Bug 167040 - postgresql-server should include PAM config file
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: postgresql
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tom Lane
QA Contact: David Lawrence
Reported: 2005-08-29 19:08 UTC by Josh Kelley
Modified: 2013-07-03 03:06 UTC (History)
Doc Type: Enhancement
Last Closed: 2005-12-20 16:39:58 UTC
Type: ---

Description Josh Kelley 2005-08-29 19:08:59 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Description of problem:
The postgresql-server package should include a default /etc/pam.d/postgresql file that calls pam_stack.so service=system-auth.  Otherwise, the admin has to manually configure PAM, even after enabling it in /var/lib/pgsql/data/pg_hba.conf; AFAIK, no other RH/Fedora services require manually configuring PAM like this.

Version-Release number of selected component (if applicable):
8.0.3-1

How reproducible:
Always

Steps to Reproduce:
1. Install postgresql-server.
2. Enable PAM auth in /var/lib/pgsql/data/pg_hba.conf



Actual Results:  No users can log in.

Expected Results:  PAM authentication using system default user authentication settings.

Additional info:

Comment 1 Tom Lane 2005-08-29 20:08:46 UTC
Will look into it.  Is there any likely scenario where this would *not* be the
desired PAM configuration?

Comment 2 Josh Kelley 2005-08-29 20:18:49 UTC
None that I can think of - but I don't have experience with a wide variety of
different Linux setups, so I may be overlooking something.

Even with pam_stack system-auth, users still have to be enabled in pg_hba.conf,
so this default wouldn't do anything unless an admin edits pg_hba.conf, and
editing pg_hba.conf would hopefully prompt the admin to double-check the pam
config if he doesn't want system-auth.

Comment 3 Tom Lane 2005-10-04 23:22:13 UTC
I've added this file in postgresql-8.0.4-2.FC4.1, which should appear as an
update tomorrow.  I'm not super familiar with PAM, so I'd appreciate it if you'd
check it out and make sure the fix is good.

Comment 4 Josh Kelley 2005-10-05 15:18:29 UTC
The included PAM file doesn't work for PostgreSQL 7.4.8-1.RHEL4.1 (on RHEL 4 /
CentOS 4) at least; it needs an account line too.

account    required     pam_stack.so service=system-auth

Thanks.

Comment 5 Tom Lane 2005-10-05 15:36:58 UTC
Thanks, I'll update it on next respin.

Comment 6 Tom Lane 2005-10-10 14:06:29 UTC
Hmm ... on fedora-devel-list Tomas Mraz says that pam_stack is deprecated and
recommends this instead:

#%PAM-1.0
auth            include         system-auth
account         include         system-auth

Any comments?

Comment 7 Josh Kelley 2005-10-10 15:07:19 UTC
That's news to me; I was just copying the same format as was used in other PAM
files on my RHEL 3 and 4 boxes.  If "include system-auth" is the new recommended
approach, then that sounds good.  Thanks.

Comment 8 Tom Lane 2005-10-10 15:26:13 UTC
I think the "include" syntax is too new for RHEL3, but it should work in FC4 and
probably RHEL4.

Comment 9 Tom Lane 2005-10-18 15:31:49 UTC
Note to self: also, tweak spec file to avoid overwriting any existing PAM
configuration file ...

Comment 10 Tom Lane 2005-12-20 16:39:58 UTC
I've pushed out a fixed-up file in postgresql-8.0.5-1.FC4.1.

Comment 11 Josh Kelley 2005-12-20 16:52:12 UTC
Thanks.
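
Added example, not part of the original bug report or the postgresql package: a small shell check for the two problems raised in Comments 4 and 6, a PAM service file with no account line and one that still uses the deprecated pam_stack.so. The function names, return codes and sample files are constructed for illustration; the auth-only sample models the state Comment 4 implies, since the file shipped in 8.0.4-2.FC4.1 is not shown on this page. Backslash line continuations are not handled.

```shell
#!/bin/sh
# check_pam_service FILE  (hypothetical helper)
# Returns 0 = auth and account lines present, no pam_stack.so
#         1 = auth or account line missing
#         2 = both present, but deprecated pam_stack.so is used
#         3 = file cannot be read
check_pam_service() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 3; }
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { type = $1; sub(/^-/, "", type); seen[type] = 1 }
        /pam_stack\.so/ { stack = 1 }
        END {
            rc = 0
            if (stack)            { print "WARN deprecated pam_stack.so in use"; rc = 2 }
            if (!seen["auth"])    { print "FAIL no auth line";    rc = 1 }
            if (!seen["account"]) { print "FAIL no account line"; rc = 1 }
            exit rc
        }' "$1"
}

# Write three constructed sample service files into directory $1.
write_samples() {
    dir=$1
    # auth only: the situation Comment 4 reports as not working
    printf '%s\n' 'auth       required     pam_stack.so service=system-auth' \
        > "$dir/auth_only"
    # pam_stack form with the account line from Comment 4
    printf '%s\n' 'auth       required     pam_stack.so service=system-auth' \
                  'account    required     pam_stack.so service=system-auth' \
        > "$dir/pam_stack"
    # include form quoted in Comment 6
    printf '%s\n' '#%PAM-1.0' \
                  'auth            include         system-auth' \
                  'account         include         system-auth' \
        > "$dir/include"
}

# Demo run over the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in auth_only pam_stack include; do
    echo "== $f"
    check_pam_service "$tmp/$f" && echo "OK" || true
done
rm -rf "$tmp"
```

On a real system the function would be pointed at /etc/pam.d/postgresql, the path named in the bug description.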

