Quick Links

Re: [HACKERS] PAM authentication fails for local UNIX users

From:	Dhanaraj M <Dhanaraj(dot)M(at)Sun(dot)COM>
To:	pgsql-patches(at)postgresql(dot)org
Cc:	Andrew Dunstan <andrew(at)dunslane(dot)net>, Zdenek Kotala <Zdenek(dot)Kotala(at)Sun(dot)COM>
Subject:	Re: [HACKERS] PAM authentication fails for local UNIX users
Date:	2007-08-21 11:33:44
Message-ID:	46CACD98.3040102@sun.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers pgsql-patches

Hi all,

This is the continuation to the discussion that we had in the hacker's list.

http://www.postgresql.org/docs/8.2/interactive/auth-methods.html#AUTH-PAM
Here, I like to add some details in 20.2.6. PAM authentication section.

Can someone review and make changes, if required? Thanks.

*** client-auth.sgml.orig Tue Aug 21 16:52:45 2007
--- client-auth.sgml Tue Aug 21 17:02:52 2007
***************
*** 987,992 ****
--- 987,1001 ----
and the <ulink url="http://www.sun.com/software/solaris/pam/">
<systemitem class="osname">Solaris</> PAM Page</ulink>.
</para>
+
+ <note>
+ <para>
+ The local UNIX user authentication is not permitted,
+ because the postgres server is started by a non-root user.
+ In order to enable this functionality, the root user must provide
+ additional permissions to the postgres user (for reading
/etc/shadow file).
+ </para>
+ </note>
</sect2>
</sect1>

>
>
> Zdenek Kotala wrote:
>>
>> The problem what Dhanaraj tries to address is how to secure solve
>> problem with PAM and local user. Other servers (e.g. sshd) allow to
>> run master under root (with limited privileges) and forked process
>> under normal user. But postgresql
>> requires start as non-root user. It limits to used common pattern.
>>
>> There is important question:
>>
>> Is current requirement to run postgresql under non-root OK? If yes,
>> than we must update PAM documentation to explain this situation which
>> will never works secure. Or if we say No, it is stupid limitation (in
>> case when UID 0 says nothing about user's privileges) then we must
>> start discussion about solution.
>>
>>
>
> For now I think we should update the docs. You really can't compare
> postgres with sshd - ssh connections are in effect autonomous. I
> suspect the changes involved in allowing us to run as root and then
> give up privileges safely would be huge, and the gain quite small.
>
> I'd rather see an HBA fallback mechanism, which I suspect might
> overcome most of the problems being encountered here.
>
> cheers
>
> andrew

--
================================
Dhanaraj M
x40049/+91-9880244950
Solaris RPE, Bangalore, India
http://blogs.sun.com/dhanarajm/
================================

In response to

Re: PAM authentication fails for local UNIX users at 2007-08-20 12:52:28 from Andrew Dunstan

Responses

Re: [HACKERS] PAM authentication fails for local UNIX users at 2007-09-14 03:53:30 from Bruce Momjian

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Magnus Hagander	2007-08-21 13:37:00	Re: tsearch2 patch status report
Previous Message	Heikki Linnakangas	2007-08-21 07:48:46	Re: Status of 8.3 patches

Browse pgsql-patches by date

	From	Date	Subject
Next Message	Andrew Chernow	2007-08-21 18:19:50	PGparam extension version 0.4
Previous Message	Tom Lane	2007-08-21 03:16:11	Re: Patch to correct 64-bit money type in 8.3devel