blob: a8c1af8d880947d11aecc28854c56a3a2c8052a5 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>21.4. Trust Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="auth-methods.html" title="21.3. Authentication Methods" /><link rel="next" href="auth-password.html" title="21.5. Password Authentication" /></head><body id="docContent" class="container-fluid col-10"><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">21.4. Trust Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="auth-methods.html" title="21.3. Authentication Methods">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="client-authentication.html" title="Chapter 21. Client Authentication">Up</a></td><th width="60%" align="center">Chapter 21. Client Authentication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 14.5 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="auth-password.html" title="21.5. Password Authentication">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="AUTH-TRUST"><div class="titlepage"><div><div><h2 class="title" style="clear: both">21.4. Trust Authentication</h2></div></div></div><p>
When <code class="literal">trust</code> authentication is specified,
<span class="productname">PostgreSQL</span> assumes that anyone who can
connect to the server is authorized to access the database with
whatever database user name they specify (even superuser names).
Of course, restrictions made in the <code class="literal">database</code> and
<code class="literal">user</code> columns still apply.
This method should only be used when there is adequate
operating-system-level protection on connections to the server.
</p><p>
<code class="literal">trust</code> authentication is appropriate and very
convenient for local connections on a single-user workstation. It
is usually <span class="emphasis"><em>not</em></span> appropriate by itself on a multiuser
machine. However, you might be able to use <code class="literal">trust</code> even
on a multiuser machine, if you restrict access to the server's
Unix-domain socket file using file-system permissions. To do this, set the
<code class="varname">unix_socket_permissions</code> (and possibly
<code class="varname">unix_socket_group</code>) configuration parameters as
described in <a class="xref" href="runtime-config-connection.html" title="20.3. Connections and Authentication">Section 20.3</a>. Or you
could set the <code class="varname">unix_socket_directories</code>
configuration parameter to place the socket file in a suitably
restricted directory.
</p><p>
Setting file-system permissions only helps for Unix-socket connections.
Local TCP/IP connections are not restricted by file-system permissions.
Therefore, if you want to use file-system permissions for local security,
remove the <code class="literal">host ... 127.0.0.1 ...</code> line from
<code class="filename">pg_hba.conf</code>, or change it to a
non-<code class="literal">trust</code> authentication method.
</p><p>
<code class="literal">trust</code> authentication is only suitable for TCP/IP connections
if you trust every user on every machine that is allowed to connect
to the server by the <code class="filename">pg_hba.conf</code> lines that specify
<code class="literal">trust</code>. It is seldom reasonable to use <code class="literal">trust</code>
for any TCP/IP connections other than those from <span class="systemitem">localhost</span> (127.0.0.1).
</p></div><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navfooter"><hr></hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="auth-methods.html" title="21.3. Authentication Methods">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="client-authentication.html" title="Chapter 21. Client Authentication">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="auth-password.html" title="21.5. Password Authentication">Next</a></td></tr><tr><td width="40%" align="left" valign="top">21.3. Authentication Methods </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 14.5 Documentation">Home</a></td><td width="40%" align="right" valign="top"> 21.5. Password Authentication</td></tr></table></div></body></html>
|