The page at https://www.postgresql.org/docs/current/auth-trust.html goes through some length to explain why Trust is sometimes a good idea.
Is it really though? And in particular, aren't there better choices? As a first step, I think we should put a <warning> box on the page explicitly saying that that trust, unless limited in pg_hba, will allow any user to become superuser which allows them to bypass all other security restrictions. Second, we're kind of going out of our way to recommend setting unix socket permissions etc -- in those cases, wouldn't it in almost every case just be better for the user to use "peer" auth instead of trust, and we should recommend them to use that instead? Is it really any less appropriate and/or convenient? (It was listed as appropriate back in 2001 in 6f0f5bf2fbe, but the world has changed a bit in 20+ years..) And finally, the sentence "It is seldom reasonable to use trust for any TCP/IP connections other than those from localhost (127.0.0.1)." should probably be amended with an ", and only reasonable for localhost if you trust every single user on the host"? Thoughts? I'll be happy to work up a patch if there's agreement on the general idea. -- Magnus Hagander Me: https://www.hagander.net/ <http://www.hagander.net/> Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
