<?xml version="1.0" encoding="UTF-8" standalone="no"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>18.7. Preventing Server Spoofing</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="upgrading.html" title="18.6. Upgrading a PostgreSQL Cluster" /><link rel="next" href="encryption-options.html" title="18.8. Encryption Options" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">18.7. Preventing Server Spoofing</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="upgrading.html" title="18.6. Upgrading a PostgreSQL Cluster">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="runtime.html" title="Chapter 18. Server Setup and Operation">Up</a></td><th width="60%" align="center">Chapter 18. Server Setup and Operation</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 11.7 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="encryption-options.html" title="18.8. Encryption Options">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="PREVENTING-SERVER-SPOOFING"><div class="titlepage"><div><div><h2 class="title" style="clear: both">18.7. Preventing Server Spoofing</h2></div></div></div><a id="id-1.6.5.9.2" class="indexterm"></a><p> While the server is running, it is not possible for a malicious user to take the place of the normal database server. However, when the server is down, it is possible for a local user to spoof the normal server by starting their own server. The spoof server could read passwords and queries sent by clients, but could not return any data because the <code class="varname">PGDATA</code> directory would still be secure because of directory permissions. Spoofing is possible because any user can start a database server; a client cannot identify an invalid server unless it is specially configured. </p><p> One way to prevent spoofing of <code class="literal">local</code> connections is to use a Unix domain socket directory (<a class="xref" href="runtime-config-connection.html#GUC-UNIX-SOCKET-DIRECTORIES">unix_socket_directories</a>) that has write permission only for a trusted local user. This prevents a malicious user from creating their own socket file in that directory. If you are concerned that some applications might still reference <code class="filename">/tmp</code> for the socket file and hence be vulnerable to spoofing, during operating system startup create a symbolic link <code class="filename">/tmp/.s.PGSQL.5432</code> that points to the relocated socket file. You also might need to modify your <code class="filename">/tmp</code> cleanup script to prevent removal of the symbolic link. </p><p> Another option for <code class="literal">local</code> connections is for clients to use <a class="link" href="libpq-connect.html#LIBPQ-CONNECT-REQUIREPEER"><code class="literal">requirepeer</code></a> to specify the required owner of the server process connected to the socket. </p><p> To prevent spoofing on TCP connections, the best solution is to use SSL certificates and make sure that clients check the server's certificate. To do that, the server must be configured to accept only <code class="literal">hostssl</code> connections (<a class="xref" href="auth-pg-hba-conf.html" title="20.1. The pg_hba.conf File">Section 20.1</a>) and have SSL key and certificate files (<a class="xref" href="ssl-tcp.html" title="18.9. Secure TCP/IP Connections with SSL">Section 18.9</a>). The TCP client must connect using <code class="literal">sslmode=verify-ca</code> or <code class="literal">verify-full</code> and have the appropriate root certificate file installed (<a class="xref" href="libpq-ssl.html#LIBQ-SSL-CERTIFICATES" title="34.18.1. Client Verification of Server Certificates">Section 34.18.1</a>). </p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="upgrading.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="runtime.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="encryption-options.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">18.6. Upgrading a <span class="productname">PostgreSQL</span> Cluster </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 18.8. Encryption Options</td></tr></table></div></body></html>