pam-linux, /etc/shadow : HOW-TO

Started by ahoward, almost 23 years ago; 5 messages; lists: docs, general

#1 ahoward
ahoward@fsl.noaa.gov
docs, general

note: i'm no sysad, nor do i even pretend to understand pam, the linux kernel,
or postgresql, but this setup is a safe, working, postgresql/linux/pam setup.

0) configure postgresql for pam, for example

[root@omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf
host all all 137.75.0.0 255.255.0.0 pam

1) create a /etc/pam.d/postgresql entry, here's how i did mine

[root@omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql

i don't know if it's the best setup, but it works! mine looks like this

[root@omega tmp]# cat /etc/pam.d/postgresql
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth

2) create a shadow group which will be used for users needing read-access to
/etc/shadow, and add postgres (or whatever user the postmaster runs as) to
this entry. i used vi to add this entry to /etc/group

[root@omega tmp]# grep shadow /etc/group
shadow:*:4002:root,postgres

root probably does not *need* to be added.

note the '*' vs. an 'x' in the password field. if you place an 'x' there
you will also have to set up /etc/gshadow - i did not want to do this. if
you don't set up /etc/gshadow pam will NOT work if an 'x' is in the password
field - at least with my linux system.

3) make /etc/shadow group shadow

[root@omega tmp]# chgrp shadow /etc/shadow

4) chmod 0440 /etc/shadow

essentially, pam will not work with postgres since the daemon needs at some
point, no matter how many library calls deep, to open and read /etc/shadow
(assuming this is how your system is using pam). you must have some solution
which allows postgres, but not everyone, to read /etc/shadow. others probably
exist.

-a

--
====================================
| Ara Howard
| NOAA Forecast Systems Laboratory
| Information and Technology Services
| Data Systems Group
| R/FST 325 Broadway
| Boulder, CO 80305-3328
| Email: ara.t.howard@fsl.noaa.gov
| Phone: 303-497-7238
| Fax: 303-497-7259
====================================
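The steps above hand the postmaster read access to every local account's password hash, so a compromise of the database server also exposes those hashes; it is worth being able to verify exactly what the change did. The script below is an added example, not code from the original post or from PostgreSQL: it implements steps 2 to 4 as shell functions that take the file paths as parameters, so the group-membership, gshadow and permission checks can be exercised on scratch copies before touching the real /etc/group and /etc/shadow. It assumes a Linux box with GNU coreutils (stat -c) and uses the group name "shadow" and user "postgres" from the post; run it as `sh script.sh check` to report on the live files (read-only).

```shell
#!/bin/sh
# Added example (not from the original post). Apply and verify the
# "shadow group" scheme from steps 2-4 on arbitrary files.
# Assumes GNU coreutils (stat -c '%a %G') on Linux.

# in_group USER GROUP [GROUPFILE]: exit 0 if USER is listed as a member of
# GROUP in GROUPFILE (default /etc/group). Members are the 4th colon field.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }' "${3:-/etc/group}"
}

# group_pw_field GROUP [GROUPFILE]: print the password field of GROUP.
# "*" means no gshadow lookup; "x" means the real entry lives in gshadow.
group_pw_field() {
    awk -F: -v g="$1" '$1 == g { print $2 }' "${2:-/etc/group}"
}

# group_needs_gshadow GROUP [GROUPFILE] [GSHADOWFILE]: exit 0 when GROUP has
# an "x" password field but no matching line in GSHADOWFILE, which is the
# misconfiguration the post warns about.
group_needs_gshadow() {
    group=$1; gfile=${2:-/etc/group}; gsfile=${3:-/etc/gshadow}
    [ "$(group_pw_field "$group" "$gfile")" = "x" ] || return 1
    [ -r "$gsfile" ] &&
        awk -F: -v g="$group" '$1 == g { f = 1 } END { exit f ? 0 : 1 }' "$gsfile" &&
        return 1
    return 0
}

# restrict_shadow FILE GROUP: steps 3 and 4 (chgrp + chmod 0440).
restrict_shadow() {
    chgrp "$2" "$1" && chmod 0440 "$1"
}

# shadow_perms_ok FILE GROUP: exit 0 only if FILE belongs to GROUP and its
# mode grants nothing to "other" and no write/exec to the group
# (mask 037 = group w+x and all of other), i.e. 0440 or tighter.
shadow_perms_ok() {
    set -- "$1" "$2" "$(stat -c '%a %G' "$1")" || return 1
    mode=${3% *}; grp=${3#* }
    [ "$grp" = "$2" ] || return 1
    [ $(( 0$mode & 037 )) -eq 0 ]
}

# report: read-only check of the live system against the post's layout.
report() {
    in_group postgres shadow && echo "OK   postgres is in group shadow" \
        || echo "FAIL postgres not in group shadow"
    group_needs_gshadow shadow && echo "FAIL shadow has 'x' but no gshadow entry" \
        || echo "OK   shadow group password field is usable"
    shadow_perms_ok /etc/shadow shadow && echo "OK   /etc/shadow is group shadow, mode <= 0440" \
        || echo "FAIL /etc/shadow group/mode not as expected"
}

if [ "${1:-}" = "check" ]; then
    report
fi
```

The functions take file arguments rather than hard-coding /etc paths so the same logic can be dry-run against copies in a temp directory; only `restrict_shadow` modifies anything, and `report` never calls it.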

#2 Shridhar Daithankar
shridhar_daithankar@persistent.co.in
In reply to: ahoward (#1)
docs, general
Re: [GENERAL] pam-linux, /etc/shadow : HOW-TO

Hi,

Could you please make a small writeup on this so that it can be posted on
techdocs? A small HOWTO. That would help a lot of people.

Shridhar

On 20 May 2003 at 19:13, ahoward wrote:


#3 ahoward
ahoward@fsl.noaa.gov
In reply to: Shridhar Daithankar (#2)
docs, general
Re: [GENERAL] pam-linux, /etc/shadow : HOW-TO

On Wed, 21 May 2003, Shridhar Daithankar wrote:

Hi,

Could you please make a small writeup on this so that it can be posted on
techdocs? A small HOWTO. That would help a lot of people.

Shridhar

sure. html?

-a


#4 Justin Clift
justin@postgresql.org
In reply to: ahoward (#3)
docs, general
Re: [GENERAL] pam-linux, /etc/shadow : HOW-TO

ahoward wrote:

sure. html?

Um, whatever works for you. :)

If you want to do it the easy way, and also assist in the testing of a Content Management System that I'm hoping is good enough to redo the Techdocs site with,
then putting it here would be cool:

http://techdocs.postgresql.org/v2/Guides/

Regards and best wishes,

Justin Clift

--
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi

#5 Bruce Momjian
bruce@momjian.us
In reply to: ahoward (#1)
docs, general
Re: [GENERAL] pam-linux, /etc/shadow : HOW-TO

Would someone merge this into our CVS docs and submit a patch?

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073