Thread: pam-linux, /etc/shadow : HOW-TO
note: i'm no sysad, nor do i even pretend to understand pam, the linux kernel,
or postgresql, but this setup is a safe, working, postgresql/linux/pam setup.
0) configure postgresql for pam, for example
[root@omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf
host all all 137.75.0.0 255.255.0.0 pam
1) create a /etc/pam.d/postgresql entry, here's how i did mine
[root@omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql
i don't know if it's the best setup, but it works! mine looks like this
[root@omega tmp]# cat /etc/pam.d/postgresql
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
2) create a shadow group which will be used for user's needing read-access to
/etc/shadow, and add postgres (or whatever user the postmaster runs as) to
this entry. i used vi to add this entry to /etc/group
[root@omega tmp]# grep shadow /etc/group
shadow:*:4002:root,postgres
root probably does not *need* to be added.
note the '*' v.s. an 'x' in the password field. if you place an 'x' there
you will also have to set up /etc/gshadow - i did not want to do this. if
you don't set up /etc/gshadow pam will NOT work if an 'x' is in the password
field - at least with my linux system.
3) make /etc/shadow group shadow
[root@omega tmp]# chgrp shadow /etc/shadow
4) chmod 0440 /etc/shadow
essentially, pam will not work with postgres since the daemon needs at some
point, no matter how many library calls deep, to open and read /etc/shadow
(assuming this is how your system is using pam). you must have some solution
which allows postgres, but not everyone, to read /etc/shadow. others probably
exist.
-a
--
====================================
| Ara Howard
| NOAA Forecast Systems Laboratory
| Information and Technology Services
| Data Systems Group
| R/FST 325 Broadway
| Boulder, CO 80305-3328
| Email: ara.t.howard@fsl.noaa.gov
| Phone: 303-497-7238
| Fax: 303-497-7259
====================================
Hi, could you please make a smal writeup on this so that it canbe posted on techdocs. A small HOWTO.. That would help a lot of people. Shridhar On 20 May 2003 at 19:13, ahoward wrote: > > note: i'm no sysad, nor do i even pretend to understand pam, the linux kernel, > or postgresql, but this setup is a safe, working, postgresql/linux/pam setup. > > 0) configure postgresql for pam, for example > > [root@omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf > host all all 137.75.0.0 255.255.0.0 pam > > 1) create a /etc/pam.d/postgresql entry, here's how i did mine > > [root@omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql > > i don't know if it's the best setup, but it works! mine looks like this > > [root@omega tmp]# cat /etc/pam.d/postgresql > #%PAM-1.0 > auth required /lib/security/pam_stack.so service=system-auth > account required /lib/security/pam_stack.so service=system-auth > password required /lib/security/pam_stack.so service=system-auth > > 2) create a shadow group which will be used for user's needing read-access to > /etc/shadow, and add postgres (or whatever user the postmaster runs as) to > this entry. i used vi to add this entry to /etc/group > > [root@omega tmp]# grep shadow /etc/group > shadow:*:4002:root,postgres > > root probably does not *need* to be added. > > note the '*' v.s. an 'x' in the password field. if you place an 'x' there > you will also have to set up /etc/gshadow - i did not want to do this. if > you don't set up /etc/gshadow pam will NOT work if an 'x' is in the password > field - at least with my linux system. > > 3) make /etc/shadow group shadow > > [root@omega tmp]# chgrp shadow /etc/shadow > > 4) chmod 0440 /etc/shadow > > > essentially, pam will not work with postgres since the daemon needs at some > point, no matter how many library calls deep, to open and read /etc/shadow > (assuming this is how your system is using pam). you must have some solution > which allows postgres, but not everyone, to read /etc/shadow. others probably > exist. > > -a > > -- > ==================================== > | Ara Howard > | NOAA Forecast Systems Laboratory > | Information and Technology Services > | Data Systems Group > | R/FST 325 Broadway > | Boulder, CO 80305-3328 > | Email: ara.t.howard@fsl.noaa.gov > | Phone: 303-497-7238 > | Fax: 303-497-7259 > ==================================== > > ---------------------------(end of broadcast)--------------------------- > TIP 4: Don't 'kill -9' the postmaster
On Wed, 21 May 2003, Shridhar Daithankar wrote: > Hi, > > could you please make a smal writeup on this so that it canbe posted on > techdocs. A small HOWTO.. That would help a lot of people. > > Shridhar sure. html? -a > > On 20 May 2003 at 19:13, ahoward wrote: > > > > > note: i'm no sysad, nor do i even pretend to understand pam, the linux kernel, > > or postgresql, but this setup is a safe, working, postgresql/linux/pam setup. > > > > 0) configure postgresql for pam, for example > > > > [root@omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf > > host all all 137.75.0.0 255.255.0.0 pam > > > > 1) create a /etc/pam.d/postgresql entry, here's how i did mine > > > > [root@omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql > > > > i don't know if it's the best setup, but it works! mine looks like this > > > > [root@omega tmp]# cat /etc/pam.d/postgresql > > #%PAM-1.0 > > auth required /lib/security/pam_stack.so service=system-auth > > account required /lib/security/pam_stack.so service=system-auth > > password required /lib/security/pam_stack.so service=system-auth > > > > 2) create a shadow group which will be used for user's needing read-access to > > /etc/shadow, and add postgres (or whatever user the postmaster runs as) to > > this entry. i used vi to add this entry to /etc/group > > > > [root@omega tmp]# grep shadow /etc/group > > shadow:*:4002:root,postgres > > > > root probably does not *need* to be added. > > > > note the '*' v.s. an 'x' in the password field. if you place an 'x' there > > you will also have to set up /etc/gshadow - i did not want to do this. if > > you don't set up /etc/gshadow pam will NOT work if an 'x' is in the password > > field - at least with my linux system. > > > > 3) make /etc/shadow group shadow > > > > [root@omega tmp]# chgrp shadow /etc/shadow > > > > 4) chmod 0440 /etc/shadow > > > > > > essentially, pam will not work with postgres since the daemon needs at some > > point, no matter how many library calls deep, to open and read /etc/shadow > > (assuming this is how your system is using pam). you must have some solution > > which allows postgres, but not everyone, to read /etc/shadow. others probably > > exist. > > > > -a > > > > -- > > ==================================== > > | Ara Howard > > | NOAA Forecast Systems Laboratory > > | Information and Technology Services > > | Data Systems Group > > | R/FST 325 Broadway > > | Boulder, CO 80305-3328 > > | Email: ara.t.howard@fsl.noaa.gov > > | Phone: 303-497-7238 > > | Fax: 303-497-7259 > > ==================================== > > > > ---------------------------(end of broadcast)--------------------------- > > TIP 4: Don't 'kill -9' the postmaster > > > -- ==================================== | Ara Howard | NOAA Forecast Systems Laboratory | Information and Technology Services | Data Systems Group | R/FST 325 Broadway | Boulder, CO 80305-3328 | Email: ara.t.howard@fsl.noaa.gov | Phone: 303-497-7238 | Fax: 303-497-7259 ====================================