changes you will still see the original PostgreSQL startup error rather than an init container failure.
PostgreSQL requires 0700 or 0750 permissions as a security measure to prevent unauthorized access to sensitive database files such as pg_hba.conf (authentication) and shared memory buffers. The 0750 permission (rwxr-x---) allows the PostgreSQL group to read the directory, which is useful in some enterprise setups, but 0700 (rwx------) is more restrictive and is the recommended setting. In Windows Docker Desktop with the Hyper-V backend, permission issues are especially common because Windows does not share the Unix permission model. The WSL backend (Windows Subsystem for Linux) typically handles this better. For Azure Container Instances and managed cloud databases, the data directory is usually on shared storage that does not support Unix permissions; point PGDATA at a subdirectory of the mount where PostgreSQL has write access instead of using the mount root.