Re: authentication question - Mailing list pgsql-general

From Craig White
Subject Re: authentication question
Date
Msg-id 1163094504.19049.19.camel@lin-workstation.azapple.com
In response to Re: authentication question  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: authentication question
List pgsql-general
On Thu, 2006-11-09 at 11:51 -0500, Tom Lane wrote:
> Craig White <craigwhite@azapple.com> writes:
> > I haven't had to fool too much with pam for authenticating other
> > services so I'm a little bit out of my knowledge base but I know that it
> > was simple to add netatalk into the pam authentication and expected that
> > postgresql would be similar.
>
> FWIW, we ship this PAM config file in the Red Hat PG RPMs:
>
> #%PAM-1.0
> auth        include        system-auth
> account        include        system-auth
>
> which AFAIR looks about the same as the corresponding files for other
> services.  It's installed as /etc/pam.d/postgresql.
----
that doesn't work at all... /var/log/messages reports...
Nov  9 10:26:33 srv1 postgres[6034]: PAM unable to dlopen(/lib/security/system-auth)
Nov  9 10:26:33 srv1 postgres[6034]: PAM [dlerror: /lib/security/system-auth: cannot open shared object file: No such file or directory]

as for what is included BY Red Hat in their postgresql-server rpm...
# rpm -ql postgresql-server|grep pam

returns nothing which makes me double check the spec file on the RPM
which has...
# grep pam /usr/src/redhat/SPECS/postgresql.spec
#work around the undefined or defined to 1 build 6x interaction with the pam stuff
%{!?build6x:%define non6xpamdeps 1}
%{?build6x:%define non6xpamdeps 0}
%{!?pam:%define pam 1}
%if %pam
%if %non6xpamdeps
BuildPrereq: pam-devel
%if %pam
        --with-pam \

a search of Red Hat's bugzilla shows all postgresql bugs closed and
nothing reporting a problem with pam  ;-(

and since it does attempt to call pam (as I am seeing in logs), I am
certain that pam option is compiled.

I'm virtually certain that I am better off pointing
to /etc/pam.d/system-auth which clearly works for sshd logins
----
>
> I concur with the other response that you need to find out where the
> "Permission denied" failure is coming from.  There is no "audit_open"
> in the Postgres sources so it sounds like an internal failure in the PAM
> libraries.  If nothing else comes to mind, try strace'ing the postmaster
> to see what kernel call draws that failure.
----
pretty short strace but I can't see anything that jumps at me and says
aha...

# strace -p 3267
Process 3267 attached - interrupt to quit
select(6, [3 5], NULL, NULL, {95, 566000}) = 1 (in [3], left {88, 881000})
rt_sigprocmask(SIG_SETMASK, ~[ILL TRAP ABRT BUS FPE SEGV CONT SYS RTMIN RT_1], NULL, 8) = 0
accept(3, {sa_family=AF_INET, sin_port=htons(56844), sin_addr=inet_addr("192.168.2.10")}, [16]) = 9
getsockname(9, {sa_family=AF_INET, sin_port=htons(5432), sin_addr=inet_addr("192.168.2.1")}, [16]) = 0
setsockopt(9, SOL_TCP, TCP_NODELAY, [1], 4) = 0
setsockopt(9, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7f2e708) = 5921
close(9)                                = 0
time(NULL)                              = 1163093004
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
select(6, [3 5], NULL, NULL, {89, 0})   = ? ERESTARTNOHAND (To be restarted)
--- SIGCHLD (Child exited) @ 0 (0) ---
rt_sigprocmask(SIG_SETMASK, ~[ILL TRAP ABRT BUS FPE SEGV CONT SYS RTMIN RT_1], NULL, 8) = 0
waitpid(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], WNOHANG) = 5921
send(6, "\2\0\0\0\30\0\0\0\0\0\0\0!\27\0\0\0\0\0\0\0\0\0\0", 24, 0) = 24
waitpid(-1, 0xbfecf5fc, WNOHANG)        = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
sigreturn()                             = ? (mask now [])
rt_sigprocmask(SIG_SETMASK, ~[ILL TRAP ABRT BUS FPE SEGV CONT SYS RTMIN RT_1], NULL, 8) = 0
time(NULL)                              = 1163093004
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
select(6, [3 5], NULL, NULL, {89, 0} <unfinished ...>
Process 3267 detached
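
An added example (not part of the original message, and not PostgreSQL or Red Hat code): a short Python script that ties the dlopen failure in the syslog lines above back to the rules in the PAM service file that name the missing path. The config and log text are copied from the message with the mail line-wrapping undone; resolving a relative third field under /lib/security is an assumption based on the path shown in the log, and the function names are hypothetical.

```python
import re

# Constructed sample input: the service file and syslog lines quoted in the
# message, with the e-mail line wrapping undone.
SERVICE_FILE = """\
#%PAM-1.0
auth        include        system-auth
account        include        system-auth
"""
SYSLOG = """\
Nov  9 10:26:33 srv1 postgres[6034]: PAM unable to dlopen(/lib/security/system-auth)
Nov  9 10:26:33 srv1 postgres[6034]: PAM [dlerror: /lib/security/system-auth: cannot open shared object file: No such file or directory]
"""
MODULE_DIR = "/lib/security"  # assumption: taken from the dlopen path in the log

# type, control (a single word or a [bracketed] list), then the third field
RULE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")
DLOPEN = re.compile(r"PAM unable to dlopen\(([^)]+)\)")

def parse_service(text):
    """Yield (lineno, type, control, third_field) for each rule line."""
    for n, line in enumerate(text.splitlines(), 1):
        m = RULE.match(line.split("#", 1)[0].strip())  # drop comments
        if m:
            yield (n,) + m.groups()

def failed_dlopens(log):
    """Return the set of paths named in 'PAM unable to dlopen' log lines."""
    return set(DLOPEN.findall(log))

def resolve(field):
    """Path a relative third field maps to when it is loaded as a module."""
    return field if field.startswith("/") else f"{MODULE_DIR}/{field}"

def blame(service_text, log):
    """List the service-file rules whose third field matches a failed dlopen."""
    failed = failed_dlopens(log)
    return [r for r in parse_service(service_text) if resolve(r[3]) in failed]

if __name__ == "__main__":
    for n, typ, control, field in blame(SERVICE_FILE, SYSLOG):
        print(f"line {n}: {typ} {control} {field} -> dlopen({resolve(field)}) failed")
```

Both rules in the quoted service file are reported, which matches the log: the third field of each line was handed to dlopen as a module path.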


