PAM module for authentication with PostgreSQL; package ported from Debian sources, using Gentoo's pam_mysql ebuild as a model.
Reproducible: Always
Created attachment 21365 [details] ebuild
Just for reference sake, you should save the attachment as pam_pgsql-0.5.2_p5.ebuild in order to get the latest code. Also, I'm not sure if this is the proper place to say this, but I would like to see this ebuild included in gentoo.
FYI, as mentioned on gentoo-security@g.o (ref http://www.debian.org/security/2004/dsa-469), there is an SQL injection bug in this. See Debian sources for the patch.
Created attachment 36439 [details] pam_pgsql-0.5.2.7.1.ebuild
This is the ebuild I did for my own installation. It uses the original 0.5.2 release and the patch for debian sid.
Created attachment 36441 [details] pam_pgsql.conf
This file goes with the pam_pgsql-0.5.2.7.1.ebuild.
Bug ping. Any update on this into the main tree?
Sorry. I can't tell you why this is not in portage yet and when it will hit portage or if it will ever hit portage.
Any news? The project is also on pgfoundry, which is (one of) the official sites for PostgreSQL-related software: http://pgfoundry.org/frs/download.php/284/pam-pgsql-1.0.0.tgz Is this tgz compatible with the attached ebuild?
oops found the bug: 92659
Masatomo, I do not know if you might be interested in this .. there is no way for me to test this currently ...
*** Bug 91585 has been marked as a duplicate of this bug. ***
Well... I would love to help to maintain this ebuild, but I am not a Gentoo developer. If it is possible to get a developer status, then I would like to apply for the position to become a developer.
Created attachment 73341 [details] pam_pgsql-0.6.1.ebuild
This file goes into sys-auth/pam_pgsql
I just updated the pam_pgsql ebuild. It is NOT supported by Gentoo and will probably never be in portage. If someone needs PAM support for PostgreSQL, then use the sys-auth/libnss-pgsql package from portage.
(In reply to comment #14)
> I just updated the pam_pgsql ebuild. It is NOT supported by Gentoo and will
> probably never be in portage. If someone needs PAM support for PostgreSQL, then
> use the sys-auth/libnss-pgsql package from portage.
To my knowledge, libnss-pgsql is not a complete replacement: you can't authenticate a user unless encrypting the password field with the same hashing used by pam. Actually, I do need pam-pgsql on a couple of systems of mine, and I would really appreciate it if this package were finally included among the portage packages.
pam_pgsql is still needed. The pgsql from pgfoundry doesn't allow custom queries and uses an old configuration style compared to sourceforge's pam_pgsql. I need this module on many systems, especially on mail ones, so libnss-pgsql isn't a full replacement. kind regards
Any news about this matter?
What kind of news? It's still needed - or what do you expect? kind regards
Well, I was just asking if there is any news about adding it to the portage tree. I see that pam-pgsql-1.0.0 fixes the security problem that was affecting previous versions, so I wonder if there is any evident reason for pam-pgsql to still be out of the portage tree.
A modified ebuild for pam_pgsql-0.6.3 is now in our Sunrise Project overlay.
svn co http://overlays.gentoo.org/svn/proj/sunrise
Please, test and enjoy!
1.0? 0.6.3 is the latest released on http://sourceforge.net/projects/pam-pgsql. kind regards
The web site for this project moved out of sf. http://pgfoundry.org/frs/?group_id=1000039
Right, but Jakub is probably right too: the update time of the sf 0.6.3 is more recent than the 1.0.0 from pgf...
As far as i know, these are 2 different projects - look at pgsql.conf file, 0.6.1> allows you custom queries, 1.0.0 not, may it be? kind regards
(In reply to comment #24)
> As far as i know, these are 2 different projects - look at pgsql.conf file,
> 0.6.1> allows you custom queries, 1.0.0 not, may it be?
Shrug... :)
http://pgfoundry.org/frs/shownotes.php?release_id=230
<snip>
Release Name: pam-pgsql 1.0.0
Notes:
Initial Import from http://sourceforge.net/projects/pam-pgsql/
With latest patches on the website applied.
Plus a reconfiguration of the way data is queried.
Protection against SQL injections is in the form of PQexecParams.
</snip>
Anyway, both versions are in overlay now.
http://overlays.gentoo.org/proj/sunrise/browser/sys-auth/pam_pgsql/pam_pgsql-0.6.3.ebuild
http://overlays.gentoo.org/proj/sunrise/browser/sys-auth/pam_pgsql/pam_pgsql-1.0.0.ebuild
Mmmh, donno if it is sane to mix them: 1.0.0 from pgf is dated 2005-05-04, 0.6.3 from sf is dated 2006-05-08. Version 1.0.0 is supposed to be younger than 0.6.3, so... Ok, two suggestions:
1) Ask the two project leaders the why and how of the split;
2) Look at what others did: what is the package SuSE is adopting, for example?
(In reply to comment #26)
> Mmmh, donno if it is sane to mix them: 1.0.0 from pgf is dated 2005-05-04,
> 0.6.3 from sf is dated 2006-05-08. Version 1.0.0 is supposed to be younger than
> 0.6.3, so...
You won't mix them, they are both the same slot, you need to pick one. Additionally, 0.6.3 is package.masked in the overlay b/c of the possible SQL injection issues. You are also free to not use either of them, they are provided for users' convenience only. ;)
Well, maybe I'm missing something, but it seems to me that the sf 0.6.x version already addresses the security issue. In the debian/changelog file inside the package I read the following:
...omissis...
pam-pgsql (0.6) experimental; urgency=low
...omissis...
  * Moved to PQexecParams (obsoletes need for data escaping)
...omissis...
Which means to me that the security issue (i.e.: incomplete escaping of SQL parameters) was resolved. I have the strong belief that the pgf's package is a port from the sf's 0.5.x version, and the fact that their changelog reports a locally-made adaption to the PQexecParams call in order to circumvent security issues is a proof of this. Anyhow, I just placed a message on the two projects' forums asking for further info about the "competing" projects. We will see their replies... In the meanwhile, I'm personally going to stick with the sf's 0.6.3 version.
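
The change that the release notes and the changelog quoted above both describe, moving from string-built SQL to PQexecParams, as an added example; it is not code from pam-pgsql or from either project. The accounts table, its columns and the function names are assumptions, and the libpq part is compiled only with -DUSE_LIBPQ.

```c
/* Added example, not pam-pgsql code; -DUSE_LIBPQ -lpq enables the libpq part. */
#include <stdio.h>
#include <string.h>
#ifdef USE_LIBPQ
#include <libpq-fe.h>
#endif
/* Fixed statement text; table and column names are assumptions. */
static const char AUTH_QUERY[] =
    "SELECT password FROM accounts WHERE username = $1";

/* String-built style: the input becomes SQL text, so a quote inside it
 * changes how the server parses the statement. Returns 0 if it fit. */
int build_concat_query(char *out, size_t n, const char *user)
{
    int len = snprintf(out, n,
        "SELECT password FROM accounts WHERE username = '%s'", user);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* PQexecParams style: the value is bound to $1 and sent as data. */
const char *build_param_query(const char *values[1], const char *user)
{
    values[0] = user;   /* no escaping step: never merged into the text */
    return AUTH_QUERY;
}
#ifdef USE_LIBPQ
/* Copies the stored hash for user into out; 0 on exactly one match. */
int lookup_password(PGconn *conn, const char *user, char *out, size_t n)
{
    const char *values[1];
    const char *sql = build_param_query(values, user);
    PGresult *res = PQexecParams(conn, sql, 1, NULL, values, NULL, NULL, 0);
    int ok = PQresultStatus(res) == PGRES_TUPLES_OK && PQntuples(res) == 1;
    if (ok)
        snprintf(out, n, "%s", PQgetvalue(res, 0, 0));
    PQclear(res);
    return ok ? 0 : -1;
}
#endif

int main(void)
{
    char q[256];
    const char *values[1], *input = "o'brien";  /* constructed input */
    const char *sql = build_param_query(values, input);
    build_concat_query(q, sizeof q, input);
    printf("concatenated: %s\nbound: %s [$1 = %s]\n", q, sql, values[0]);
    return 0;
}
```

With the constructed input, the string-built statement ends up with an unbalanced quote, while the bound form sends the same fixed text for every user name.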
Created attachment 93974 [details] pam_pgsql-1.0.0.ebuild
The 1.0 ebuild from pgfoundry breaks the old 0.6.1 configuration:
auth_succ_query - query to be executed after successful authentication
auth_fail_query - query to be executed after failed authentication
aren't supported - the 0.6.1 already has the injection issues fixed, so I don't see any reason to switch to the pgfoundry module, which will break things. kind regards
Torsten's note makes me much more affirmative about the fact we are mixing two branches from different packages. I urge to stick to the sf one and burn the 1.0's from pgf!
Yeah we are going to mix them. I vote for your suggestion - stick with the sf one ( 0.6.3 is latest release afaik) and burn the 1.0 from pgf.
The sourceforge page now uses name libpam-pgsql. What about having two different packages that block each other? Like libpam-pgsql and pam-pgsql. This way users won't be confused. BTW there's only 1.0 version now on sunrise.
(In reply to comment #33)
> The sourceforge page now uses name libpam-pgsql. What about having two
> different packages that block each other? Like libpam-pgsql and pam-pgsql.
This is fine to me.
Created attachment 141596 [details, diff] Diff to build pam-pgsql-0.6.3 with recent gcc and postgresql 8.2.x
stdlib.h include is missing, NULL is unknown. This patch fixes the build error.
Created attachment 173463 [details] pam_pgsql-0.6.4.ebuild
I did a new ebuild as there's a pam-pgsql 0.6.4 available since 2008-05-24.
Also, I've updated the ebuild to use postgresql-base.
obs.: this ebuild still needs the no_strict_antialising and pam_get_service patches.
Created attachment 173465 [details, diff] pam-pgsql-0.6.4-no_strict_aliasing.patch
Little patch to avoid warnings of poor programming practices (it should be fixed by the pam-pgsql developers): "warning: dereferencing type-punned pointer will break strict-aliasing rules"
Created attachment 173467 [details, diff] pam-pgsql-0.6.4-pam_get_service.patch
pam_get_service.c is still missing the stdlib.h include reference.
I've already posted an updated ebuild for version 0.6.4. Any news about when it will hit the portage tree? I'm OK having my own layman repository on my network, but it would be great if this package got into the portage tree.
As this ebuild uses postgresql-base, if the system where this library is installed also has libnss-pgsql installed, it may be necessary to update libnss-pgsql to use postgresql-base as well.
(In reply to comment #36)
> Created an attachment (id=173463)
> pam_pgsql-0.6.4.ebuild
>
> I did a new ebuild as there's a pam-pgsql 0.6.4 available since 2008-05-24
>
> Also, I've updated the ebuild to use postgresql-base.
>
> obs.: this ebuild still needs the no_strict_antialising and pam_get_service patches.
After over six years this bug will finally be closed! :P I've added pam-pgsql to the tree, but with a snapshot of the current development repository as I've contributed upstream a new buildsystem that works properly. Please remove the old ebuild from sunrise whenever possible.
(In reply to comment #41)
> After over six years this bug will finally be closed! :P
You are my hero.
> I've added pam-pgsql to the tree, but with a snapshot of the current
> development repository as I've contributed upstream a new buildsystem that
> works properly.
>
> Please remove the old ebuild from sunrise whenever possible.
Great news! Thanks!