


postgresql

13th chunk of `doc/src/sgml/config.sgml`
 combination with the parameter
        <varname>unix_socket_permissions</varname> this can be used as
        an additional access control mechanism for Unix-domain connections.
        By default this is the empty string, which uses the default
        group of the server user.  This parameter can only be set at
        server start.
       </para>

       <para>
        This parameter is not supported on Windows.  Any setting will be
        ignored.  Also, sockets in the abstract namespace have no file owner,
        so this setting is also ignored in that case.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry id="guc-unix-socket-permissions" xreflabel="unix_socket_permissions">
      <term><varname>unix_socket_permissions</varname> (<type>integer</type>)
      <indexterm>
       <primary><varname>unix_socket_permissions</varname> configuration parameter</primary>
      </indexterm>
      </term>
      <listitem>
       <para>
        Sets the access permissions of the Unix-domain socket(s).  Unix-domain
        sockets use the usual Unix file system permission set.
        The parameter value is expected to be a numeric mode
        specified in the format accepted by the
        <function>chmod</function> and <function>umask</function>
        system calls.  (To use the customary octal format the number
        must start with a <literal>0</literal> (zero).)
       </para>

       <para>
        The default permissions are <literal>0777</literal>, meaning
        anyone can connect. Reasonable alternatives are
        <literal>0770</literal> (only user and group, see also
        <varname>unix_socket_group</varname>) and <literal>0700</literal>
        (only user). (Note that for a Unix-domain socket, only write
        permission matters, so there is no point in setting or revoking
        read or execute permissions.)
       </para>

       <para>
        This access control mechanism is independent of the one
        described in <xref linkend="client-authentication"/>.
       </para>

       <para>
        This parameter can only be set at server start.
       </para>

       <para>
        This parameter is irrelevant on systems, notably Solaris as of Solaris
        10, that ignore socket permissions entirely.  There, one can achieve a
        similar effect by pointing <varname>unix_socket_directories</varname> to a
        directory having search permission limited to the desired audience.
       </para>

       <para>
        Sockets in the abstract namespace have no file permissions, so this
        setting is also ignored in that case.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry id="guc-bonjour" xreflabel="bonjour">
      <term><varname>bonjour</varname> (<type>boolean</type>)
      <indexterm>
       <primary><varname>bonjour</varname> configuration parameter</primary>
      </indexterm>
      </term>
      <listitem>
       <para>
        Enables advertising the server's existence via
        <productname>Bonjour</productname>.  The default is off.
        This parameter can only be set at server start.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry id="guc-bonjour-name" xreflabel="bonjour_name">
      <term><varname>bonjour_name</varname> (<type>string</type>)
      <indexterm>
       <primary><varname>bonjour_name</varname> configuration parameter</primary>
      </indexterm>
      </term>
      <listitem>
       <para>
        Specifies the <productname>Bonjour</productname> service
        name.  The computer name is used if this parameter is set to the
        empty string <literal>''</literal> (which is the default).  This parameter is
        ignored if the server was not compiled with
        <productname>Bonjour</productname> support.
        This parameter can only be set at server start.
       </para>
      </listitem>
     </varlistentry>
     </variablelist>
     </sect2>

     <sect2 id="runtime-config-tcp-settings">

Title: Configuring Unix Socket Permissions and Bonjour Advertising
Summary
This section details the configuration of Unix socket permissions using the `unix_socket_permissions` parameter, which sets access permissions using a numeric mode similar to `chmod`. The default permission is 0777 (anyone can connect), and alternatives like 0770 (user and group) and 0700 (only user) are discussed. It clarifies that only write permission matters for Unix domain sockets. The parameter is irrelevant on systems ignoring socket permissions, and for abstract sockets. The section also covers Bonjour advertising, enabling it with the `bonjour` parameter, and specifying the service name with `bonjour_name` (defaulting to the computer name if empty). Both Bonjour parameters are only settable at server start.
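
Added example (not part of the PostgreSQL documentation or source code): a small Python audit of `unix_socket_permissions` values that follows the rules described above, where a leading `0` means octal and only the write bits decide who can connect. The function names and sample values are assumptions made for illustration; the last sample shows how `770` written without its leading zero is read as decimal.

```python
import os
import stat

def parse_mode(text):
    """Parse a unix_socket_permissions value: a leading 0 means octal, otherwise decimal."""
    text = text.strip()
    if len(text) > 1 and text.startswith("0"):
        return int(text, 8)
    return int(text, 10)

def who_can_connect(mode):
    """Only write permission matters for connecting to a Unix-domain socket."""
    classes = []
    if mode & stat.S_IWUSR:
        classes.append("user")
    if mode & stat.S_IWGRP:
        classes.append("group")
    if mode & stat.S_IWOTH:
        classes.append("other")
    return classes

def audit_setting(text):
    """Return (mode, classes allowed to connect, findings) for a configured value."""
    mode = parse_mode(text)
    classes = who_can_connect(mode)
    findings = []
    if "other" in classes:
        findings.append("world-connectable")
    if "user" not in classes:
        findings.append("socket owner has no write permission")
    if mode & ~0o777:
        findings.append("bits outside 0777 set; value is probably missing its leading 0")
    return mode, classes, findings

def audit_socket(path):
    """Report who can connect to an existing socket file (path supplied by the caller)."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a socket")
    return who_can_connect(stat.S_IMODE(st.st_mode))

if __name__ == "__main__":
    # Constructed sample settings; "770" deliberately lacks the leading zero.
    for value in ("0777", "0770", "0700", "770"):
        mode, classes, findings = audit_setting(value)
        print(f"{value:>5} -> {mode:04o}  connect: {classes}  findings: {findings}")
```

Because this check is independent of client authentication, a clean result here says nothing about `pg_hba.conf`; both layers need their own review.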