Re: [PATCHES] Doc-patch: PAM authentication fails for local UNIX users

2007-12-28 Thread Bruce Momjian

I have updated the documentation to read:

 If PAM is set up to read /etc/shadow, authentication
 will fail because the PostgreSQL server is started by a non-root
 user.  However, this is not an issue with LDAP or other authentication
 methods.

Thanks.

---

Dhanaraj M wrote:
  
 
  This is the continuation of the discussion that we had on the 
  hackers list.
  http://archives.postgresql.org/pgsql-hackers/2007-08/msg00684.php
 
 
  Here, I'd like to add some details to the 20.2.6 PAM authentication section.
  http://www.postgresql.org/docs/8.2/interactive/auth-methods.html#AUTH-PAM 
 
 
  Can someone review and make changes, if required? Thanks.
  
 
  Eh, those extensions are only valid if you use PAM with a shadow password
  file, no? You shouldn't need root if you use say PAM-with-LDAP?
   
 
  Also, it strikes me that granting the postgres user read access to the 
  shadow file is probably very poor security practice, and not something 
  I would want to recommend without considerable thought. What we should 
  say, rather, is that PAM auth is likely to fail if your PAM is set up 
  to use the shadow file rather than an auth source such as LDAP which 
  does not require privileged file access.
 
 
 Is this change OK?
 
 
 
 *** client-auth.sgml.orig   Tue Aug 21 16:52:45 2007
 --- client-auth.sgmlTue Aug 21 17:02:52 2007
 ***
 *** 987,992 
 --- 987,1001 
 and the ulink url=http://www.sun.com/software/solaris/pam/;
 systemitem class=osnameSolaris/ PAM Page/ulink.
/para
 +
 +note
 + para
 +  If your PAM is set up to use the shadow file, the PAM authentication
 +  is likely to fail for local UNIX users because the postgresql server
 +  is started by a non-root user. However, this is not an issue
 +  when LDAP or other authentication mechanism is used.
 + /para
 +/note
   /sect2
  /sect1
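Review bot: the exception on the last two added para lines, "this is not an issue when LDAP or other authentication mechanism is used", is wider than the reasoning in the note supports: the failure is tied to modules that must read the shadow file, so a stack built on any other module that needs privileged file access would fail the same way. Scope it the way the thread does, e.g. "This is not an issue with an authentication source such as LDAP that does not require privileged file access"; "mechanism" should be plural in any case. Also "the postgresql server" should read "the PostgreSQL server" to match the product name used elsewhere in the documentation, and "the PAM authentication" reads better as "PAM authentication".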
 
 
 
 ---(end of broadcast)---
 TIP 9: In versions below 8.0, the planner will ignore your desire to
choose an index scan if your joining column's datatypes do not
match

-- 
  Bruce Momjian  [EMAIL PROTECTED]http://momjian.us
  EnterpriseDB http://postgres.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
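A check for the condition this thread settles on, added here as an example and not code from the thread or from PostgreSQL: given the PAM service definition the server uses (the pam_service named in pg_hba.conf, assumed here to live in /etc/pam.d/postgresql) and the path of the shadow file, predict whether PAM authentication of local UNIX users can work from the unprivileged server process. The two PAM service texts are constructed samples, one verifying against the shadow file through pam_unix and one against LDAP through pam_ldap. Run the readability check as the server's own account (su or sudo -u postgres) so it reflects the process that actually calls PAM.

```shell
#!/bin/sh
# Added example (not from the thread or the PostgreSQL sources).
# Predict whether PAM authentication of local UNIX users can work when the
# caller is the unprivileged PostgreSQL server process.  Assumption: the PAM
# service named in pg_hba.conf (pam_service, default "postgresql") is defined
# in /etc/pam.d/postgresql; the samples below stand in for that file.

# Constructed sample stacks (not real host configuration).
PAM_VIA_SHADOW='#%PAM-1.0
auth     required   pam_unix.so
account  required   pam_unix.so'

PAM_VIA_LDAP='#%PAM-1.0
auth     sufficient pam_ldap.so
auth     required   pam_deny.so
account  required   pam_ldap.so'

# pam_shadow_lines CONFIG_TEXT
# Print the auth/account lines that load pam_unix, the module that verifies
# passwords against the shadow file.  Comments are stripped first so a
# commented-out line does not count.  Exit 0 if any such line exists, else 1.
pam_shadow_lines() {
    printf '%s\n' "$1" \
        | sed 's/#.*$//' \
        | grep -E '^[[:space:]]*(auth|account)[[:space:]].*pam_unix\.so'
}

# shadow_readable_by FILE
# Exit 0 if the invoking user can read FILE.  Run as the server's account
# (e.g. sudo -u postgres sh thisscript) so the answer is the one that matters.
shadow_readable_by() {
    [ -r "$1" ]
}

# predict_pam_outcome CONFIG_TEXT SHADOW_FILE
# Print one of:
#   no-shadow          stack does not read the shadow file (e.g. pam_ldap):
#                      no privileged file access needed, nothing to fix
#   shadow-unreadable  stack uses pam_unix and SHADOW_FILE is unreadable from
#                      here: the failure the documentation note describes
#   shadow-readable    stack uses pam_unix and SHADOW_FILE is readable: the
#                      server account has been given every user's password
#                      hash, which the thread advises against
predict_pam_outcome() {
    if pam_shadow_lines "$1" >/dev/null; then
        if shadow_readable_by "$2"; then
            echo shadow-readable
        else
            echo shadow-unreadable
        fi
    else
        echo no-shadow
    fi
}

# Stand-alone run: report both sample stacks against the real shadow file
# as whichever user is executing the script.
printf 'running as   : %s\n' "$(id -un 2>/dev/null || echo unknown)"
printf 'shadow stack : %s\n' "$(predict_pam_outcome "$PAM_VIA_SHADOW" /etc/shadow)"
printf 'ldap stack   : %s\n' "$(predict_pam_outcome "$PAM_VIA_LDAP" /etc/shadow)"
```

The three outcomes map onto the thread: no-shadow is the pam_ldap case Magnus and Andrew describe; shadow-unreadable is the failure the patched note documents; shadow-readable means someone has already granted the server account access to the hash file, which Andrew's reply argues the documentation should not recommend. On Linux-PAM that grant does not even help: pam_unix running without root privilege verifies passwords through the setuid unix_chkpwd helper, which only checks the calling user's own password, so other local users still fail.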



Re: [PATCHES] Doc-patch: PAM authentication fails for local UNIX users

2007-12-21 Thread Dhanaraj M




This is the continuation of the discussion that we had on the 
hackers list.

http://archives.postgresql.org/pgsql-hackers/2007-08/msg00684.php


Here, I'd like to add some details to the 20.2.6 PAM authentication section.
http://www.postgresql.org/docs/8.2/interactive/auth-methods.html#AUTH-PAM 

Can someone review and make changes, if required? Thanks.



Eh, those extensions are only valid if you use PAM with a shadow password
file, no? You shouldn't need root if you use say PAM-with-LDAP?
 


Also, it strikes me that granting the postgres user read access to the 
shadow file is probably very poor security practice, and not something 
I would want to recommend without considerable thought. What we should 
say, rather, is that PAM auth is likely to fail if your PAM is set up 
to use the shadow file rather than an auth source such as LDAP which 
does not require privileged file access.




Is this change OK?



*** client-auth.sgml.orig   Tue Aug 21 16:52:45 2007
--- client-auth.sgmlTue Aug 21 17:02:52 2007
***
*** 987,992 
--- 987,1001 
   and the ulink url=http://www.sun.com/software/solaris/pam/;
   systemitem class=osnameSolaris/ PAM Page/ulink.
  /para
+
+note
+ para
+  If your PAM is set up to use the shadow file, the PAM authentication
+  is likely to fail for local UNIX users because the postgresql server
+  is started by a non-root user. However, this is not an issue
+  when LDAP or other authentication mechanism is used.
+ /para
+/note
 /sect2
/sect1
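Review bot: the cause given on the second and third added para lines, "because the postgresql server is started by a non-root user", leaves out the step that makes it true: the shadow file requires privileged access, so a module that reads it cannot do so from an unprivileged server process. Stating that directly, e.g. "because the shadow file can only be read with root privileges and the server does not run as root", tells the reader both why it fails and why the LDAP case is different. Given the reply earlier in this thread warning against giving the postgres user read access to the shadow file, the note should also say that widening the shadow file's permissions is not the recommended way around this. Minor: "the PAM authentication" should be "PAM authentication", "other authentication mechanism" should be "other authentication mechanisms", and "postgresql server" should be "PostgreSQL server".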





Re: [PATCHES] Doc-patch: PAM authentication fails for local UNIX users

2007-12-19 Thread Magnus Hagander
On Tue, Dec 18, 2007 at 12:41:56PM +0530, Dhanaraj M wrote:
 Hi all,
 
 This is the continuation of the discussion that we had on the hackers 
 list.
 http://archives.postgresql.org/pgsql-hackers/2007-08/msg00684.php
 
 
 Here, I'd like to add some details to the 20.2.6 PAM authentication section.
 http://www.postgresql.org/docs/8.2/interactive/auth-methods.html#AUTH-PAM
 
 Can someone review and make changes, if required? Thanks.

Eh, those extensions are only valid if you use PAM with a shadow password
file, no? You shouldn't need root if you use say PAM-with-LDAP?

//Magnus




Re: [PATCHES] Doc-patch: PAM authentication fails for local UNIX users

2007-12-19 Thread Andrew Dunstan



Magnus Hagander wrote:

On Tue, Dec 18, 2007 at 12:41:56PM +0530, Dhanaraj M wrote:
  

Hi all,

This is the continuation of the discussion that we had on the hackers 
list.

http://archives.postgresql.org/pgsql-hackers/2007-08/msg00684.php


Here, I'd like to add some details to the 20.2.6 PAM authentication section.
http://www.postgresql.org/docs/8.2/interactive/auth-methods.html#AUTH-PAM

Can someone review and make changes, if required? Thanks.



Eh, those extensions are only valid if you use PAM with a shadow password
file, no? You shouldn't need root if you use say PAM-with-LDAP?


  


Also, it strikes me that granting the postgres user read access to the 
shadow file is probably very poor security practice, and not something I 
would want to recommend without considerable thought. What we should 
say, rather, is that PAM auth is likely to fail if your PAM is set up to 
use the shadow file rather than an auth source such as LDAP which does 
not require privileged file access.


cheers

andrew



[PATCHES] Doc-patch: PAM authentication fails for local UNIX users

2007-12-17 Thread Dhanaraj M

Hi all,

This is the continuation of the discussion that we had on the hackers 
list.

http://archives.postgresql.org/pgsql-hackers/2007-08/msg00684.php


Here, I'd like to add some details to the 20.2.6 PAM authentication section.
http://www.postgresql.org/docs/8.2/interactive/auth-methods.html#AUTH-PAM

Can someone review and make changes, if required? Thanks.

*** client-auth.sgml.orig   Tue Aug 21 16:52:45 2007
--- client-auth.sgmlTue Aug 21 17:02:52 2007
***
*** 987,992 
--- 987,1001 
and the ulink url=http://www.sun.com/software/solaris/pam/;
systemitem class=osnameSolaris/ PAM Page/ulink.
   /para
+
+note
+ para
+  The local UNIX user authentication is not permitted,
+  because the postgres server is started by a non-root user.
+  In order to enable this functionality, the root user must provide
+  additional permissions to the postgres user (for reading 
/etc/shadow file).

+ /para
+/note
  /sect2
 /sect1
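Review bot: the second sentence of the added note tells the administrator to give the postgres user permission to read /etc/shadow; that hands the database service account every local user's password hash and, as Andrew Dunstan's reply in this thread says, is poor security practice the documentation should not recommend. Drop that sentence and instead state the condition under which the failure occurs: PAM configured to verify passwords against the shadow file, which the unprivileged server cannot read, as opposed to a source such as LDAP that needs no privileged file access. "is not permitted" on the first added line also describes a failed lookup as if it were a policy decision; "is likely to fail" matches what actually happens. "postgres server" should be "PostgreSQL server". Finally, the last sentence of the note is shown here wrapped onto a line without a "+" prefix and followed by a blank line, so verify that the patch still applies cleanly before it is committed.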

