Re: chmod 444 /etc/shadow

ahoward wrote:
On Sat, 17 May 2003, Jason Clifford wrote:


On Fri, 16 May 2003, ahoward wrote:


i had quite a difficult time getting pam authentication to work with
postgresql, as have a good deal many other people.  turns out, since
postgresql runs as a non-privileged user, that pam was failing since the
process using it (postgresql) didn't have read permissions for /etc/shadow.

now, i read the faq and this is mentioned, but i would like to confirm that
the only two approaches to this sort of problem are setuid type fixes and
normal file permission type fixes?  can someone confirm this definitively?

That's pretty much it yes.


Do *NOT* however set the permissions you list in the subject line. That
would completely undo all the benefits of using the shadow file rather
than just /etc/passwd.

The common solution to this is to create a group specifically for those
processes/users authorised to read /etc/shadow and to give that group read
permission on the file - ie:

addgroup shadow-readers
chgrp shadow-readers /etc/shadow
chmod 0440 /etc/shadow

then simply add the necessary users (postgresql only in your case) to the
group.

Before you do this however check that you don't have any security
enhancements on your system that will cause problems if you do this.


hmm. sounds great, but it doesn't seem to work?

  [root@xxxxx dsg]# grep etc /etc/group
  etcshadow:x:4002:root,postgres

  [root@xxxxx dsg]# ls -l /etc/shadow
  -r--r-----    1 root     etcshado     2526 May  8 20:09 /etc/shadow

  [root@xxxxx dsg]# groups postgres
  postgres : postgres etcshadow

so /etc/shadow is readable by anyone, like postgres, in the etcshadow group.

now on another host:

  ~ > psql -h omega
  Password:
  psql: FATAL:  PAM authentication failed for user "ahoward"

now if i do:

[root@xxxxx dsg]# chmod 444 /etc/shadow

it (authentication by postgresql as user postgres) works.


alternatively i *could* add every user wishing connectivity to postgresql to the etcshadow group, but in my case this is nearly identical to chmod 444?!

am i missing something completely obvious here?  i realize this is not a great
situation but nothing 'safe' seems to work...

-a
--
  ====================================
  | Ara Howard
  | NOAA Forecast Systems Laboratory
  | Information and Technology Services
  | Data Systems Group
  | R/FST 325 Broadway
  | Boulder, CO 80305-3328
  | Email: ara.t.howard@xxxxxxxxxxxx
  | Phone:  303-497-7238
  | Fax:    303-497-7259
  ====================================


_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list

This sort of depends on how postgres gets started. If the daemon is directly started, then you might need:
    chmod g+s /usr/bin/postgres
    chgrp etcshadow /usr/bin/postgres
so that the daemon _runs_ in the given group.

If, on the other hand, the daemon is started like:
    su postgres -c "... /usr/bin/postgres ...",
then try this:
    su postgres -c "id"
to see what groups postgres is really in.

I would also try a "legal" group (<= 8 characters in length) just in case that
is the problem.

--
Gary Algier, WB2FWZ          gaa at ulticom.com             +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054      Fax:+1 856 866 2033
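As an added example, not from any message in this thread, the check Gary describes written as a POSIX shell script: it takes the `id` output for the service account and the mode and owning group of /etc/shadow as `ls -l` prints them, and reports whether the account gets read access through the group, has no access at all, or whether the file has been made world-readable. The `id` lines, the uid 26 and the group name etcshadow are constructed sample data modelled on the outputs quoted above.

```shell
#!/bin/sh
# Added example, not from any message in this thread. Inputs are constructed:
# in real use the id output comes from `su postgres -c id` and the mode and
# group from `ls -l /etc/shadow`, as suggested above.

# 0 if an `ls -l` mode string such as -r--r----- grants read to "other".
world_readable() {
    case "$1" in ???????r??) return 0 ;; *) return 1 ;; esac
}

# 0 if the same mode string grants read to the owning group.
group_readable() {
    case "$1" in ????r?????) return 0 ;; *) return 1 ;; esac
}

# 0 if `id` output ($1) lists group $2 among the account's effective groups.
# Matching with the parentheses keeps "(postgres)" from matching "(postgresql)".
in_group() {
    case "$1" in *"($2)"*) return 0 ;; *) return 1 ;; esac
}

# Print one verdict for an account ($1 = id output) against /etc/shadow
# ($2 = mode string, $3 = owning group): world-readable, group-ok or no-access.
# A group name over 8 characters is noted on stderr, as the thread suggests
# trying a shorter one; it does not change the verdict.
audit() {
    id_out=$1 mode=$2 fgroup=$3
    [ ${#fgroup} -le 8 ] || echo "note: group '$fgroup' is longer than 8 chars" >&2
    if world_readable "$mode"; then
        echo world-readable   # the chmod 444 state: every local user can read the hashes
    elif group_readable "$mode" && in_group "$id_out" "$fgroup"; then
        echo group-ok
    else
        echo no-access        # e.g. daemon started directly and never picked up the group
    fi
}

# Constructed sample data modelled on the outputs quoted in the thread.
ID_SU='uid=26(postgres) gid=26(postgres) groups=26(postgres),4002(etcshadow)'
ID_DIRECT='uid=26(postgres) gid=26(postgres) groups=26(postgres)'
MODE_0440='-r--r-----'
MODE_0444='-r--r--r--'

printf 'via su, 0440:       %s\n' "$(audit "$ID_SU"     "$MODE_0440" etcshadow)"
printf 'direct start, 0440: %s\n' "$(audit "$ID_DIRECT" "$MODE_0440" etcshadow)"
printf 'direct start, 0444: %s\n' "$(audit "$ID_DIRECT" "$MODE_0444" etcshadow)"
```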


