Age Owner Branch data TLA Line data Source code
1 : : /*-------------------------------------------------------------------------
2 : : *
3 : : * miscinit.c
4 : : * miscellaneous initialization support stuff
5 : : *
6 : : * Portions Copyright (c) 1996-2026, PostgreSQL Global Development Group
7 : : * Portions Copyright (c) 1994, Regents of the University of California
8 : : *
9 : : *
10 : : * IDENTIFICATION
11 : : * src/backend/utils/init/miscinit.c
12 : : *
13 : : *-------------------------------------------------------------------------
14 : : */
15 : : #include "postgres.h"
16 : :
17 : : #include <sys/param.h>
18 : : #include <signal.h>
19 : : #include <time.h>
20 : : #include <sys/file.h>
21 : : #include <sys/stat.h>
22 : : #include <sys/time.h>
23 : : #include <fcntl.h>
24 : : #include <unistd.h>
25 : : #include <grp.h>
26 : : #include <pwd.h>
27 : : #include <netinet/in.h>
28 : : #include <arpa/inet.h>
29 : : #include <utime.h>
30 : :
31 : : #include "access/htup_details.h"
32 : : #include "access/parallel.h"
33 : : #include "catalog/pg_authid.h"
34 : : #include "common/file_perm.h"
35 : : #include "libpq/libpq.h"
36 : : #include "libpq/pqsignal.h"
37 : : #include "mb/pg_wchar.h"
38 : : #include "miscadmin.h"
39 : : #include "pgstat.h"
40 : : #include "postmaster/autovacuum.h"
41 : : #include "postmaster/interrupt.h"
42 : : #include "postmaster/postmaster.h"
43 : : #include "replication/slotsync.h"
44 : : #include "storage/fd.h"
45 : : #include "storage/ipc.h"
46 : : #include "storage/latch.h"
47 : : #include "storage/pg_shmem.h"
48 : : #include "storage/pmsignal.h"
49 : : #include "storage/proc.h"
50 : : #include "storage/procarray.h"
51 : : #include "utils/builtins.h"
52 : : #include "utils/guc.h"
53 : : #include "utils/inval.h"
54 : : #include "utils/memutils.h"
55 : : #include "utils/pidfile.h"
56 : : #include "utils/syscache.h"
57 : : #include "utils/varlena.h"
58 : : #include "utils/wait_event.h"
59 : :
60 : :
61 : : #define DIRECTORY_LOCK_FILE "postmaster.pid"
62 : :
63 : : ProcessingMode Mode = InitProcessing;
64 : :
65 : : BackendType MyBackendType;
66 : :
67 : : /* List of lock files to be removed at proc exit */
68 : : static List *lock_files = NIL;
69 : :
70 : : static Latch LocalLatchData;
71 : :
72 : : /* ----------------------------------------------------------------
73 : : * ignoring system indexes support stuff
74 : : *
75 : : * NOTE: "ignoring system indexes" means we do not use the system indexes
76 : : * for lookups (either in hardwired catalog accesses or in planner-generated
77 : : * plans). We do, however, still update the indexes when a catalog
78 : : * modification is made.
79 : : * ----------------------------------------------------------------
80 : : */
81 : :
82 : : bool IgnoreSystemIndexes = false;
83 : :
84 : :
85 : : /* ----------------------------------------------------------------
86 : : * common process startup code
87 : : * ----------------------------------------------------------------
88 : : */
89 : :
90 : : /*
91 : : * Initialize the basic environment for a postmaster child
92 : : *
93 : : * Should be called as early as possible after the child's startup. However,
94 : : * on EXEC_BACKEND builds it does need to be after read_backend_variables().
95 : : */
96 : : void
2246 peter@eisentraut.org 97 :CBC 23290 : InitPostmasterChild(void)
98 : : {
99 : 23290 : IsUnderPostmaster = true; /* we are a postmaster subprocess now */
100 : :
101 : : /*
102 : : * Start our win32 signal implementation. This has to be done after we
103 : : * read the backend variables, because we need to pick up the signal pipe
104 : : * from the parent process.
105 : : */
106 : : #ifdef WIN32
107 : : pgwin32_signal_initialize();
108 : : #endif
109 : :
110 : 23290 : InitProcessGlobals();
111 : :
112 : : /*
113 : : * make sure stderr is in binary mode before anything can possibly be
114 : : * written to it, in case it's actually the syslogger pipe, so the pipe
115 : : * chunking protocol isn't disturbed. Non-logpipe data gets translated on
116 : : * redirection (e.g. via pg_ctl -l) anyway.
117 : : */
118 : : #ifdef WIN32
119 : : _setmode(fileno(stderr), _O_BINARY);
120 : : #endif
121 : :
122 : : /* We don't want the postmaster's proc_exit() handlers */
123 : 23290 : on_exit_reset();
124 : :
125 : : /* In EXEC_BACKEND case we will not have inherited BlockSig etc values */
126 : : #ifdef EXEC_BACKEND
127 : : pqinitmask();
128 : : #endif
129 : :
130 : : /* Initialize process-local latch support */
425 heikki.linnakangas@i 131 : 23290 : InitializeWaitEventSupport();
1209 tmunro@postgresql.or 132 : 23290 : InitProcessLocalLatch();
2105 133 : 23290 : InitializeLatchWaitSet();
134 : :
135 : : /*
136 : : * If possible, make this process a group leader, so that the postmaster
137 : : * can signal any child processes too. Not all processes will have
138 : : * children, but for consistency we make all postmaster child processes do
139 : : * this.
140 : : */
141 : : #ifdef HAVE_SETSID
2246 peter@eisentraut.org 142 [ - + ]: 23290 : if (setsid() < 0)
2246 peter@eisentraut.org 143 [ # # ]:UBC 0 : elog(FATAL, "setsid() failed: %m");
144 : : #endif
145 : :
146 : : /*
147 : : * Every postmaster child process is expected to respond promptly to
148 : : * SIGQUIT at all times. Therefore we centrally remove SIGQUIT from
149 : : * BlockSig and install a suitable signal handler. (Client-facing
150 : : * processes may choose to replace this default choice of handler with
151 : : * quickdie().) All other blockable signals remain blocked for now.
152 : : */
2057 tgl@sss.pgh.pa.us 153 :CBC 23290 : pqsignal(SIGQUIT, SignalHandlerForCrashExit);
154 : :
155 : 23290 : sigdelset(&BlockSig, SIGQUIT);
1187 tmunro@postgresql.or 156 : 23290 : sigprocmask(SIG_SETMASK, &BlockSig, NULL);
157 : :
158 : : /* Request a signal if the postmaster dies, if possible. */
2246 peter@eisentraut.org 159 : 23290 : PostmasterDeathSignalInit();
160 : :
161 : : /* Don't give the pipe to subprograms that we execute. */
162 : : #ifndef WIN32
1159 tmunro@postgresql.or 163 [ - + ]: 23290 : if (fcntl(postmaster_alive_fds[POSTMASTER_FD_WATCH], F_SETFD, FD_CLOEXEC) < 0)
1159 tmunro@postgresql.or 164 [ # # ]:UBC 0 : ereport(FATAL,
165 : : (errcode_for_socket_access(),
166 : : errmsg_internal("could not set postmaster death monitoring pipe to FD_CLOEXEC mode: %m")));
167 : : #endif
2246 peter@eisentraut.org 168 :CBC 23290 : }
169 : :
170 : : /*
171 : : * Initialize the basic environment for a standalone process.
172 : : *
173 : : * argv0 has to be suitable to find the program's executable.
174 : : */
175 : : void
176 : 274 : InitStandaloneProcess(const char *argv0)
177 : : {
178 [ - + ]: 274 : Assert(!IsPostmasterEnvironment);
179 : :
1352 andres@anarazel.de 180 : 274 : MyBackendType = B_STANDALONE_BACKEND;
181 : :
182 : : /*
183 : : * Start our win32 signal implementation
184 : : */
185 : : #ifdef WIN32
186 : : pgwin32_signal_initialize();
187 : : #endif
188 : :
2246 peter@eisentraut.org 189 : 274 : InitProcessGlobals();
190 : :
191 : : /* Initialize process-local latch support */
425 heikki.linnakangas@i 192 : 274 : InitializeWaitEventSupport();
1209 tmunro@postgresql.or 193 : 274 : InitProcessLocalLatch();
2105 194 : 274 : InitializeLatchWaitSet();
195 : :
196 : : /*
197 : : * For consistency with InitPostmasterChild, initialize signal mask here.
198 : : * But we don't unblock SIGQUIT or provide a default handler for it.
199 : : */
2057 tgl@sss.pgh.pa.us 200 : 274 : pqinitmask();
1187 tmunro@postgresql.or 201 : 274 : sigprocmask(SIG_SETMASK, &BlockSig, NULL);
202 : :
203 : : /* Compute paths, no postmaster to inherit from */
2246 peter@eisentraut.org 204 [ + - ]: 274 : if (my_exec_path[0] == '\0')
205 : : {
206 [ - + ]: 274 : if (find_my_exec(argv0, my_exec_path) < 0)
2246 peter@eisentraut.org 207 [ # # ]:UBC 0 : elog(FATAL, "%s: could not locate my own executable path",
208 : : argv0);
209 : : }
210 : :
2246 peter@eisentraut.org 211 [ + - ]:CBC 274 : if (pkglib_path[0] == '\0')
212 : 274 : get_pkglib_path(my_exec_path, pkglib_path);
213 : 274 : }
214 : :
215 : : void
216 : 23063 : SwitchToSharedLatch(void)
217 : : {
218 [ - + ]: 23063 : Assert(MyLatch == &LocalLatchData);
219 [ - + ]: 23063 : Assert(MyProc != NULL);
220 : :
221 : 23063 : MyLatch = &MyProc->procLatch;
222 : :
223 [ + + ]: 23063 : if (FeBeWaitSet)
1891 tmunro@postgresql.or 224 : 14843 : ModifyWaitEvent(FeBeWaitSet, FeBeWaitSetLatchPos, WL_LATCH_SET,
225 : : MyLatch);
226 : :
227 : : /*
228 : : * Set the shared latch as the local one might have been set. This
229 : : * shouldn't normally be necessary as code is supposed to check the
230 : : * condition before waiting for the latch, but a bit care can't hurt.
231 : : */
2246 peter@eisentraut.org 232 : 23063 : SetLatch(MyLatch);
233 : 23063 : }
234 : :
235 : : void
1209 tmunro@postgresql.or 236 : 24576 : InitProcessLocalLatch(void)
237 : : {
238 : 24576 : MyLatch = &LocalLatchData;
239 : 24576 : InitLatch(MyLatch);
240 : 24576 : }
241 : :
242 : : void
2246 peter@eisentraut.org 243 : 23063 : SwitchBackToLocalLatch(void)
244 : : {
245 [ - + ]: 23063 : Assert(MyLatch != &LocalLatchData);
246 [ + - - + ]: 23063 : Assert(MyProc != NULL && MyLatch == &MyProc->procLatch);
247 : :
248 : 23063 : MyLatch = &LocalLatchData;
249 : :
250 [ + + ]: 23063 : if (FeBeWaitSet)
1891 tmunro@postgresql.or 251 : 14843 : ModifyWaitEvent(FeBeWaitSet, FeBeWaitSetLatchPos, WL_LATCH_SET,
252 : : MyLatch);
253 : :
2246 peter@eisentraut.org 254 : 23063 : SetLatch(MyLatch);
255 : 23063 : }
256 : :
257 : : /*
258 : : * Return a human-readable string representation of a BackendType.
259 : : *
260 : : * The string is not localized here, but we mark the strings for translation
261 : : * so that callers can invoke _() on the result.
262 : : */
263 : : const char *
264 : 395403 : GetBackendTypeDesc(BackendType backendType)
265 : : {
537 heikki.linnakangas@i 266 : 395403 : const char *backendDesc = gettext_noop("unknown process type");
267 : :
2246 peter@eisentraut.org 268 [ + + + + : 395403 : switch (backendType)
+ + + + +
+ - + + +
+ + + + +
+ - ]
269 : : {
270 : : #define PG_PROCTYPE(bktype, bkcategory, description, main_func, shmem_attach) \
271 : : case bktype: backendDesc = description; break;
272 : : #include "postmaster/proctypelist.h"
273 : : #undef PG_PROCTYPE
274 : : }
275 : 395403 : return backendDesc;
276 : : }
277 : :
278 : : /* ----------------------------------------------------------------
279 : : * database path / name support stuff
280 : : * ----------------------------------------------------------------
281 : : */
282 : :
283 : : void
9609 peter_e@gmx.net 284 : 16943 : SetDatabasePath(const char *path)
285 : : {
286 : : /* This should happen only once per process */
6110 tgl@sss.pgh.pa.us 287 [ - + ]: 16943 : Assert(!DatabasePath);
288 : 16943 : DatabasePath = MemoryContextStrdup(TopMemoryContext, path);
10892 scrappy@hub.org 289 : 16943 : }
290 : :
291 : : /*
292 : : * Validate the proposed data directory.
293 : : *
294 : : * Also initialize file and directory create modes and mode mask.
295 : : */
296 : : void
2950 sfrost@snowman.net 297 : 1255 : checkDataDir(void)
298 : : {
299 : : struct stat stat_buf;
300 : :
301 [ - + ]: 1255 : Assert(DataDir);
302 : :
303 [ - + ]: 1255 : if (stat(DataDir, &stat_buf) != 0)
304 : : {
2950 sfrost@snowman.net 305 [ # # ]:UBC 0 : if (errno == ENOENT)
306 [ # # ]: 0 : ereport(FATAL,
307 : : (errcode_for_file_access(),
308 : : errmsg("data directory \"%s\" does not exist",
309 : : DataDir)));
310 : : else
311 [ # # ]: 0 : ereport(FATAL,
312 : : (errcode_for_file_access(),
313 : : errmsg("could not read permissions of directory \"%s\": %m",
314 : : DataDir)));
315 : : }
316 : :
317 : : /* eventual chdir would fail anyway, but let's test ... */
2950 sfrost@snowman.net 318 [ - + ]:CBC 1255 : if (!S_ISDIR(stat_buf.st_mode))
2950 sfrost@snowman.net 319 [ # # ]:UBC 0 : ereport(FATAL,
320 : : (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
321 : : errmsg("specified data directory \"%s\" is not a directory",
322 : : DataDir)));
323 : :
324 : : /*
325 : : * Check that the directory belongs to my userid; if not, reject.
326 : : *
327 : : * This check is an essential part of the interlock that prevents two
328 : : * postmasters from starting in the same directory (see CreateLockFile()).
329 : : * Do not remove or weaken it.
330 : : *
331 : : * XXX can we safely enable this check on Windows?
332 : : */
333 : : #if !defined(WIN32) && !defined(__CYGWIN__)
2950 sfrost@snowman.net 334 [ - + ]:CBC 1255 : if (stat_buf.st_uid != geteuid())
2950 sfrost@snowman.net 335 [ # # ]:UBC 0 : ereport(FATAL,
336 : : (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
337 : : errmsg("data directory \"%s\" has wrong ownership",
338 : : DataDir),
339 : : errhint("The server must be started by the user that owns the data directory.")));
340 : : #endif
341 : :
342 : : /*
343 : : * Check if the directory has correct permissions. If not, reject.
344 : : *
345 : : * Only two possible modes are allowed, 0700 and 0750. The latter mode
346 : : * indicates that group read/execute should be allowed on all newly
347 : : * created files and directories.
348 : : *
349 : : * XXX temporarily suppress check when on Windows, because there may not
350 : : * be proper support for Unix-y file permissions. Need to think of a
351 : : * reasonable check to apply on Windows.
352 : : */
353 : : #if !defined(WIN32) && !defined(__CYGWIN__)
2950 sfrost@snowman.net 354 [ - + ]:CBC 1255 : if (stat_buf.st_mode & PG_MODE_MASK_GROUP)
2950 sfrost@snowman.net 355 [ # # ]:UBC 0 : ereport(FATAL,
356 : : (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
357 : : errmsg("data directory \"%s\" has invalid permissions",
358 : : DataDir),
359 : : errdetail("Permissions should be u=rwx (0700) or u=rwx,g=rx (0750).")));
360 : : #endif
361 : :
362 : : /*
363 : : * Reset creation modes and mask based on the mode of the data directory.
364 : : *
365 : : * The mask was set earlier in startup to disallow group permissions on
366 : : * newly created files and directories. However, if group read/execute
367 : : * are present on the data directory then modify the create modes and mask
368 : : * to allow group read/execute on newly created files and directories and
369 : : * set the data_directory_mode GUC.
370 : : *
371 : : * Suppress when on Windows, because there may not be proper support for
372 : : * Unix-y file permissions.
373 : : */
374 : : #if !defined(WIN32) && !defined(__CYGWIN__)
2950 sfrost@snowman.net 375 :CBC 1255 : SetDataDirectoryCreatePerm(stat_buf.st_mode);
376 : :
377 : 1255 : umask(pg_mode_mask);
378 : 1255 : data_directory_mode = pg_dir_create_mode;
379 : : #endif
380 : :
381 : : /* Check for PG_VERSION */
382 : 1255 : ValidatePgVersion(DataDir);
383 : 1255 : }
384 : :
385 : : /*
386 : : * Set data directory, but make sure it's an absolute path. Use this,
387 : : * never set DataDir directly.
388 : : */
389 : : void
9288 tgl@sss.pgh.pa.us 390 : 1258 : SetDataDir(const char *dir)
391 : : {
392 : : char *new;
393 : :
1285 peter@eisentraut.org 394 [ - + ]: 1258 : Assert(dir);
395 : :
396 : : /* If presented path is relative, convert to absolute */
7878 tgl@sss.pgh.pa.us 397 : 1258 : new = make_absolute_path(dir);
398 : :
1419 peter@eisentraut.org 399 : 1258 : free(DataDir);
7878 tgl@sss.pgh.pa.us 400 : 1258 : DataDir = new;
401 : 1258 : }
402 : :
403 : : /*
404 : : * Change working directory to DataDir. Most of the postmaster and backend
405 : : * code assumes that we are in DataDir so it can use relative paths to access
406 : : * stuff in and under the data directory. For convenience during path
407 : : * setup, however, we don't force the chdir to occur during SetDataDir.
408 : : */
409 : : void
7610 410 : 1255 : ChangeToDataDir(void)
411 : : {
1285 peter@eisentraut.org 412 [ - + ]: 1255 : Assert(DataDir);
413 : :
7610 tgl@sss.pgh.pa.us 414 [ - + ]: 1255 : if (chdir(DataDir) < 0)
7610 tgl@sss.pgh.pa.us 415 [ # # ]:UBC 0 : ereport(FATAL,
416 : : (errcode_for_file_access(),
417 : : errmsg("could not change directory to \"%s\": %m",
418 : : DataDir)));
7610 tgl@sss.pgh.pa.us 419 :CBC 1255 : }
420 : :
421 : :
422 : : /* ----------------------------------------------------------------
423 : : * User ID state
424 : : *
425 : : * We have to track several different values associated with the concept
426 : : * of "user ID".
427 : : *
428 : : * AuthenticatedUserId is determined at connection start and never changes.
429 : : *
430 : : * SessionUserId is initially the same as AuthenticatedUserId, but can be
431 : : * changed by SET SESSION AUTHORIZATION (if AuthenticatedUserId is a
432 : : * superuser). This is the ID reported by the SESSION_USER SQL function.
433 : : *
434 : : * OuterUserId is the current user ID in effect at the "outer level" (outside
435 : : * any transaction or function). This is initially the same as SessionUserId,
436 : : * but can be changed by SET ROLE to any role that SessionUserId is a
437 : : * member of. (XXX rename to something like CurrentRoleId?)
438 : : *
439 : : * CurrentUserId is the current effective user ID; this is the one to use
440 : : * for all normal permissions-checking purposes. At outer level this will
441 : : * be the same as OuterUserId, but it changes during calls to SECURITY
442 : : * DEFINER functions, as well as locally in some specialized commands.
443 : : *
444 : : * SecurityRestrictionContext holds flags indicating reason(s) for changing
445 : : * CurrentUserId. In some cases we need to lock down operations that are
446 : : * not directly controlled by privilege settings, and this provides a
447 : : * convenient way to do it.
448 : : * ----------------------------------------------------------------
449 : : */
450 : : static Oid AuthenticatedUserId = InvalidOid;
451 : : static Oid SessionUserId = InvalidOid;
452 : : static Oid OuterUserId = InvalidOid;
453 : : static Oid CurrentUserId = InvalidOid;
454 : : static const char *SystemUser = NULL;
455 : :
456 : : /* We also have to remember the superuser state of the session user */
457 : : static bool SessionUserIsSuperuser = false;
458 : :
459 : : static int SecurityRestrictionContext = 0;
460 : :
461 : : /* We also remember if a SET ROLE is currently active */
462 : : static bool SetRoleIsActive = false;
463 : :
464 : : /*
465 : : * GetUserId - get the current effective user ID.
466 : : *
467 : : * Note: there's no SetUserId() anymore; use SetUserIdAndSecContext().
468 : : */
469 : : Oid
9359 peter_e@gmx.net 470 : 9307474 : GetUserId(void)
471 : : {
1285 peter@eisentraut.org 472 [ - + ]: 9307474 : Assert(OidIsValid(CurrentUserId));
9359 peter_e@gmx.net 473 : 9307474 : return CurrentUserId;
474 : : }
475 : :
476 : :
477 : : /*
478 : : * GetOuterUserId/SetOuterUserId - get/set the outer-level user ID.
479 : : */
480 : : Oid
7589 tgl@sss.pgh.pa.us 481 : 1098 : GetOuterUserId(void)
482 : : {
1285 peter@eisentraut.org 483 [ - + ]: 1098 : Assert(OidIsValid(OuterUserId));
7589 tgl@sss.pgh.pa.us 484 : 1098 : return OuterUserId;
485 : : }
486 : :
487 : :
488 : : static void
540 489 : 46602 : SetOuterUserId(Oid userid, bool is_superuser)
490 : : {
1285 peter@eisentraut.org 491 [ - + ]: 46602 : Assert(SecurityRestrictionContext == 0);
492 [ - + ]: 46602 : Assert(OidIsValid(userid));
7589 tgl@sss.pgh.pa.us 493 : 46602 : OuterUserId = userid;
494 : :
495 : : /* We force the effective user ID to match, too */
496 : 46602 : CurrentUserId = userid;
497 : :
498 : : /* Also update the is_superuser GUC to match OuterUserId's property */
540 499 [ + + ]: 46602 : SetConfigOption("is_superuser",
500 : : is_superuser ? "on" : "off",
501 : : PGC_INTERNAL, PGC_S_DYNAMIC_DEFAULT);
7589 502 : 46602 : }
503 : :
504 : :
505 : : /*
506 : : * GetSessionUserId/SetSessionUserId - get/set the session user ID.
507 : : */
508 : : Oid
9359 peter_e@gmx.net 509 : 39533 : GetSessionUserId(void)
510 : : {
1285 peter@eisentraut.org 511 [ - + ]: 39533 : Assert(OidIsValid(SessionUserId));
9359 peter_e@gmx.net 512 : 39533 : return SessionUserId;
513 : : }
514 : :
515 : : bool
540 tgl@sss.pgh.pa.us 516 : 2685 : GetSessionUserIsSuperuser(void)
517 : : {
518 [ - + ]: 2685 : Assert(OidIsValid(SessionUserId));
519 : 2685 : return SessionUserIsSuperuser;
520 : : }
521 : :
522 : : static void
7589 523 : 22712 : SetSessionUserId(Oid userid, bool is_superuser)
524 : : {
1285 peter@eisentraut.org 525 [ - + ]: 22712 : Assert(SecurityRestrictionContext == 0);
526 [ - + ]: 22712 : Assert(OidIsValid(userid));
7589 tgl@sss.pgh.pa.us 527 : 22712 : SessionUserId = userid;
528 : 22712 : SessionUserIsSuperuser = is_superuser;
9372 peter_e@gmx.net 529 : 22712 : }
530 : :
531 : : /*
532 : : * Return the system user representing the authenticated identity.
533 : : * It is defined in InitializeSystemUser() as auth_method:authn_id.
534 : : */
535 : : const char *
1314 michael@paquier.xyz 536 : 33 : GetSystemUser(void)
537 : : {
538 : 33 : return SystemUser;
539 : : }
540 : :
541 : : /*
542 : : * GetAuthenticatedUserId/SetAuthenticatedUserId - get/set the authenticated
543 : : * user ID
544 : : */
545 : : Oid
4212 rhaas@postgresql.org 546 : 19911 : GetAuthenticatedUserId(void)
547 : : {
1285 peter@eisentraut.org 548 [ - + ]: 19911 : Assert(OidIsValid(AuthenticatedUserId));
4212 rhaas@postgresql.org 549 : 19911 : return AuthenticatedUserId;
550 : : }
551 : :
552 : : void
540 tgl@sss.pgh.pa.us 553 : 17241 : SetAuthenticatedUserId(Oid userid)
554 : : {
555 [ - + ]: 17241 : Assert(OidIsValid(userid));
556 : :
557 : : /* call only once */
558 [ - + ]: 17241 : Assert(!OidIsValid(AuthenticatedUserId));
559 : :
560 : 17241 : AuthenticatedUserId = userid;
561 : :
562 : : /* Also mark our PGPROC entry with the authenticated user id */
563 : : /* (We assume this is an atomic store so no lock is needed) */
564 : 17241 : MyProc->roleId = userid;
565 : 17241 : }
566 : :
567 : :
568 : : /*
569 : : * GetUserIdAndSecContext/SetUserIdAndSecContext - get/set the current user ID
570 : : * and the SecurityRestrictionContext flags.
571 : : *
572 : : * Currently there are three valid bits in SecurityRestrictionContext:
573 : : *
574 : : * SECURITY_LOCAL_USERID_CHANGE indicates that we are inside an operation
575 : : * that is temporarily changing CurrentUserId via these functions. This is
576 : : * needed to indicate that the actual value of CurrentUserId is not in sync
577 : : * with guc.c's internal state, so SET ROLE has to be disallowed.
578 : : *
579 : : * SECURITY_RESTRICTED_OPERATION indicates that we are inside an operation
580 : : * that does not wish to trust called user-defined functions at all. The
581 : : * policy is to use this before operations, e.g. autovacuum and REINDEX, that
582 : : * enumerate relations of a database or schema and run functions associated
583 : : * with each found relation. The relation owner is the new user ID. Set this
584 : : * as soon as possible after locking the relation. Restore the old user ID as
585 : : * late as possible before closing the relation; restoring it shortly after
586 : : * close is also tolerable. If a command has both relation-enumerating and
587 : : * non-enumerating modes, e.g. ANALYZE, both modes set this bit. This bit
588 : : * prevents not only SET ROLE, but various other changes of session state that
589 : : * normally is unprotected but might possibly be used to subvert the calling
590 : : * session later. An example is replacing an existing prepared statement with
591 : : * new code, which will then be executed with the outer session's permissions
592 : : * when the prepared statement is next used. These restrictions are fairly
593 : : * draconian, but the functions called in relation-enumerating operations are
594 : : * really supposed to be side-effect-free anyway.
595 : : *
596 : : * SECURITY_NOFORCE_RLS indicates that we are inside an operation which should
597 : : * ignore the FORCE ROW LEVEL SECURITY per-table indication. This is used to
598 : : * ensure that FORCE RLS does not mistakenly break referential integrity
599 : : * checks. Note that this is intentionally only checked when running as the
600 : : * owner of the table (which should always be the case for referential
601 : : * integrity checks).
602 : : *
603 : : * Unlike GetUserId, GetUserIdAndSecContext does *not* Assert that the current
604 : : * value of CurrentUserId is valid; nor does SetUserIdAndSecContext require
605 : : * the new value to be valid. In fact, these routines had better not
606 : : * ever throw any kind of error. This is because they are used by
607 : : * StartTransaction and AbortTransaction to save/restore the settings,
608 : : * and during the first transaction within a backend, the value to be saved
609 : : * and perhaps restored is indeed invalid. We have to be able to get
610 : : * through AbortTransaction without asserting in case InitPostgres fails.
611 : : */
612 : : void
5991 613 : 1346041 : GetUserIdAndSecContext(Oid *userid, int *sec_context)
614 : : {
6697 615 : 1346041 : *userid = CurrentUserId;
5991 616 : 1346041 : *sec_context = SecurityRestrictionContext;
6697 617 : 1346041 : }
618 : :
619 : : void
5991 620 : 654722 : SetUserIdAndSecContext(Oid userid, int sec_context)
621 : : {
6697 622 : 654722 : CurrentUserId = userid;
5991 623 : 654722 : SecurityRestrictionContext = sec_context;
6697 624 : 654722 : }
625 : :
626 : :
627 : : /*
628 : : * InLocalUserIdChange - are we inside a local change of CurrentUserId?
629 : : */
630 : : bool
5991 631 : 40918 : InLocalUserIdChange(void)
632 : : {
633 : 40918 : return (SecurityRestrictionContext & SECURITY_LOCAL_USERID_CHANGE) != 0;
634 : : }
635 : :
636 : : /*
637 : : * InSecurityRestrictedOperation - are we inside a security-restricted command?
638 : : */
639 : : bool
640 : 47387 : InSecurityRestrictedOperation(void)
641 : : {
642 : 47387 : return (SecurityRestrictionContext & SECURITY_RESTRICTED_OPERATION) != 0;
643 : : }
644 : :
645 : : /*
646 : : * InNoForceRLSOperation - are we ignoring FORCE ROW LEVEL SECURITY ?
647 : : */
648 : : bool
3866 sfrost@snowman.net 649 : 179 : InNoForceRLSOperation(void)
650 : : {
651 : 179 : return (SecurityRestrictionContext & SECURITY_NOFORCE_RLS) != 0;
652 : : }
653 : :
654 : :
655 : : /*
656 : : * These are obsolete versions of Get/SetUserIdAndSecContext that are
657 : : * only provided for bug-compatibility with some rather dubious code in
658 : : * pljava. We allow the userid to be set, but only when not inside a
659 : : * security restriction context.
660 : : */
661 : : void
5991 tgl@sss.pgh.pa.us 662 :UBC 0 : GetUserIdAndContext(Oid *userid, bool *sec_def_context)
663 : : {
664 : 0 : *userid = CurrentUserId;
665 : 0 : *sec_def_context = InLocalUserIdChange();
666 : 0 : }
667 : :
668 : : void
669 : 0 : SetUserIdAndContext(Oid userid, bool sec_def_context)
670 : : {
671 : : /* We throw the same error SET ROLE would. */
672 [ # # ]: 0 : if (InSecurityRestrictedOperation())
673 [ # # ]: 0 : ereport(ERROR,
674 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
675 : : errmsg("cannot set parameter \"%s\" within security-restricted operation",
676 : : "role")));
677 : 0 : CurrentUserId = userid;
678 [ # # ]: 0 : if (sec_def_context)
679 : 0 : SecurityRestrictionContext |= SECURITY_LOCAL_USERID_CHANGE;
680 : : else
681 : 0 : SecurityRestrictionContext &= ~SECURITY_LOCAL_USERID_CHANGE;
6697 682 : 0 : }
683 : :
684 : :
685 : : /*
686 : : * Check whether specified role has explicit REPLICATION privilege
687 : : */
688 : : bool
4151 alvherre@alvh.no-ip. 689 :CBC 1919 : has_rolreplication(Oid roleid)
690 : : {
691 : 1919 : bool result = false;
692 : : HeapTuple utup;
693 : :
694 : : /* Superusers bypass all permission checking. */
1146 peter@eisentraut.org 695 [ + + ]: 1919 : if (superuser_arg(roleid))
696 : 1855 : return true;
697 : :
4151 alvherre@alvh.no-ip. 698 : 64 : utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
699 [ + - ]: 64 : if (HeapTupleIsValid(utup))
700 : : {
701 : 64 : result = ((Form_pg_authid) GETSTRUCT(utup))->rolreplication;
702 : 64 : ReleaseSysCache(utup);
703 : : }
704 : 64 : return result;
705 : : }
706 : :
707 : : /*
708 : : * Initialize user identity during normal backend startup
709 : : */
710 : : void
493 tgl@sss.pgh.pa.us 711 : 17244 : InitializeSessionUserId(const char *rolename, Oid roleid,
712 : : bool bypass_login_check)
713 : : {
714 : : HeapTuple roleTup;
715 : : Form_pg_authid rform;
716 : : char *rname;
717 : : bool is_superuser;
718 : :
719 : : /*
720 : : * In a parallel worker, we don't have to do anything here.
721 : : * ParallelWorkerMain already set our output variables, and we aren't
722 : : * going to enforce either rolcanlogin or rolconnlimit. Furthermore, we
723 : : * don't really want to perform a catalog lookup for the role: we don't
724 : : * want to fail if it's been dropped.
725 : : */
726 [ + + ]: 17244 : if (InitializingParallelWorker)
727 : : {
728 [ - + ]: 2008 : Assert(bypass_login_check);
729 : 2008 : return;
730 : : }
731 : :
732 : : /*
733 : : * Don't do scans if we're bootstrapping, none of the system catalogs
734 : : * exist yet, and they should be owned by postgres anyway.
735 : : */
1285 peter@eisentraut.org 736 [ - + ]: 15236 : Assert(!IsBootstrapProcessingMode());
737 : :
738 : : /*
739 : : * Make sure syscache entries are flushed for recent catalog changes. This
740 : : * allows us to find roles that were created on-the-fly during
741 : : * authentication.
742 : : */
2853 tmunro@postgresql.or 743 : 15236 : AcceptInvalidationMessages();
744 : :
745 : : /*
746 : : * Look up the role, either by name if that's given or by OID if not.
747 : : */
4110 rhaas@postgresql.org 748 [ + + ]: 15236 : if (rolename != NULL)
749 : : {
750 : 14636 : roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(rolename));
3714 751 [ + + ]: 14636 : if (!HeapTupleIsValid(roleTup))
752 [ + - ]: 2 : ereport(FATAL,
753 : : (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
754 : : errmsg("role \"%s\" does not exist", rolename)));
755 : : }
756 : : else
757 : : {
4110 758 : 600 : roleTup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
3714 759 [ - + ]: 599 : if (!HeapTupleIsValid(roleTup))
3714 rhaas@postgresql.org 760 [ # # ]:UBC 0 : ereport(FATAL,
761 : : (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
762 : : errmsg("role with OID %u does not exist", roleid)));
763 : : }
764 : :
7616 tgl@sss.pgh.pa.us 765 :CBC 15233 : rform = (Form_pg_authid) GETSTRUCT(roleTup);
2723 andres@anarazel.de 766 : 15233 : roleid = rform->oid;
3714 rhaas@postgresql.org 767 : 15233 : rname = NameStr(rform->rolname);
1027 nathan@postgresql.or 768 : 15233 : is_superuser = rform->rolsuper;
769 : :
493 tgl@sss.pgh.pa.us 770 : 15233 : SetAuthenticatedUserId(roleid);
771 : :
772 : : /*
773 : : * Set SessionUserId and related variables, including "role", via the GUC
774 : : * mechanisms.
775 : : *
776 : : * Note: ideally we would use PGC_S_DYNAMIC_DEFAULT here, so that
777 : : * session_authorization could subsequently be changed from
778 : : * pg_db_role_setting entries. Instead, session_authorization in
779 : : * pg_db_role_setting has no effect. Changing that would require solving
780 : : * two problems:
781 : : *
782 : : * 1. If pg_db_role_setting has values for both session_authorization and
783 : : * role, we could not be sure which order those would be applied in, and
784 : : * it would matter.
785 : : *
786 : : * 2. Sites may have years-old session_authorization entries. There's not
787 : : * been any particular reason to remove them. Ending the dormancy of
788 : : * those entries could seriously change application behavior, so only a
789 : : * major release should do that.
790 : : */
791 : 15233 : SetConfigOption("session_authorization", rname,
792 : : PGC_BACKEND, PGC_S_OVERRIDE);
793 : :
794 : : /*
795 : : * These next checks are not enforced when in standalone mode, so that
796 : : * there is a way to recover from sillinesses like "UPDATE pg_authid SET
797 : : * rolcanlogin = false;".
798 : : */
5859 799 [ + - ]: 15233 : if (IsUnderPostmaster)
800 : : {
801 : : /*
802 : : * Is role allowed to login at all? (But background workers can
803 : : * override this by setting bypass_login_check.)
804 : : */
936 michael@paquier.xyz 805 [ + + + + ]: 15233 : if (!bypass_login_check && !rform->rolcanlogin)
7583 tgl@sss.pgh.pa.us 806 [ + - ]: 3 : ereport(FATAL,
807 : : (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
808 : : errmsg("role \"%s\" is not permitted to log in",
809 : : rname)));
810 : :
811 : : /*
812 : : * Check connection limit for this role. We enforce the limit only
813 : : * for regular backends, since other process types have their own
814 : : * PGPROC pools.
815 : : *
816 : : * There is a race condition here --- we create our PGPROC before
817 : : * checking for other PGPROCs. If two backends did this at about the
818 : : * same time, they might both think they were over the limit, while
819 : : * ideally one should succeed and one fail. Getting that to work
820 : : * exactly seems more trouble than it is worth, however; instead we
821 : : * just document that the connection limit is approximate.
822 : : */
823 [ - + ]: 15230 : if (rform->rolconnlimit >= 0 &&
493 tgl@sss.pgh.pa.us 824 [ # # ]:UBC 0 : AmRegularBackendProcess() &&
1027 nathan@postgresql.or 825 [ # # ]: 0 : !is_superuser &&
7583 tgl@sss.pgh.pa.us 826 [ # # ]: 0 : CountUserBackends(roleid) > rform->rolconnlimit)
827 [ # # ]: 0 : ereport(FATAL,
828 : : (errcode(ERRCODE_TOO_MANY_CONNECTIONS),
829 : : errmsg("too many connections for role \"%s\"",
830 : : rname)));
831 : : }
832 : :
7616 tgl@sss.pgh.pa.us 833 :CBC 15230 : ReleaseSysCache(roleTup);
834 : : }
835 : :
836 : :
837 : : /*
838 : : * Initialize user identity during special backend startup
839 : : */
840 : : void
9005 peter_e@gmx.net 841 : 755 : InitializeSessionUserIdStandalone(void)
842 : : {
843 : : /*
844 : : * This function should only be called in single-user mode, in autovacuum
845 : : * workers, in slot sync worker and in background workers.
846 : : */
792 heikki.linnakangas@i 847 [ + + + + : 755 : Assert(!IsUnderPostmaster || AmAutoVacuumWorkerProcess() ||
+ + + + +
+ - + ]
848 : : AmLogicalSlotSyncWorkerProcess() || AmBackgroundWorkerProcess() ||
849 : : AmDataChecksumsWorkerProcess());
850 : :
851 : : /* call only once */
1285 peter@eisentraut.org 852 [ - + ]: 755 : Assert(!OidIsValid(AuthenticatedUserId));
853 : :
7616 tgl@sss.pgh.pa.us 854 : 755 : AuthenticatedUserId = BOOTSTRAP_SUPERUSERID;
855 : :
856 : : /*
857 : : * XXX Ideally we'd do this via SetConfigOption("session_authorization"),
858 : : * but we lack the role name needed to do that, and we can't fetch it
859 : : * because one reason for this special case is to be able to start up even
860 : : * if something's happened to the BOOTSTRAP_SUPERUSERID's pg_authid row.
861 : : * Since we don't set the GUC itself, C code will see the value as NULL,
862 : : * and current_setting() will report an empty string within this session.
863 : : */
540 864 : 755 : SetSessionAuthorization(BOOTSTRAP_SUPERUSERID, true);
865 : :
866 : : /* We could do SetConfigOption("role"), but let's be consistent */
867 : 755 : SetCurrentRoleId(InvalidOid, false);
9005 peter_e@gmx.net 868 : 755 : }
869 : :
870 : : /*
871 : : * Initialize the system user.
872 : : *
873 : : * This is built as auth_method:authn_id.
874 : : */
875 : : void
1314 michael@paquier.xyz 876 : 191 : InitializeSystemUser(const char *authn_id, const char *auth_method)
877 : : {
878 : : char *system_user;
879 : :
880 : : /* call only once */
881 [ - + ]: 191 : Assert(SystemUser == NULL);
882 : :
883 : : /*
884 : : * InitializeSystemUser should be called only when authn_id is not NULL,
885 : : * meaning that auth_method is valid.
886 : : */
887 [ - + ]: 191 : Assert(authn_id != NULL);
888 : :
889 : 191 : system_user = psprintf("%s:%s", auth_method, authn_id);
890 : :
891 : : /* Store SystemUser in long-lived storage */
892 : 191 : SystemUser = MemoryContextStrdup(TopMemoryContext, system_user);
893 : 191 : pfree(system_user);
894 : 191 : }
895 : :
896 : : /*
897 : : * SQL-function SYSTEM_USER
898 : : */
899 : : Datum
900 : 33 : system_user(PG_FUNCTION_ARGS)
901 : : {
902 : 33 : const char *sysuser = GetSystemUser();
903 : :
904 [ + + ]: 33 : if (sysuser)
905 : 22 : PG_RETURN_DATUM(CStringGetTextDatum(sysuser));
906 : : else
907 : 11 : PG_RETURN_NULL();
908 : : }
909 : :
910 : : /*
911 : : * Change session auth ID while running
912 : : *
913 : : * The SQL standard says that SET SESSION AUTHORIZATION implies SET ROLE NONE.
914 : : * We mechanize that at higher levels not here, because this is the GUC
915 : : * assign hook for "session_authorization", and it must be commutative with
916 : : * SetCurrentRoleId (the hook for "role") because guc.c provides no guarantees
917 : : * which will run first during cases such as transaction rollback. Therefore,
918 : : * we update derived state (OuterUserId/CurrentUserId/is_superuser) only if
919 : : * !SetRoleIsActive.
920 : : */
921 : : void
7589 tgl@sss.pgh.pa.us 922 : 22712 : SetSessionAuthorization(Oid userid, bool is_superuser)
923 : : {
924 : 22712 : SetSessionUserId(userid, is_superuser);
925 : :
540 926 [ + + ]: 22712 : if (!SetRoleIsActive)
927 : 22667 : SetOuterUserId(userid, is_superuser);
7589 928 : 22712 : }
929 : :
930 : : /*
931 : : * Report current role id
932 : : * This follows the semantics of SET ROLE, ie return the outer-level ID
933 : : * not the current effective ID, and return InvalidOid when the setting
934 : : * is logically SET ROLE NONE.
935 : : */
936 : : Oid
937 : 728 : GetCurrentRoleId(void)
938 : : {
939 [ + + ]: 728 : if (SetRoleIsActive)
940 : 40 : return OuterUserId;
941 : : else
942 : 688 : return InvalidOid;
943 : : }
944 : :
945 : : /*
946 : : * Change Role ID while running (SET ROLE)
947 : : *
948 : : * If roleid is InvalidOid, we are doing SET ROLE NONE: revert to the
949 : : * session user authorization. In this case the is_superuser argument
950 : : * is ignored.
951 : : *
952 : : * When roleid is not InvalidOid, the caller must have checked whether
953 : : * the session user has permission to become that role. (We cannot check
954 : : * here because this routine must be able to execute in a failed transaction
955 : : * to restore a prior value of the ROLE GUC variable.)
956 : : */
957 : : void
958 : 25221 : SetCurrentRoleId(Oid roleid, bool is_superuser)
959 : : {
960 : : /*
961 : : * Get correct info if it's SET ROLE NONE
962 : : *
963 : : * If SessionUserId hasn't been set yet, do nothing beyond updating
964 : : * SetRoleIsActive --- the eventual SetSessionAuthorization call will
965 : : * update the derived state. This is needed since we will get called
966 : : * during GUC initialization.
967 : : */
968 [ + + ]: 25221 : if (!OidIsValid(roleid))
969 : : {
540 970 : 24481 : SetRoleIsActive = false;
971 : :
7589 972 [ + + ]: 24481 : if (!OidIsValid(SessionUserId))
973 : 1286 : return;
974 : :
975 : 23195 : roleid = SessionUserId;
976 : 23195 : is_superuser = SessionUserIsSuperuser;
977 : : }
978 : : else
979 : 740 : SetRoleIsActive = true;
980 : :
540 981 : 23935 : SetOuterUserId(roleid, is_superuser);
982 : : }
983 : :
984 : :
985 : : /*
986 : : * Get user name from user oid, returns NULL for nonexistent roleid if noerr
987 : : * is true.
988 : : */
989 : : char *
4014 andrew@dunslane.net 990 : 12656 : GetUserNameFromId(Oid roleid, bool noerr)
991 : : {
992 : : HeapTuple tuple;
993 : : char *result;
994 : :
5924 rhaas@postgresql.org 995 : 12656 : tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
9359 peter_e@gmx.net 996 [ + + ]: 12656 : if (!HeapTupleIsValid(tuple))
997 : : {
4014 andrew@dunslane.net 998 [ - + ]: 12 : if (!noerr)
4014 andrew@dunslane.net 999 [ # # ]:UBC 0 : ereport(ERROR,
1000 : : (errcode(ERRCODE_UNDEFINED_OBJECT),
1001 : : errmsg("invalid role OID: %u", roleid)));
4014 andrew@dunslane.net 1002 :CBC 12 : result = NULL;
1003 : : }
1004 : : else
1005 : : {
1006 : 12644 : result = pstrdup(NameStr(((Form_pg_authid) GETSTRUCT(tuple))->rolname));
1007 : 12644 : ReleaseSysCache(tuple);
1008 : : }
9301 tgl@sss.pgh.pa.us 1009 : 12656 : return result;
1010 : : }
1011 : :
1012 : : /* ------------------------------------------------------------------------
1013 : : * Client connection state shared with parallel workers
1014 : : *
1015 : : * ClientConnectionInfo contains pieces of information about the client that
1016 : : * need to be synced to parallel workers when they initialize.
1017 : : *-------------------------------------------------------------------------
1018 : : */
1019 : :
1020 : : ClientConnectionInfo MyClientConnectionInfo;
1021 : :
1022 : : /*
1023 : : * Intermediate representation of ClientConnectionInfo for easier
1024 : : * serialization. Variable-length fields are allocated right after this
1025 : : * header.
1026 : : */
1027 : : typedef struct SerializedClientConnectionInfo
1028 : : {
1029 : : int32 authn_id_len; /* strlen(authn_id), or -1 if NULL */
1030 : : UserAuth auth_method;
1031 : : } SerializedClientConnectionInfo;
1032 : :
1033 : : /*
1034 : : * Calculate the space needed to serialize MyClientConnectionInfo.
1035 : : */
1036 : : Size
1350 michael@paquier.xyz 1037 : 680 : EstimateClientConnectionInfoSpace(void)
1038 : : {
1039 : 680 : Size size = 0;
1040 : :
1041 : 680 : size = add_size(size, sizeof(SerializedClientConnectionInfo));
1042 : :
1043 [ + + ]: 680 : if (MyClientConnectionInfo.authn_id)
1044 : 2 : size = add_size(size, strlen(MyClientConnectionInfo.authn_id) + 1);
1045 : :
1046 : 680 : return size;
1047 : : }
1048 : :
1049 : : /*
1050 : : * Serialize MyClientConnectionInfo for use by parallel workers.
1051 : : */
1052 : : void
264 1053 : 680 : SerializeClientConnectionInfo(Size maxsize PG_USED_FOR_ASSERTS_ONLY,
1054 : : char *start_address)
1055 : : {
1350 1056 : 680 : SerializedClientConnectionInfo serialized = {0};
1057 : :
1058 : 680 : serialized.authn_id_len = -1;
1059 : 680 : serialized.auth_method = MyClientConnectionInfo.auth_method;
1060 : :
1061 [ + + ]: 680 : if (MyClientConnectionInfo.authn_id)
1062 : 2 : serialized.authn_id_len = strlen(MyClientConnectionInfo.authn_id);
1063 : :
1064 : : /* Copy serialized representation to buffer */
1065 [ - + ]: 680 : Assert(maxsize >= sizeof(serialized));
1066 : 680 : memcpy(start_address, &serialized, sizeof(serialized));
1067 : :
1068 : 680 : maxsize -= sizeof(serialized);
1069 : 680 : start_address += sizeof(serialized);
1070 : :
1071 : : /* Copy authn_id into the space after the struct */
1072 [ + + ]: 680 : if (serialized.authn_id_len >= 0)
1073 : : {
1074 [ - + ]: 2 : Assert(maxsize >= (serialized.authn_id_len + 1));
1075 : 2 : memcpy(start_address,
1076 : 2 : MyClientConnectionInfo.authn_id,
1077 : : /* include the NULL terminator to ease deserialization */
1078 : 2 : serialized.authn_id_len + 1);
1079 : : }
1080 : 680 : }
1081 : :
1082 : : /*
1083 : : * Restore MyClientConnectionInfo from its serialized representation.
1084 : : */
1085 : : void
1086 : 2008 : RestoreClientConnectionInfo(char *conninfo)
1087 : : {
1088 : : SerializedClientConnectionInfo serialized;
1089 : :
1090 : 2008 : memcpy(&serialized, conninfo, sizeof(serialized));
1091 : :
1092 : : /* Copy the fields back into place */
1093 : 2008 : MyClientConnectionInfo.authn_id = NULL;
1094 : 2008 : MyClientConnectionInfo.auth_method = serialized.auth_method;
1095 : :
1096 [ + + ]: 2008 : if (serialized.authn_id_len >= 0)
1097 : : {
1098 : : char *authn_id;
1099 : :
1100 : 4 : authn_id = conninfo + sizeof(serialized);
1101 : 4 : MyClientConnectionInfo.authn_id = MemoryContextStrdup(TopMemoryContext,
1102 : : authn_id);
1103 : : }
1104 : 2008 : }
1105 : :
1106 : :
1107 : : /*-------------------------------------------------------------------------
1108 : : * Interlock-file support
1109 : : *
1110 : : * These routines are used to create both a data-directory lockfile
1111 : : * ($DATADIR/postmaster.pid) and Unix-socket-file lockfiles ($SOCKFILE.lock).
1112 : : * Both kinds of files contain the same info initially, although we can add
1113 : : * more information to a data-directory lockfile after it's created, using
1114 : : * AddToDataDirLockFile(). See pidfile.h for documentation of the contents
1115 : : * of these lockfiles.
1116 : : *
1117 : : * On successful lockfile creation, a proc_exit callback to remove the
1118 : : * lockfile is automatically created.
1119 : : *-------------------------------------------------------------------------
1120 : : */
1121 : :
1122 : : /*
1123 : : * proc_exit callback to remove lockfiles.
1124 : : */
1125 : : static void
5016 tgl@sss.pgh.pa.us 1126 : 1252 : UnlinkLockFiles(int status, Datum arg)
1127 : : {
1128 : : ListCell *l;
1129 : :
1130 [ + - + + : 3493 : foreach(l, lock_files)
+ + ]
1131 : : {
1132 : 2241 : char *curfile = (char *) lfirst(l);
1133 : :
1134 : 2241 : unlink(curfile);
1135 : : /* Should we complain if the unlink fails? */
1136 : : }
1137 : : /* Since we're about to exit, no need to reclaim storage */
1138 : :
1139 : : /*
1140 : : * Lock file removal should always be the last externally visible action
1141 : : * of a postmaster or standalone backend, while we won't come here at all
1142 : : * when exiting postmaster child processes. Therefore, this is a good
1143 : : * place to log completion of shutdown. We could alternatively teach
1144 : : * proc_exit() to do it, but that seems uglier. In a standalone backend,
1145 : : * use NOTICE elevel to be less chatty.
1146 : : */
3736 1147 [ + + + + ]: 1252 : ereport(IsPostmasterEnvironment ? LOG : NOTICE,
1148 : : (errmsg("database system is shut down")));
9613 ishii@postgresql.org 1149 : 1252 : }
1150 : :
1151 : : /*
1152 : : * Create a lockfile.
1153 : : *
1154 : : * filename is the path name of the lockfile to create.
1155 : : * amPostmaster is used to determine how to encode the output PID.
1156 : : * socketDir is the Unix socket directory path to include (possibly empty).
1157 : : * isDDLock and refName are used to determine what error message to produce.
1158 : : */
1159 : : static void
9184 tgl@sss.pgh.pa.us 1160 : 2244 : CreateLockFile(const char *filename, bool amPostmaster,
1161 : : const char *socketDir,
1162 : : bool isDDLock, const char *refName)
1163 : : {
1164 : : int fd;
1165 : : char buffer[MAXPGPATH * 2 + 256];
1166 : : int ntries;
1167 : : int len;
1168 : : int encoded_pid;
1169 : : pid_t other_pid;
1170 : : pid_t my_pid,
1171 : : my_p_pid,
1172 : : my_gp_pid;
1173 : : const char *envvar;
1174 : :
1175 : : /*
1176 : : * If the PID in the lockfile is our own PID or our parent's or
1177 : : * grandparent's PID, then the file must be stale (probably left over from
1178 : : * a previous system boot cycle). We need to check this because of the
1179 : : * likelihood that a reboot will assign exactly the same PID as we had in
1180 : : * the previous reboot, or one that's only one or two counts larger and
1181 : : * hence the lockfile's PID now refers to an ancestor shell process. We
1182 : : * allow pg_ctl to pass down its parent shell PID (our grandparent PID)
1183 : : * via the environment variable PG_GRANDPARENT_PID; this is so that
1184 : : * launching the postmaster via pg_ctl can be just as reliable as
1185 : : * launching it directly. There is no provision for detecting
1186 : : * further-removed ancestor processes, but if the init script is written
1187 : : * carefully then all but the immediate parent shell will be root-owned
1188 : : * processes and so the kill test will fail with EPERM. Note that we
1189 : : * cannot get a false negative this way, because an existing postmaster
1190 : : * would surely never launch a competing postmaster or pg_ctl process
1191 : : * directly.
1192 : : */
6095 1193 : 2244 : my_pid = getpid();
1194 : :
1195 : : #ifndef WIN32
1196 : 2244 : my_p_pid = getppid();
1197 : : #else
1198 : :
1199 : : /*
1200 : : * Windows hasn't got getppid(), but doesn't need it since it's not using
1201 : : * real kill() either...
1202 : : */
1203 : : my_p_pid = 0;
1204 : : #endif
1205 : :
1206 : 2244 : envvar = getenv("PG_GRANDPARENT_PID");
1207 [ + + ]: 2244 : if (envvar)
1208 : 1791 : my_gp_pid = atoi(envvar);
1209 : : else
1210 : 453 : my_gp_pid = 0;
1211 : :
1212 : : /*
1213 : : * We need a loop here because of race conditions. But don't loop forever
1214 : : * (for example, a non-writable $PGDATA directory might cause a failure
1215 : : * that won't go away). 100 tries seems like plenty.
1216 : : */
8958 bruce@momjian.us 1217 : 2244 : for (ntries = 0;; ntries++)
1218 : : {
1219 : : /*
1220 : : * Try to create the lock file --- O_EXCL makes this atomic.
1221 : : *
1222 : : * Think not to make the file protection weaker than 0600/0640. See
1223 : : * comments below.
1224 : : */
2950 sfrost@snowman.net 1225 : 2247 : fd = open(filename, O_RDWR | O_CREAT | O_EXCL, pg_file_create_mode);
9288 tgl@sss.pgh.pa.us 1226 [ + + ]: 2247 : if (fd >= 0)
1227 : 2241 : break; /* Success; exit the retry loop */
1228 : :
1229 : : /*
1230 : : * Couldn't create the pid file. Probably it already exists.
1231 : : */
9072 1232 [ - + - - : 6 : if ((errno != EEXIST && errno != EACCES) || ntries > 100)
- + ]
8320 tgl@sss.pgh.pa.us 1233 [ # # ]:UBC 0 : ereport(FATAL,
1234 : : (errcode_for_file_access(),
1235 : : errmsg("could not create lock file \"%s\": %m",
1236 : : filename)));
1237 : :
1238 : : /*
1239 : : * Read the file to get the old owner's PID. Note race condition
1240 : : * here: file might have been deleted since we tried to create it.
1241 : : */
2950 sfrost@snowman.net 1242 :CBC 6 : fd = open(filename, O_RDONLY, pg_file_create_mode);
9519 bruce@momjian.us 1243 [ - + ]: 6 : if (fd < 0)
1244 : : {
9288 tgl@sss.pgh.pa.us 1245 [ # # ]:UBC 0 : if (errno == ENOENT)
1246 : 0 : continue; /* race condition; try again */
8320 1247 [ # # ]: 0 : ereport(FATAL,
1248 : : (errcode_for_file_access(),
1249 : : errmsg("could not open lock file \"%s\": %m",
1250 : : filename)));
1251 : : }
3335 rhaas@postgresql.org 1252 :CBC 6 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_CREATE_READ);
8154 tgl@sss.pgh.pa.us 1253 [ - + ]: 6 : if ((len = read(fd, buffer, sizeof(buffer) - 1)) < 0)
8320 tgl@sss.pgh.pa.us 1254 [ # # ]:UBC 0 : ereport(FATAL,
1255 : : (errcode_for_file_access(),
1256 : : errmsg("could not read lock file \"%s\": %m",
1257 : : filename)));
3335 rhaas@postgresql.org 1258 :CBC 6 : pgstat_report_wait_end();
9613 ishii@postgresql.org 1259 : 6 : close(fd);
1260 : :
4997 bruce@momjian.us 1261 [ - + ]: 6 : if (len == 0)
1262 : : {
4997 bruce@momjian.us 1263 [ # # ]:UBC 0 : ereport(FATAL,
1264 : : (errcode(ERRCODE_LOCK_FILE_EXISTS),
1265 : : errmsg("lock file \"%s\" is empty", filename),
1266 : : errhint("Either another server is starting, or the lock file is the remnant of a previous server startup crash.")));
1267 : : }
1268 : :
9288 tgl@sss.pgh.pa.us 1269 :CBC 6 : buffer[len] = '\0';
1270 : 6 : encoded_pid = atoi(buffer);
1271 : :
1272 : : /* if pid < 0, the pid is for postgres, not postmaster */
1273 : 6 : other_pid = (pid_t) (encoded_pid < 0 ? -encoded_pid : encoded_pid);
1274 : :
1275 [ - + ]: 6 : if (other_pid <= 0)
7624 tgl@sss.pgh.pa.us 1276 [ # # ]:UBC 0 : elog(FATAL, "bogus data in lock file \"%s\": \"%s\"",
1277 : : filename, buffer);
1278 : :
1279 : : /*
1280 : : * Check to see if the other process still exists
1281 : : *
1282 : : * Per discussion above, my_pid, my_p_pid, and my_gp_pid can be
1283 : : * ignored as false matches.
1284 : : *
1285 : : * Normally kill() will fail with ESRCH if the given PID doesn't
1286 : : * exist.
1287 : : *
1288 : : * We can treat the EPERM-error case as okay because that error
1289 : : * implies that the existing process has a different userid than we
1290 : : * do, which means it cannot be a competing postmaster. A postmaster
1291 : : * cannot successfully attach to a data directory owned by a userid
1292 : : * other than its own, as enforced in checkDataDir(). Also, since we
1293 : : * create the lockfiles mode 0600/0640, we'd have failed above if the
1294 : : * lockfile belonged to another userid --- which means that whatever
1295 : : * process kill() is reporting about isn't the one that made the
1296 : : * lockfile. (NOTE: this last consideration is the only one that
1297 : : * keeps us from blowing away a Unix socket file belonging to an
1298 : : * instance of Postgres being run by someone else, at least on
1299 : : * machines where /tmp hasn't got a stickybit.)
1300 : : */
6095 tgl@sss.pgh.pa.us 1301 [ + - + - :CBC 6 : if (other_pid != my_pid && other_pid != my_p_pid &&
+ - ]
1302 : : other_pid != my_gp_pid)
1303 : : {
8122 neilc@samurai.com 1304 [ + + ]: 6 : if (kill(other_pid, 0) == 0 ||
7425 bruce@momjian.us 1305 [ - + - - ]: 4 : (errno != ESRCH && errno != EPERM))
1306 : : {
1307 : : /* lockfile belongs to a live process */
8318 tgl@sss.pgh.pa.us 1308 [ + - + - : 2 : ereport(FATAL,
- + - - ]
1309 : : (errcode(ERRCODE_LOCK_FILE_EXISTS),
1310 : : errmsg("lock file \"%s\" already exists",
1311 : : filename),
1312 : : isDDLock ?
1313 : : (encoded_pid < 0 ?
1314 : : errhint("Is another postgres (PID %d) running in data directory \"%s\"?",
1315 : : (int) other_pid, refName) :
1316 : : errhint("Is another postmaster (PID %d) running in data directory \"%s\"?",
1317 : : (int) other_pid, refName)) :
1318 : : (encoded_pid < 0 ?
1319 : : errhint("Is another postgres (PID %d) using socket file \"%s\"?",
1320 : : (int) other_pid, refName) :
1321 : : errhint("Is another postmaster (PID %d) using socket file \"%s\"?",
1322 : : (int) other_pid, refName))));
1323 : : }
1324 : : }
1325 : :
1326 : : /*
1327 : : * No, the creating process did not exist. However, it could be that
1328 : : * the postmaster crashed (or more likely was kill -9'd by a clueless
1329 : : * admin) but has left orphan backends behind. Check for this by
1330 : : * looking to see if there is an associated shmem segment that is
1331 : : * still in use.
1332 : : *
1333 : : * Note: because postmaster.pid is written in multiple steps, we might
1334 : : * not find the shmem ID values in it; we can't treat that as an
1335 : : * error.
1336 : : */
9184 1337 [ + + ]: 4 : if (isDDLock)
1338 : : {
5607 bruce@momjian.us 1339 : 2 : char *ptr = buffer;
1340 : : unsigned long id1,
1341 : : id2;
1342 : : int lineno;
1343 : :
5591 tgl@sss.pgh.pa.us 1344 [ + + ]: 14 : for (lineno = 1; lineno < LOCK_FILE_LINE_SHMEM_KEY; lineno++)
1345 : : {
5608 bruce@momjian.us 1346 [ - + ]: 12 : if ((ptr = strchr(ptr, '\n')) == NULL)
5608 bruce@momjian.us 1347 :UBC 0 : break;
5608 bruce@momjian.us 1348 :CBC 12 : ptr++;
1349 : : }
1350 : :
5591 tgl@sss.pgh.pa.us 1351 [ + - ]: 2 : if (ptr != NULL &&
1352 [ + - ]: 2 : sscanf(ptr, "%lu %lu", &id1, &id2) == 2)
1353 : : {
5608 bruce@momjian.us 1354 [ + + ]: 2 : if (PGSharedMemoryIsInUse(id1, id2))
5608 bruce@momjian.us 1355 [ + - ]:GBC 1 : ereport(FATAL,
1356 : : (errcode(ERRCODE_LOCK_FILE_EXISTS),
1357 : : errmsg("pre-existing shared memory block (key %lu, ID %lu) is still in use",
1358 : : id1, id2),
1359 : : errhint("Terminate any old server processes associated with data directory \"%s\".",
1360 : : refName)));
1361 : : }
1362 : : }
1363 : :
1364 : : /*
1365 : : * Looks like nobody's home. Unlink the file and try again to create
1366 : : * it. Need a loop because of possible race condition against other
1367 : : * would-be creators.
1368 : : */
9288 tgl@sss.pgh.pa.us 1369 [ - + ]:CBC 3 : if (unlink(filename) < 0)
8320 tgl@sss.pgh.pa.us 1370 [ # # ]:UBC 0 : ereport(FATAL,
1371 : : (errcode_for_file_access(),
1372 : : errmsg("could not remove old lock file \"%s\": %m",
1373 : : filename),
1374 : : errhint("The file seems accidentally left over, but "
1375 : : "it could not be removed. Please remove the file "
1376 : : "by hand and try again.")));
1377 : : }
1378 : :
1379 : : /*
1380 : : * Successfully created the file, now fill it. See comment in pidfile.h
1381 : : * about the contents. Note that we write the same first five lines into
1382 : : * both datadir and socket lockfiles; although more stuff may get added to
1383 : : * the datadir lockfile later.
1384 : : */
575 nathan@postgresql.or 1385 [ + + ]:CBC 2241 : snprintf(buffer, sizeof(buffer), "%d\n%s\n" INT64_FORMAT "\n%d\n%s\n",
1386 : : amPostmaster ? (int) my_pid : -((int) my_pid),
1387 : : DataDir,
1388 : : MyStartTime,
1389 : : PostPortNumber,
1390 : : socketDir);
1391 : :
1392 : : /*
1393 : : * In a standalone backend, the next line (LOCK_FILE_LINE_LISTEN_ADDR)
1394 : : * will never receive data, so fill it in as empty now.
1395 : : */
4888 tgl@sss.pgh.pa.us 1396 [ + + + + ]: 2241 : if (isDDLock && !amPostmaster)
1397 : 248 : strlcat(buffer, "\n", sizeof(buffer));
1398 : :
9099 1399 : 2241 : errno = 0;
3335 rhaas@postgresql.org 1400 : 2241 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_CREATE_WRITE);
9288 tgl@sss.pgh.pa.us 1401 [ - + ]: 2241 : if (write(fd, buffer, strlen(buffer)) != strlen(buffer))
1402 : : {
9175 bruce@momjian.us 1403 :UBC 0 : int save_errno = errno;
1404 : :
9613 ishii@postgresql.org 1405 : 0 : close(fd);
9288 tgl@sss.pgh.pa.us 1406 : 0 : unlink(filename);
1407 : : /* if write didn't set errno, assume problem is no disk space */
9099 1408 [ # # ]: 0 : errno = save_errno ? save_errno : ENOSPC;
8320 1409 [ # # ]: 0 : ereport(FATAL,
1410 : : (errcode_for_file_access(),
1411 : : errmsg("could not write lock file \"%s\": %m", filename)));
1412 : : }
3335 rhaas@postgresql.org 1413 :CBC 2241 : pgstat_report_wait_end();
1414 : :
1415 : 2241 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_CREATE_SYNC);
5741 tgl@sss.pgh.pa.us 1416 [ - + ]: 2241 : if (pg_fsync(fd) != 0)
1417 : : {
5741 tgl@sss.pgh.pa.us 1418 :UBC 0 : int save_errno = errno;
1419 : :
1420 : 0 : close(fd);
1421 : 0 : unlink(filename);
1422 : 0 : errno = save_errno;
1423 [ # # ]: 0 : ereport(FATAL,
1424 : : (errcode_for_file_access(),
1425 : : errmsg("could not write lock file \"%s\": %m", filename)));
1426 : : }
3335 rhaas@postgresql.org 1427 :CBC 2241 : pgstat_report_wait_end();
5741 tgl@sss.pgh.pa.us 1428 [ - + ]: 2241 : if (close(fd) != 0)
1429 : : {
8135 tgl@sss.pgh.pa.us 1430 :UBC 0 : int save_errno = errno;
1431 : :
1432 : 0 : unlink(filename);
1433 : 0 : errno = save_errno;
1434 [ # # ]: 0 : ereport(FATAL,
1435 : : (errcode_for_file_access(),
1436 : : errmsg("could not write lock file \"%s\": %m", filename)));
1437 : : }
1438 : :
1439 : : /*
1440 : : * Arrange to unlink the lock file(s) at proc_exit. If this is the first
1441 : : * one, set up the on_proc_exit function to do it; then add this lock file
1442 : : * to the list of files to unlink.
1443 : : */
5016 tgl@sss.pgh.pa.us 1444 [ + + ]:CBC 2241 : if (lock_files == NIL)
1445 : 1252 : on_proc_exit(UnlinkLockFiles, 0);
1446 : :
1447 : : /*
1448 : : * Use lcons so that the lock files are unlinked in reverse order of
1449 : : * creation; this is critical!
1450 : : */
3929 1451 : 2241 : lock_files = lcons(pstrdup(filename), lock_files);
9288 1452 : 2241 : }
1453 : :
1454 : : /*
1455 : : * Create the data directory lockfile.
1456 : : *
1457 : : * When this is called, we must have already switched the working
1458 : : * directory to DataDir, so we can just use a relative path. This
1459 : : * helps ensure that we are locking the directory we should be.
1460 : : *
1461 : : * Note that the socket directory path line is initially written as empty.
1462 : : * postmaster.c will rewrite it upon creating the first Unix socket.
1463 : : */
1464 : : void
7610 1465 : 1255 : CreateDataDirLockFile(bool amPostmaster)
1466 : : {
5016 1467 : 1255 : CreateLockFile(DIRECTORY_LOCK_FILE, amPostmaster, "", true, DataDir);
9613 ishii@postgresql.org 1468 : 1252 : }
1469 : :
1470 : : /*
1471 : : * Create a lockfile for the specified Unix socket file.
1472 : : */
1473 : : void
5016 tgl@sss.pgh.pa.us 1474 : 989 : CreateSocketLockFile(const char *socketfile, bool amPostmaster,
1475 : : const char *socketDir)
1476 : : {
1477 : : char lockfile[MAXPGPATH];
1478 : :
9288 1479 : 989 : snprintf(lockfile, sizeof(lockfile), "%s.lock", socketfile);
5016 1480 : 989 : CreateLockFile(lockfile, amPostmaster, socketDir, false, socketfile);
9288 1481 : 989 : }
1482 : :
1483 : : /*
1484 : : * TouchSocketLockFiles -- mark socket lock files as recently accessed
1485 : : *
1486 : : * This routine should be called every so often to ensure that the socket
1487 : : * lock files have a recent mod or access date. That saves them
1488 : : * from being removed by overenthusiastic /tmp-directory-cleaner daemons.
1489 : : * (Another reason we should never have put the socket file in /tmp...)
1490 : : */
1491 : : void
5016 tgl@sss.pgh.pa.us 1492 :UBC 0 : TouchSocketLockFiles(void)
1493 : : {
1494 : : ListCell *l;
1495 : :
1496 [ # # # # : 0 : foreach(l, lock_files)
# # ]
1497 : : {
1498 : 0 : char *socketLockFile = (char *) lfirst(l);
1499 : :
1500 : : /* No need to touch the data directory lock file, we trust */
1501 [ # # ]: 0 : if (strcmp(socketLockFile, DIRECTORY_LOCK_FILE) == 0)
1502 : 0 : continue;
1503 : :
1504 : : /* we just ignore any error here */
2265 1505 : 0 : (void) utime(socketLockFile, NULL);
1506 : : }
9229 1507 : 0 : }
1508 : :
1509 : :
1510 : : /*
1511 : : * Add (or replace) a line in the data directory lock file.
1512 : : * The given string should not include a trailing newline.
1513 : : *
1514 : : * Note: because we don't truncate the file, if we were to rewrite a line
1515 : : * with less data than it had before, there would be garbage after the last
1516 : : * line. While we could fix that by adding a truncate call, that would make
1517 : : * the file update non-atomic, which we'd rather avoid. Therefore, callers
1518 : : * should endeavor never to shorten a line once it's been written.
1519 : : */
1520 : : void
5591 tgl@sss.pgh.pa.us 1521 :CBC 6224 : AddToDataDirLockFile(int target_line, const char *str)
1522 : : {
1523 : : int fd;
1524 : : int len;
1525 : : int lineno;
1526 : : char *srcptr;
1527 : : char *destptr;
1528 : : char srcbuffer[BLCKSZ];
1529 : : char destbuffer[BLCKSZ];
1530 : :
7610 1531 : 6224 : fd = open(DIRECTORY_LOCK_FILE, O_RDWR | PG_BINARY, 0);
9184 1532 [ - + ]: 6224 : if (fd < 0)
1533 : : {
8320 tgl@sss.pgh.pa.us 1534 [ # # ]:UBC 0 : ereport(LOG,
1535 : : (errcode_for_file_access(),
1536 : : errmsg("could not open file \"%s\": %m",
1537 : : DIRECTORY_LOCK_FILE)));
9184 1538 : 0 : return;
1539 : : }
3335 rhaas@postgresql.org 1540 :CBC 6224 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_ADDTODATADIR_READ);
5016 tgl@sss.pgh.pa.us 1541 : 6224 : len = read(fd, srcbuffer, sizeof(srcbuffer) - 1);
3335 rhaas@postgresql.org 1542 : 6224 : pgstat_report_wait_end();
8154 tgl@sss.pgh.pa.us 1543 [ - + ]: 6224 : if (len < 0)
1544 : : {
8320 tgl@sss.pgh.pa.us 1545 [ # # ]:UBC 0 : ereport(LOG,
1546 : : (errcode_for_file_access(),
1547 : : errmsg("could not read from file \"%s\": %m",
1548 : : DIRECTORY_LOCK_FILE)));
9184 1549 : 0 : close(fd);
1550 : 0 : return;
1551 : : }
5016 tgl@sss.pgh.pa.us 1552 :CBC 6224 : srcbuffer[len] = '\0';
1553 : :
1554 : : /*
1555 : : * Advance over lines we are not supposed to rewrite, then copy them to
1556 : : * destbuffer.
1557 : : */
1558 : 6224 : srcptr = srcbuffer;
5604 bruce@momjian.us 1559 [ + + ]: 42617 : for (lineno = 1; lineno < target_line; lineno++)
1560 : : {
3233 tgl@sss.pgh.pa.us 1561 : 37382 : char *eol = strchr(srcptr, '\n');
1562 : :
1563 [ + + ]: 37382 : if (eol == NULL)
1564 : 989 : break; /* not enough lines in file yet */
1565 : 36393 : srcptr = eol + 1;
1566 : : }
5016 1567 : 6224 : memcpy(destbuffer, srcbuffer, srcptr - srcbuffer);
1568 : 6224 : destptr = destbuffer + (srcptr - srcbuffer);
1569 : :
1570 : : /*
1571 : : * Fill in any missing lines before the target line, in case lines are
1572 : : * added to the file out of order.
1573 : : */
3233 1574 [ + + ]: 7213 : for (; lineno < target_line; lineno++)
1575 : : {
1576 [ + - ]: 989 : if (destptr < destbuffer + sizeof(destbuffer))
1577 : 989 : *destptr++ = '\n';
1578 : : }
1579 : :
1580 : : /*
1581 : : * Write or rewrite the target line.
1582 : : */
5016 1583 : 6224 : snprintf(destptr, destbuffer + sizeof(destbuffer) - destptr, "%s\n", str);
1584 : 6224 : destptr += strlen(destptr);
1585 : :
1586 : : /*
1587 : : * If there are more lines in the old file, append them to destbuffer.
1588 : : */
1589 [ + + ]: 6224 : if ((srcptr = strchr(srcptr, '\n')) != NULL)
1590 : : {
1591 : 4002 : srcptr++;
1592 : 4002 : snprintf(destptr, destbuffer + sizeof(destbuffer) - destptr, "%s",
1593 : : srcptr);
1594 : : }
1595 : :
1596 : : /*
1597 : : * And rewrite the data. Since we write in a single kernel call, this
1598 : : * update should appear atomic to onlookers.
1599 : : */
1600 : 6224 : len = strlen(destbuffer);
9099 1601 : 6224 : errno = 0;
3335 rhaas@postgresql.org 1602 : 6224 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_ADDTODATADIR_WRITE);
1314 tmunro@postgresql.or 1603 [ - + ]: 6224 : if (pg_pwrite(fd, destbuffer, len, 0) != len)
1604 : : {
3335 rhaas@postgresql.org 1605 :UBC 0 : pgstat_report_wait_end();
1606 : : /* if write didn't set errno, assume problem is no disk space */
9099 tgl@sss.pgh.pa.us 1607 [ # # ]: 0 : if (errno == 0)
1608 : 0 : errno = ENOSPC;
8320 1609 [ # # ]: 0 : ereport(LOG,
1610 : : (errcode_for_file_access(),
1611 : : errmsg("could not write to file \"%s\": %m",
1612 : : DIRECTORY_LOCK_FILE)));
9184 1613 : 0 : close(fd);
1614 : 0 : return;
1615 : : }
3335 rhaas@postgresql.org 1616 :CBC 6224 : pgstat_report_wait_end();
1617 : 6224 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_ADDTODATADIR_SYNC);
5741 tgl@sss.pgh.pa.us 1618 [ - + ]: 6224 : if (pg_fsync(fd) != 0)
1619 : : {
5741 tgl@sss.pgh.pa.us 1620 [ # # ]:UBC 0 : ereport(LOG,
1621 : : (errcode_for_file_access(),
1622 : : errmsg("could not write to file \"%s\": %m",
1623 : : DIRECTORY_LOCK_FILE)));
1624 : : }
3335 rhaas@postgresql.org 1625 :CBC 6224 : pgstat_report_wait_end();
5741 tgl@sss.pgh.pa.us 1626 [ - + ]: 6224 : if (close(fd) != 0)
1627 : : {
8135 tgl@sss.pgh.pa.us 1628 [ # # ]:UBC 0 : ereport(LOG,
1629 : : (errcode_for_file_access(),
1630 : : errmsg("could not write to file \"%s\": %m",
1631 : : DIRECTORY_LOCK_FILE)));
1632 : : }
1633 : : }
1634 : :
1635 : :
1636 : : /*
1637 : : * Recheck that the data directory lock file still exists with expected
1638 : : * content. Return true if the lock file appears OK, false if it isn't.
1639 : : *
1640 : : * We call this periodically in the postmaster. The idea is that if the
1641 : : * lock file has been removed or replaced by another postmaster, we should
1642 : : * do a panic database shutdown. Therefore, we should return true if there
1643 : : * is any doubt: we do not want to cause a panic shutdown unnecessarily.
1644 : : * Transient failures like EINTR or ENFILE should not cause us to fail.
1645 : : * (If there really is something wrong, we'll detect it on a future recheck.)
1646 : : */
1647 : : bool
3864 tgl@sss.pgh.pa.us 1648 :CBC 18 : RecheckDataDirLockFile(void)
1649 : : {
1650 : : int fd;
1651 : : int len;
1652 : : long file_pid;
1653 : : char buffer[BLCKSZ];
1654 : :
1655 : 18 : fd = open(DIRECTORY_LOCK_FILE, O_RDWR | PG_BINARY, 0);
1656 [ - + ]: 18 : if (fd < 0)
1657 : : {
1658 : : /*
1659 : : * There are many foreseeable false-positive error conditions. For
1660 : : * safety, fail only on enumerated clearly-something-is-wrong
1661 : : * conditions.
1662 : : */
3864 tgl@sss.pgh.pa.us 1663 [ # # ]:UBC 0 : switch (errno)
1664 : : {
1665 : 0 : case ENOENT:
1666 : : case ENOTDIR:
1667 : : /* disaster */
1668 [ # # ]: 0 : ereport(LOG,
1669 : : (errcode_for_file_access(),
1670 : : errmsg("could not open file \"%s\": %m",
1671 : : DIRECTORY_LOCK_FILE)));
1672 : 0 : return false;
1673 : 0 : default:
1674 : : /* non-fatal, at least for now */
1675 [ # # ]: 0 : ereport(LOG,
1676 : : (errcode_for_file_access(),
1677 : : errmsg("could not open file \"%s\": %m; continuing anyway",
1678 : : DIRECTORY_LOCK_FILE)));
1679 : 0 : return true;
1680 : : }
1681 : : }
3335 rhaas@postgresql.org 1682 :CBC 18 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_RECHECKDATADIR_READ);
3864 tgl@sss.pgh.pa.us 1683 : 18 : len = read(fd, buffer, sizeof(buffer) - 1);
3335 rhaas@postgresql.org 1684 : 18 : pgstat_report_wait_end();
3864 tgl@sss.pgh.pa.us 1685 [ - + ]: 18 : if (len < 0)
1686 : : {
3864 tgl@sss.pgh.pa.us 1687 [ # # ]:UBC 0 : ereport(LOG,
1688 : : (errcode_for_file_access(),
1689 : : errmsg("could not read from file \"%s\": %m",
1690 : : DIRECTORY_LOCK_FILE)));
1691 : 0 : close(fd);
1692 : 0 : return true; /* treat read failure as nonfatal */
1693 : : }
3864 tgl@sss.pgh.pa.us 1694 :CBC 18 : buffer[len] = '\0';
1695 : 18 : close(fd);
1696 : 18 : file_pid = atol(buffer);
1697 [ + - ]: 18 : if (file_pid == getpid())
1698 : 18 : return true; /* all is well */
1699 : :
1700 : : /* Trouble: someone's overwritten the lock file */
3864 tgl@sss.pgh.pa.us 1701 [ # # ]:UBC 0 : ereport(LOG,
1702 : : (errmsg("lock file \"%s\" contains wrong PID: %ld instead of %ld",
1703 : : DIRECTORY_LOCK_FILE, file_pid, (long) getpid())));
1704 : 0 : return false;
1705 : : }
1706 : :
1707 : :
1708 : : /*-------------------------------------------------------------------------
1709 : : * Version checking support
1710 : : *-------------------------------------------------------------------------
1711 : : */
1712 : :
1713 : : /*
1714 : : * Determine whether the PG_VERSION file in directory `path' indicates
1715 : : * a data version compatible with the version of this program.
1716 : : *
1717 : : * If compatible, return. Otherwise, ereport(FATAL).
1718 : : */
1719 : : void
9438 peter_e@gmx.net 1720 :CBC 18141 : ValidatePgVersion(const char *path)
1721 : : {
1722 : : char full_path[MAXPGPATH];
1723 : : FILE *file;
1724 : : int ret;
1725 : : long file_major;
1726 : : long my_major;
1727 : : char *endptr;
1728 : : char file_version_string[64];
3550 tgl@sss.pgh.pa.us 1729 : 18141 : const char *my_version_string = PG_VERSION;
1730 : :
1731 : 18141 : my_major = strtol(my_version_string, &endptr, 10);
1732 : :
8318 1733 : 18141 : snprintf(full_path, sizeof(full_path), "%s/PG_VERSION", path);
1734 : :
9438 peter_e@gmx.net 1735 : 18141 : file = AllocateFile(full_path, "r");
1736 [ - + ]: 18141 : if (!file)
1737 : : {
9438 peter_e@gmx.net 1738 [ # # ]:UBC 0 : if (errno == ENOENT)
8320 tgl@sss.pgh.pa.us 1739 [ # # ]: 0 : ereport(FATAL,
1740 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1741 : : errmsg("\"%s\" is not a valid data directory",
1742 : : path),
1743 : : errdetail("File \"%s\" is missing.", full_path)));
1744 : : else
1745 [ # # ]: 0 : ereport(FATAL,
1746 : : (errcode_for_file_access(),
1747 : : errmsg("could not open file \"%s\": %m", full_path)));
1748 : : }
1749 : :
3550 tgl@sss.pgh.pa.us 1750 :CBC 18141 : file_version_string[0] = '\0';
1751 : 18141 : ret = fscanf(file, "%63s", file_version_string);
1752 : 18141 : file_major = strtol(file_version_string, &endptr, 10);
1753 : :
1754 [ + - - + ]: 18141 : if (ret != 1 || endptr == file_version_string)
8310 bruce@momjian.us 1755 [ # # ]:UBC 0 : ereport(FATAL,
1756 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1757 : : errmsg("\"%s\" is not a valid data directory",
1758 : : path),
1759 : : errdetail("File \"%s\" does not contain valid data.",
1760 : : full_path),
1761 : : errhint("You might need to initdb.")));
1762 : :
9438 peter_e@gmx.net 1763 :CBC 18141 : FreeFile(file);
1764 : :
3550 tgl@sss.pgh.pa.us 1765 [ - + ]: 18141 : if (my_major != file_major)
8320 tgl@sss.pgh.pa.us 1766 [ # # ]:UBC 0 : ereport(FATAL,
1767 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1768 : : errmsg("database files are incompatible with server"),
1769 : : errdetail("The data directory was initialized by PostgreSQL version %s, "
1770 : : "which is not compatible with this version %s.",
1771 : : file_version_string, my_version_string)));
9438 peter_e@gmx.net 1772 :CBC 18141 : }
1773 : :
1774 : : /*-------------------------------------------------------------------------
1775 : : * Library preload support
1776 : : *-------------------------------------------------------------------------
1777 : : */
1778 : :
1779 : : /*
1780 : : * GUC variables: lists of library names to be preloaded at postmaster
1781 : : * start and at backend start
1782 : : */
1783 : : char *session_preload_libraries_string = NULL;
1784 : : char *shared_preload_libraries_string = NULL;
1785 : : char *local_preload_libraries_string = NULL;
1786 : :
1787 : : /* Flag telling that we are loading shared_preload_libraries */
1788 : : bool process_shared_preload_libraries_in_progress = false;
1789 : : bool process_shared_preload_libraries_done = false;
1790 : :
1791 : : shmem_request_hook_type shmem_request_hook = NULL;
1792 : : bool process_shmem_requests_in_progress = false;
1793 : :
1794 : : /*
1795 : : * load the shared libraries listed in 'libraries'
1796 : : *
1797 : : * 'gucname': name of GUC variable, for error reports
1798 : : * 'restricted': if true, force libraries to be in $libdir/plugins/
1799 : : */
1800 : : static void
7202 tgl@sss.pgh.pa.us 1801 : 27891 : load_libraries(const char *libraries, const char *gucname, bool restricted)
1802 : : {
1803 : : char *rawstring;
1804 : : List *elemlist;
1805 : : ListCell *l;
1806 : :
7203 1807 [ + - + + ]: 27891 : if (libraries == NULL || libraries[0] == '\0')
1808 : 27834 : return; /* nothing to do */
1809 : :
1810 : : /* Need a modifiable copy of string */
1811 : 57 : rawstring = pstrdup(libraries);
1812 : :
1813 : : /* Parse string into list of filename paths */
3241 1814 [ - + ]: 57 : if (!SplitDirectoriesString(rawstring, ',', &elemlist))
1815 : : {
1816 : : /* syntax error in list */
3241 tgl@sss.pgh.pa.us 1817 :UBC 0 : list_free_deep(elemlist);
8447 bruce@momjian.us 1818 : 0 : pfree(rawstring);
8320 tgl@sss.pgh.pa.us 1819 [ # # ]: 0 : ereport(LOG,
1820 : : (errcode(ERRCODE_SYNTAX_ERROR),
1821 : : errmsg("invalid list syntax in parameter \"%s\"",
1822 : : gucname)));
1823 : 0 : return;
1824 : : }
1825 : :
8447 bruce@momjian.us 1826 [ + - + + :CBC 137 : foreach(l, elemlist)
+ + ]
1827 : : {
1828 : : /* Note that filename was already canonicalized */
3241 tgl@sss.pgh.pa.us 1829 : 80 : char *filename = (char *) lfirst(l);
1830 : 80 : char *expanded = NULL;
1831 : :
1832 : : /* If restricting, insert $libdir/plugins if not mentioned already */
7202 1833 [ - + - - ]: 80 : if (restricted && first_dir_separator(filename) == NULL)
1834 : : {
4587 peter_e@gmx.net 1835 :UBC 0 : expanded = psprintf("$libdir/plugins/%s", filename);
7203 tgl@sss.pgh.pa.us 1836 : 0 : filename = expanded;
1837 : : }
7202 tgl@sss.pgh.pa.us 1838 :CBC 80 : load_file(filename, restricted);
4545 jdavis@postgresql.or 1839 [ + + ]: 80 : ereport(DEBUG1,
1840 : : (errmsg_internal("loaded library \"%s\"", filename)));
3241 tgl@sss.pgh.pa.us 1841 [ - + ]: 80 : if (expanded)
3241 tgl@sss.pgh.pa.us 1842 :UBC 0 : pfree(expanded);
1843 : : }
1844 : :
3241 tgl@sss.pgh.pa.us 1845 :CBC 57 : list_free_deep(elemlist);
8447 bruce@momjian.us 1846 : 57 : pfree(rawstring);
1847 : : }
1848 : :
1849 : : /*
1850 : : * process any libraries that should be preloaded at postmaster start
1851 : : */
1852 : : void
7203 tgl@sss.pgh.pa.us 1853 : 1081 : process_shared_preload_libraries(void)
1854 : : {
6331 1855 : 1081 : process_shared_preload_libraries_in_progress = true;
7203 1856 : 1081 : load_libraries(shared_preload_libraries_string,
1857 : : "shared_preload_libraries",
1858 : : false);
6331 1859 : 1081 : process_shared_preload_libraries_in_progress = false;
1490 jdavis@postgresql.or 1860 : 1081 : process_shared_preload_libraries_done = true;
7203 tgl@sss.pgh.pa.us 1861 : 1081 : }
1862 : :
1863 : : /*
1864 : : * process any libraries that should be preloaded at backend start
1865 : : */
1866 : : void
4710 peter_e@gmx.net 1867 : 13405 : process_session_preload_libraries(void)
1868 : : {
1869 : 13405 : load_libraries(session_preload_libraries_string,
1870 : : "session_preload_libraries",
1871 : : false);
7203 tgl@sss.pgh.pa.us 1872 : 13405 : load_libraries(local_preload_libraries_string,
1873 : : "local_preload_libraries",
1874 : : true);
1875 : 13405 : }
1876 : :
1877 : : /*
1878 : : * process any shared memory requests from preloaded libraries
1879 : : */
1880 : : void
1453 rhaas@postgresql.org 1881 : 1068 : process_shmem_requests(void)
1882 : : {
1883 : 1068 : process_shmem_requests_in_progress = true;
1884 [ + + ]: 1068 : if (shmem_request_hook)
1885 : 1 : shmem_request_hook();
1886 : 1068 : process_shmem_requests_in_progress = false;
1887 : 1068 : }
1888 : :
1889 : : void
6354 peter_e@gmx.net 1890 : 2488 : pg_bindtextdomain(const char *domain)
1891 : : {
1892 : : #ifdef ENABLE_NLS
6417 alvherre@alvh.no-ip. 1893 [ + - ]: 2488 : if (my_exec_path[0] != '\0')
1894 : : {
1895 : : char locale_path[MAXPGPATH];
1896 : :
1897 : 2488 : get_locale_path(my_exec_path, locale_path);
1898 : 2488 : bindtextdomain(domain, locale_path);
6236 heikki.linnakangas@i 1899 : 2488 : pg_bind_textdomain_codeset(domain);
1900 : : }
1901 : : #endif
6417 alvherre@alvh.no-ip. 1902 : 2488 : }
|
