I have updated the documentation to read: If PAM is set up to read <filename>/etc/shadow</>, authentication will fail because the PostgreSQL server is started by a non-root user. However, this is not an issue with LDAP or other authentication methods.
Thanks.

---------------------------------------------------------------------------

Dhanaraj M wrote:
>
> >>>
> >>> This is the continuation to the discussion that we had in the
> >>> hacker's list.
> >>> http://archives.postgresql.org/pgsql-hackers/2007-08/msg00684.php
> >>>
> >>>
> >>> Here, I like to add some details in 20.2.6. PAM authentication section.
> >>> http://www.postgresql.org/docs/8.2/interactive/auth-methods.html#AUTH-PAM
> >>>
> >>>
> >>> Can someone review and make changes, if required? Thanks.
> >>>
> >>
> >> Eh, those extensions are only valid if you use PAM with a shadow
> >> password
> >> file, no? You shouldn't need root if you use say PAM-with-LDAP?
> >>
> >
> > Also, it strikes me that granting the postgres user read access to the
> > shadow file is probably very poor security practice, and not something
> > I would want to recommend without considerable thought. What we should
> > say, rather, is that PAM auth is likely to fail if your PAM is set up
> > to use the shadow file rather than an auth source such as LDAP which
> > does not require privileged file access.
> >
> >
> Is this change Ok?
>
>
> *** client-auth.sgml.orig Tue Aug 21 16:52:45 2007 > --- client-auth.sgml Tue Aug 21 17:02:52 2007 > *************** > *** 987,992 **** > --- 987,1001 ---- > and the <ulink url="http://www.sun.com/software/solaris/pam/"> > <systemitem class="osname">Solaris</> PAM Page</ulink>. > </para> > + > + <note> > + <para> > + If your PAM is set up to use the shadow file, the PAM authentication > + is likely to fail for local UNIX users because the postgresql server > + is started by a non-root user. However, this is not an issue > + when LDAP or other authentication mechanism is used. 
> + </para> > + </note> > </sect2> > </sect1>

--
Bruce Momjian <[EMAIL PROTECTED]> http://momjian.us
EnterpriseDB http://postgres.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +
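
Review bot: in the added <note>, "the shadow file" and "the postgresql server" are imprecise and unmarked; name the file explicitly as <filename>/etc/shadow</> and write PostgreSQL with its usual capitalization, in line with the <systemitem> markup used in the paragraph just above. "when LDAP or other authentication mechanism is used" should read "when LDAP or other authentication mechanisms are used". The note also stops short of the point raised earlier in this thread: it explains that authentication fails because the server runs as a non-root user, but it does not tell the reader that granting the postgres user read access to the shadow file is not a recommended remedy. One more sentence saying so would keep readers from working around the failure by loosening permissions on that file.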