[Nsspampgsql-devel] Bug#551389: Bug#551389: libnss-pgsql2: Public auth info in the nss-pgsql.conf allows Denial-of-Service attack to NSS

Bram Senders bram at luon.net
Fri Oct 30 14:58:55 UTC 2009


Hi there,

I'm considering using libnss-pgsql for using the same authentication
information on several machines, and I'm interested in the following.

On Sun, Oct 18, 2009 at 02:55:37AM +0100, Stephen Gran wrote:
> This one time, at band camp, Denis Feklushkin said:
> > Any local user can completely disable NSS resolution in the DB by
> > changing the password of the database role.
> > 
> > Unlike MySQL, PostgreSQL does not allow creating a user ("role") which
> > has no possibility of changing its own password (a so-called
> > "anonymous user").
> > 
> > Thus, any local user can obtain the password from /etc/nss-pgsql.conf,
> > change it, and access to the DB will be corrupted.
> 
> OK, I'll bite - why are you not making access to the database 'trust' in
> pg_hba.conf?

I guess this would be a problem if the postgres database is not local;
i.e. if you want several machines to authenticate against the same
database.  The only way I currently see of "fixing" this is to use one
user with "trust" access for read-only access to the group_table,
passwd_table and usergroups tables (and use this user in
/etc/nss-pgsql.conf), and one user with "md5" access (or some other
authenticated access method) for access to the shadow_table table (and
use this user in /etc/nss-pgsql-root.conf).

However, I do not have much knowledge of postgres, so I don't know
whether this would actually be workable.  What do you think?

Cheers,
Bram
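The two-role split Bram proposes, written out as an added example that is not part of this thread: a pg_hba.conf fragment and the SQL that creates and limits the roles. The database name nss, the role names nss_ro and nss_shadow, and the client network 10.0.0.0/24 are assumptions; the table names are the ones named in the mail. The "trust" line is only as safe as its ADDRESS column, so it is restricted to the NSS client hosts and everything else is rejected.

```sql
-- pg_hba.conf on the PostgreSQL server (first matching line wins):
--
--   # TYPE  DATABASE  USER        ADDRESS        METHOD
--   host    nss       nss_ro      10.0.0.0/24    trust
--   host    nss       nss_shadow  10.0.0.0/24    md5
--   host    nss       all         0.0.0.0/0      reject
--
-- nss_ro needs no password at all, so a local user who reads
-- /etc/nss-pgsql.conf and runs ALTER ROLE nss_ro PASSWORD ...
-- changes nothing: "trust" never consults the password.
-- (On PostgreSQL 10 and later, scram-sha-256 is preferred over md5.)

-- Role for /etc/nss-pgsql.conf (world-readable): public account data only.
CREATE ROLE nss_ro LOGIN;

-- Role for /etc/nss-pgsql-root.conf (root-readable): may also read hashes.
-- '<assumed-secret>' is a placeholder; set a real password when deploying.
CREATE ROLE nss_shadow LOGIN PASSWORD '<assumed-secret>';

GRANT CONNECT ON DATABASE nss TO nss_ro, nss_shadow;

-- Defensive: make sure nothing is readable by every role by default.
REVOKE ALL ON TABLE passwd_table, group_table, usergroups, shadow_table
    FROM PUBLIC;

-- Read-only, non-sensitive tables for the trusted role.
GRANT SELECT ON TABLE passwd_table, group_table, usergroups TO nss_ro;

-- Same tables plus shadow_table for the authenticated role.
GRANT SELECT ON TABLE passwd_table, group_table, usergroups, shadow_table
    TO nss_shadow;

-- Neither role gets INSERT/UPDATE/DELETE, so a compromised client host
-- cannot alter account data, only read what its role is allowed to see.
```

Verify the split from a client host with `psql -U nss_ro -d nss -c 'SELECT 1 FROM shadow_table LIMIT 1'`, which should fail with a permission error, while the same query as nss_shadow (after a password prompt) succeeds.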
