diff options
| -rw-r--r-- | doc/src/sgml/runtime.sgml | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index 60a06590fec..98752c2875c 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml @@ -1922,7 +1922,7 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 </para> <para> - The simplest way to prevent spoofing for <literal>local</> + On way to prevent spoofing of <literal>local</> connections is to use a Unix domain socket directory (<xref linkend="guc-unix-socket-directories">) that has write permission only for a trusted local user. This prevents a malicious user from creating @@ -1935,6 +1935,13 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 </para> <para> + Another option for <literal>local</> connections is for clients to use + <link linkend="libpq-connect-requirepeer"><literal>requirepeer</></> + to specify the required owner of the server process connected to + the socket. + </para> + + <para> To prevent spoofing on TCP connections, the best solution is to use SSL certificates and make sure that clients check the server's certificate. To do that, the server |