Re: PAM authentication fails for local UNIX users - Mailing list pgsql-hackers

From Zdenek Kotala
Subject Re: PAM authentication fails for local UNIX users
Date
Msg-id 46C9B603.7010807@sun.com
In response to Re: PAM authentication fails for local UNIX users  (Andrew Dunstan <andrew@dunslane.net>)
List pgsql-hackers
Andrew Dunstan wrote:
> 
> 
> Zdenek Kotala wrote:
>>
>> The problem Dhanaraj tries to address is how to securely solve the 
>> problem with PAM and local users. Other servers (e.g. sshd) allow 
>> running the master under root (with limited privileges) and the forked 
>> processes under a normal user. But postgresql
>> requires starting as a non-root user. This limits use of the common pattern.
>>
>> There is important question:
>>
>> Is the current requirement to run postgresql under non-root OK? If yes, 
>> then we must update the PAM documentation to explain this situation, which 
>> will never work securely. Or if we say no, it is a stupid limitation (in 
>> the case where UID 0 says nothing about the user's privileges), then we must 
>> start a discussion about a solution.
>>
>>
> 
> For now I think we should update the docs. 

I agree.


> I suspect 
> the changes involved in allowing us to run as root and then give up 
> privileges safely would be huge, and the gain quite small.

The main problem there is that there are a lot of different ways to 
do it and there is no standard. For example, on Solaris applications use 
RBAC functionality to handle privileges, and this is not available on 
other platforms, and so on...


> I'd rather see an HBA fallback mechanism, which I suspect might overcome 
> most of the problems being encountered here.

The question is why not use the fallback functionality guaranteed by PAM 
and naming services. It seems that only fallback to or from password 
auth makes sense. The others could be handled by PAM/naming.


    Zdenek
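The "start as root, fork, then give up privileges" pattern that the quoted message attributes to sshd, written out as an added C example (not PostgreSQL code and not from any participant in this thread). The target uid/gid are assumed to be supplied by the caller; the point of interest is the ordering (groups and gid before uid) and the checks that the drop actually took and cannot be reverted.

```c
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop to the given uid/gid and verify the drop stuck.
 * Returns 0 on success, -1 on failure (errno set where applicable).
 * Supplementary groups and gid must be changed before the uid: once
 * the uid is unprivileged, they can no longer be changed. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) /* root only */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;

    /* Real and effective ids must now equal the target. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* The drop must be irrevocable: regaining root has to fail. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* sshd-style split: the parent keeps its privileges, the child drops
 * them before doing any per-connection work. Returns 0 if the child
 * dropped privileges successfully. (Hypothetical helper; a real server
 * would look the target ids up rather than take them as arguments.) */
int serve_unprivileged(uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* child: never touch client data while still privileged */
        _exit(drop_privileges(uid, gid) == 0 ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

Run as root it performs a real drop; run as an ordinary user it degrades to a no-op drop to the caller's own ids, which still exercises the verification and the irrevocability check.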

