Hi there, I'm considering using libnss-pgsql for using the same authentication information on several machines, and I'm interested in the following.
On Sun, Oct 18, 2009 at 02:55:37AM +0100, Stephen Gran wrote:
> This one time, at band camp, Denis Feklushkin said:
> > Any local user can completely disable NSS resolution in DB by changing
> > the password to the database.
> >
> > Unlike mysql, postgres does not allow create a user ("role") which has
> > no possibility to change own password (so-called "anonymous user").
> >
> > Thus, any local user can obtain password from /etc/nss-pgsql.conf,
> > change it and access to the DB will be corrupted
>
> OK, I'll bite - why are you not making access to the database 'trust' in
> pg_hba.conf?

I guess this would be a problem if the postgres database is not local; i.e. if you want several machines to authenticate against the same database.

The only way I currently see of "fixing" this is to use one user with "trust" access for read-only access to the group_table, passwd_table and usergroups tables (and use this user in /etc/nss-pgsql.conf), and one user with "md5" access (or some other authenticated access method) for access to the shadow_table table (and use this user in /etc/nss-pgsql-root.conf).

However, I do not have much knowledge of postgres, so I don't know whether this would actually be workable. What do you think?

Cheers,
Bram
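
The two-role split proposed in the message above, sketched as an added example that is not part of the original thread or of libnss-pgsql. The role names `nss_ro` and `nss_shadow`, the database name `nssdb`, the client subnet `192.0.2.0/24` and the password placeholder are assumptions; the table names are the ones named in the message.

```sql
-- Added example: role, database and subnet names are hypothetical.
-- Run as a PostgreSQL superuser inside the (assumed) database "nssdb".

-- Nothing is readable by default; access is granted per role below.
REVOKE ALL ON group_table, passwd_table, usergroups, shadow_table FROM PUBLIC;

-- Role referenced from the world-readable /etc/nss-pgsql.conf.
-- It gets no password: with "trust" in pg_hba.conf the password is never
-- checked, so a local user running ALTER ROLE ... PASSWORD as this role
-- cannot lock the other machines out.
CREATE ROLE nss_ro LOGIN;
GRANT SELECT ON group_table, passwd_table, usergroups TO nss_ro;

-- Role referenced from /etc/nss-pgsql-root.conf, authenticated with md5.
-- Replace the placeholder before use.
CREATE ROLE nss_shadow LOGIN PASSWORD 'CHANGE_ME_PLACEHOLDER';
GRANT SELECT ON shadow_table TO nss_shadow;

-- Matching pg_hba.conf records (first matching record wins, so these must
-- come before any broader rule for the same database or subnet):
--
--   # TYPE  DATABASE  USER        ADDRESS        METHOD
--   host    nssdb     nss_ro      192.0.2.0/24   trust
--   host    nssdb     nss_shadow  192.0.2.0/24   md5

-- Check: the trust role must not be able to read the shadow table.
SELECT has_table_privilege('nss_ro', 'passwd_table', 'SELECT') AS ro_reads_passwd, -- expected: true
       has_table_privilege('nss_ro', 'shadow_table', 'SELECT') AS ro_reads_shadow; -- expected: false
```

With `trust`, any host in the listed subnet can connect as `nss_ro` without credentials, so the address range in that record should cover only the NSS client machines and the role should keep SELECT-only rights on the three non-shadow tables.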