Re: [HACKERS] PAM authentication fails for local UNIX users

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Dhanaraj(dot)M(at)Sun(dot)COM
Cc: pgsql-patches(at)postgresql(dot)org, Andrew Dunstan <andrew(at)dunslane(dot)net>, Zdenek Kotala <Zdenek(dot)Kotala(at)Sun(dot)COM>
Subject: Re: [HACKERS] PAM authentication fails for local UNIX users
Date: 2007-09-14 03:53:30
Message-ID: 200709140353.l8E3rUP19060@momjian.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers pgsql-patches


Applied:

PAM does work authenticating against Unix system authentication
because the postgres server is started by a non-root user. In order
to enable this functionality, the root user must provide additional
permissions to the postgres user (for reading
<filename>/etc/shadow</>).

---------------------------------------------------------------------------

Dhanaraj M wrote:
> Hi all,
>
> This is the continuation to the discussion that we had in the hacker's list.
>
> http://www.postgresql.org/docs/8.2/interactive/auth-methods.html#AUTH-PAM
> Here, I like to add some details in 20.2.6. PAM authentication section.
>
> Can someone review and make changes, if required? Thanks.
>
> *** client-auth.sgml.orig Tue Aug 21 16:52:45 2007
> --- client-auth.sgml Tue Aug 21 17:02:52 2007
> ***************
> *** 987,992 ****
> --- 987,1001 ----
> and the <ulink url="http://www.sun.com/software/solaris/pam/">
> <systemitem class="osname">Solaris</> PAM Page</ulink>.
> </para>
> +
> + <note>
> + <para>
> + The local UNIX user authentication is not permitted,
> + because the postgres server is started by a non-root user.
> + In order to enable this functionality, the root user must provide
> + additional permissions to the postgres user (for reading
> /etc/shadow file).
> + </para>
> + </note>
> </sect2>
> </sect1>
>
>
> >
> >
> > Zdenek Kotala wrote:
> >>
> >> The problem what Dhanaraj tries to address is how to secure solve
> >> problem with PAM and local user. Other servers (e.g. sshd) allow to
> >> run master under root (with limited privileges) and forked process
> >> under normal user. But postgresql
> >> requires start as non-root user. It limits to used common pattern.
> >>
> >> There is important question:
> >>
> >> Is current requirement to run postgresql under non-root OK? If yes,
> >> than we must update PAM documentation to explain this situation which
> >> will never works secure. Or if we say No, it is stupid limitation (in
> >> case when UID 0 says nothing about user's privileges) then we must
> >> start discussion about solution.
> >>
> >>
> >
> > For now I think we should update the docs. You really can't compare
> > postgres with sshd - ssh connections are in effect autonomous. I
> > suspect the changes involved in allowing us to run as root and then
> > give up privileges safely would be huge, and the gain quite small.
> >
> > I'd rather see an HBA fallback mechanism, which I suspect might
> > overcome most of the problems being encountered here.
> >
> > cheers
> >
> > andrew
>
>
> --
> ================================
> Dhanaraj M
> x40049/+91-9880244950
> Solaris RPE, Bangalore, India
> http://blogs.sun.com/dhanarajm/
> ================================
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: explain analyze is your friend

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Bruce Momjian 2007-09-14 03:54:55 Re: [HACKERS] PGparam extension version 0.4
Previous Message Alvaro Herrera 2007-09-14 03:52:19 Re: Reducing Transaction Start/End Contention

Browse pgsql-patches by date

  From Date Subject
Next Message Bruce Momjian 2007-09-14 03:54:55 Re: [HACKERS] PGparam extension version 0.4
Previous Message Pavan Deolasee 2007-09-14 03:45:42 Re: HOT patch - version 15