File: pg_pam.HOWTO

Package: postgresql 7.4.7-6sarge6 (Debian suite: sarge)

This advice was quoted on the pgsql-general mailing list on 21st May 2003
=============================================================================

note: i'm no sysad, nor do i even pretend to understand pam, the linux kernel,
or postgresql, but this setup is a safe, working, postgresql/linux/pam setup.

0) configure postgresql for pam, for example

      [root ( at ) omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf
      host    all         all          137.75.0.0        255.255.0.0       pam

1) create a /etc/pam.d/postgresql entry, here's how i did mine

      [root ( at ) omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql

  i don't know if it's the best setup, but it works!  mine looks like this

      [root ( at ) omega tmp]# cat /etc/pam.d/postgresql
      #%PAM-1.0
      auth       required     /lib/security/pam_stack.so service=system-auth
      account    required     /lib/security/pam_stack.so service=system-auth
      password   required     /lib/security/pam_stack.so service=system-auth

2) create a shadow group which will be used for users needing read-access to
/etc/shadow, and add postgres (or whatever user the postmaster runs as) to
this entry.  i used vi to add this entry to /etc/group

      [root ( at ) omega tmp]# grep shadow /etc/group
      shadow:*:4002:root,postgres

  root probably does not *need* to be added.

  note the '*' vs. an 'x' in the password field.  if you place an 'x' there
  you will also have to set up /etc/gshadow - i did not want to do this.  if
  you don't set up /etc/gshadow pam will NOT work if an 'x' is in the password
  field - at least with my linux system.

3) make /etc/shadow group shadow

      [root ( at ) omega tmp]# chgrp shadow /etc/shadow

4) chmod 0440 /etc/shadow


essentially, pam will not work with postgres since the daemon needs at some
point, no matter how many library calls deep, to open and read /etc/shadow
(assuming this is how your system is using pam).  you must have some solution
which allows postgres, but not everyone, to read /etc/shadow.  others probably
exist.

  ====================================
  | Ara Howard
  | NOAA Forecast Systems Laboratory
  | Information and Technology Services
  | Data Systems Group
  | R/FST 325 Broadway
  | Boulder, CO 80305-3328
  | Email: ara ( dot ) t ( dot ) howard ( at ) fsl ( dot ) noaa ( dot ) gov
  | Phone:  303-497-7238
  | Fax:    303-497-7259
  ====================================
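The steps above leave a system in a state that is easy to get subtly wrong (a world-readable /etc/shadow, a postmaster user that is not actually in the group, an 'x' group password with no gshadow entry). The script below is an added audit helper, not part of the original HOWTO or of the PostgreSQL package: it re-checks that end state. Every path is taken relative to a root directory argument so the checks can first be exercised against a constructed fake tree (built by `make_fake_tree`, with made-up entries and no real password hashes) and then pointed at a real `/` and data directory. It assumes POSIX sh, awk and ls, and the group name "shadow" used in the HOWTO.

```shell
#!/bin/sh
# Audit helper for the pg/pam setup described above (added example, not the HOWTO's code).
# All functions take the root directory as $1 so they can run on a fake tree.

# 0 if <root>/etc/shadow has permission bits r--r----- (mode 0440 from step 4).
shadow_mode_ok() {
    mode=$(ls -l "$1/etc/shadow" | awk '{print substr($1, 2, 9)}')
    [ "$mode" = "r--r-----" ]
}

# 0 if user $2 is listed as a member of group "shadow" in <root>/etc/group (step 2).
in_shadow_group() {
    awk -F: -v u="$2" '
        $1 == "shadow" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$1/etc/group"
}

# 0 if the shadow group's password field is "*" (no gshadow needed), or "x" backed by an
# /etc/gshadow entry; the HOWTO reports pam failing on "x" without gshadow.
shadow_group_pw_ok() {
    pw=$(awk -F: '$1 == "shadow" { print $2 }' "$1/etc/group")
    case "$pw" in
        '*') return 0 ;;
        x)   [ -f "$1/etc/gshadow" ] && grep -q '^shadow:' "$1/etc/gshadow" ;;
        *)   return 1 ;;
    esac
}

# 0 if <root>/etc/pam.d/postgresql exists and carries auth and account lines (step 1).
pam_service_ok() {
    f="$1/etc/pam.d/postgresql"
    [ -f "$f" ] && grep -q '^auth[[:space:]]' "$f" && grep -q '^account[[:space:]]' "$f"
}

# Print the host lines of the pg_hba.conf given as $1 whose method is pam (step 0);
# exit status 1 if there are none.
hba_pam_lines() {
    awk '$1 == "host" && $NF == "pam" { print; n++ } END { exit n ? 0 : 1 }' "$1"
}

# Run every check against root $1 for postmaster user $2; PASS/FAIL per check,
# exit status 0 only if all pass.
audit() {
    root=$1; user=$2; rc=0
    for c in shadow_mode_ok in_shadow_group shadow_group_pw_ok pam_service_ok; do
        if "$c" "$root" "$user"; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
    done
    return $rc
}

# Constructed fake tree mirroring the HOWTO's files (values are made up for the demo).
make_fake_tree() {
    mkdir -p "$1/etc/pam.d" "$1/pgdata"
    printf 'root:*:0:\nshadow:*:4002:root,postgres\npostgres:x:26:\n' > "$1/etc/group"
    printf 'root:!:1:0:99999:7:::\n' > "$1/etc/shadow"   # locked entry, no real hash
    chmod 0440 "$1/etc/shadow"
    printf '#%%PAM-1.0\nauth       required     /lib/security/pam_stack.so service=system-auth\naccount    required     /lib/security/pam_stack.so service=system-auth\n' \
        > "$1/etc/pam.d/postgresql"
    printf 'host    all   all   137.75.0.0   255.255.0.0   pam\nlocal   all   all   trust\n' \
        > "$1/pgdata/pg_hba.conf"
}

# Stand-alone demo on a throwaway tree; on a real host call: audit / postgres
tmp=$(mktemp -d)
make_fake_tree "$tmp"
audit "$tmp" postgres
hba_pam_lines "$tmp/pgdata/pg_hba.conf"
rm -rf "$tmp"
```

On a real host, run `audit / postgres` (substituting the user the postmaster runs as) and `hba_pam_lines /usr/local/pgsql/data/pg_hba.conf`; any FAIL line points at the step that was skipped or reverted, and the mode check in particular catches a later package upgrade or `chmod` that made /etc/shadow readable to everyone again.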