Commit5285c5e

committed

doc: requirepeer is a way to avoid spoofing

1 parent9595383 commit5285c5eCopy full SHA for 5285c5e

File tree

-1

lines changed

-1

lines changed

Lines changed: 8 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1922,7 +1922,7 @@ pg_dumpall -p 5432 \| psql -d postgres -p 5433`
`1922`	`1922`	`</para>`
`1923`	`1923`
`1924`	`1924`	`<para>`
`1925`		`-The simplestway to prevent spoofingfor <literal>local</>`
	`1925`	`+Onway to prevent spoofingof <literal>local</>`
`1926`	`1926`	`connections is to use a Unix domain socket directory (<xref`
`1927`	`1927`	`linkend="guc-unix-socket-directories">) that has write permission only`
`1928`	`1928`	`for a trusted local user. This prevents a malicious user from creating`
`@@ -1934,6 +1934,13 @@ pg_dumpall -p 5432 \| psql -d postgres -p 5433`
`1934`	`1934`	`<filename>/tmp</> cleanup script to prevent removal of the symbolic link.`
`1935`	`1935`	`</para>`
`1936`	`1936`
	`1937`	`+ <para>`
	`1938`	`+ Another option for <literal>local</> connections is for clients to use`
	`1939`	`+ <link linkend="libpq-connect-requirepeer"><literal>requirepeer</></>`
	`1940`	`+ to specify the required owner of the server process connected to`
	`1941`	`+ the socket.`
	`1942`	`+ </para>`
	`1943`	`+`
`1937`	`1944`	`<para>`
`1938`	`1945`	`To prevent spoofing on TCP connections, the best solution is to use`
`1939`	`1946`	`SSL certificates and make sure that clients check the server's certificate.`

Comments

(0)