On Fri, 16 May 2003, ahoward wrote:

> i had quite a difficult time getting pam authentication to work with
> postgresql, as have a good deal many other people. turns out, since
> postgresql runs as a non-privileged user, that pam was failing since the
> process using it (postgresql) didn't have read permissions for /etc/shadow.
>
> now, i read the faq and this is mentioned, but i would like to confirm that
> the only two approaches to this sort of problem are setuid type fixes and
> normal file permission type fixes? can someone confirm this definitively?

That's pretty much it yes.

Do *NOT* however set the permissions you list in the subject line. That would completely undo all the benefits of using the shadow file rather than just /etc/passwd.

The common solution to this is to create a group specifically for those processes/users authorised to read /etc/shadow and to give that group read permission on the file - ie:

    addgroup shadow-readers
    chgrp shadow-readers /etc/shadow
    chmod 0440 /etc/shadow

then simply add the necessary users (postgresql only in your case) to the group.

Before you do this however check that you don't have any security enhancements on your system that will cause problems if you do this.

Jason Clifford
--
Linux Consultants Ltd
http://www.linuxconsultants.ltd.uk/
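
An added example, not part of the original message: a small Python audit that checks a shadow-style file for the state the reply recommends (no world bits, group limited to read) and lists who is in the owning group. The function names and the sample modes run against a constructed temp file are assumptions made for illustration.

```python
import grp
import os
import pwd
import stat
import tempfile


def group_members(gid):
    """Return (group name, users with this gid as primary or supplementary group)."""
    try:
        entry = grp.getgrgid(gid)
        name, members = entry.gr_name, set(entry.gr_mem)
    except KeyError:  # gid has no entry in the group database
        name, members = str(gid), set()
    members.update(u.pw_name for u in pwd.getpwall() if u.pw_gid == gid)
    return name, sorted(members)


def audit_shadow(path="/etc/shadow", expected_group=None):
    """Report mode, group, group members and findings for a shadow-style file."""
    st = os.stat(path)  # stat() needs no read permission on the file itself
    mode = stat.S_IMODE(st.st_mode)
    group, members = group_members(st.st_gid)
    findings = []
    if mode & stat.S_IRWXO:
        findings.append("world permission bits set")
    if mode & (stat.S_IWGRP | stat.S_IXGRP):
        findings.append("group has more than read access")
    if expected_group is not None and group != expected_group:
        findings.append(f"group is {group!r}, expected {expected_group!r}")
    return {"mode": f"{mode:04o}", "group": group,
            "members": members, "findings": findings}


def demo():
    """Run the audit on a constructed temp file for several sample modes."""
    results = {}
    with tempfile.NamedTemporaryFile() as tmp:
        for sample in (0o440, 0o644, 0o460):
            os.chmod(tmp.name, sample)
            results[f"{sample:04o}"] = audit_shadow(tmp.name)["findings"]
    return results


if __name__ == "__main__":
    for mode, findings in demo().items():
        print(mode, findings or "ok")
```

On a real system, call audit_shadow("/etc/shadow", expected_group="shadow-readers") and review the returned "members" list, since every account in it can read the password hashes.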