On Mon, 2003-05-19 at 20:14, ahoward wrote:
> On Sat, 17 May 2003, Jason Clifford wrote:
>
> > On Fri, 16 May 2003, ahoward wrote:
> >
> > > i had quite a difficult time getting pam authentication to work with
> > > postgresql, as have a good deal many other people. turns out, since
> > > postgresql runs as a non-privileged user, that pam was failing since the
> > > process using it (postgresql) didn't have read permissions for /etc/shadow.
> > >
> > > now, i read the faq and this is mentioned, but i would like to confirm that
> > > the only two approaches to this sort of problem are setuid type fixes and
> > > normal file permission type fixes? can someone confirm this definitively?
> >
> > That's pretty much it, yes.
> >
> > Do *NOT* however set the permissions you list in the subject line. That
> > would completely undo all the benefits of using the shadow file rather
> > than just /etc/passwd.
> >
> > The common solution to this is to create a group specifically for those
> > processes/users authorised to read /etc/shadow and to give that group read
> > permission on the file - ie:
> >
> >     addgroup shadow-readers
> >     chgrp shadow-readers /etc/shadow
> >     chmod 0440 /etc/shadow
> >
> > then simply add the necessary users (postgresql only in your case) to the
> > group.
> >
> > Before you do this however check that you don't have any security
> > enhancements on your system that will cause problems if you do this.
>
> hmm. sounds great, but it doesn't seem to work?
>
>     [root@xxxxx dsg]# grep etc /etc/group
>     etcshadow:x:4002:root,postgres
>
>     [root@xxxxx dsg]# ls -l /etc/shadow
>     -r--r-----    1 root     etcshado     2526 May  8 20:09 /etc/shadow
>
>     [root@xxxxx dsg]# groups postgres
>     postgres : postgres etcshadow
>
> so /etc/shadow is readable by anyone, like postgres, in the etcshadow group.
>
> now on another host:
>
>     ~ > psql -h omega
>     Password:
>     psql: FATAL:  PAM authentication failed for user "ahoward"
>
> now if i do:
>
>     [root@xxxxx dsg]# chmod 444 /etc/shadow
>
> it (authentication by postgresql as user postgres) works.
>
> alternatively i *could* add every user wishing connectivity to postgresql to
> the etcshadow group, but in my case this is nearly identical to chmod 444?!
>
> am i missing something completely obvious here? i realize this is not a great
> situation but nothing 'safe' seems to work...

Try pwunconv? Maybe you don't need shadow at all? The choice is yours :)

On the other hand, try a groupname that is 8 or less chars long.

--Allen

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
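A permission check for the group-based setup Jason describes in the thread above, added here as an example and not part of the original messages. It applies the Unix access rule (owner bits, else group bits, else "other" bits) to a file's mode and a user's group list, and separately flags a world-readable mode such as the `chmod 444` the thread warns against. The function names `shadow_access`, `world_readable` and `check_shadow` are my own; `check_shadow` assumes Linux with GNU `stat` and `id -Gn`.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Report which permission class grants
# USER read access to a file, following the Unix rule: owner bits if the user
# owns the file, else group bits if the user is in the file's group, else
# "other" bits.
#
# shadow_access MODE OWNER GROUP USER "GROUP1 GROUP2 ..."
# prints owner-read | group-read | world-read | denied
shadow_access() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    # keep the last three octal digits (drops a leading 0 or setuid digit)
    perms=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    u=$(printf '%s' "$perms" | cut -c1)
    g=$(printf '%s' "$perms" | cut -c2)
    o=$(printf '%s' "$perms" | cut -c3)
    who=world bits=$o
    if [ "$user" = "$owner" ]; then
        who=owner bits=$u
    else
        for gr in $groups; do
            # the file's group is one of the user's supplementary groups
            [ "$gr" = "$group" ] && { who=group bits=$g; break; }
        done
    fi
    # the read permission is the 4 bit of each octal digit
    if [ $((bits & 4)) -ne 0 ]; then
        echo "$who-read"
        return 0
    fi
    echo denied
    return 1
}

# Succeeds when the "other" read bit is set, i.e. the file is readable by
# every account on the host (what chmod 444 does to /etc/shadow).
world_readable() {
    o=$(printf '%s' "$1" | sed 's/.*\(.\)$/\1/')
    [ $((o & 4)) -ne 0 ]
}

# Live wrapper (Linux, GNU stat): check_shadow USER [FILE]
check_shadow() {
    user=$1 file=${2:-/etc/shadow}
    set -- $(stat -c '%a %U %G' "$file") || return 2
    world_readable "$1" && echo "WARNING: $file is world-readable" >&2
    shadow_access "$1" "$2" "$3" "$user" "$(id -Gn "$user")"
}
```

Run `check_shadow postgres` as root to see whether the service account reaches the file through the group (expected `group-read`) rather than through a world-readable mode.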