Skip site navigation (1) Skip section navigation (2)

Peripheral Links

Header And Logo

PostgreSQL
| The world's most advanced open source database.

Site Navigation

Search archives
  Advanced Search

Re: PAM authentication fails for local UNIX users

  • From: Andrew Dunstan <andrew(at)dunslane(dot)net>
  • To: Zdenek Kotala <Zdenek(dot)Kotala(at)Sun(dot)COM>
  • Cc: Dhanaraj(dot)M(at)Sun(dot)COM, pgsql-hackers(at)postgresql(dot)org
  • Subject: Re: PAM authentication fails for local UNIX users
  • Date: Mon, 20 Aug 2007 08:52:28 -0400
  • Message-id: <46C98E8C.9080707@dunslane.net> <text/plain>


Zdenek Kotala wrote:
The problem what Dhanaraj tries to address is how to secure solve problem with PAM and local user. Other servers (e.g. sshd) allow to run master under root (with limited privileges) and forked process under normal user. But postgresql 
requires start as non-root user. It limits to used common pattern.

There is important question:
Is current requirement to run postgresql under non-root OK? If yes, than we must update PAM documentation to explain this situation which will never works secure. Or if we say No, it is stupid limitation (in case when UID 0 says nothing about user's privileges) then we must start discussion about solution.
For now I think we should update the docs. You really can't compare postgres with sshd - ssh connections are in effect autonomous. I suspect the changes involved in allowing us to run as root and then give up privileges safely would be huge, and the gain quite small.
I'd rather see an HBA fallback mechanism, which I suspect might overcome most of the problems being encountered here. 

cheers

andrew
Home | Main Index | Thread Index

Privacy Policy | About PostgreSQL
Copyright © 1996 – 2012 PostgreSQL Global Development Group