Red Hat Bugzilla – Bug 167040
postgresql-server should include PAM config file
Last modified: 2013-07-02 23:06:51 EDT
Description of problem:
The postgresql-server package should include a default /etc/pam.d/postgresql file that calls pam_stack.so service=system-auth. Otherwise, the admin has to manually configure PAM, even after enabling it in /var/lib/pgsql/data/pg_hba.conf; AFAIK, no other RH/Fedora services require manually configuring PAM like this.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install postgresql-server.
2. Enable PAM auth in /var/lib/pgsql/data/pg_hba.conf
Actual Results: No users can log in.
Expected Results: PAM authentication using system default user authentication settings.
Will look into it. Is there any likely scenario where this would *not* be the
desired PAM configuration?
None that I can think of - but I don't have experience with a wide variety of
different Linux setups, so I may be overlooking something.
Even with pam_stack system-auth, users still have to be enabled in pg_hba.conf,
so this default wouldn't do anything unless an admin edits pg_hba.conf, and
editing pg_hba.conf would hopefully prompt the admin to double-check the pam
config if he doesn't want system-auth.
I've added this file in postgresql-8.0.4-2.FC4.1, which should appear as an
update tomorrow. I'm not super familiar with PAM, so I'd appreciate it if you'd
check it out and make sure the fix is good.
The included PAM file doesn't work for PostgreSQL 7.4.8-1.RHEL4.1 (on RHEL 4 /
CentOS 4) at least; it needs an account line too.
account required pam_stack.so service=system-auth
Thanks, I'll update it on next respin.
Hmm ... on fedora-devel-list Tomas Mraz says that pam_stack is deprecated and
recommends this instead:
auth include system-auth
account include system-auth
That's news to me; I was just copying the same format as was used in other PAM
files on my RHEL 3 and 4 boxes. If "include system-auth" is the new recommended
approach, then that sounds good. Thanks.
I think the "include" syntax is too new for RHEL3, but it should work in FC4 and
Note to self: also, tweak spec file to avoid overwriting any existing PAM
configuration file ...
I've pushed out a fixed-up file in postgresql-8.0.5-1.FC4.1.
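
The following is an added example, not part of the bug thread or of the postgresql package: a small Python lint for a PAM service file such as /etc/pam.d/postgresql that reports the two problems raised above, a missing account rule and use of pam_stack.so. The function names and the sample file contents are constructed for illustration.

```python
# Added example: lint a PAM service file such as /etc/pam.d/postgresql.
# Function names and sample file contents are constructed for illustration.
MANAGEMENT_GROUPS = {"auth", "account", "password", "session"}
REQUIRED = ("auth", "account")  # the thread found both are needed

def parse_pam(text):
    """Return (type, control, module, args) for each rule line."""
    rules = []
    # A trailing backslash continues a rule on the next line.
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        kind = fields[0].lstrip("-")  # leading '-' only silences logging
        if kind not in MANAGEMENT_GROUPS:
            continue
        end = 1
        # Bracketed controls such as [success=1 default=ignore] span fields.
        if fields[1].startswith("["):
            while end < len(fields) - 1 and not fields[end].endswith("]"):
                end += 1
        if end + 1 >= len(fields):
            continue  # no module after the control field
        rules.append((kind, " ".join(fields[1:end + 1]), fields[end + 1], fields[end + 2:]))
    return rules

def lint_pam_service(text):
    """Report the two defects discussed in the bug thread."""
    rules = parse_pam(text)
    findings = []
    present = {kind for kind, _, _, _ in rules}
    for kind in REQUIRED:
        if kind not in present:
            findings.append(f"missing '{kind}' rule")
    for kind, _, module, args in rules:
        if module.endswith("pam_stack.so"):
            svc = next((a.split("=", 1)[1] for a in args if a.startswith("service=")), "?")
            findings.append(f"{kind}: pam_stack.so is deprecated; use '{kind} include {svc}'")
    return findings

# Constructed samples: an auth-only pam_stack file, and the include form.
AUTH_ONLY = "#%PAM-1.0\nauth required pam_stack.so service=system-auth\n"
INCLUDE_FORM = "#%PAM-1.0\nauth include system-auth\naccount include system-auth\n"

if __name__ == "__main__":
    for name, text in (("auth-only", AUTH_ONLY), ("include", INCLUDE_FORM)):
        print(name, lint_pam_service(text) or "ok")
```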