ahoward wrote:
On Sat, 17 May 2003, Jason Clifford wrote:
On Fri, 16 May 2003, ahoward wrote:
i had quite a difficult time getting pam authentication to work with
postgresql, as have a good deal many other people. turns out, since
postgresql runs as a non-privileged user, that pam was failing since the
process using it (postgresql) didn't have read permissions for /etc/shadow.
now, i read the faq and this is mentioned, but i would like to confirm that
the only two approaches to this sort of problem are setuid type fixes and
normal file permission type fixes? can someone confirm this definitively?
That's pretty much it yes.
Do *NOT* however set the permissions you list in the subject line. That
would completely undo all the benefits of using the shadow file rather
than just /etc/passwd.
The common solution to this is to create a group specifically for those
processes/users authorised to read /etc/shadow and to give that group read
permission on the file - ie:
addgroup shadow-readers
chgrp shadow-readers /etc/shadow
chmod 0440 /etc/shadow
then simply add the necessary users (postgresql only in your case) to the
group.
Before you do this however check that you don't have any security
enhancements on your system that will cause problems if you do this.
hmm. sounds great, but it doesn't seem to work?
[root@xxxxx dsg]# grep etc /etc/group
etcshadow:x:4002:root,postgres
[root@xxxxx dsg]# ls -l /etc/shadow
-r--r----- 1 root etcshado 2526 May 8 20:09 /etc/shadow
[root@xxxxx dsg]# groups postgres
postgres : postgres etcshadow
so /etc/shadow is readable by anyone, like postgres, in the etcshadow group.
now on another host:
~ > psql -h omega
Password:
psql: FATAL: PAM authentication failed for user "ahoward"
now if i do:
[root@xxxxx dsg]# chmod 444 /etc/shadow
it (authentication by postgresql as user postgres) works.
alternatively i *could* add every user wishing connectivity to postgresql to
the etcshadow group, but in my case this is nearly identical to chmod 444?!
am i missing something completely obvious here? i realize this is not a great
situation but nothing 'safe' seems to work...
-a
--
====================================
| Ara Howard
| NOAA Forecast Systems Laboratory
| Information and Technology Services
| Data Systems Group
| R/FST 325 Broadway
| Boulder, CO 80305-3328
| Email: ara.t.howard@xxxxxxxxxxxx
| Phone: 303-497-7238
| Fax: 303-497-7259
====================================
_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
This sort-of depends on how postgres gets started. If the daemon is directly
started, then you might need:
chmod g+s /usr/bin/postgres
chgrp etcshadow /usr/bin/postgres
so that the daemon _runs_ in the given group.
If, on the other hand, the daemon is started like:
su postgres -c "... /usr/bin/postgres ...",
then try this:
su postgres -c "id"
to see what groups postgres is really in.
I would also try a "legal" group (<= 8 characters in length) just in case that
is the problem.
--
Gary Algier, WB2FWZ gaa at ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033
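A small diagnostic along the lines of Gary's "su postgres -c id" advice, added here and not written by anyone in this thread: it reads the groups a running process actually holds from /proc/PID/status (which is what the kernel consults, unlike /etc/group, which only takes effect at login/su time) and decides whether that process could read a root-owned, group-readable file such as /etc/shadow. It assumes Linux /proc and GNU stat; the pid and file are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from anyone in this thread): decide whether a running
# daemon can read a group-readable file such as /etc/shadow by looking at the
# groups the process *actually* carries (/proc/PID/status), which is what the
# kernel checks, rather than at /etc/group, which only applies at login/su time.

# proc_gids PID -> the process's fs GID followed by its supplementary GIDs.
# "Gid:" lists real/effective/saved/fs gids; "Groups:" is the supplementary set.
proc_gids() {
    awk '/^Gid:/    { printf "%s ", $5 }
         /^Groups:/ { for (i = 2; i <= NF; i++) printf "%s ", $i }' "/proc/$1/status"
}

# has_gid "GID LIST" GID -> 0 if GID appears in the list.
has_gid() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# can_read "GID LIST" FILE_GID MODE -> 0 if a non-root process holding those
# GIDs may read a file owned by root:FILE_GID with the given octal MODE.
# (Owner access is ignored: the daemon is assumed not to run as root.)
can_read() {
    gids=$1; fgid=$2; mode=$3
    case $mode in 0*) ;; *) mode="0$mode" ;; esac   # force octal parsing
    if [ $(( $mode & 04 )) -ne 0 ]; then
        return 0      # world-readable (the chmod 444 case): anyone can read it
    fi
    [ $(( $mode & 040 )) -ne 0 ] && has_gid "$gids" "$fgid"
}

# check_pid PID FILE -> 0 if the process can read FILE; prints the verdict.
# Needs /proc and GNU stat, e.g.: check_pid "$(pidof postgres | cut -d' ' -f1)" /etc/shadow
check_pid() {
    gids=$(proc_gids "$1")
    fgid=$(stat -c %g "$2"); mode=$(stat -c %a "$2")
    if can_read "$gids" "$fgid" "$mode"; then
        echo "pid $1 (gids: $gids) CAN read $2 (gid $fgid, mode $mode)"
    else
        echo "pid $1 (gids: $gids) CANNOT read $2 (gid $fgid, mode $mode)"; return 1
    fi
}
```

If check_pid says CANNOT while /etc/group lists the user in the group, the daemon was started without that group (the case Gary describes), so fix how it is launched rather than loosening the file mode.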