Re: Doc-patch: PAM authentication fails for local UNIX users - Mailing list pgsql-patches

From Andrew Dunstan
Subject Re: Doc-patch: PAM authentication fails for local UNIX users
Date
Msg-id 476918E5.8020400@dunslane.net
In response to Re: Doc-patch: PAM authentication fails for local UNIX users  (Magnus Hagander <magnus@hagander.net>)
Responses Re: Doc-patch: PAM authentication fails for local UNIX users  (Dhanaraj M <Dhanaraj.M@Sun.COM>)
List pgsql-patches

Magnus Hagander wrote:
> On Tue, Dec 18, 2007 at 12:41:56PM +0530, Dhanaraj M wrote:
>
>> Hi all,
>>
>> This is the continuation to the discussion that we had in the hacker's
>> list.
>> http://archives.postgresql.org/pgsql-hackers/2007-08/msg00684.php
>>
>>
>> Here, I like to add some details in 20.2.6. PAM authentication section.
>> http://www.postgresql.org/docs/8.2/interactive/auth-methods.html#AUTH-PAM
>>
>> Can someone review and make changes, if required? Thanks.
>>
>
> Eh, those extensions are only valid if you use PAM with a shadow password
> file, no? You shouldn't need root if you use say PAM-with-LDAP?
>
>
>

Also, it strikes me that granting the postgres user read access to the
shadow file is probably very poor security practice, and not something I
would want to recommend without considerable thought. What we should
say, rather, is that PAM auth is likely to fail if your PAM is set up to
use the shadow file rather than an auth source such as LDAP which does
not require privileged file access.

cheers

andrew
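
The situation described in this message, as a check an administrator could run. This is an added example, not part of the original post or of PostgreSQL; the function names and the sample files are constructed for illustration, and real paths would be passed in as arguments.

```shell
# Added example (not from the thread). File paths are passed in as arguments.

# "shadow" if an active auth line loads pam_unix, "other" if auth lines load
# only other modules, "none" if the file has no auth lines.
pam_auth_backend() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        { kind = $1; sub(/^-/, "", kind) }       # a leading "-" only silences logging
        kind == "auth" {
            seen = 1                             # control may be "[a=b c=d]", so scan all fields
            for (i = 3; i <= NF; i++) if ($i ~ /(^|\/)pam_unix\.so$/) unixmod = 1
        }
        END { print (unixmod ? "shadow" : (seen ? "other" : "none")) }
    ' "$1"
}

# Who besides the owner can read the file, taken from its mode string.
shadow_exposure() {
    mode=$(ls -ld -- "$1" | cut -c1-10) || return 1
    case $mode in
        ???????r??) echo "world-readable" ;;
        ????r?????) echo "group-readable" ;;
        *)          echo "owner-only" ;;
    esac
}

# One finding for a database server that runs as a non-root account.
audit_pam_shadow() {
    backend=$(pam_auth_backend "$1")
    exposure=$(shadow_exposure "$2")
    case "$backend:$exposure" in
        shadow:owner-only) echo "EXPECTED-FAIL: shadow-backed PAM; a non-root server cannot read $2" ;;
        shadow:*)          echo "REVIEW: $2 is $exposure; check which accounts gain read access" ;;
        other:*)           echo "OK: auth stack does not use pam_unix" ;;
        *)                 echo "UNKNOWN: no auth lines found in $1" ;;
    esac
}

# Constructed sample files; a real audit would pass /etc/pam.d/<service> and /etc/shadow.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# constructed: local passwords' \
    'auth  [success=1 default=ignore]  pam_unix.so nullok' > "$tmp/pam_local"
printf '%s\n' '#auth required pam_unix.so' 'auth required pam_ldap.so' > "$tmp/pam_ldap"
printf 'root:*:19000:0:99999:7:::\n' > "$tmp/shadow"    # constructed entry, no real hash
chmod 600 "$tmp/shadow"
audit_pam_shadow "$tmp/pam_local" "$tmp/shadow"
chmod 640 "$tmp/shadow"
audit_pam_shadow "$tmp/pam_local" "$tmp/shadow"
audit_pam_shadow "$tmp/pam_ldap" "$tmp/shadow"
```

Mode bits do not show POSIX ACLs, so a `+` after the mode string in `ls -l` output needs a separate `getfacl` look.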
