Thread: Re: [HACKERS] PAM authentication fails for local UNIX users

Re: [HACKERS] PAM authentication fails for local UNIX users

From

Dhanaraj M

Date:

21 August 2007, 11:34:46

Hi all,

This is the continuation to the discussion that we had in the hacker's list.

http://www.postgresql.org/docs/8.2/interactive/auth-methods.html#AUTH-PAM
Here, I like to add some details in 20.2.6. PAM authentication section.

Can someone review and make changes, if required? Thanks.

*** client-auth.sgml.orig       Tue Aug 21 16:52:45 2007
--- client-auth.sgml    Tue Aug 21 17:02:52 2007
***************
*** 987,992 ****
--- 987,1001 ----
      and the <ulink url="http://www.sun.com/software/solaris/pam/">
      <systemitem class="osname">Solaris</> PAM Page</ulink>.
     </para>
+
+    <note>
+     <para>
+      The local UNIX user authentication is not permitted,
+      because the postgres server is started by a non-root user.
+      In order to enable this functionality, the root user must provide
+      additional permissions to the postgres user (for reading
/etc/shadow file).
+     </para>
+    </note>
    </sect2>
   </sect1>


>
>
> Zdenek Kotala wrote:
>>
>> The problem what Dhanaraj tries to address is how to secure solve
>> problem with PAM and local user. Other servers (e.g. sshd) allow to
>> run master under root (with limited privileges) and forked process
>> under normal user. But postgresql
>> requires start as non-root user. It limits to used common pattern.
>>
>> There is important question:
>>
>> Is current requirement to run postgresql under non-root OK? If yes,
>> than we must update PAM documentation to explain this situation which
>> will never works secure. Or if we say No, it is stupid limitation (in
>> case when UID 0 says nothing about user's privileges) then we must
>> start discussion about solution.
>>
>>
>
> For now I think we should update the docs. You really can't compare
> postgres with sshd - ssh connections are in effect autonomous. I
> suspect the changes involved in allowing us to  run as root and then
> give up privileges safely would be huge, and the gain quite small.
>
> I'd rather see an HBA fallback mechanism, which I suspect might
> overcome most of the  problems being encountered here.
>
> cheers
>
> andrew


--
================================
Dhanaraj M
x40049/+91-9880244950
Solaris RPE, Bangalore, India
http://blogs.sun.com/dhanarajm/
================================

Re: [HACKERS] PAM authentication fails for local UNIX users

From

Bruce Momjian

Date:

14 September 2007, 03:53:36

Applied:

     PAM does work authenticating against Unix system authentication
     because the postgres server is started by a non-root user.  In order
     to enable this functionality, the root user must provide additional
     permissions to the postgres user (for reading
     <filename>/etc/shadow</>).

---------------------------------------------------------------------------

Dhanaraj M wrote:
> Hi all,
>
> This is the continuation to the discussion that we had in the hacker's list.
>
> http://www.postgresql.org/docs/8.2/interactive/auth-methods.html#AUTH-PAM
> Here, I like to add some details in 20.2.6. PAM authentication section.
>
> Can someone review and make changes, if required? Thanks.
>
> *** client-auth.sgml.orig       Tue Aug 21 16:52:45 2007
> --- client-auth.sgml    Tue Aug 21 17:02:52 2007
> ***************
> *** 987,992 ****
> --- 987,1001 ----
>       and the <ulink url="http://www.sun.com/software/solaris/pam/">
>       <systemitem class="osname">Solaris</> PAM Page</ulink>.
>      </para>
> +
> +    <note>
> +     <para>
> +      The local UNIX user authentication is not permitted,
> +      because the postgres server is started by a non-root user.
> +      In order to enable this functionality, the root user must provide
> +      additional permissions to the postgres user (for reading
> /etc/shadow file).
> +     </para>
> +    </note>
>     </sect2>
>    </sect1>
>
>
> >
> >
> > Zdenek Kotala wrote:
> >>
> >> The problem what Dhanaraj tries to address is how to secure solve
> >> problem with PAM and local user. Other servers (e.g. sshd) allow to
> >> run master under root (with limited privileges) and forked process
> >> under normal user. But postgresql
> >> requires start as non-root user. It limits to used common pattern.
> >>
> >> There is important question:
> >>
> >> Is current requirement to run postgresql under non-root OK? If yes,
> >> than we must update PAM documentation to explain this situation which
> >> will never works secure. Or if we say No, it is stupid limitation (in
> >> case when UID 0 says nothing about user's privileges) then we must
> >> start discussion about solution.
> >>
> >>
> >
> > For now I think we should update the docs. You really can't compare
> > postgres with sshd - ssh connections are in effect autonomous. I
> > suspect the changes involved in allowing us to  run as root and then
> > give up privileges safely would be huge, and the gain quite small.
> >
> > I'd rather see an HBA fallback mechanism, which I suspect might
> > overcome most of the  problems being encountered here.
> >
> > cheers
> >
> > andrew
>
>
> --
> ================================
> Dhanaraj M
> x40049/+91-9880244950
> Solaris RPE, Bangalore, India
> http://blogs.sun.com/dhanarajm/
> ================================
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: explain analyze is your friend

--
  Bruce Momjian  <bruce@momjian.us>          http://momjian.us
  EnterpriseDB                               http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +