Re: [GENERAL] pam-linux, /etc/shadow : HOW-TO

From: "Shridhar Daithankar" <shridhar_daithankar(at)persistent(dot)co(dot)in>
To: pgsql-general(at)postgresql(dot)org, ahoward <ahoward(at)fsl(dot)noaa(dot)gov>
Cc: pgsql-advocacy(at)postgresql(dot)org
Subject: Re: [GENERAL] pam-linux, /etc/shadow : HOW-TO
Date: 2003-05-21 06:36:36
Message-ID: 3ECB6BCC.12574.4EAEA68@localhost
Lists: pgsql-advocacy pgsql-docs pgsql-general

Hi,

could you please make a small writeup on this so that it can be posted on
techdocs. A small HOWTO.. That would help a lot of people.

Shridhar

On 20 May 2003 at 19:13, ahoward wrote:

>
> note: i'm no sysad, nor do i even pretend to understand pam, the linux kernel,
> or postgresql, but this setup is a safe, working, postgresql/linux/pam setup.
>
> 0) configure postgresql for pam, for example
>
> [root(at)omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf
> host all all 137.75.0.0 255.255.0.0 pam
>
> 1) create a /etc/pam.d/postgresql entry, here's how i did mine
>
> [root(at)omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql
>
> i don't know if it's the best setup, but it works! mine looks like this
>
> [root(at)omega tmp]# cat /etc/pam.d/postgresql
> #%PAM-1.0
> auth required /lib/security/pam_stack.so service=system-auth
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
>
> 2) create a shadow group which will be used for users needing read-access to
> /etc/shadow, and add postgres (or whatever user the postmaster runs as) to
> this entry. i used vi to add this entry to /etc/group
>
> [root(at)omega tmp]# grep shadow /etc/group
> shadow:*:4002:root,postgres
>
> root probably does not *need* to be added.
>
> note the '*' vs. an 'x' in the password field. if you place an 'x' there
> you will also have to set up /etc/gshadow - i did not want to do this. if
> you don't set up /etc/gshadow pam will NOT work if an 'x' is in the password
> field - at least with my linux system.
>
> 3) make /etc/shadow group shadow
>
> [root(at)omega tmp]# chgrp shadow /etc/shadow
>
> 4) chmod 0440 /etc/shadow
>
>
> essentially, pam will not work with postgres since the daemon needs at some
> point, no matter how many library calls deep, to open and read /etc/shadow
> (assuming this is how your system is using pam). you must have some solution
> which allows postgres, but not everyone, to read /etc/shadow. others probably
> exist.
>
> -a
>
> --
> ====================================
> | Ara Howard
> | NOAA Forecast Systems Laboratory
> | Information and Technology Services
> | Data Systems Group
> | R/FST 325 Broadway
> | Boulder, CO 80305-3328
> | Email: ara(dot)t(dot)howard(at)fsl(dot)noaa(dot)gov
> | Phone: 303-497-7238
> | Fax: 303-497-7259
> ====================================
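A small audit script, added here as an example and not part of either post, that checks the four settings the quoted procedure changes (postgres in the shadow group, a '*' rather than 'x' group password field, /etc/shadow at exactly 0440, and a pam entry in pg_hba.conf). It runs unprivileged against constructed stand-in files under $DEMO, which are placeholders for /etc/group, /etc/shadow and pg_hba.conf.

```shell
#!/bin/sh
# Constructed stand-ins for the real files so the checks run without root.
DEMO=$(mktemp -d)
printf 'shadow:*:4002:root,postgres\nusers:x:100:\n' > "$DEMO/group"
printf 'root:!!:12000:0:99999:7:::\n' > "$DEMO/shadow"
chmod 0440 "$DEMO/shadow"
printf '# constructed pg_hba.conf\nlocal all all trust\nhost all all 137.75.0.0 255.255.0.0 pam\n' \
    > "$DEMO/pg_hba.conf"

# group_has_member GROUPFILE GROUP USER: exit 0 if USER is in GROUP's member list.
group_has_member() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# group_password_field GROUPFILE GROUP: prints field 2 ('*' as in the post;
# 'x' means the entry is expected in /etc/gshadow, which the post avoids).
group_password_field() {
    awk -F: -v g="$2" '$1 == g { print $2 }' "$1"
}

# mode_is_0440 FILE: exit 0 only if the permission string is exactly -r--r-----
# (owner and group read, no world access). Parses ls output for portability.
mode_is_0440() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-r--r-----" ]
}

# pg_hba_pam_count FILE: number of non-comment entries whose auth method is pam.
pg_hba_pam_count() {
    awk '$1 !~ /^#/ && NF > 0 && $NF == "pam"' "$1" | wc -l | tr -d ' '
}

# Print one line per problem found; silence means the setup matches the post.
audit() {
    group_has_member "$DEMO/group" shadow postgres || echo "postgres is not in the shadow group"
    [ "$(group_password_field "$DEMO/group" shadow)" != "x" ] \
        || echo "shadow group password field is 'x': /etc/gshadow would be required"
    mode_is_0440 "$DEMO/shadow" || echo "shadow file is not mode 0440"
    [ "$(pg_hba_pam_count "$DEMO/pg_hba.conf")" -gt 0 ] || echo "no pam entry in pg_hba.conf"
}
audit
```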
