Re: chmod 444 /etc/shadow

[Gary Algier <gaa@xxxxxxxxxxx>]

ahoward wrote:
> On Mon, 19 May 2003, Gary Algier wrote:
>
>
> > This sort-of depends on hw postgres gets started.  If the daemon is directly
> > started, the you might need:
> >     chmod g+s /usr/bin/postgres
> >     chgrp etcshadow /usr/bin/postgres
> > so that the daemon _runs_ in the given group.
>
>
> not this way...
>
>
> > If, on the other hand the daemon is started like:
> >     su postgres -c "... /usr/bin/postgres ...",
>
>
> this is how it's started
>
>
> > then try this:
> >     su postgres -c "id"
> > to see what groups postgres is really in.
>
>
> [root@xxxxx dsg]# su postgres -c "id"
> uid=26(postgres) gid=26(postgres) groups=26(postgres),4002(shadow)
>
> so looks as if the daemon runs with gid postgres...  i guess the groups() are
> not sufficient.  i'm not sure what it would do to change postgres' group - it
> is a very sensitive daemon with respect to permissions.... back at square one.
>
>
>
> > I would also try a "legal" group (<= 8 characters in length) just in case that
> > is the problem.
>
>
> i did try this - no go.
>
> -a
> --
>   ====================================
>   | Ara Howard
>   | NOAA Forecast Systems Laboratory
>   | Information and Technology Services
>   | Data Systems Group
>   | R/FST 325 Broadway
>   | Boulder, CO 80305-3328
>   | Email: ara.t.howard@xxxxxxxxxxxx
>   | Phone:  303-497-7238
>   | Fax:    303-497-7259
>   ====================================
>
>
> _______________________________________________
>
> Pam-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/pam-list

I just tested some of this on my linux system:
    root@xxxxxx 64% ls -l /etc/shadow
    -r--r-----    1 root     shadow       1364 May 13 14:16 /etc/shadow
    root@xxxxxx 65% grep shadow /etc/group
    shadow:x:11:postgres
    root@xxxxxx 66% su postgres -c id
    uid=26(postgres) gid=26(postgres) groups=26(postgres),11(shadow)
    root@xxxxxx 67% su postgres -c "grep games /etc/shadow"
    games:*:12160:0:99999:7:::

As you can see a process started with "su postgres -c ..." _can_ read the shadow
file (with appropriate modes, ownership, etc.).  So unless the postgres process 
goes out of its way to do a "setgroups()" system call it _has_to_ work.


--
Gary Algier, WB2FWZ          gaa at ulticom.com             +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054      Fax:+1 856 866 2033


_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list