Hi all,
This is the continuation to the discussion that we had in the hacker's list.
http://www.postgresql.org/docs/8.2/interactive/auth-methods.html#AUTH-PAM
Here, I like to add some details in 20.2.6. PAM authentication section.
Can someone review and make changes, if required? Thanks.
*** client-auth.sgml.orig Tue Aug 21 16:52:45 2007
--- client-auth.sgml Tue Aug 21 17:02:52 2007
***************
*** 987,992 ****
--- 987,1001 ----
and the <ulink url="http://www.sun.com/software/solaris/pam/">
<systemitem class="osname">Solaris</> PAM Page</ulink>.
</para>
+
+ <note>
+ <para>
+ The local UNIX user authentication is not permitted,
+ because the postgres server is started by a non-root user.
+ In order to enable this functionality, the root user must provide
+ additional permissions to the postgres user (for reading
/etc/shadow file).
+ </para>
+ </note>
</sect2>
</sect1>
>
>
> Zdenek Kotala wrote:
>>
>> The problem what Dhanaraj tries to address is how to secure solve
>> problem with PAM and local user. Other servers (e.g. sshd) allow to
>> run master under root (with limited privileges) and forked process
>> under normal user. But postgresql
>> requires start as non-root user. It limits to used common pattern.
>>
>> There is important question:
>>
>> Is current requirement to run postgresql under non-root OK? If yes,
>> than we must update PAM documentation to explain this situation which
>> will never works secure. Or if we say No, it is stupid limitation (in
>> case when UID 0 says nothing about user's privileges) then we must
>> start discussion about solution.
>>
>>
>
> For now I think we should update the docs. You really can't compare
> postgres with sshd - ssh connections are in effect autonomous. I
> suspect the changes involved in allowing us to run as root and then
> give up privileges safely would be huge, and the gain quite small.
>
> I'd rather see an HBA fallback mechanism, which I suspect might
> overcome most of the problems being encountered here.
>
> cheers
>
> andrew
--
================================
Dhanaraj M
x40049/+91-9880244950
Solaris RPE, Bangalore, India
http://blogs.sun.com/dhanarajm/
================================