Database PostgreSQL - Preventing server spoofing

18.7. Preventing Server Spoofing

While the server is running, it is not possible for a malicious user to take the place of the normal database server. However, when the server is down, a local user can spoof the normal server by starting their own server. The spoof server can read the passwords and queries that clients send, but cannot return any real data, because the PGDATA directory remains protected by its directory permissions. Spoofing is possible because any user can start a database server; a client cannot tell that it is talking to an invalid server unless it is specifically configured to check.

One way to prevent spoofing of local connections is to use a Unix domain socket directory (unix_socket_directories) that is writable only by a trusted local user. This prevents a malicious user from creating their own socket file in that directory. If you are concerned that some applications might still look for the socket file under /tmp and therefore remain vulnerable to spoofing, create a symbolic link /tmp/.s.PGSQL.5432 pointing to the relocated socket file during operating system startup. You may also need to modify your /tmp cleanup script so that it does not remove this symbolic link.

Another option for local connections is for the client to use requirepeer to specify the required owner of the server process connected to the socket.

To prevent spoofing on TCP connections, the best solution is to use SSL certificates and make sure that clients check the server's certificate. To do this, the server must be configured to accept only hostssl connections (Section 20.1) and have SSL key and certificate files (Section 18.9). The TCP client must connect using sslmode=verify-ca or verify-full and have the appropriate root certificate file installed (Section 34.18.1).


Source: blog.csdn.net/weixin_42528266/article/details/108593625