From: | ahoward <ahoward(at)fsl(dot)noaa(dot)gov> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Subject: | pam-linux, /etc/shadow : HOW-TO |
Date: | 2003-05-20 19:13:29 |
Message-ID: | Pine.LNX.4.53.0305201902160.11310@eli.fsl.noaa.gov |
Lists: | pgsql-advocacy pgsql-docs pgsql-general |
note: i'm no sysad, nor do i even pretend to understand pam, the linux kernel,
or postgresql, but this setup is a safe, working, postgresql/linux/pam setup.

0) configure postgresql for pam, for example

```
[root(at)omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf
host all all 137.75.0.0 255.255.0.0 pam
```

1) create a /etc/pam.d/postgresql entry, here's how i did mine

```
[root(at)omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql
```

i don't know if it's the best setup, but it works! mine looks like this

```
[root(at)omega tmp]# cat /etc/pam.d/postgresql
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
```

2) create a shadow group which will be used for users needing read access to
/etc/shadow, and add postgres (or whatever user the postmaster runs as) to
this entry. i used vi to add this entry to /etc/group

```
[root(at)omega tmp]# grep shadow /etc/group
shadow:*:4002:root,postgres
```

root probably does not *need* to be added.

note the '*' vs. an 'x' in the password field. if you place an 'x' there
you will also have to set up /etc/gshadow - i did not want to do this. if
you don't set up /etc/gshadow pam will NOT work if an 'x' is in the password
field - at least with my linux system.

3) make /etc/shadow group shadow

```
[root(at)omega tmp]# chgrp shadow /etc/shadow
```

4) chmod 0440 /etc/shadow

essentially, pam will not work with postgres since the daemon needs at some
point, no matter how many library calls deep, to open and read /etc/shadow
(assuming this is how your system is using pam). you must have some solution
which allows postgres, but not everyone, to read /etc/shadow. others probably
exist.
-a
--
====================================
| Ara Howard
| NOAA Forecast Systems Laboratory
| Information and Technology Services
| Data Systems Group
| R/FST 325 Broadway
| Boulder, CO 80305-3328
| Email: ara(dot)t(dot)howard(at)fsl(dot)noaa(dot)gov
| Phone: 303-497-7238
| Fax: 303-497-7259
====================================
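An audit script for the setup described in the post above, added here as an example (it is not part of the original message). Every path, user and group name is a parameter you supply, so it can be run against copies of the files; it verifies the shadow group membership, the '*' password field, the 0440 mode on /etc/shadow, and which pg_hba.conf lines actually route through pam.

```shell
#!/bin/sh
# Audit helper for the postgres/pam/shadow setup above. Added example, not
# part of the original post; every path and expected name is a parameter
# (an assumption you supply), so it can be run against copies of the files.
# Each function exits 0 when the check passes.

# Does group file $1 hold a "shadow" group whose password field is '*'
# (so no /etc/gshadow entry is needed) and whose member list contains $2?
shadow_group_has_user() {
    awk -F: -v u="$2" '
        $1 == "shadow" { pw = $2; n = split($4, m, ",")
                         for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !(found && pw == "*") }' "$1"
}

# Print members of the shadow group in $1 that are not in the expected
# space-separated list $2; empty output means nobody extra can read shadow.
unexpected_shadow_members() {
    awk -F: -v ok=" $2 " '
        $1 == "shadow" { n = split($4, m, ",")
                         for (i = 1; i <= n; i++)
                             if (m[i] != "" && index(ok, " " m[i] " ") == 0)
                                 print m[i] }' "$1"
}

# File $1 must be mode r--r----- (0440) and owned by group $2: root and the
# shadow group can read it, nobody else can.
shadow_file_ok() {
    line=$(ls -ld "$1") || return 1
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    grp=$(printf '%s\n' "$line" | awk '{ print $4 }')
    [ "$mode" = "-r--r-----" ] && [ "$grp" = "$2" ]
}

# Print the non-comment lines of pg_hba.conf $1 whose auth method is pam,
# so you can confirm only the intended networks reach the pam path.
pam_hba_lines() {
    awk '!/^[[:space:]]*#/ { for (i = 4; i <= NF; i++)
                             if ($i == "pam") { print; break } }' "$1"
}

# Usage against the live system (assumed paths from the post):
#   shadow_group_has_user /etc/group postgres
#   unexpected_shadow_members /etc/group "root postgres"
#   shadow_file_ok /etc/shadow shadow
#   pam_hba_lines /usr/local/pgsql/data/pg_hba.conf
```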