Irritation with shutdown(8) and postgress rc.d script

Thread: Irritation with shutdown(8) and postgress rc.d script

Search this list only Search all lists
Irritation with shutdown(8) and postgress rc.d script
United States	2007-03-13 00:41:28
I have a box on which I run PostgreSQL. I'm using the rc.d script that came with the pkgsrc server I installed. I'm in the operator group. I can run shutdown(8) and turn off the computer. The problem is when it comes time to stop postgres. Postgress likes to be running as the postgress user (pgsql here). So it does a su pgsql to tell the system to shutdown. Well. The problem is that when I run shutdown and shutdown runs rc.d hooks, su notices that I'm me and not root, so it asks for pgsql's password. Well, I've forgotten it. So PostgreSQL gets a hard shutdown. I chatted with John Nemeth, who indicated that su is calling into PAM, and pam_rootok only checks the real id. For my case the effective ID is roots, but the real is my own. How do we fix this? I can turn off the computer, so why are we not letting me stop services? Options: 1) Make pam_rootok check effective too. 2) Add pam_effectiverootok which checks effective id. 3) Make shutdown set its real id to root as well. I prefer (1) since if my effective id is root, I am acting as root. I can turn off the box, so it makes little sense to not let me do other root things. But what I really want is for shutdown to work. So any of the three options would be fine. Oh, this is NetBSD 3.0. Take care, Bill

Re: Irritation with shutdown(8) and postgress rc.d script
	2007-03-13 01:12:01
>>>>> On Mon, 12 Mar 2007 21:41:28 -0800, Bill Stouder-Studenmund <wrstudenNetBSD.org> said: > Options: > 1) Make pam_rootok check effective too. At least this isn't a valid option, as John Nemeth talked at the private talk, because: 1. It breaks compatibility with old NetBSD su which didn't use PAM. (Old NetBSD su checked real id too.) 2. It breaks compatibility with every other PAM implementations, including FreeBSD, linux, and so on... Using same name (pam_rootok) for different functionality (real id vs effective id) is not what users expect. 3. This may introduce security problems (think about third party applications which use pam_rootok in its configuration). > 3) Make shutdown set its real id to root as well. I think this is the way to go. The shutdown hooks should be executed with real id == 0, just like "su root -c <command>", I guess. -- soda

[1-2]

about | contact Other archives ( Real Estate discussion Medical topics )