summaryrefslogtreecommitdiffstats
path: root/doc/src/sgml/html/auth-trust.html
blob: 639a91b156887a505a9341effdb7655f81de76d8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>21.4. Trust Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="auth-methods.html" title="21.3. Authentication Methods" /><link rel="next" href="auth-password.html" title="21.5. Password Authentication" /></head><body id="docContent" class="container-fluid col-10"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">21.4. Trust Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="auth-methods.html" title="21.3. Authentication Methods">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="client-authentication.html" title="Chapter 21. Client Authentication">Up</a></td><th width="60%" align="center">Chapter 21. Client Authentication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 15.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="auth-password.html" title="21.5. Password Authentication">Next</a></td></tr></table><hr /></div><div class="sect1" id="AUTH-TRUST"><div class="titlepage"><div><div><h2 class="title" style="clear: both">21.4. Trust Authentication</h2></div></div></div><p>
    When <code class="literal">trust</code> authentication is specified,
    <span class="productname">PostgreSQL</span> assumes that anyone who can
    connect to the server is authorized to access the database with
    whatever database user name they specify (even superuser names).
    Of course, restrictions made in the <code class="literal">database</code> and
    <code class="literal">user</code> columns still apply.
    This method should only be used when there is adequate
    operating-system-level protection on connections to the server.
   </p><p>
    <code class="literal">trust</code> authentication is appropriate and very
    convenient for local connections on a single-user workstation.  It
    is usually <span class="emphasis"><em>not</em></span> appropriate by itself on a multiuser
    machine.  However, you might be able to use <code class="literal">trust</code> even
    on a multiuser machine, if you restrict access to the server's
    Unix-domain socket file using file-system permissions.  To do this, set the
    <code class="varname">unix_socket_permissions</code> (and possibly
    <code class="varname">unix_socket_group</code>) configuration parameters as
    described in <a class="xref" href="runtime-config-connection.html" title="20.3. Connections and Authentication">Section 20.3</a>.  Or you
    could set the <code class="varname">unix_socket_directories</code>
    configuration parameter to place the socket file in a suitably
    restricted directory.
   </p><p>
    Setting file-system permissions only helps for Unix-socket connections.
    Local TCP/IP connections are not restricted by file-system permissions.
    Therefore, if you want to use file-system permissions for local security,
    remove the <code class="literal">host ... 127.0.0.1 ...</code> line from
    <code class="filename">pg_hba.conf</code>, or change it to a
    non-<code class="literal">trust</code> authentication method.
   </p><p>
    <code class="literal">trust</code> authentication is only suitable for TCP/IP connections
    if you trust every user on every machine that is allowed to connect
    to the server by the <code class="filename">pg_hba.conf</code> lines that specify
    <code class="literal">trust</code>.  It is seldom reasonable to use <code class="literal">trust</code>
    for any TCP/IP connections other than those from <span class="systemitem">localhost</span> (127.0.0.1).
   </p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="auth-methods.html" title="21.3. Authentication Methods">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="client-authentication.html" title="Chapter 21. Client Authentication">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="auth-password.html" title="21.5. Password Authentication">Next</a></td></tr><tr><td width="40%" align="left" valign="top">21.3. Authentication Methods </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 15.4 Documentation">Home</a></td><td width="40%" align="right" valign="top"> 21.5. Password Authentication</td></tr></table></div></body></html>