Index: doc/src/sgml/runtime.sgml
===================================================================
RCS file: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v
retrieving revision 1.402
diff -c -c -r1.402 runtime.sgml
*** doc/src/sgml/runtime.sgml	8 Jan 2008 18:07:38 -0000	1.402
--- doc/src/sgml/runtime.sgml	17 Jan 2008 00:20:36 -0000
***************
*** 1397,1405 ****
     connections is to use a Unix domain socket directory (<xref
     linkend="guc-unix-socket-directory">) that has write permission only
     for a trusted local user.  This prevents a malicious user from creating
!    their own socket file in that directory.  For TCP connections the server
!    must accept only <literal>hostssl</> connections (<xref
!    linkend="auth-pg-hba-conf">) and have SSL
     <filename>server.key</filename> (key) and
     <filename>server.crt</filename> (certificate) files (<xref
     linkend="ssl-tcp">). The TCP client must connect using
--- 1397,1413 ----
     connections is to use a Unix domain socket directory (<xref
     linkend="guc-unix-socket-directory">) that has write permission only
     for a trusted local user.  This prevents a malicious user from creating
!    their own socket file in that directory.
!    Additionally, you might want to set <xref
!    linkend="guc-external-pid-file"> to <literal>/tmp/.s.PGSQL.5432</> to
!    prevent spoofing for clients looking for the socket in its default
!    location.  This protection is only effective while the server is
!    running.
!   </para>
! 
!   <para>
!    For TCP connections the server must accept only <literal>hostssl</>
!    connections (<xref linkend="auth-pg-hba-conf">) and have SSL
     <filename>server.key</filename> (key) and
     <filename>server.crt</filename> (certificate) files (<xref
     linkend="ssl-tcp">). The TCP client must connect using
