From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Dhanaraj(dot)M(at)Sun(dot)COM |
Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-patches(at)postgresql(dot)org |
Subject: | Re: Doc-patch: PAM authentication fails for local UNIX users |
Date: | 2007-12-29 04:15:57 |
Message-ID: | 200712290415.lBT4Fvp02286@momjian.us |
Lists: | pgsql-patches |
I have updated the documentation to read:
If PAM is set up to read <filename>/etc/shadow</>, authentication
will fail because the PostgreSQL server is started by a non-root
user. However, this is not an issue with LDAP or other authentication
methods.
Thanks.
---------------------------------------------------------------------------
Dhanaraj M wrote:
>
> >>>
> >>> This is the continuation to the discussion that we had in the
> >>> hacker's list.
> >>> http://archives.postgresql.org/pgsql-hackers/2007-08/msg00684.php
> >>>
> >>>
> >>> Here, I like to add some details in 20.2.6. PAM authentication section.
> >>> http://www.postgresql.org/docs/8.2/interactive/auth-methods.html#AUTH-PAM
> >>>
> >>>
> >>> Can someone review and make changes, if required? Thanks.
> >>>
> >>
> >> Eh, those extensions are only valid if you use PAM with a shadow
> >> password file, no? You shouldn't need root if you use say PAM-with-LDAP?
> >>
> >
> > Also, it strikes me that granting the postgres user read access to the
> > shadow file is probably very poor security practice, and not something
> > I would want to recommend without considerable thought. What we should
> > say, rather, is that PAM auth is likely to fail if your PAM is set up
> > to use the shadow file rather than an auth source such as LDAP which
> > does not require privileged file access.
> >
> >
> Is this change Ok?
>
>
>
> *** client-auth.sgml.orig Tue Aug 21 16:52:45 2007
> --- client-auth.sgml Tue Aug 21 17:02:52 2007
> ***************
> *** 987,992 ****
> --- 987,1001 ----
> and the <ulink url="http://www.sun.com/software/solaris/pam/">
> <systemitem class="osname">Solaris</> PAM Page</ulink>.
> </para>
> +
> + <note>
> + <para>
> + If your PAM is set up to use the shadow file, the PAM authentication
> + is likely to fail for local UNIX users because the postgresql server
> + is started by a non-root user. However, this is not an issue
> + when LDAP or other authentication mechanism is used.
> + </para>
> + </note>
> </sect2>
> </sect1>
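Review bot: the cause given in the added <note> ("because the postgresql server is started by a non-root user") is one step removed from the real problem and should name the file, as the review comment above does: verifying a local password means reading the shadow file, which an unprivileged server process cannot do. Suggest "If PAM is set up to read /etc/shadow, authentication for local UNIX users will fail because the PostgreSQL server runs as an unprivileged user that cannot read that file." In the same paragraph, "the PAM authentication" should drop the article, "postgresql" should be "PostgreSQL", and "other authentication mechanism is used" needs "mechanisms are used". The closing sentence also overstates the exception: what makes LDAP safe is that it needs no privileged file access, so "an authentication source that does not require privileged file access, such as LDAP" is more accurate than "LDAP or other authentication mechanism".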
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://postgres.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
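The check below is an added example, not part of the PostgreSQL documentation or of the posted patch. It shows how an administrator can tell in advance whether the PAM stack PostgreSQL will use runs into the /etc/shadow problem discussed in this thread: it lists the modules on the "auth" lines of a PAM service file and flags pam_unix.so, which verifies local accounts against the shadow file that an unprivileged server process cannot read, while pam_ldap.so and similar modules need no privileged file. The service name "postgresql" (the pamservice= option in pg_hba.conf) and the two sample service files are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added diagnostic for the /etc/shadow problem discussed above. Not part of
# the PostgreSQL documentation or the posted patch; the sample PAM service
# files below are constructed for illustration.
#
# PostgreSQL asks PAM for the service named by "pamservice=" in pg_hba.conf
# (assumed here to be "postgresql", i.e. /etc/pam.d/postgresql). Any "auth"
# line that loads pam_unix.so checks local accounts against /etc/shadow,
# which unprivileged users cannot read, so it fails for a server that is not
# running as root. pam_ldap.so and similar modules need no privileged file.

# pam_auth_modules FILE: print the module of every "auth" line in a PAM
# service file. Handles "auth required pam_x.so" and the bracketed control
# form "auth [success=1 default=ignore] pam_x.so". Files pulled in with
# "include"/"substack" are printed by name, not followed.
pam_auth_modules() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "auth" {
            i = 2
            if ($2 ~ /^\[/) { while (i <= NF && $i !~ /]$/) i++ }
            print $(i + 1)
        }' "$1"
}

# pam_shadow_verdict FILE: "fails" when the auth stack relies on pam_unix.so
# (needs /etc/shadow), otherwise "ok".
pam_shadow_verdict() {
    if pam_auth_modules "$1" | grep -q '^pam_unix\.so$'; then
        echo fails
    else
        echo ok
    fi
}

# write_samples DIR: create two constructed service files for the demo.
write_samples() {
    # Local accounts via pam_unix: the case the documentation note warns about.
    cat > "$1/postgresql-shadow" <<'EOF'
# constructed sample: authenticate against the local shadow file
auth    required    pam_unix.so
account required    pam_unix.so
EOF
    # Directory accounts via pam_ldap: no privileged file is touched.
    cat > "$1/postgresql-ldap" <<'EOF'
# constructed sample: authenticate against LDAP
auth    [success=1 default=ignore]    pam_ldap.so
auth    required    pam_deny.so
account required    pam_ldap.so
EOF
}

# Demo: run both samples through the check. On a real host, point it at
# /etc/pam.d/<pamservice> and also confirm that the server user cannot read
# the shadow file, e.g.  su postgres -c 'test -r /etc/shadow && echo readable'
tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/postgresql-shadow "$tmp"/postgresql-ldap; do
    printf '%s: %s (auth modules: %s)\n' "$(basename "$f")" \
        "$(pam_shadow_verdict "$f")" "$(pam_auth_modules "$f" | tr '\n' ' ')"
done
rm -rf "$tmp"
```

If the verdict is "fails", the fix recommended in this thread is to point the PAM service at a source that needs no privileged file (such as LDAP), not to grant the server user read access to the shadow file.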