
Re: [GENERAL] pam-linux, /etc/shadow : HOW-TO

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: ahoward <ahoward(at)fsl(dot)noaa(dot)gov>
Cc: PostgreSQL-documentation <pgsql-docs(at)postgresql(dot)org>
Subject: Re: [GENERAL] pam-linux, /etc/shadow : HOW-TO
Date: 2003-08-16 23:55:05
Message-ID: 200308162355.h7GNt5S14440@candle.pha.pa.us
Lists: pgsql-advocacy, pgsql-docs, pgsql-general
Would someone merge this into our CVS docs and submit a patch?

---------------------------------------------------------------------------

ahoward wrote:
> 
> note: i'm no sysad, nor do i even pretend to understand pam, the linux kernel,
> or postgresql, but this setup is a safe, working, postgresql/linux/pam setup.
> 
> 0) configure postgresql for pam, for example
> 
>       [root(at)omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf
>       host    all         all          137.75.0.0        255.255.0.0       pam
> 
> 1) create a /etc/pam.d/postgresql entry, here's how i did mine
> 
>       [root(at)omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql
> 
>   i don't know if it's the best setup, but it works!  mine looks like this
> 
>       [root(at)omega tmp]# cat /etc/pam.d/postgresql
>       #%PAM-1.0
>       auth       required     /lib/security/pam_stack.so service=system-auth
>       account    required     /lib/security/pam_stack.so service=system-auth
>       password   required     /lib/security/pam_stack.so service=system-auth
> 
> 2) create a shadow group which will be used for users needing read access to
> /etc/shadow, and add postgres (or whatever user the postmaster runs as) to
> this entry.  i used vi to add this entry to /etc/group
> 
>       [root(at)omega tmp]# grep shadow /etc/group
>       shadow:*:4002:root,postgres
> 
>   root probably does not *need* to be added.
> 
>   note the '*' vs. an 'x' in the password field.  if you place an 'x' there
>   you will also have to set up /etc/gshadow - i did not want to do this.  if
>   you don't set up /etc/gshadow pam will NOT work if an 'x' is in the password
>   field - at least with my linux system.
> 
> 3) make /etc/shadow group shadow
> 
>       [root(at)omega tmp]# chgrp shadow /etc/shadow
> 
> 4) chmod 0440 /etc/shadow
> 
> 
> essentially, pam will not work with postgres since the daemon needs at some
> point, no matter how many library calls deep, to open and read /etc/shadow
> (assuming this is how your system is using pam).  you must have some solution
> which allows postgres, but not everyone, to read /etc/shadow.  others probably
> exist.
> 
> -a
> 
> --
>   ====================================
>   | Ara Howard
>   | NOAA Forecast Systems Laboratory
>   | Information and Technology Services
>   | Data Systems Group
>   | R/FST 325 Broadway
>   | Boulder, CO 80305-3328
>   | Email: ara(dot)t(dot)howard(at)fsl(dot)noaa(dot)gov
>   | Phone:  303-497-7238
>   | Fax:    303-497-7259
>   ====================================
> 
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster
> 

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
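As an added example (not part of the post above or of PostgreSQL itself), a small Python audit of the end state the steps describe: the group name and postmaster user are assumptions passed as parameters, and the sample /etc/group lines are constructed.

```python
import os
import stat

# Added audit for the /etc/shadow access setup in the post: the postmaster
# user must be in a "shadow" group whose password field is "*" (not "x",
# which would also require /etc/gshadow), and /etc/shadow must be owned by
# that group with mode 0440. Group name and user name are parameters.

def parse_group(lines):
    """Parse /etc/group-style lines into {name: (password, gid, [members])}."""
    groups = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, password, gid, members = line.split(":", 3)
        groups[name] = (password, int(gid), [m for m in members.split(",") if m])
    return groups

def audit_shadow_access(group_lines, shadow_mode, shadow_gid, pg_user, group_name="shadow"):
    """Return a list of findings; an empty list means the setup matches the post."""
    findings = []
    grp = parse_group(group_lines).get(group_name)
    if grp is None:
        return ["group %r does not exist" % group_name]
    password, gid, members = grp
    if password == "x":
        findings.append("group %r has 'x' in its password field; use '*' or set up /etc/gshadow" % group_name)
    if pg_user not in members:
        findings.append("%r is not a member of group %r" % (pg_user, group_name))
    if shadow_gid != gid:
        findings.append("/etc/shadow gid %d is not the %r gid %d" % (shadow_gid, group_name, gid))
    perms = stat.S_IMODE(shadow_mode)
    if perms & 0o007:
        findings.append("/etc/shadow is world-accessible (mode %04o)" % perms)
    if perms != 0o440:
        findings.append("/etc/shadow mode %04o is not 0440" % perms)
    return findings

def audit_live_system(pg_user="postgres"):
    """Run the same checks against this host's real /etc/group and /etc/shadow."""
    with open("/etc/group") as fh:
        lines = fh.readlines()
    st = os.stat("/etc/shadow")
    return audit_shadow_access(lines, st.st_mode, st.st_gid, pg_user)

# Constructed sample lines mirroring the post (good) and a common mistake (bad).
GOOD_GROUP = ["root:x:0:", "shadow:*:4002:root,postgres"]
BAD_GROUP = ["root:x:0:", "shadow:x:4002:root"]
```

`audit_live_system()` needs to run as root (or as a member of the shadow group) to stat the real file; the constructed samples run anywhere.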
