From: | Dhanaraj M <Dhanaraj(dot)M(at)Sun(dot)COM> |
---|---|
To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-patches(at)postgresql(dot)org |
Subject: | Re: Doc-patch: PAM authentication fails for local UNIX users |
Date: | 2007-12-22 04:58:38 |
Message-ID: | 476C997E.6090201@sun.com |
Lists: | pgsql-patches |
>>>
>>> This is the continuation to the discussion that we had in the
>>> hacker's list.
>>> http://archives.postgresql.org/pgsql-hackers/2007-08/msg00684.php
>>>
>>>
>>> Here, I'd like to add some details in 20.2.6. PAM authentication section.
>>> http://www.postgresql.org/docs/8.2/interactive/auth-methods.html#AUTH-PAM
>>>
>>>
>>> Can someone review and make changes, if required? Thanks.
>>>
>>
>> Eh, those extensions are only valid if you use PAM with a shadow
>> password
>> file, no? You shouldn't need root if you use say PAM-with-LDAP?
>>
>
> Also, it strikes me that granting the postgres user read access to the
> shadow file is probably very poor security practice, and not something
> I would want to recommend without considerable thought. What we should
> say, rather, is that PAM auth is likely to fail if your PAM is set up
> to use the shadow file rather than an auth source such as LDAP which
> does not require privileged file access.
>
>
Is this change Ok?
*** client-auth.sgml.orig Tue Aug 21 16:52:45 2007
--- client-auth.sgml Tue Aug 21 17:02:52 2007
***************
*** 987,992 ****
--- 987,1001 ----
and the <ulink url="http://www.sun.com/software/solaris/pam/">
<systemitem class="osname">Solaris</> PAM Page</ulink>.
</para>
+
+ <note>
+ <para>
+ If your PAM is set up to use the shadow file, the PAM authentication
+ is likely to fail for local UNIX users because the postgresql server
+ is started by a non-root user. However, this is not an issue
+ when LDAP or other authentication mechanism is used.
+ </para>
+ </note>
</sect2>
</sect1>
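Review bot: the added note names the symptom (PAM fails for local UNIX users when the server runs as a non-root account) but not the cause, and the thread above makes clear why that matters: the shadow file is readable only by root, and the remedy the list wants documented is to use an auth source such as LDAP that needs no privileged file access, not to grant the server account read access to the shadow file. Consider wording the middle sentence so that it states the cause and rules out the wrong fix, for example "the shadow password file is readable only by root, so the <productname>PostgreSQL</> server, which runs as an unprivileged user, cannot verify local passwords through PAM; use an authentication source that does not require privileged file access instead of giving the server read access to the shadow file." Two smaller points in the same hunk: "postgresql server" should use the docs' product markup (`<productname>PostgreSQL</>`) as the surrounding text does for `<systemitem class="osname">Solaris</>`, and "when LDAP or other authentication mechanism is used" reads better as "when LDAP or another authentication mechanism is used".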
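The situation the note describes, as an added diagnostic (not part of this patch or of PostgreSQL): a small POSIX shell script that checks whether the PAM service stack the server would use pulls in the shadow-backed `pam_unix` module and, if so, whether the account running the server can actually read the shadow file. The default paths `/etc/pam.d/postgresql` (the default PAM service name for PostgreSQL) and `/etc/shadow` are assumptions about a Linux layout; the functions take the paths as parameters so the check can also be run against constructed sample files.

```shell
#!/bin/sh
# Added example, not code from the patch or from PostgreSQL. Assumptions:
# the PAM service name is "postgresql" (the PostgreSQL default), the
# shadow-backed module is pam_unix, and the Linux file layout applies.
# Limitation: "include"/"substack" directives are not followed, so a stack
# that reaches pam_unix only through a common-auth file is reported as not
# using it.

# pam_uses_shadow SERVICE_FILE
#   returns 0 if an auth or account line of the stack references pam_unix,
#   1 if it does not, 2 if the service file cannot be read
pam_uses_shadow() {
    [ -r "$1" ] || return 2
    grep -Eq '^[[:space:]]*(auth|account)[[:space:]]+[^#]*pam_unix' "$1"
}

# shadow_readable FILE: returns 0 if the current user can read FILE
shadow_readable() {
    [ -r "$1" ]
}

# diagnose SERVICE_FILE SHADOW_FILE
#   0: PAM does not depend on the shadow file (LDAP etc.), nothing to do
#   1: pam_unix in use and the shadow file is readable: authentication works,
#      but only because this account holds privileged access to the file
#   2: the PAM service file is missing or unreadable
#   3: pam_unix in use and the shadow file is not readable: this is the
#      failure the documentation note describes
diagnose() {
    svc="$1"; shadow="$2"; me=$(id -un)
    pam_uses_shadow "$svc"
    case $? in
        2) echo "cannot read PAM service file '$svc'"; return 2 ;;
        1) echo "PAM service '$svc' does not use pam_unix; shadow access not required"; return 0 ;;
    esac
    if shadow_readable "$shadow"; then
        echo "pam_unix in use and '$shadow' is readable by $me: works, but only through privileged file access"
        return 1
    fi
    echo "pam_unix in use but '$shadow' is not readable by $me: PAM authentication of local accounts will fail"
    return 3
}

# Usage on a live system (assumed Linux paths):
#   sh pam_shadow_check.sh /etc/pam.d/postgresql /etc/shadow
[ "$#" -eq 2 ] && diagnose "$1" "$2"
```

Run it as the account that starts the server; a return code of 3 is the condition the note documents, and the intended response per the thread is to move the PAM stack to an auth source that does not need the shadow file rather than to widen the shadow file's permissions.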