Bug 167040 - postgresql-server should include PAM config file
postgresql-server should include PAM config file
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: postgresql (Show other bugs)
4
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tom Lane
David Lawrence
: FutureFeature
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-08-29 15:08 EDT by Josh Kelley
Modified: 2013-07-02 23:06 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-12-20 11:39:58 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Josh Kelley 2005-08-29 15:08:59 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Description of problem:
The postgresql-server package should include a default /etc/pam.d/postgresql file that calls pam_stack.so service=system-auth.  Otherwise, the admin has to manually configure PAM, even after enabling it in /var/lib/pgsql/data/pg_hba.conf; AFAIK, no other RH/Fedora services require manually configuring PAM like this.

Version-Release number of selected component (if applicable):
8.0.3-1

How reproducible:
Always

Steps to Reproduce:
1. Install postgresql-server.
2. Enable PAM auth in /var/lib/pgsql/data/pb_hba.conf



Actual Results:  No users can log in.

Expected Results:  PAM authentication using system default user authentication settings.

Additional info:
Comment 1 Tom Lane 2005-08-29 16:08:46 EDT
Will look into it.  Is there any likely scenario where this would *not* be the
desired PAM configuration?
Comment 2 Josh Kelley 2005-08-29 16:18:49 EDT
None that I can think of - but I don't have experience with a wide variety of
different Linux setups, so I may be overlooking something.

Even with pam_stack system-auth, users still have to be enabled in pg_hba.conf,
so this default wouldn't do anything unless an admin edits pg_hba.conf, and
editing pg_hba.conf would hopefully prompt the admin to double-check the pam
config if he doesn't want system-auth.
Comment 3 Tom Lane 2005-10-04 19:22:13 EDT
I've added this file in postgresql-8.0.4-2.FC4.1, which should appear as an
update tomorrow.  I'm not super familiar with PAM, so I'd appreciate it if you'd
check it out and make sure the fix is good.
Comment 4 Josh Kelley 2005-10-05 11:18:29 EDT
The included PAM file doesn't work for PostgreSQL 7.4.8-1.RHEL4.1 (on RHEL 4 /
CentOS 4) at least; it needs an account line too.

account    required     pam_stack.so service=system-auth

Thanks.
Comment 5 Tom Lane 2005-10-05 11:36:58 EDT
Thanks, I'll update it on next respin.
Comment 6 Tom Lane 2005-10-10 10:06:29 EDT
Hmm ... on fedora-devel-list Tomas Mraz says that pam_stack is deprecated and
recommends this instead:

#%PAM-1.0
auth            include         system-auth
account         include         system-auth

Any comments?
Comment 7 Josh Kelley 2005-10-10 11:07:19 EDT
That's news to me; I was just copying the same format as was used in other PAM
files on my RHEL 3 and 4 boxes.  If "include system-auth" is the new recommended
approach, then that sounds good.  Thanks.
Comment 8 Tom Lane 2005-10-10 11:26:13 EDT
I think the "include" syntax is too new for RHEL3, but it should work in FC4 and
probably RHEL4.
Comment 9 Tom Lane 2005-10-18 11:31:49 EDT
Note to self: also, tweak spec file to avoid overwriting any existing PAM
configuration file ...
Comment 10 Tom Lane 2005-12-20 11:39:58 EST
I've pushed out a fixed-up file in postgresql-8.0.5-1.FC4.1.
Comment 11 Josh Kelley 2005-12-20 11:52:12 EST
Thanks.

Note You need to log in before you can comment on or make changes to this bug.