mirror of https://github.com/postgres/postgres.git synced 2025-04-25 21:42:33 +03:00

doc: requirepeer is a way to avoid spoofing

We already mentioned unix_socket_directories as an option.

Reported-by: https://www.postgresql.org/message-id/45016837-6cf3-3136-f959-763d06a28076%402ndquadrant.com

Backpatch-through: 9.6
Bruce Momjian 2016-08-18 21:41:10 -04:00
parent 9595383bc6
commit 5285c5e873

@ -1922,7 +1922,7 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
</para> </para>
<para> <para>
The simplest way to prevent spoofing for <literal>local</> On way to prevent spoofing of <literal>local</>
connections is to use a Unix domain socket directory (<xref connections is to use a Unix domain socket directory (<xref
linkend="guc-unix-socket-directories">) that has write permission only linkend="guc-unix-socket-directories">) that has write permission only
for a trusted local user. This prevents a malicious user from creating for a trusted local user. This prevents a malicious user from creating
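Review bot: typo in the replacement sentence at the top of this paragraph: "On way to prevent spoofing of" should read "One way to prevent spoofing of". The rest of the rewording, from "The simplest way" to "one way" and from "for" to "of", reads correctly once that word is fixed.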
@ -1934,6 +1934,13 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
<filename>/tmp</> cleanup script to prevent removal of the symbolic link. <filename>/tmp</> cleanup script to prevent removal of the symbolic link.
</para> </para>
<para>
Another option for <literal>local</> connections is for clients to use
<link linkend="libpq-connect-requirepeer"><literal>requirepeer</></>
to specify the required owner of the server process connected to
the socket.
</para>
<para> <para>
To prevent spoofing on TCP connections, the best solution is to use To prevent spoofing on TCP connections, the best solution is to use
SSL certificates and make sure that clients check the server's certificate. SSL certificates and make sure that clients check the server's certificate.
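Review bot: the new paragraph (from "Another option for" to "the socket.") does not say that this check is made by the client and so only protects connections that actually set requirepeer, unlike the socket-directory permission in the preceding paragraph, which is configured through unix_socket_directories. Consider adding a clause saying that each client connection has to set requirepeer, and naming the user it should normally be set to, so readers do not have to follow the link to learn how to apply it.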