Re: 7.4.3 and PAM authentication failures
From | Kris Deugau |
---|---|
Subject | Re: 7.4.3 and PAM authentication failures |
Date | |
Msg-id | 412214EB.5B300875@vianet.ca |
In reply to | Re: 7.4.3 and PAM authentication failures (Dallas N Antley <dna+pgsql@clas.ufl.edu>) |
List | pgsql-admin |
Dallas N Antley wrote:
> /- On Monday (8/16/2004 19:35) Tom Lane <tgl@sss.pgh.pa.us> wrote:
> > I think you've proven that the particular PAM modules you are
> > testing with are useless for programs executing as non-root, but
> > that doesn't mean the entire concept is broken. Look around ...
> > there are lots of
> > PAM modules (or at least that's the theory).
>
> Correct. I'm only referring to pam_unix* modules. This has come up
> on the list a few times, but there's never been a "solution" in any
> of the replies.

I'm not sure what you're looking for in a solution, but I dug through the source to one of the pam_unix modules at one point to see why an app I was writing was misbehaving.

In short, pam_unix specifically reads /etc/passwd and /etc/shadow (unless your NSS configuration uses NIS, LDAP, or some other remote-authentication system - and even then it may still need root access) and if you don't want PAM or your app to be setuid root, you don't use pam_unix (or any of the other modules that require root access for one reason or another).

If you want PAM authentication against the system password file, your app MUST either:

1) Run setuid root
OR
2) Communicate with some external authentication system that runs setuid root. This can be done relatively easily through PAM; you just have to find the appropriate modules and authentication daemon. <g>

So far as I understand your original question, you're asking "I want to authenticate against the system password file, but I don't want my app [Postgres] to have root privileges in any way". PAM, in and of itself, does not inherently require root access to work correctly - UNLESS you're using a particular PAM module that *does*.... such as pam_unix.

This is by no means unique to Postgres.

-kgd
--
Get your mouse off of there! You don't know where that email has been!
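The point made above, that a PAM stack built on pam_unix cannot be satisfied by a server running as an unprivileged user, can be checked before deployment. The following is an added example (not part of the message or of PostgreSQL) that audits a PAM service file's auth stack for such modules; the service file is constructed sample input, and the module list beyond pam_unix* is an assumption to extend for your platform.

```shell
#!/bin/sh
# Added example: flag auth-stack modules that read /etc/shadow and so need
# the calling process (e.g. the postgres server) to have root privileges.

# Modules assumed to need root for /etc/shadow; pam_unix* comes from the
# thread, anything else here is an assumption for your own platform.
ROOT_ONLY_MODULES='pam_unix pam_unix2'

# Usage: audit_pam_auth_stack /path/to/pam.d/service
# Prints each offending auth line's module. Returns 0 if the auth stack
# has no root-only module, 1 if at least one was found.
audit_pam_auth_stack() {
    found=0
    # Drop comments, collapse "[success=1 default=ignore]" controls so the
    # module is always the 3rd field, keep "auth" and "-auth" lines only.
    for mod in $(sed -e 's/#.*//' -e 's/\[[^]]*\]/bracketed/' "$1" |
                 awk '($1 == "auth" || $1 == "-auth") { print $3 }'); do
        base=$(basename "$mod" .so)
        for r in $ROOT_ONLY_MODULES; do
            if [ "$base" = "$r" ]; then
                echo "auth stack uses $mod: needs root to read /etc/shadow"
                found=1
            fi
        done
    done
    return $found
}

# Constructed sample service file (not a real /etc/pam.d/postgresql).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample PAM service file
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok
auth     required   pam_deny.so
account  required   pam_unix.so
EOF

if audit_pam_auth_stack "$SAMPLE"; then
    echo "auth stack has no root-only modules"
else
    echo "an unprivileged server cannot satisfy this auth stack without a setuid helper or daemon"
fi
rm -f "$SAMPLE"
```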