Thread: Doc-patch: PAM authentication fails for local UNIX users

Doc-patch: PAM authentication fails for local UNIX users

From: Dhanaraj M
Hi all,

This is a continuation of the discussion we had on the hackers list.
http://archives.postgresql.org/pgsql-hackers/2007-08/msg00684.php


Here, I would like to add some details to section 20.2.6, PAM authentication.
http://www.postgresql.org/docs/8.2/interactive/auth-methods.html#AUTH-PAM

Can someone review and make changes, if required? Thanks.

*** client-auth.sgml.orig       Tue Aug 21 16:52:45 2007
--- client-auth.sgml    Tue Aug 21 17:02:52 2007
***************
*** 987,992 ****
--- 987,1001 ----
     and the <ulink url="http://www.sun.com/software/solaris/pam/">
     <systemitem class="osname">Solaris</> PAM Page</ulink>.
    </para>
+
+    <note>
+     <para>
+      The local UNIX user authentication is not permitted,
+      because the postgres server is started by a non-root user.
+      In order to enable this functionality, the root user must provide
+      additional permissions to the postgres user (for reading
/etc/shadow file).
+     </para>
+    </note>
   </sect2>
  </sect1>
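Review bot: the wrapped line `/etc/shadow file).` has lost its leading `+`, so this hunk will not apply as pasted; it has to be one `+` line (or a second `+` continuation line) inside the `<para>`. On substance, the added `<note>` instructs the administrator to give the postgres user read access to /etc/shadow, which is exactly the practice the replies below object to, and it states the failure unconditionally ("is not permitted") although, as Magnus points out, it only arises when PAM is configured to consult the shadow password file rather than a source such as LDAP that needs no privileged file access. Suggest describing the limitation and its cause (server started as a non-root user, so a shadow-backed PAM stack cannot verify local passwords) and dropping the recommendation to extend permissions.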


Re: Doc-patch: PAM authentication fails for local UNIX users

From: Magnus Hagander
On Tue, Dec 18, 2007 at 12:41:56PM +0530, Dhanaraj M wrote:
> Hi all,
>
> This is the continuation to the discussion that we had in the hacker's
> list.
> http://archives.postgresql.org/pgsql-hackers/2007-08/msg00684.php
>
>
> Here, I like to add some details in 20.2.6. PAM authentication section.
> http://www.postgresql.org/docs/8.2/interactive/auth-methods.html#AUTH-PAM
>
> Can someone review and make changes, if required? Thanks.

Eh, those extensions are only valid if you use PAM with a shadow password
file, no? You shouldn't need root if you use say PAM-with-LDAP?

//Magnus


Re: Doc-patch: PAM authentication fails for local UNIX users

From: Andrew Dunstan

Magnus Hagander wrote:
> On Tue, Dec 18, 2007 at 12:41:56PM +0530, Dhanaraj M wrote:
>
>> Hi all,
>>
>> This is the continuation to the discussion that we had in the hacker's
>> list.
>> http://archives.postgresql.org/pgsql-hackers/2007-08/msg00684.php
>>
>>
>> Here, I like to add some details in 20.2.6. PAM authentication section.
>> http://www.postgresql.org/docs/8.2/interactive/auth-methods.html#AUTH-PAM
>>
>> Can someone review and make changes, if required? Thanks.
>>
>
> Eh, those extensions are only valid if you use PAM with a shadow password
> file, no? You shouldn't need root if you use say PAM-with-LDAP?
>
>
>

Also, it strikes me that granting the postgres user read access to the
shadow file is probably very poor security practice, and not something I
would want to recommend without considerable thought. What we should
say, rather, is that PAM auth is likely to fail if your PAM is set up to
use the shadow file rather than an auth source such as LDAP which does
not require privileged file access.

cheers

andrew
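Andrew's point above can be checked before anyone touches file permissions. The script below is an added example, not code from this thread or from PostgreSQL: run as the account that starts the server (commonly postgres), it walks a PAM service file (a path such as /etc/pam.d/postgresql is an assumption; the thread names none), reports whether the auth stack reaches the module that verifies local passwords against the shadow file, and whether that file is readable by the current account. The demo at the bottom builds its own sample files, so nothing under /etc is read.

```shell
#!/bin/sh
# Added example (not code from this thread or from PostgreSQL): a read-only
# diagnostic to run as the account that starts the server, commonly
# "postgres", to learn whether the PAM service it would use depends on the
# shadow password file. Service file names such as /etc/pam.d/postgresql
# are assumptions; the demo at the bottom uses constructed files only.

# pam_auth_modules SERVICE_FILE [DEPTH]
# Prints the module named on every "auth" line of SERVICE_FILE, following
# "@include FILE" and "auth include|substack FILE" (Linux-PAM syntax).
# Relative names resolve against the service file's directory; depth <= 3.
# The body is a subshell so recursion cannot clobber the caller's variables.
pam_auth_modules() (
    file=$1; depth=${2:-0}
    [ -r "$file" ] && [ "$depth" -lt 3 ] || exit 0
    dir=$(dirname "$file")
    # Collapse "[success=1 default=ignore]" control fields into one token so
    # that the module is always the third whitespace-separated field.
    sed -e 's/\[[^]]*\]/[ctl]/' "$file" | while read -r type ctl module rest; do
        case "$type" in
            ''|'#'*) ;;                                    # blank or comment
            '@include') pam_auth_modules "$dir/$ctl" $((depth + 1)) ;;
            auth)
                case "$ctl" in
                    include|substack)
                        pam_auth_modules "$dir/$module" $((depth + 1)) ;;
                    *) printf '%s\n' "$module" ;;
                esac ;;
        esac
    done
)

# pam_uses_shadow SERVICE_FILE
# Succeeds when an auth module is pam_unix (Linux-PAM) or pam_unix_auth
# (Solaris), the modules that check local passwords against the shadow file.
pam_uses_shadow() {
    pam_auth_modules "$1" | grep -Eq '(^|/)pam_unix(_auth)?\.so'
}

# shadow_readable SHADOW_FILE
# Succeeds when the current user can read SHADOW_FILE. Run this as the
# server's own account; as root it is trivially true and tells you nothing.
shadow_readable() {
    [ -r "$1" ]
}

# diagnose SERVICE_FILE SHADOW_FILE
# Prints "no-shadow" (local password check not involved), "shadow-ok"
# (involved and readable) or "shadow-unreadable" (involved, but this account
# cannot read it, so PAM authentication of local UNIX users will fail).
# Returns 1 only in the last case.
diagnose() {
    if pam_uses_shadow "$1"; then
        if shadow_readable "$2"; then
            echo "shadow-ok"
        else
            echo "shadow-unreadable"; return 1
        fi
    else
        echo "no-shadow"
    fi
}

# Stand-alone demo on constructed sample files; nothing under /etc is read.
demo() {
    tmp=$(mktemp -d) || return 1
    # Debian-style stack: the service file includes a shared auth file.
    printf '@include common-auth\naccount required pam_unix.so\n' \
        > "$tmp/postgresql"
    printf 'auth [success=1 default=ignore] pam_unix.so nullok\nauth requisite pam_deny.so\n' \
        > "$tmp/common-auth"
    # LDAP-only stack: no local password lookup at all.
    printf '# local passwords disabled\nauth required pam_ldap.so\n' \
        > "$tmp/postgresql-ldap"
    # Constructed shadow file (not real credentials), mode 0600 like the real one.
    printf 'svc:*:0:0:99999:7:::\n' > "$tmp/shadow"
    chmod 600 "$tmp/shadow"

    printf 'postgresql (shadow readable):   '; diagnose "$tmp/postgresql" "$tmp/shadow" || true
    printf 'postgresql (shadow unreadable): '; diagnose "$tmp/postgresql" "$tmp/missing" || true
    printf 'postgresql-ldap:                '; diagnose "$tmp/postgresql-ldap" "$tmp/shadow" || true
    rm -rf "$tmp"
}
demo
```

On a real host, replace the demo's constructed paths with the service file the server's `pam.d` entry names and `/etc/shadow`, and run it as the server account, not as root: a "shadow-unreadable" result is the situation the thread describes, and the fix is a PAM stack that does not need the shadow file, not broader permissions on it.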

Re: Doc-patch: PAM authentication fails for local UNIX users

From: Dhanaraj M
>>>
>>> This is the continuation to the discussion that we had in the
>>> hacker's list.
>>> http://archives.postgresql.org/pgsql-hackers/2007-08/msg00684.php
>>>
>>>
>>> Here, I like to add some details in 20.2.6. PAM authentication section.
>>> http://www.postgresql.org/docs/8.2/interactive/auth-methods.html#AUTH-PAM
>>>
>>>
>>> Can someone review and make changes, if required? Thanks.
>>>
>>
>> Eh, those extensions are only valid if you use PAM with a shadow
>> password
>> file, no? You shouldn't need root if you use say PAM-with-LDAP?
>>
>
> Also, it strikes me that granting the postgres user read access to the
> shadow file is probably very poor security practice, and not something
> I would want to recommend without considerable thought. What we should
> say, rather, is that PAM auth is likely to fail if your PAM is set up
> to use the shadow file rather than an auth source such as LDAP which
> does not require privileged file access.
>
>
Is this change OK?



*** client-auth.sgml.orig       Tue Aug 21 16:52:45 2007
--- client-auth.sgml    Tue Aug 21 17:02:52 2007
***************
*** 987,992 ****
--- 987,1001 ----
    and the <ulink url="http://www.sun.com/software/solaris/pam/">
    <systemitem class="osname">Solaris</> PAM Page</ulink>.
   </para>
+
+    <note>
+     <para>
+      If your PAM is set up to use the shadow file, the PAM authentication
+      is likely to fail for local UNIX users because the postgresql server
+      is started by a non-root user. However, this is not an issue
+      when LDAP or other authentication mechanism is used.
+     </para>
+    </note>
  </sect2>
 </sect1>
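Review bot: three wording points in the added `<note>`: "the postgresql server" should use the product name, "PostgreSQL server", as Bruce's final text does; "your PAM" reads better as plain "PAM"; and "other authentication mechanism" needs the plural "mechanisms". Consider naming the file explicitly with the section's own markup, `<filename>/etc/shadow</>`, instead of "the shadow file", since that is what the failure actually depends on. The hunk header still carries the August timestamps and the `987,1001` range from the first version; the count (+9 lines) still matches, but regenerate the diff against the current file before it is applied.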



Re: Doc-patch: PAM authentication fails for local UNIX users

From: Bruce Momjian
I have updated the documentation to read:

     If PAM is set up to read <filename>/etc/shadow</>, authentication
     will fail because the PostgreSQL server is started by a non-root
     user.  However, this is not an issue with LDAP or other authentication
     methods.

Thanks.

---------------------------------------------------------------------------

Dhanaraj M wrote:
>
> >>>
> >>> This is the continuation to the discussion that we had in the
> >>> hacker's list.
> >>> http://archives.postgresql.org/pgsql-hackers/2007-08/msg00684.php
> >>>
> >>>
> >>> Here, I like to add some details in 20.2.6. PAM authentication section.
> >>> http://www.postgresql.org/docs/8.2/interactive/auth-methods.html#AUTH-PAM
> >>>
> >>>
> >>> Can someone review and make changes, if required? Thanks.
> >>>
> >>
> >> Eh, those extensions are only valid if you use PAM with a shadow
> >> password
> >> file, no? You shouldn't need root if you use say PAM-with-LDAP?
> >>
> >
> > Also, it strikes me that granting the postgres user read access to the
> > shadow file is probably very poor security practice, and not something
> > I would want to recommend without considerable thought. What we should
> > say, rather, is that PAM auth is likely to fail if your PAM is set up
> > to use the shadow file rather than an auth source such as LDAP which
> > does not require privileged file access.
> >
> >
> Is this change Ok?
>
>
>
> *** client-auth.sgml.orig       Tue Aug 21 16:52:45 2007
> --- client-auth.sgml    Tue Aug 21 17:02:52 2007
> ***************
> *** 987,992 ****
> --- 987,1001 ----
>     and the <ulink url="http://www.sun.com/software/solaris/pam/">
>     <systemitem class="osname">Solaris</> PAM Page</ulink>.
>    </para>
> +
> +    <note>
> +     <para>
> +      If your PAM is set up to use the shadow file, the PAM authentication
> +      is likely to fail for local UNIX users because the postgresql server
> +      is started by a non-root user. However, this is not an issue
> +      when LDAP or other authentication mechanism is used.
> +     </para>
> +    </note>
>   </sect2>
>  </sect1>
>
>
>

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://postgres.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +