Diffstat (limited to 'doc/src')
-rw-r--r-- | doc/src/sgml/ref/initdb.sgml | 17 |
-rw-r--r-- | doc/src/sgml/runtime.sgml | 23 |
-rw-r--r-- | doc/src/sgml/standalone-install.xml | 9 |
3 files changed, 24 insertions, 25 deletions
diff --git a/doc/src/sgml/ref/initdb.sgml b/doc/src/sgml/ref/initdb.sgml index 74b994b6498..da5c8f53075 100644 --- a/doc/src/sgml/ref/initdb.sgml +++ b/doc/src/sgml/ref/initdb.sgml @@ -137,23 +137,8 @@ PostgreSQL documentation </para> <para> - The default is <literal>peer</literal> for Unix-domain socket - connections on operating systems that support it, otherwise - <literal>md5</literal>, and <literal>md5</literal> for TCP/IP - connections. - </para> - - <para> - When running <command>initdb</command> on a platform that does not - support <literal>peer</literal> authentication, either a password must - be provided (see <option>-W</option> and other options) or a different - authentication method must be chosen, otherwise - <command>initdb</command> will error. - </para> - - <para> Do not use <literal>trust</literal> unless you trust all local users on your - system. + system. <literal>trust</literal> is the default for ease of installation. </para> </listitem> </varlistentry> diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index 305698aa0e7..365ec75aad8 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml 
@@ -156,19 +156,24 @@ postgres$ <userinput>initdb -D /usr/local/pgsql/data</userinput> </para> <para> - The default client authentication setup is such that users can connect over - the Unix-domain socket to the same database user name as their operating - system user names (on operating systems that support this, which are most - modern Unix-like systems, but not Windows) and otherwise with a password. - To assign a password to the initial database superuser, use one of + However, while the directory contents are secure, the default + client authentication setup allows any local user to connect to the + database and even become the database superuser. If you do not + trust other local users, we recommend you use one of <command>initdb</command>'s <option>-W</option>, <option>--pwprompt</option> - or <option>--pwfile</option> options.<indexterm> + or <option>--pwfile</option> options to assign a password to the + database superuser.<indexterm> <primary>password</primary> <secondary>of the superuser</secondary> </indexterm> - This configuration is secure and sufficient to get started. Later, see - <xref linkend="client-authentication"/> for more information about setting - up client authentication. + Also, specify <option>-A md5</option> or + <option>-A password</option> so that the default <literal>trust</literal> authentication + mode is not used; or modify the generated <filename>pg_hba.conf</filename> + file after running <command>initdb</command>, but + <emphasis>before</emphasis> you start the server for the first time. (Other + reasonable approaches include using <literal>peer</literal> authentication + or file system permissions to restrict connections. See <xref + linkend="client-authentication"/> for more information.) </para> <para> diff --git a/doc/src/sgml/standalone-install.xml b/doc/src/sgml/standalone-install.xml index 749a071061a..f584789f9a4 100644 --- a/doc/src/sgml/standalone-install.xml +++ b/doc/src/sgml/standalone-install.xml 
@@ -65,6 +65,15 @@ postgres$ <userinput>/usr/local/pgsql/bin/initdb -D /usr/local/pgsql/data</useri <step> <para> + At this point, if you did not use the <command>initdb</command> <literal>-A</literal> + option, you might want to modify <filename>pg_hba.conf</filename> to control + local access to the server before you start it. The default is to + trust all local users. + </para> + </step> + + <step> + <para> The previous <command>initdb</command> step should have told you how to start up the database server. Do so now. The command should look something like: |
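Review bot: in the initdb.sgml hunk, the added sentence "<literal>trust</literal> is the default for ease of installation" does not say which connection types it covers, whereas the removed paragraph distinguished Unix-domain socket connections from TCP/IP connections. Suggest stating explicitly whether the default applies to both. The same paragraph opens with "Do not use trust unless you trust all local users", so it now warns against its own default without saying what to do instead; the removed second paragraph carried the reference to <option>-W</option>, and a pointer to it (and to choosing another method) would be worth keeping here.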
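Review bot: in the runtime.sgml hunk, the password advice and the following "Also, specify <option>-A md5</option> or <option>-A password</option>" sentence read as two independent recommendations, so a reader can stop after <option>--pwprompt</option> and still be left with the trust default that the first sentence warns about. Suggest merging them into one instruction (assign a superuser password and select a non-trust method with -A in the same initdb run), and moving the "before you start the server for the first time" condition to the front of the pg_hba.conf alternative so it is not missed. The pointer to client-authentication now survives only inside the closing parenthetical; consider keeping it as its own sentence.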
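Review bot: in the standalone-install.xml hunk, "you might want to modify pg_hba.conf" undersells what the next sentence says, that the default is to trust all local users; the runtime.sgml text in this same patch spells the consequence out as any local user being able to become the database superuser. Suggest wording the step as a recommendation and stating that consequence here too, since the initdb command in the hunk's context line is shown with only -D, so every reader following these steps reaches this point with trust in effect. Style: -A is tagged <literal> here, while options are tagged <option> in the other two files.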