Re: 7.4.3 and PAM authentication failures

From: Kris Deugau <kdeugau(at)vianet(dot)ca>
To: pgsql-admin(at)postgresql(dot)org
Subject: Re: 7.4.3 and PAM authentication failures
Date: 2004-08-17 14:23:39
Message-ID: 412214EB.5B300875@vianet.ca
Lists: pgsql-admin

Dallas N Antley wrote:
> /- On Monday (8/16/2004 19:35) Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > I think you've proven that the particular PAM modules you are
> > testing with are useless for programs executing as non-root, but
> > that doesn't mean the entire concept is broken. Look around ...
> > there are lots of
> > PAM modules (or at least that's the theory).
>
> Correct. I'm only referring to pam_unix* modules. This has come up
> on the list a few times, but there's never been a "solution" in any
> of the replies.

I'm not sure what you're looking for in a solution, but I dug through
the source to one of the pam_unix modules at one point to see why an app
I was writing was misbehaving.

In short, pam_unix specifically reads /etc/passwd and /etc/shadow
(unless your NSS configuration uses NIS, LDAP, or some other
remote-authentication system, and even then it may still need root
access) and if you don't want PAM or your app to be setuid root, you
don't use pam_unix (or any of the other modules that require root access
for one reason or another).

If you want PAM authentication against the system password file, your
app MUST either:

1) Run setuid root

OR

2) Communicate with some external authentication system that runs setuid
root. This can be done relatively easily through PAM; you just have to
find the appropriate modules and authentication daemon. <g>

So far as I understand your original question, you're asking "I want to
authenticate against the system password file, but I don't want my app
[Postgres] to have root privileges in any way". PAM, in and of itself,
does not inherently require root access to work correctly - UNLESS
you're using a particular PAM module that *does*.... such as pam_unix.

This is by no means unique to Postgres.

-kgd
--
Get your mouse off of there! You don't know where that email has been!
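A small check, added here and not part of the thread, that reads a PAM service stack and flags auth modules that open /etc/shadow themselves (pam_unix, as the post describes; pam_unix2 is assumed as a variant), then reports whether the calling process can actually read that file. The sample service file is constructed for the demo.

```shell
#!/bin/sh
# Added example: find out whether a PAM "auth" stack depends on a module
# that reads /etc/shadow directly. A daemon running as an unprivileged
# user (postgres, for instance) cannot authenticate through such a module.

# Constructed sample of what an /etc/pam.d/postgresql file might contain.
SAMPLE_PAM_CONFIG='#%PAM-1.0
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok
auth     required   pam_deny.so
account  required   pam_unix.so
'

# Print the module name (first field ending in .so) of every "auth" line
# read from stdin, skipping comments. Handles both "required" and
# "[success=1 default=ignore]" control syntax.
auth_modules() {
    awk '!/^[[:space:]]*#/ && $1 == "auth" {
            for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { print $i; break }
         }'
}

# Return 0 (true) if any auth module in the config given as $1 is one
# that reads the shadow file itself (pam_unix; pam_unix2 assumed variant).
needs_root_for_auth() {
    printf '%s' "$1" | auth_modules | grep -Eq '^pam_unix2?\.so$'
}

# Return 0 if this process can read /etc/shadow (normally root only).
shadow_readable() {
    [ -r /etc/shadow ]
}

report() {
    if needs_root_for_auth "$1"; then
        echo "auth stack uses pam_unix: caller must be able to read /etc/shadow"
        shadow_readable && echo "  this process can read /etc/shadow" \
                        || echo "  this process CANNOT read /etc/shadow"
    else
        echo "auth stack does not read /etc/shadow directly"
    fi
}

# Real use: report "$(cat /etc/pam.d/postgresql)"
report "$SAMPLE_PAM_CONFIG"
```

Run it as the database user to see the same failure mode the thread describes: the stack is fine, but /etc/shadow is not readable.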
