Re: PAM authentication fails for local UNIX users - Mailing list pgsql-hackers

From Zdenek Kotala
Subject Re: PAM authentication fails for local UNIX users
Date
Msg-id 46C98A8E.5030503@sun.com
In response to Re: PAM authentication fails for local UNIX users  (Andrew Dunstan <andrew@dunslane.net>)
Responses Re: PAM authentication fails for local UNIX users
List pgsql-hackers
Andrew Dunstan wrote:
> Dhanaraj M wrote:
>>
>> The non-root user does not have the permission to read other UNIX
>> local users' passwords.
>> I found two solutions:
>>
>> 1. usermod -K defaultpriv=Basic,file_dac_read  postgres
>>
>>  - Gives the privilege to read all files. This solution works. Is it the
>> right way to do it?
>>
>> 2. chmod +s processName
>>
>>  - This does not work, because postgres never allows this.
>>
>> Is there any other solution to this problem?
>
> Usage questions really don't belong on -hackers - in future please use
> -general. Both your proposed solutions are utterly insecure.

The problem Dhanaraj is trying to address is how to securely solve the problem
with PAM and local users. Other servers (e.g. sshd) allow the master process to
run as root (with limited privileges) and the forked processes to run as a normal
user. But PostgreSQL requires being started as a non-root user. That prevents
using this common pattern.

There is an important question:

Is the current requirement to run PostgreSQL as a non-root user OK? If yes, then
we must update the PAM documentation to explain this situation, which will never
work securely. Or if we say no, it is a stupid limitation (in the case where
UID 0 says nothing about the user's privileges), then we must start a discussion
about a solution.

> See http://itc.musc.edu/wiki/PostgreSQL for some discussion of using
> PAM for postgres auth.

It also offers the same insecure solution of adding read permission on shadow
for the postgresql user.

    Zdenek
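As an added audit helper, not from this thread or the PostgreSQL project, the POSIX shell script below flags the two workarounds Dhanaraj proposed: file_dac_read granted to the postgres account through defaultpriv in /etc/user_attr (what the usermod -K command in the thread writes) and a setuid bit on the server executable. The user_attr line layout (user:qualifier:res1:res2:attr) and the default binary path are assumptions.

```shell
#!/bin/sh
# Audit helper (added example): detect the insecure PAM workarounds
# discussed in the thread. Pure string functions first, so they can be
# checked on constructed input; audit_host applies them to a live host.

# Returns 0 if a Solaris /etc/user_attr line grants file_dac_read to USER.
# Assumed layout: user:qualifier:res1:res2:attr, attrs separated by ';'.
user_attr_grants_dac_read() {
    user="$1"; line="$2"
    name=$(printf '%s\n' "$line" | cut -d: -f1)
    attrs=$(printf '%s\n' "$line" | cut -d: -f5)
    [ "$name" = "$user" ] || return 1
    # defaultpriv=a,b,c  -> one privilege per line, then exact match
    printf '%s\n' "$attrs" | tr ';' '\n' | grep '^defaultpriv=' \
        | sed 's/^defaultpriv=//' | tr ',' '\n' | grep -qx 'file_dac_read'
}

# Returns 0 if an octal mode string (e.g. 4755 or 0755) has the setuid bit.
mode_is_setuid() {
    mode="$1"
    case "$mode" in
        ????) special=$(printf '%s' "$mode" | cut -c1) ;;  # leading digit
        ???)  special=0 ;;                                 # no special bits
        *)    return 2 ;;                                  # malformed
    esac
    [ $((special & 4)) -ne 0 ]
}

# Live check: scan /etc/user_attr for PGUSER and test the binary for setuid.
# Prints a WARN line per finding and returns 1 if anything was found.
audit_host() {
    pguser="${1:-postgres}"
    pgbin="${2:-/usr/local/pgsql/bin/postgres}"   # assumed default path
    rc=0
    if [ -r /etc/user_attr ]; then
        while IFS= read -r l; do
            if user_attr_grants_dac_read "$pguser" "$l"; then
                echo "WARN: $pguser has file_dac_read in /etc/user_attr"; rc=1
            fi
        done < /etc/user_attr
    fi
    if [ -f "$pgbin" ] && [ -u "$pgbin" ]; then
        echo "WARN: $pgbin is setuid"; rc=1
    fi
    return $rc
}
```

Run `audit_host postgres /path/to/postgres` on the database host; a clean host prints nothing and exits 0.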

