Red Hat Bugzilla – Bug 115278
default permissions in postgresql-server-7.3.4-3.rhl9 break krb5 authentication
Last modified: 2013-07-02 23:00:26 EDT
Description of problem:
The default permissions on /etc/sysconfig/pgsql prevent krb5
authentication from working.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure a user to require "krb5" authentication in pg_hba.conf
2. Extract the database key into a keytab in the default location
3. Make the keytab readable by postgresql (chgrp postgres
/etc/sysconfig/pgsql/krb5.keytab; chmod g+r
4. Restart postgresql just in case.
5. Attempt to connect as the user (psql -h hostname -l).
User will get a "Kerberos 5 authentication failed" error, and the
server will log an error 13 (EACCES) in /var/log/messages.
Authentication should succeed, user does the dance of joy.
A workaround is to make /etc/sysconfig/pgsql 0750, group postgres, but
I don't know of any other implications to making this change.
More than that: Postgres also expects pg_service.conf to be in the
--sysconfdir directory, so we'd have to make the directory
world-readable if we want to use it as --sysconfdir.
I cannot see any good reason offhand why it's not world-readable;
other subdirectories of /etc/sysconfig are.
A fix slated for RHEL3 Update 2 is now in QA.
A (slightly different) fix is also in Postgres 7.4.2 RPMs btw, both
Fedora Core 2 and the PGDG RPM sets.
An errata has been issued which should help the problem described in this bug report.
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen
this bug report if the solution does not work for you.