| Lists: | pgsql-advocacypgsql-docspgsql-general |
|---|
| From: | ahoward <ahoward(at)fsl(dot)noaa(dot)gov> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | pam-linux, /etc/shadow : HOW-TO |
| Date: | 2003-05-20 19:13:29 |
| Message-ID: | Pine.LNX.4.53.0305201902160.11310@eli.fsl.noaa.gov |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-advocacy pgsql-docs pgsql-general |
note: i'm no sysad, nor do i even pretend to understand pam, the linux kernel,
or postgresql, but this setup is a safe, working, postgresql/linux/pam setup.
0) configure postgresql for pam, for example
[root(at)omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf
host all all 137.75.0.0 255.255.0.0 pam
1) create a /etc/pam.d/postgresql entry, here's how i did mine
[root(at)omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql
i don't know if it's the best setup, but it works! mine looks like this
[root(at)omega tmp]# cat /etc/pam.d/postgresql
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
2) create a shadow group which will be used for user's needing read-access to
/etc/shadow, and add postgres (or whatever user the postmaster runs as) to
this entry. i used vi to add this entry to /etc/group
[root(at)omega tmp]# grep shadow /etc/group
shadow:*:4002:root,postgres
root probably does not *need* to be added.
note the '*' v.s. an 'x' in the password field. if you place an 'x' there
you will also have to set up /etc/gshadow - i did not want to do this. if
you don't set up /etc/gshadow pam will NOT work if an 'x' is in the password
field - at least with my linux system.
3) make /etc/shadow group shadow
[root(at)omega tmp]# chgrp shadow /etc/shadow
4) chmod 0440 /etc/shadow
essentially, pam will not work with postgres since the daemon needs at some
point, no matter how many library calls deep, to open and read /etc/shadow
(assuming this is how your system is using pam). you must have some solution
which allows postgres, but not everyone, to read /etc/shadow. others probably
exist.
-a
--
====================================
| Ara Howard
| NOAA Forecast Systems Laboratory
| Information and Technology Services
| Data Systems Group
| R/FST 325 Broadway
| Boulder, CO 80305-3328
| Email: ara(dot)t(dot)howard(at)fsl(dot)noaa(dot)gov
| Phone: 303-497-7238
| Fax: 303-497-7259
====================================
| From: | "Shridhar Daithankar" <shridhar_daithankar(at)persistent(dot)co(dot)in> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org, ahoward <ahoward(at)fsl(dot)noaa(dot)gov> |
| Cc: | pgsql-advocacy(at)postgresql(dot)org |
| Subject: | Re: [GENERAL] pam-linux, /etc/shadow : HOW-TO |
| Date: | 2003-05-21 06:36:36 |
| Message-ID: | 3ECB6BCC.12574.4EAEA68@localhost |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-advocacy pgsql-docs pgsql-general |
Hi,
could you please make a smal writeup on this so that it canbe posted on
techdocs. A small HOWTO.. That would help a lot of people.
Shridhar
On 20 May 2003 at 19:13, ahoward wrote:
>
> note: i'm no sysad, nor do i even pretend to understand pam, the linux kernel,
> or postgresql, but this setup is a safe, working, postgresql/linux/pam setup.
>
> 0) configure postgresql for pam, for example
>
> [root(at)omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf
> host all all 137.75.0.0 255.255.0.0 pam
>
> 1) create a /etc/pam.d/postgresql entry, here's how i did mine
>
> [root(at)omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql
>
> i don't know if it's the best setup, but it works! mine looks like this
>
> [root(at)omega tmp]# cat /etc/pam.d/postgresql
> #%PAM-1.0
> auth required /lib/security/pam_stack.so service=system-auth
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
>
> 2) create a shadow group which will be used for user's needing read-access to
> /etc/shadow, and add postgres (or whatever user the postmaster runs as) to
> this entry. i used vi to add this entry to /etc/group
>
> [root(at)omega tmp]# grep shadow /etc/group
> shadow:*:4002:root,postgres
>
> root probably does not *need* to be added.
>
> note the '*' v.s. an 'x' in the password field. if you place an 'x' there
> you will also have to set up /etc/gshadow - i did not want to do this. if
> you don't set up /etc/gshadow pam will NOT work if an 'x' is in the password
> field - at least with my linux system.
>
> 3) make /etc/shadow group shadow
>
> [root(at)omega tmp]# chgrp shadow /etc/shadow
>
> 4) chmod 0440 /etc/shadow
>
>
> essentially, pam will not work with postgres since the daemon needs at some
> point, no matter how many library calls deep, to open and read /etc/shadow
> (assuming this is how your system is using pam). you must have some solution
> which allows postgres, but not everyone, to read /etc/shadow. others probably
> exist.
>
> -a
>
> --
> ====================================
> | Ara Howard
> | NOAA Forecast Systems Laboratory
> | Information and Technology Services
> | Data Systems Group
> | R/FST 325 Broadway
> | Boulder, CO 80305-3328
> | Email: ara(dot)t(dot)howard(at)fsl(dot)noaa(dot)gov
> | Phone: 303-497-7238
> | Fax: 303-497-7259
> ====================================
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster
| From: | ahoward <ahoward(at)fsl(dot)noaa(dot)gov> |
|---|---|
| To: | Shridhar Daithankar <shridhar_daithankar(at)persistent(dot)co(dot)in> |
| Cc: | pgsql-general(at)postgresql(dot)org, pgsql-advocacy(at)postgresql(dot)org |
| Subject: | Re: [GENERAL] pam-linux, /etc/shadow : HOW-TO |
| Date: | 2003-05-21 16:22:01 |
| Message-ID: | Pine.LNX.4.53.0305211621460.11310@eli.fsl.noaa.gov |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-advocacy pgsql-docs pgsql-general |
On Wed, 21 May 2003, Shridhar Daithankar wrote:
> Hi,
>
> could you please make a smal writeup on this so that it canbe posted on
> techdocs. A small HOWTO.. That would help a lot of people.
>
> Shridhar
sure. html?
-a
>
> On 20 May 2003 at 19:13, ahoward wrote:
>
> >
> > note: i'm no sysad, nor do i even pretend to understand pam, the linux kernel,
> > or postgresql, but this setup is a safe, working, postgresql/linux/pam setup.
> >
> > 0) configure postgresql for pam, for example
> >
> > [root(at)omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf
> > host all all 137.75.0.0 255.255.0.0 pam
> >
> > 1) create a /etc/pam.d/postgresql entry, here's how i did mine
> >
> > [root(at)omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql
> >
> > i don't know if it's the best setup, but it works! mine looks like this
> >
> > [root(at)omega tmp]# cat /etc/pam.d/postgresql
> > #%PAM-1.0
> > auth required /lib/security/pam_stack.so service=system-auth
> > account required /lib/security/pam_stack.so service=system-auth
> > password required /lib/security/pam_stack.so service=system-auth
> >
> > 2) create a shadow group which will be used for user's needing read-access to
> > /etc/shadow, and add postgres (or whatever user the postmaster runs as) to
> > this entry. i used vi to add this entry to /etc/group
> >
> > [root(at)omega tmp]# grep shadow /etc/group
> > shadow:*:4002:root,postgres
> >
> > root probably does not *need* to be added.
> >
> > note the '*' v.s. an 'x' in the password field. if you place an 'x' there
> > you will also have to set up /etc/gshadow - i did not want to do this. if
> > you don't set up /etc/gshadow pam will NOT work if an 'x' is in the password
> > field - at least with my linux system.
> >
> > 3) make /etc/shadow group shadow
> >
> > [root(at)omega tmp]# chgrp shadow /etc/shadow
> >
> > 4) chmod 0440 /etc/shadow
> >
> >
> > essentially, pam will not work with postgres since the daemon needs at some
> > point, no matter how many library calls deep, to open and read /etc/shadow
> > (assuming this is how your system is using pam). you must have some solution
> > which allows postgres, but not everyone, to read /etc/shadow. others probably
> > exist.
> >
> > -a
> >
> > --
> > ====================================
> > | Ara Howard
> > | NOAA Forecast Systems Laboratory
> > | Information and Technology Services
> > | Data Systems Group
> > | R/FST 325 Broadway
> > | Boulder, CO 80305-3328
> > | Email: ara(dot)t(dot)howard(at)fsl(dot)noaa(dot)gov
> > | Phone: 303-497-7238
> > | Fax: 303-497-7259
> > ====================================
> >
> > ---------------------------(end of broadcast)---------------------------
> > TIP 4: Don't 'kill -9' the postmaster
>
>
>
--
====================================
| Ara Howard
| NOAA Forecast Systems Laboratory
| Information and Technology Services
| Data Systems Group
| R/FST 325 Broadway
| Boulder, CO 80305-3328
| Email: ara(dot)t(dot)howard(at)fsl(dot)noaa(dot)gov
| Phone: 303-497-7238
| Fax: 303-497-7259
====================================
| From: | Justin Clift <justin(at)postgresql(dot)org> |
|---|---|
| To: | ahoward <ahoward(at)fsl(dot)noaa(dot)gov> |
| Cc: | Shridhar Daithankar <shridhar_daithankar(at)persistent(dot)co(dot)in>, pgsql-general(at)postgresql(dot)org, pgsql-advocacy(at)postgresql(dot)org |
| Subject: | Re: [GENERAL] pam-linux, /etc/shadow : HOW-TO |
| Date: | 2003-05-22 01:18:10 |
| Message-ID: | 3ECC2552.6000204@postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-advocacy pgsql-docs pgsql-general |
ahoward wrote:
> On Wed, 21 May 2003, Shridhar Daithankar wrote:
>
>
>>Hi,
>>
>>could you please make a smal writeup on this so that it canbe posted on
>>techdocs. A small HOWTO.. That would help a lot of people.
>>
>> Shridhar
>
>
> sure. html?
Um, whatever works for you. :)
If you want to do it the easy way, and also assist in the testing of a Content Management System that I'm hoping is good enough to redo the Techdocs site with,
then putting it here would be cool:
http://techdocs.postgresql.org/v2/Guides/
Regards and best wishes,
Justin Clift
> -a
--
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
| From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
|---|---|
| To: | ahoward <ahoward(at)fsl(dot)noaa(dot)gov> |
| Cc: | PostgreSQL-documentation <pgsql-docs(at)postgresql(dot)org> |
| Subject: | Re: [GENERAL] pam-linux, /etc/shadow : HOW-TO |
| Date: | 2003-08-16 23:55:05 |
| Message-ID: | 200308162355.h7GNt5S14440@candle.pha.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-advocacy pgsql-docs pgsql-general |
Would someone merge this into our CVS docs and submit a patch?
---------------------------------------------------------------------------
ahoward wrote:
>
> note: i'm no sysad, nor do i even pretend to understand pam, the linux kernel,
> or postgresql, but this setup is a safe, working, postgresql/linux/pam setup.
>
> 0) configure postgresql for pam, for example
>
> [root(at)omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf
> host all all 137.75.0.0 255.255.0.0 pam
>
> 1) create a /etc/pam.d/postgresql entry, here's how i did mine
>
> [root(at)omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql
>
> i don't know if it's the best setup, but it works! mine looks like this
>
> [root(at)omega tmp]# cat /etc/pam.d/postgresql
> #%PAM-1.0
> auth required /lib/security/pam_stack.so service=system-auth
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
>
> 2) create a shadow group which will be used for user's needing read-access to
> /etc/shadow, and add postgres (or whatever user the postmaster runs as) to
> this entry. i used vi to add this entry to /etc/group
>
> [root(at)omega tmp]# grep shadow /etc/group
> shadow:*:4002:root,postgres
>
> root probably does not *need* to be added.
>
> note the '*' v.s. an 'x' in the password field. if you place an 'x' there
> you will also have to set up /etc/gshadow - i did not want to do this. if
> you don't set up /etc/gshadow pam will NOT work if an 'x' is in the password
> field - at least with my linux system.
>
> 3) make /etc/shadow group shadow
>
> [root(at)omega tmp]# chgrp shadow /etc/shadow
>
> 4) chmod 0440 /etc/shadow
>
>
> essentially, pam will not work with postgres since the daemon needs at some
> point, no matter how many library calls deep, to open and read /etc/shadow
> (assuming this is how your system is using pam). you must have some solution
> which allows postgres, but not everyone, to read /etc/shadow. others probably
> exist.
>
> -a
>
> --
> ====================================
> | Ara Howard
> | NOAA Forecast Systems Laboratory
> | Information and Technology Services
> | Data Systems Group
> | R/FST 325 Broadway
> | Boulder, CO 80305-3328
> | Email: ara(dot)t(dot)howard(at)fsl(dot)noaa(dot)gov
> | Phone: 303-497-7238
> | Fax: 303-497-7259
> ====================================
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster
>
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073