On Sat, 17 May 2003, Jason Clifford wrote:

> On Fri, 16 May 2003, ahoward wrote:
>
> > i had quite a difficult time getting pam authentication to work with
> > postgresql, as have a good deal many other people. turns out, since
> > postgresql runs as a non-privileged user, that pam was failing since the
> > process using it (postgresql) didn't have read permissions for /etc/shadow.
> >
> > now, i read the faq and this is mentioned, but i would like to confirm that
> > the only two approaches to this sort of problem are setuid type fixes and
> > normal file permission type fixes? can someone confirm this definitively?
>
> That's pretty much it yes.
>
> Do *NOT* however set the permissions you list in the subject line. That
> would completely undo all the benefits of using the shadow file rather
> than just /etc/passwd.
>
> The common solution to this is to create a group specifically for those
> processes/users authorised to read /etc/shadow and to give that group read
> permission on the file - ie:
>
>   addgroup shadow-readers
>   chgrp shadow-readers /etc/shadow
>   chmod 0440 /etc/shadow
>
> then simply add the necessary users (postgresql only in your case) to the
> group.
>
> Before you do this however check that you don't have any security
> enhancements on your system that will cause problems if you do this.

hmm. sounds great, but it doesn't seem to work?

  [root@xxxxx dsg]# grep etc /etc/group
  etcshadow:x:4002:root,postgres

  [root@xxxxx dsg]# ls -l /etc/shadow
  -r--r-----    1 root     etcshado     2526 May  8 20:09 /etc/shadow

  [root@xxxxx dsg]# groups postgres
  postgres : postgres etcshadow

so /etc/shadow is readable by anyone, like postgres, in the etcshadow group.

now on another host:

  ~ > psql -h omega
  Password:
  psql: FATAL:  PAM authentication failed for user "ahoward"

now if i do:

  [root@xxxxx dsg]# chmod 444 /etc/shadow

it (authentication by postgresql as user postgres) works.

alternatively i *could* add every user wishing connectivity to postgresql to
the etcshadow group, but in my case this is nearly identical to chmod 444?!

am i missing something completely obvious here? i realize this is not a great
situation but nothing 'safe' seems to work...

-a

-- 
====================================
| Ara Howard
| NOAA Forecast Systems Laboratory
| Information and Technology Services
| Data Systems Group
| R/FST 325 Broadway
| Boulder, CO 80305-3328
| Email: ara.t.howard@xxxxxxxxxxxx
| Phone: 303-497-7238
| Fax:   303-497-7259
====================================

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
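A check worth running before falling back to chmod 444, added here as an example and not part of the thread above: the kernel's read check on /etc/shadow consults the credentials the *running* daemon actually carries, not what /etc/group says about the account. Supplementary groups are assigned when a process starts (via initgroups() in login, su and friends), so a server that was already running when its user was added to the shadow group keeps its old group list until it is restarted, and `groups postgres` run from a root shell does not tell you what the server process holds. The script below re-implements the classic Unix owner/group/other read decision as a pure function, parses the `Groups:` line of /proc/PID/status (Linux layout assumed), and reports, for a given PID and file, whether that process can read the file and why. The sample status text and the group id 4002 are constructed for illustration; the `diagnose` helper is an assumed name, not a PAM or PostgreSQL tool.

```python
import os
import stat
import sys

def can_read(mode, file_uid, file_gid, uid, gid, supp_groups):
    """Classic Unix discretionary read check.

    Exactly one permission class applies: owner if uid matches, else group if
    the process's gid or any supplementary group matches, else other. Root
    bypasses the check entirely. ACLs, SELinux and other LSMs are out of scope;
    they can still deny a read this function approves (the "security
    enhancements" caveat from the thread).
    """
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if gid == file_gid or file_gid in supp_groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def groups_from_status(status_text):
    """Parse the 'Groups:' line of a /proc/<pid>/status file into a list of gids."""
    for line in status_text.splitlines():
        if line.startswith("Groups:"):
            return [int(g) for g in line.split(":", 1)[1].split()]
    return []

def ids_from_status(status_text):
    """Return (euid, egid) from the Uid:/Gid: lines (real, effective, saved, fs)."""
    euid = egid = None
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            euid = int(line.split()[2])
        elif line.startswith("Gid:"):
            egid = int(line.split()[2])
    return euid, egid

def diagnose(pid, path="/etc/shadow"):
    """Report whether process <pid> can read <path> under plain Unix DAC.

    Reads the live credentials from /proc, so it reflects what the daemon
    holds now, not what /etc/group would give it after a restart.
    """
    with open(f"/proc/{pid}/status") as f:
        status = f.read()
    euid, egid = ids_from_status(status)
    supp = groups_from_status(status)
    st = os.stat(path)
    ok = can_read(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, euid, egid, supp)
    return {
        "pid": pid, "euid": euid, "egid": egid, "supplementary": supp,
        "file_mode": oct(stat.S_IMODE(st.st_mode)), "file_gid": st.st_gid,
        "group_membership_in_effect": st.st_gid == egid or st.st_gid in supp,
        "readable": ok,
    }

# Constructed sample: what /proc/<pid>/status might show for a postgres server
# (uid/gid 26) started before its account was added to gid 4002.
SAMPLE_STATUS_STALE = "Name:\tpostmaster\nUid:\t26\t26\t26\t26\nGid:\t26\t26\t26\t26\nGroups:\t26 \n"
# ...and after a restart, once initgroups() picked up the new membership.
SAMPLE_STATUS_FRESH = "Name:\tpostmaster\nUid:\t26\t26\t26\t26\nGid:\t26\t26\t26\t26\nGroups:\t26 4002 \n"

if __name__ == "__main__":
    # Usage: python3 shadowcheck.py <pid> [path]
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    path = sys.argv[2] if len(sys.argv) > 2 else "/etc/shadow"
    for k, v in diagnose(pid, path).items():
        print(f"{k}: {v}")
```

If `group_membership_in_effect` is False for the server's PID while `groups postgres` lists the shadow group, the server simply needs to be restarted from a fresh login so it picks up the group. If it is True and `readable` is True yet authentication still fails with a 0440 file, the denial is coming from something outside plain file permissions (an LSM, or the way the PAM module handles non-root callers), which is the case where the thread's warning about "security enhancements" applies and chmod 444 is not the right fix.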