* Martijn van Oosterhout:
> Well, I guess it's an issue. At least it's not suceptable to the
> standard symlink attacks. There is in general no way of knowing if the
> server you are connecting to is what you think it is (except via SSL
> maybe?).
For local (i.e. UNIX domain socket) connections, there is -- just use
a hard-coded path where each directory is only writable by root or by
the PostgreSQL superuser (/var/run in Debian is not world-writable,
for instance).
> The good thing is that if you're using md5 auth they can't grab your
> password.
The password is probably of little concern if you use UNIX domain
sockets. But feeding wrong data to the application might trigger
interesting things.