Re: SSL over Unix-domain sockets - Mailing list pgsql-hackers

From Peter Eisentraut
Subject Re: SSL over Unix-domain sockets
Date
Msg-id 200904062042.39318.peter_e@gmx.net
In response to Re: SSL over Unix-domain sockets  (Martijn van Oosterhout <kleptog@svana.org>)
List pgsql-hackers
On Wednesday 01 April 2009 20:37:56 Martijn van Oosterhout wrote:
> On Tue, Mar 31, 2009 at 11:33:26PM +0300, Peter Eisentraut wrote:
> > On Saturday 28 March 2009 00:42:28 Bruce Momjian wrote:
> > > I assume directory permissions controlling access to the socket file
> > > would be enough.  You are going to have to set up SSL certificates
> > > anyway for this so isn't that just as hard as telling the client where
> > > the socket file is located?
> >
> > The permissions on the socket file or the containing directory don't
> > tell much by themselves, because you also need to consider who owns it.  What
> > that basically comes down to is that the client would need to specify
> > something like, "I only want a connection to a server owned by
> > 'postgres'."  But the client currently has no way of saying that, so we'd
> > need to invent something new.
>
> If you're going to get complicated, go the whole way and do SO_PEERCRED on
> the socket, then you get the UID of the server...

I have added this to the Todo list.

