Andrew Dunstan wrote:

Dhanaraj M wrote:

The non-root user does not have permission to read other Unix local users' passwords.
I found two solutions:

1. usermod -K defaultpriv=Basic,file_dac_read postgres

- Gives the privilege to read all files. This solution works. Is it the right way to do it?

2. chmod +s processName

- This does not work, because postgres never allows this.

Is there any other solution to this problem?

Usage questions really don't belong on -hackers - in future please use -general. Both your proposed solutions are utterly insecure.

The problem Dhanaraj is trying to address is how to securely solve the problem with PAM and local users. Other servers (e.g. sshd) allow running the master process under root (with limited privileges) and the forked process under a normal user. But postgresql requires starting as a non-root user. This limits the use of that common pattern.

There is an important question:

Is the current requirement to run postgresql under a non-root user OK? If yes, then we must update the PAM documentation to explain this situation, which will never work securely. Or if we say no, it is a stupid limitation (in the case where UID 0 says nothing about the user's privileges), then we must start a discussion about a solution.

See for some discussion of using PAM for postgres auth.

It also offers the same insecure solution of adding read permission on shadow for the postgresql user.
