[Nsspampgsql-devel] Bug#551389: Bug#551389: libnss-pgsql2: Public auth info in the nss-pgsql.conf allows Denial-of-Service attack to NSS

Stephen Gran sgran at debian.org
Fri Oct 30 19:45:19 UTC 2009


This one time, at band camp, Bram Senders said:
> Hi there,
> 
> I guess this would be a problem if the postgres database is not local;
> i.e. if you want several machines to authenticate against the same
> database.  The only way I currently see of "fixing" this is to use one
> user with "trust" access for read-only access to the group_table,
> passwd_table and usergroups tables (and use this user in
> /etc/nss-pgsql.conf), and one user with "md5" access (or some other
> authenticated access method) for access to the shadow_table table (and
> use this user in /etc/nss-pgsql-root.conf).

Hi,

Sure, this is possible - they're just connection parameters to a
database call, after all.  Basically, you want to create a separate
/etc/nss-pgsql-root.conf with different connection parameters than the
regular /etc/nss-pgsql.conf.  In postgres itself, the non-privileged
user should have read only access to your passwd, group and passwd-group
map tables.  The 'root' user (whatever name you choose to give it)
should have read only access to the shadow table.  These are standard
GRANT options in postgres speak.

In pg_hba.conf, the non-privileged user is granted access with trust,
the privileged user is granted access with md5 or whatever other password
mechanism you like.  On the local filesystem, you protect the shadow
credentials in /etc/nss-pgsql-root.conf by making the file mode 0600
root:root.  The non-privileged file of course has to be world read only,
so 0444 as a minimum.

Cheers,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran at debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
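The split described in the reply above, as an added example that is not from this thread or from the libnss-pgsql package: the role names nss and nss_shadow, the database name accounts, the client network range and the password placeholder are assumptions; the table names are the ones named in the mail, and the file-mode check encodes the 0600 / 0444 rule from the reply.

```shell
#!/bin/sh
# Added example, not part of the list thread or the libnss-pgsql package.
# Role names, database name, network range and password are assumptions.

# SQL for the two roles: the trust role may only read the public maps,
# the password-authenticated role may only read the shadow table.
nss_pgsql_grants_sql() {
    cat <<'EOF'
-- Unprivileged lookup role (used by /etc/nss-pgsql.conf): read-only on public maps.
CREATE ROLE nss LOGIN;
GRANT SELECT ON passwd_table, group_table, usergroups TO nss;
-- Privileged role (used by /etc/nss-pgsql-root.conf): read-only on shadow only.
CREATE ROLE nss_shadow LOGIN PASSWORD 'CHANGEME';   -- placeholder, set a real secret
REVOKE ALL ON shadow_table FROM PUBLIC;
GRANT SELECT ON shadow_table TO nss_shadow;
EOF
}

# pg_hba.conf lines: trust for the lookup role, md5 for the shadow role.
# 10.0.0.0/24 stands in for the network of the machines that use the maps.
nss_pgsql_hba_lines() {
    printf '%s\n' \
        "host  accounts  nss         10.0.0.0/24  trust" \
        "host  accounts  nss_shadow  10.0.0.0/24  md5"
}

# Octal mode of a file (GNU stat, with a BSD stat fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Check the on-disk protection the mail describes.  $1 = public config
# (must be world-readable and not group/world-writable: 444 or 644),
# $2 = root config (must be 0600), $3 = required owner (default root).
# Returns 0 when both files comply, 1 otherwise.
check_nss_conf_modes() {
    public_conf=$1 root_conf=$2 want_owner=${3:-root}
    pub_mode=$(file_mode "$public_conf") || return 1
    root_mode=$(file_mode "$root_conf") || return 1
    root_owner=$(stat -c '%U' "$root_conf" 2>/dev/null || stat -f '%Su' "$root_conf")
    [ "$root_mode" = "600" ] || { echo "$root_conf: mode $root_mode, want 600" >&2; return 1; }
    [ "$root_owner" = "$want_owner" ] || { echo "$root_conf: owner $root_owner, want $want_owner" >&2; return 1; }
    case "$pub_mode" in
        444|644) return 0 ;;
        *) echo "$public_conf: mode $pub_mode, want 444 or 644" >&2; return 1 ;;
    esac
}
```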