doc: requirepeer is a way to avoid spoofing

We already mentioned unix_socket_directories as an option. Reported-by: https://www.postgresql.org/message-id/45016837-6cf3-3136-f959-763d06a28076%402ndquadrant.com Backpatch-through: 9.6

doc: requirepeer is a way to avoid spoofing
We already mentioned unix_socket_directories as an option. Reported-by: https://www.postgresql.org/message-id/45016837-6cf3-3136-f959-763d06a28076%402ndquadrant.com Backpatch-through: 9.6
5285c5e8 · Bruce Momjian · 9595383b · 5285c5e8
Commit 5285c5e8 authored Aug 18, 2016 by Bruce Momjian
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 1 deletion

doc/src/sgml/runtime.sgml doc/src/sgml/runtime.sgml +8 -1

No files found.
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -1922,7 +1922,7 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
  </para>
  <para>
-   The simplest way to prevent spoofing for <literal>local</>
+   On way to prevent spoofing of <literal>local</>
   connections is to use a Unix domain socket directory (<xref
   linkend="guc-unix-socket-directories">) that has write permission only
   for a trusted local user.  This prevents a malicious user from creating
@@ -1934,6 +1934,13 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
   <filename>/tmp</> cleanup script to prevent removal of the symbolic link.
  </para>
+  <para>
+   Another option for <literal>local</> connections is for clients to use
+   <link linkend="libpq-connect-requirepeer"><literal>requirepeer</></>
+   to specify the required owner of the server process connected to
+   the socket.
+  </para>
  <para>
   To prevent spoofing on TCP connections, the best solution is to use
   SSL certificates and make sure that clients check the server's certificate.