[Nsspampgsql-devel] Bug#551389: Bug#551389: libnss-pgsql2: Public auth info in the nss-pgsql.conf allows Denial-of-Service attack to NSS

Bram Senders bram at luon.net
Tue Nov 3 14:06:00 UTC 2009


Stephen Gran wrote:
> This one time, at band camp, Bram Senders said:
> > I guess this would be a problem if the postgres database is not local;
> > i.e. if you want several machines to authenticate against the same
> > database.  The only way I currently see of "fixing" this is to use one
> > user with "trust" access for read-only access to the group_table,
> > passwd_table and usergroups tables (and use this user in
> > /etc/nss-pgsql.conf), and one user with "md5" access (or some other
> > authenticated access method) for access to the shadow_table table (and
> > use this user in /etc/nss-pgsql-root.conf).
> 
> Hi,
> 
> Sure, this is possible - they're just connection parameters to a
> database call, after all.  Basically, you want to create a separate
> /etc/nss-pgsql-root.conf with different connection parameters than the
> regular /etc/nss-pgsql.conf.  In postgres itself, the non-privileged
> user should have read only access to your passwd, group and passwd-group
> map tables.  The 'root' user (whatever name you choose to give it)
> should have read only access to the shadow table.  These are standard
> GRANT options in postgres speak.
> 
> In pg_hba.conf, the non-privileged user is granted access with trust,
> the privileged user is granted access with md5 or whatever other password
> mechanism you like.  On the local filesystem, you protect the shadow
> credentials in /etc/nss-pgsql-root.conf by making the file mode 0600
> root:root.  The non-privileged file of course has to be world read only,
> so 0444 as a minimum.

Okay, thanks!  I will look into this.

Denis Feklushkin wrote:
> If you want to make a system of multiple machines, I do not recommend
> the use of NSS and network access to NSS for *authentication* at all (it
> does not matter whether it is libnss-pgsql2 or another module).
> 
> Otherwise, in this case an attacker who breaks into one of the machines
> and obtains root permission will be able to immediately take all logins
> and password hashes from your NSS DB.
> 
> NSS can be used for authorization but not for authentication. Use PAM
> instead of it.

Hmm, that doesn't sound too good.  But yes, I can understand how that
would be the case.  In that case, I will see whether there is some PAM
module that better suits my needs.

Thank you for your assistance, both of you!

Bram
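
An added example, not part of the original thread or of libnss-pgsql2: a Python check of the file-side layout Stephen Gran describes above, where /etc/nss-pgsql.conf is world-readable and carries no password, and /etc/nss-pgsql-root.conf is mode 0600 owned by root. The function name `audit_conf` and the `password=` pattern (the libpq connection keyword) are assumptions of this example.

```python
import os
import re
import stat

# Assumption: credentials appear as the libpq keyword "password=<value>".
PASSWORD_RE = re.compile(r"\bpassword\s*=\s*\S+")


def audit_conf(path, holds_secret, owner_uid=0):
    """Return findings for one NSS PostgreSQL config file.

    holds_secret=True  -> shadow (root) file: expected 0600, owned by owner_uid
    holds_secret=False -> public file: world-readable, must carry no password
    """
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)

    # Drop '#' comments so a commented-out sample line is not reported.
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = [ln.split("#", 1)[0] for ln in fh]
    has_password = any(PASSWORD_RE.search(ln) for ln in lines)

    if st.st_uid != owner_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {owner_uid}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group/other (mode {mode:04o})")
    if holds_secret:
        # Any group/other permission bit exposes the shadow credentials.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{path}: mode {mode:04o}, expected 0600")
    else:
        if not mode & stat.S_IROTH:
            findings.append(f"{path}: not world-readable, unprivileged lookups fail")
        elif has_password:
            # With "trust" access for the read-only user no password is needed.
            findings.append(f"{path}: password in a world-readable file")
    return findings


if __name__ == "__main__":
    # Paths as named in the thread.
    for conf, secret in (("/etc/nss-pgsql.conf", False),
                         ("/etc/nss-pgsql-root.conf", True)):
        if os.path.exists(conf):
            print("\n".join(audit_conf(conf, secret)) or f"{conf}: ok")
```
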
