
Re: 7.4.3 and PAM authentication failures

From: Kris Deugau <kdeugau(at)vianet(dot)ca>
To: pgsql-admin(at)postgresql(dot)org
Subject: Re: 7.4.3 and PAM authentication failures
Date: 2004-08-17 14:23:39
Message-ID: 412214EB.5B300875@vianet.ca
Lists: pgsql-admin

Dallas N Antley wrote:
> /- On Monday (8/16/2004 19:35) Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > I think you've proven that the particular PAM modules you are
> > testing with are useless for programs executing as non-root, but
> > that doesn't mean the entire concept is broken.  Look around ... there
> > are lots of PAM modules (or at least that's the theory).
> 
> Correct.  I'm only referring to pam_unix* modules.  This has come up
> on the list a few times, but there's never been a "solution" in any
> of the replies.

I'm not sure what you're looking for in a solution, but I dug through
the source to one of the pam_unix modules at one point to see why an app
I was writing was misbehaving.

In short, pam_unix specifically reads /etc/passwd and /etc/shadow
(unless your NSS configuration uses NIS, LDAP, or some other
remote-authentication system - and even then it may still need root
access) and if you don't want PAM or your app to be setuid root, you
don't use pam_unix (or any of the other modules that require root access
for one reason or another).

If you want PAM authentication against the system password file, your
app MUST either:

1) Run setuid root

OR

2) Communicate with some external authentication system that runs setuid
root.  This can be done relatively easily through PAM;  you just have to
find the appropriate modules and authentication daemon.  <g>

So far as I understand your original question, you're asking "I want to
authenticate against the system password file, but I don't want my app
[Postgres] to have root privileges in any way".  PAM, in and of itself,
does not inherently require root access to work correctly - UNLESS
you're using a particular PAM module that *does*....  such as pam_unix.

This is by no means unique to Postgres.

-kgd
-- 
Get your mouse off of there!  You don't know where that email has been!
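The following script is an added example, not part of Kris Deugau's post and not PostgreSQL code. It turns the argument above into checks an administrator can run on the database host as the unprivileged server account: does the service's PAM stack route auth/account through pam_unix, can this uid read /etc/shadow, and is there a setuid-root helper that pam_unix could hand the work to (option 2 in the post). Assumptions: Linux-PAM conventions (a per-service file under /etc/pam.d/ and a service name of "postgresql"), a GNU/Linux userland, and that pam_unix's privileged helper, if present, lives at /sbin/unix_chkpwd. All three paths are parameters so they can be adjusted for another system.

```shell
#!/bin/sh
# Added example (not from the original post): explain why pam_unix fails
# for a daemon running as a non-root uid, and whether a setuid helper
# exists that would let it work anyway.
#
# Assumptions (not stated on the page): Linux-PAM layout /etc/pam.d/<service>,
# service name "postgresql", helper path /sbin/unix_chkpwd.

SERVICE="${1:-postgresql}"
PAM_CONF="/etc/pam.d/$SERVICE"
SHADOW="/etc/shadow"
HELPER="/sbin/unix_chkpwd"   # assumption: Linux-PAM's setuid helper for pam_unix

# Does this PAM stack send auth or account requests through pam_unix?
# Returns 0 = yes, 1 = no, 2 = config file missing or unreadable.
uses_pam_unix() {
    conf="$1"
    [ -r "$conf" ] || return 2
    grep -Eq '^[[:space:]]*(auth|account)[[:space:]].*pam_unix' "$conf"
}

# Can the current process read the given file (e.g. /etc/shadow)?
can_read() { [ -r "$1" ]; }

# Is the helper present, setuid, and owned by root?  Owner taken from
# ls -ld so this does not depend on a GNU-only stat(1).
is_setuid_root() {
    f="$1"
    [ -f "$f" ] && [ -u "$f" ] && [ "$(ls -ld "$f" | awk '{print $3}')" = "root" ]
}

# Combine the checks.  Exit status:
#   0 = pam_unix configured and this uid has a way to reach the shadow file
#   1 = pam_unix configured, shadow unreadable, no setuid helper (the post's case)
#   2 = pam_unix not in the stack, so look at the other modules instead
diagnose() {
    conf="$1"; shadow="$2"; helper="$3"
    if ! uses_pam_unix "$conf"; then
        return 2
    fi
    if [ "$(id -u)" -eq 0 ] || can_read "$shadow" || is_setuid_root "$helper"; then
        return 0
    fi
    return 1
}

main() {
    rc=0
    diagnose "$PAM_CONF" "$SHADOW" "$HELPER" || rc=$?
    case $rc in
        0) echo "uid $(id -u): pam_unix can reach $SHADOW (root, readable, or setuid helper at $HELPER)" ;;
        1) echo "uid $(id -u): $PAM_CONF uses pam_unix, $SHADOW is unreadable, and $HELPER is not a setuid-root helper" ;;
        2) echo "$PAM_CONF is missing or does not use pam_unix; the failing module is something else in the stack" ;;
    esac
    return 0
}

main "$@"
```

Run it as the PostgreSQL service user (not as root) so the readability check reflects the uid the server actually authenticates under; an exit path of 1 is exactly the situation the post describes, and the remedies are the two it lists.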
