Age Owner TLA Line data Source code
1 : /*-------------------------------------------------------------------------
2 : *
3 : * miscinit.c
4 : * miscellaneous initialization support stuff
5 : *
6 : * Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group
7 : * Portions Copyright (c) 1994, Regents of the University of California
8 : *
9 : *
10 : * IDENTIFICATION
11 : * src/backend/utils/init/miscinit.c
12 : *
13 : *-------------------------------------------------------------------------
14 : */
15 : #include "postgres.h"
16 :
17 : #include <sys/param.h>
18 : #include <signal.h>
19 : #include <time.h>
20 : #include <sys/file.h>
21 : #include <sys/stat.h>
22 : #include <sys/time.h>
23 : #include <fcntl.h>
24 : #include <unistd.h>
25 : #include <grp.h>
26 : #include <pwd.h>
27 : #include <netinet/in.h>
28 : #include <arpa/inet.h>
29 : #include <utime.h>
30 :
31 : #include "access/htup_details.h"
32 : #include "catalog/pg_authid.h"
33 : #include "common/file_perm.h"
34 : #include "libpq/libpq.h"
35 : #include "libpq/pqsignal.h"
36 : #include "mb/pg_wchar.h"
37 : #include "miscadmin.h"
38 : #include "pgstat.h"
39 : #include "postmaster/autovacuum.h"
40 : #include "postmaster/interrupt.h"
41 : #include "postmaster/pgarch.h"
42 : #include "postmaster/postmaster.h"
43 : #include "storage/fd.h"
44 : #include "storage/ipc.h"
45 : #include "storage/latch.h"
46 : #include "storage/pg_shmem.h"
47 : #include "storage/pmsignal.h"
48 : #include "storage/proc.h"
49 : #include "storage/procarray.h"
50 : #include "utils/builtins.h"
51 : #include "utils/guc.h"
52 : #include "utils/inval.h"
53 : #include "utils/memutils.h"
54 : #include "utils/pidfile.h"
55 : #include "utils/syscache.h"
56 : #include "utils/varlena.h"
57 :
58 :
59 : #define DIRECTORY_LOCK_FILE "postmaster.pid"
60 :
61 : ProcessingMode Mode = InitProcessing;
62 :
63 : BackendType MyBackendType;
64 :
65 : /* List of lock files to be removed at proc exit */
66 : static List *lock_files = NIL;
67 :
68 : static Latch LocalLatchData;
69 :
70 : /* ----------------------------------------------------------------
71 : * ignoring system indexes support stuff
72 : *
73 : * NOTE: "ignoring system indexes" means we do not use the system indexes
74 : * for lookups (either in hardwired catalog accesses or in planner-generated
75 : * plans). We do, however, still update the indexes when a catalog
76 : * modification is made.
77 : * ----------------------------------------------------------------
78 : */
79 :
80 : bool IgnoreSystemIndexes = false;
81 :
82 :
83 : /* ----------------------------------------------------------------
84 : * common process startup code
85 : * ----------------------------------------------------------------
86 : */
87 :
88 : /*
89 : * Initialize the basic environment for a postmaster child
90 : *
91 : * Should be called as early as possible after the child's startup. However,
92 : * on EXEC_BACKEND builds it does need to be after read_backend_variables().
93 : */
94 : void
1124 peter 95 CBC 12815 : InitPostmasterChild(void)
96 : {
97 12815 : IsUnderPostmaster = true; /* we are a postmaster subprocess now */
98 :
99 : /*
100 : * Start our win32 signal implementation. This has to be done after we
101 : * read the backend variables, because we need to pick up the signal pipe
102 : * from the parent process.
103 : */
104 : #ifdef WIN32
105 : pgwin32_signal_initialize();
106 : #endif
107 :
108 : /*
109 : * Set reference point for stack-depth checking. This might seem
110 : * redundant in !EXEC_BACKEND builds; but it's not because the postmaster
111 : * launches its children from signal handlers, so we might be running on
112 : * an alternative stack.
113 : */
416 tgl 114 12815 : (void) set_stack_base();
115 :
1124 peter 116 12815 : InitProcessGlobals();
117 :
118 : /*
119 : * make sure stderr is in binary mode before anything can possibly be
120 : * written to it, in case it's actually the syslogger pipe, so the pipe
121 : * chunking protocol isn't disturbed. Non-logpipe data gets translated on
122 : * redirection (e.g. via pg_ctl -l) anyway.
123 : */
124 : #ifdef WIN32
125 : _setmode(fileno(stderr), _O_BINARY);
126 : #endif
127 :
128 : /* We don't want the postmaster's proc_exit() handlers */
129 12815 : on_exit_reset();
130 :
131 : /* In EXEC_BACKEND case we will not have inherited BlockSig etc values */
132 : #ifdef EXEC_BACKEND
133 : pqinitmask();
134 : #endif
135 :
136 : /* Initialize process-local latch support */
137 12815 : InitializeLatchSupport();
87 tmunro 138 GNC 12815 : InitProcessLocalLatch();
983 tmunro 139 GIC 12815 : InitializeLatchWaitSet();
140 :
141 : /*
142 : * If possible, make this process a group leader, so that the postmaster
143 : * can signal any child processes too. Not all processes will have
144 : * children, but for consistency we make all postmaster child processes do
145 : * this.
146 : */
1124 peter 147 ECB : #ifdef HAVE_SETSID
1124 peter 148 GBC 12815 : if (setsid() < 0)
1124 peter 149 UIC 0 : elog(FATAL, "setsid() failed: %m");
150 : #endif
151 :
152 : /*
153 : * Every postmaster child process is expected to respond promptly to
154 : * SIGQUIT at all times. Therefore we centrally remove SIGQUIT from
155 : * BlockSig and install a suitable signal handler. (Client-facing
156 : * processes may choose to replace this default choice of handler with
157 : * quickdie().) All other blockable signals remain blocked for now.
935 tgl 158 ECB : */
935 tgl 159 GIC 12815 : pqsignal(SIGQUIT, SignalHandlerForCrashExit);
935 tgl 160 ECB :
935 tgl 161 CBC 12815 : sigdelset(&BlockSig, SIGQUIT);
65 tmunro 162 GNC 12815 : sigprocmask(SIG_SETMASK, &BlockSig, NULL);
163 :
1124 peter 164 ECB : /* Request a signal if the postmaster dies, if possible. */
1124 peter 165 GIC 12815 : PostmasterDeathSignalInit();
166 :
167 : /* Don't give the pipe to subprograms that we execute. */
168 : #ifndef WIN32
37 tmunro 169 GNC 12815 : if (fcntl(postmaster_alive_fds[POSTMASTER_FD_WATCH], F_SETFD, FD_CLOEXEC) < 0)
37 tmunro 170 UNC 0 : ereport(FATAL,
171 : (errcode_for_socket_access(),
172 : errmsg_internal("could not set postmaster death monitoring pipe to FD_CLOEXEC mode: %m")));
173 : #endif
1124 peter 174 GIC 12815 : }
175 :
1124 peter 176 ECB : /*
1124 peter 177 EUB : * Initialize the basic environment for a standalone process.
178 : *
179 : * argv0 has to be suitable to find the program's executable.
180 : */
1124 peter 181 ECB : void
1124 peter 182 GIC 1256 : InitStandaloneProcess(const char *argv0)
183 : {
184 1256 : Assert(!IsPostmasterEnvironment);
185 :
230 andres 186 GNC 1256 : MyBackendType = B_STANDALONE_BACKEND;
187 :
188 : /*
189 : * Start our win32 signal implementation
190 : */
612 andres 191 ECB : #ifdef WIN32
192 : pgwin32_signal_initialize();
193 : #endif
194 :
1124 peter 195 CBC 1256 : InitProcessGlobals();
196 :
197 : /* Initialize process-local latch support */
1124 peter 198 GIC 1256 : InitializeLatchSupport();
87 tmunro 199 GNC 1256 : InitProcessLocalLatch();
983 tmunro 200 GIC 1256 : InitializeLatchWaitSet();
201 :
202 : /*
935 tgl 203 ECB : * For consistency with InitPostmasterChild, initialize signal mask here.
204 : * But we don't unblock SIGQUIT or provide a default handler for it.
205 : */
935 tgl 206 CBC 1256 : pqinitmask();
65 tmunro 207 GNC 1256 : sigprocmask(SIG_SETMASK, &BlockSig, NULL);
935 tgl 208 ECB :
209 : /* Compute paths, no postmaster to inherit from */
1124 peter 210 GIC 1256 : if (my_exec_path[0] == '\0')
211 : {
212 1256 : if (find_my_exec(argv0, my_exec_path) < 0)
1124 peter 213 UIC 0 : elog(FATAL, "%s: could not locate my own executable path",
1124 peter 214 ECB : argv0);
215 : }
216 :
1124 peter 217 GIC 1256 : if (pkglib_path[0] == '\0')
1124 peter 218 CBC 1256 : get_pkglib_path(my_exec_path, pkglib_path);
1124 peter 219 GIC 1256 : }
1124 peter 220 ECB :
1124 peter 221 EUB : void
1124 peter 222 GIC 13373 : SwitchToSharedLatch(void)
223 : {
224 13373 : Assert(MyLatch == &LocalLatchData);
1124 peter 225 CBC 13373 : Assert(MyProc != NULL);
1124 peter 226 ECB :
1124 peter 227 CBC 13373 : MyLatch = &MyProc->procLatch;
228 :
1124 peter 229 GIC 13373 : if (FeBeWaitSet)
769 tmunro 230 CBC 8695 : ModifyWaitEvent(FeBeWaitSet, FeBeWaitSetLatchPos, WL_LATCH_SET,
231 : MyLatch);
1124 peter 232 ECB :
233 : /*
234 : * Set the shared latch as the local one might have been set. This
235 : * shouldn't normally be necessary as code is supposed to check the
236 : * condition before waiting for the latch, but a bit care can't hurt.
237 : */
1124 peter 238 CBC 13373 : SetLatch(MyLatch);
1124 peter 239 GIC 13373 : }
240 :
241 : void
87 tmunro 242 GNC 14672 : InitProcessLocalLatch(void)
243 : {
244 14672 : MyLatch = &LocalLatchData;
245 14672 : InitLatch(MyLatch);
246 14672 : }
247 :
248 : void
1124 peter 249 GIC 13373 : SwitchBackToLocalLatch(void)
250 : {
251 13373 : Assert(MyLatch != &LocalLatchData);
252 13373 : Assert(MyProc != NULL && MyLatch == &MyProc->procLatch);
1124 peter 253 ECB :
1124 peter 254 CBC 13373 : MyLatch = &LocalLatchData;
255 :
1124 peter 256 GIC 13373 : if (FeBeWaitSet)
769 tmunro 257 CBC 8695 : ModifyWaitEvent(FeBeWaitSet, FeBeWaitSetLatchPos, WL_LATCH_SET,
258 : MyLatch);
1124 peter 259 ECB :
1124 peter 260 CBC 13373 : SetLatch(MyLatch);
261 13373 : }
262 :
263 : const char *
264 28018 : GetBackendTypeDesc(BackendType backendType)
265 : {
266 28018 : const char *backendDesc = "unknown process type";
1124 peter 267 ECB :
1124 peter 268 GIC 28018 : switch (backendType)
1124 peter 269 ECB : {
1124 peter 270 GIC 56 : case B_INVALID:
1124 peter 271 CBC 56 : backendDesc = "not initialized";
272 56 : break;
230 andres 273 GNC 86 : case B_ARCHIVER:
274 86 : backendDesc = "archiver";
275 86 : break;
1124 peter 276 GIC 909 : case B_AUTOVAC_LAUNCHER:
277 909 : backendDesc = "autovacuum launcher";
1124 peter 278 CBC 909 : break;
279 195 : case B_AUTOVAC_WORKER:
1124 peter 280 GIC 195 : backendDesc = "autovacuum worker";
281 195 : break;
1124 peter 282 CBC 20923 : case B_BACKEND:
1124 peter 283 GIC 20923 : backendDesc = "client backend";
1124 peter 284 CBC 20923 : break;
1124 peter 285 GIC 56 : case B_BG_WORKER:
1124 peter 286 CBC 56 : backendDesc = "background worker";
1124 peter 287 GIC 56 : break;
1124 peter 288 CBC 971 : case B_BG_WRITER:
289 971 : backendDesc = "background writer";
290 971 : break;
291 1279 : case B_CHECKPOINTER:
292 1279 : backendDesc = "checkpointer";
293 1279 : break;
230 andres 294 GNC 57 : case B_LOGGER:
295 57 : backendDesc = "logger";
296 57 : break;
297 56 : case B_STANDALONE_BACKEND:
298 56 : backendDesc = "standalone backend";
299 56 : break;
1124 peter 300 CBC 707 : case B_STARTUP:
301 707 : backendDesc = "startup";
302 707 : break;
303 254 : case B_WAL_RECEIVER:
304 254 : backendDesc = "walreceiver";
305 254 : break;
306 1541 : case B_WAL_SENDER:
307 1541 : backendDesc = "walsender";
308 1541 : break;
309 928 : case B_WAL_WRITER:
310 928 : backendDesc = "walwriter";
311 928 : break;
1124 peter 312 ECB : }
313 :
1124 peter 314 CBC 28018 : return backendDesc;
1124 peter 315 ECB : }
316 :
9770 scrappy 317 : /* ----------------------------------------------------------------
9345 bruce 318 : * database path / name support stuff
9770 scrappy 319 : * ----------------------------------------------------------------
320 : */
321 :
322 : void
8487 peter_e 323 CBC 10520 : SetDatabasePath(const char *path)
9770 scrappy 324 ECB : {
4988 tgl 325 : /* This should happen only once per process */
4988 tgl 326 CBC 10520 : Assert(!DatabasePath);
327 10520 : DatabasePath = MemoryContextStrdup(TopMemoryContext, path);
9770 scrappy 328 10520 : }
9770 scrappy 329 ECB :
330 : /*
331 : * Validate the proposed data directory.
1828 sfrost 332 : *
333 : * Also initialize file and directory create modes and mode mask.
334 : */
335 : void
1828 sfrost 336 GIC 1830 : checkDataDir(void)
337 : {
338 : struct stat stat_buf;
339 :
340 1830 : Assert(DataDir);
1828 sfrost 341 ECB :
1828 sfrost 342 GIC 1830 : if (stat(DataDir, &stat_buf) != 0)
343 : {
1828 sfrost 344 LBC 0 : if (errno == ENOENT)
345 0 : ereport(FATAL,
1828 sfrost 346 ECB : (errcode_for_file_access(),
347 : errmsg("data directory \"%s\" does not exist",
348 : DataDir)));
349 : else
1828 sfrost 350 UIC 0 : ereport(FATAL,
351 : (errcode_for_file_access(),
352 : errmsg("could not read permissions of directory \"%s\": %m",
353 : DataDir)));
1828 sfrost 354 ECB : }
355 :
356 : /* eventual chdir would fail anyway, but let's test ... */
1828 sfrost 357 GIC 1830 : if (!S_ISDIR(stat_buf.st_mode))
1828 sfrost 358 LBC 0 : ereport(FATAL,
359 : (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
1828 sfrost 360 ECB : errmsg("specified data directory \"%s\" is not a directory",
361 : DataDir)));
1828 sfrost 362 EUB :
363 : /*
364 : * Check that the directory belongs to my userid; if not, reject.
365 : *
366 : * This check is an essential part of the interlock that prevents two
367 : * postmasters from starting in the same directory (see CreateLockFile()).
368 : * Do not remove or weaken it.
369 : *
370 : * XXX can we safely enable this check on Windows?
371 : */
372 : #if !defined(WIN32) && !defined(__CYGWIN__)
1828 sfrost 373 GIC 1830 : if (stat_buf.st_uid != geteuid())
1828 sfrost 374 UIC 0 : ereport(FATAL,
1828 sfrost 375 ECB : (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
1828 sfrost 376 EUB : errmsg("data directory \"%s\" has wrong ownership",
377 : DataDir),
378 : errhint("The server must be started by the user that owns the data directory.")));
379 : #endif
380 :
381 : /*
382 : * Check if the directory has correct permissions. If not, reject.
383 : *
384 : * Only two possible modes are allowed, 0700 and 0750. The latter mode
385 : * indicates that group read/execute should be allowed on all newly
386 : * created files and directories.
387 : *
388 : * XXX temporarily suppress check when on Windows, because there may not
389 : * be proper support for Unix-y file permissions. Need to think of a
390 : * reasonable check to apply on Windows.
1828 sfrost 391 ECB : */
1828 sfrost 392 EUB : #if !defined(WIN32) && !defined(__CYGWIN__)
1828 sfrost 393 GIC 1830 : if (stat_buf.st_mode & PG_MODE_MASK_GROUP)
1828 sfrost 394 UIC 0 : ereport(FATAL,
395 : (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
396 : errmsg("data directory \"%s\" has invalid permissions",
397 : DataDir),
398 : errdetail("Permissions should be u=rwx (0700) or u=rwx,g=rx (0750).")));
399 : #endif
400 :
401 : /*
402 : * Reset creation modes and mask based on the mode of the data directory.
403 : *
404 : * The mask was set earlier in startup to disallow group permissions on
405 : * newly created files and directories. However, if group read/execute
406 : * are present on the data directory then modify the create modes and mask
407 : * to allow group read/execute on newly created files and directories and
408 : * set the data_directory_mode GUC.
409 : *
410 : * Suppress when on Windows, because there may not be proper support for
1828 sfrost 411 ECB : * Unix-y file permissions.
1828 sfrost 412 EUB : */
413 : #if !defined(WIN32) && !defined(__CYGWIN__)
1828 sfrost 414 GIC 1830 : SetDataDirectoryCreatePerm(stat_buf.st_mode);
415 :
416 1830 : umask(pg_mode_mask);
417 1830 : data_directory_mode = pg_dir_create_mode;
418 : #endif
419 :
420 : /* Check for PG_VERSION */
421 1830 : ValidatePgVersion(DataDir);
422 1830 : }
423 :
424 : /*
425 : * Set data directory, but make sure it's an absolute path. Use this,
426 : * never set DataDir directly.
427 : */
428 : void
8166 tgl 429 1833 : SetDataDir(const char *dir)
430 : {
431 : char *new;
8166 tgl 432 ECB :
163 peter 433 GNC 1833 : Assert(dir);
8166 tgl 434 ECB :
7706 435 : /* If presented path is relative, convert to absolute */
6756 tgl 436 GIC 1833 : new = make_absolute_path(dir);
437 :
297 peter 438 GNC 1833 : free(DataDir);
6756 tgl 439 CBC 1833 : DataDir = new;
6756 tgl 440 GIC 1833 : }
441 :
442 : /*
443 : * Change working directory to DataDir. Most of the postmaster and backend
444 : * code assumes that we are in DataDir so it can use relative paths to access
445 : * stuff in and under the data directory. For convenience during path
6488 tgl 446 ECB : * setup, however, we don't force the chdir to occur during SetDataDir.
447 : */
448 : void
6488 tgl 449 GIC 1830 : ChangeToDataDir(void)
6488 tgl 450 ECB : {
163 peter 451 GNC 1830 : Assert(DataDir);
452 :
6488 tgl 453 CBC 1830 : if (chdir(DataDir) < 0)
6488 tgl 454 UIC 0 : ereport(FATAL,
6488 tgl 455 ECB : (errcode_for_file_access(),
456 : errmsg("could not change directory to \"%s\": %m",
457 : DataDir)));
6488 tgl 458 GIC 1830 : }
459 :
460 :
461 : /* ----------------------------------------------------------------
462 : * User ID state
463 : *
464 : * We have to track several different values associated with the concept
465 : * of "user ID".
6467 tgl 466 ECB : *
467 : * AuthenticatedUserId is determined at connection start and never changes.
468 : *
469 : * SessionUserId is initially the same as AuthenticatedUserId, but can be
470 : * changed by SET SESSION AUTHORIZATION (if AuthenticatedUserIsSuperuser).
6467 tgl 471 EUB : * This is the ID reported by the SESSION_USER SQL function.
472 : *
473 : * OuterUserId is the current user ID in effect at the "outer level" (outside
474 : * any transaction or function). This is initially the same as SessionUserId,
6467 tgl 475 ECB : * but can be changed by SET ROLE to any role that SessionUserId is a
476 : * member of. (XXX rename to something like CurrentRoleId?)
477 : *
478 : * CurrentUserId is the current effective user ID; this is the one to use
479 : * for all normal permissions-checking purposes. At outer level this will
480 : * be the same as OuterUserId, but it changes during calls to SECURITY
481 : * DEFINER functions, as well as locally in some specialized commands.
482 : *
483 : * SecurityRestrictionContext holds flags indicating reason(s) for changing
484 : * CurrentUserId. In some cases we need to lock down operations that are
485 : * not directly controlled by privilege settings, and this provides a
486 : * convenient way to do it.
487 : * ----------------------------------------------------------------
488 : */
489 : static Oid AuthenticatedUserId = InvalidOid;
490 : static Oid SessionUserId = InvalidOid;
491 : static Oid OuterUserId = InvalidOid;
492 : static Oid CurrentUserId = InvalidOid;
493 : static const char *SystemUser = NULL;
494 :
495 : /* We also have to remember the superuser state of some of these levels */
496 : static bool AuthenticatedUserIsSuperuser = false;
497 : static bool SessionUserIsSuperuser = false;
498 :
499 : static int SecurityRestrictionContext = 0;
500 :
501 : /* We also remember if a SET ROLE is currently active */
502 : static bool SetRoleIsActive = false;
503 :
504 : /*
505 : * GetUserId - get the current effective user ID.
506 : *
507 : * Note: there's no SetUserId() anymore; use SetUserIdAndSecContext().
508 : */
509 : Oid
8237 peter_e 510 GIC 7666832 : GetUserId(void)
511 : {
163 peter 512 GNC 7666832 : Assert(OidIsValid(CurrentUserId));
8237 peter_e 513 GIC 7666832 : return CurrentUserId;
514 : }
515 :
516 :
517 : /*
518 : * GetOuterUserId/SetOuterUserId - get/set the outer-level user ID.
519 : */
520 : Oid
6467 tgl 521 703 : GetOuterUserId(void)
522 : {
163 peter 523 GNC 703 : Assert(OidIsValid(OuterUserId));
6467 tgl 524 GIC 703 : return OuterUserId;
525 : }
526 :
527 :
6467 tgl 528 ECB : static void
6467 tgl 529 GIC 1978 : SetOuterUserId(Oid userid)
6467 tgl 530 ECB : {
163 peter 531 GNC 1978 : Assert(SecurityRestrictionContext == 0);
532 1978 : Assert(OidIsValid(userid));
6467 tgl 533 GIC 1978 : OuterUserId = userid;
534 :
535 : /* We force the effective user ID to match, too */
536 1978 : CurrentUserId = userid;
537 1978 : }
538 :
6467 tgl 539 ECB :
540 : /*
541 : * GetSessionUserId/SetSessionUserId - get/set the session user ID.
8237 peter_e 542 : */
543 : Oid
8237 peter_e 544 GIC 22225 : GetSessionUserId(void)
545 : {
163 peter 546 GNC 22225 : Assert(OidIsValid(SessionUserId));
8237 peter_e 547 CBC 22225 : return SessionUserId;
548 : }
8237 peter_e 549 ECB :
550 :
6467 tgl 551 : static void
6467 tgl 552 GIC 24376 : SetSessionUserId(Oid userid, bool is_superuser)
553 : {
163 peter 554 GNC 24376 : Assert(SecurityRestrictionContext == 0);
555 24376 : Assert(OidIsValid(userid));
6467 tgl 556 GIC 24376 : SessionUserId = userid;
557 24376 : SessionUserIsSuperuser = is_superuser;
558 24376 : SetRoleIsActive = false;
559 :
560 : /* We force the effective user IDs to match, too */
561 24376 : OuterUserId = userid;
6467 tgl 562 CBC 24376 : CurrentUserId = userid;
8250 peter_e 563 GIC 24376 : }
9345 bruce 564 ECB :
565 : /*
566 : * Return the system user representing the authenticated identity.
567 : * It is defined in InitializeSystemUser() as auth_method:authn_id.
568 : */
569 : const char *
192 michael 570 GNC 33 : GetSystemUser(void)
571 : {
572 33 : return SystemUser;
573 : }
574 :
3090 rhaas 575 ECB : /*
576 : * GetAuthenticatedUserId - get the authenticated user ID
577 : */
578 : Oid
3090 rhaas 579 GIC 403 : GetAuthenticatedUserId(void)
3090 rhaas 580 ECB : {
163 peter 581 GNC 403 : Assert(OidIsValid(AuthenticatedUserId));
3090 rhaas 582 CBC 403 : return AuthenticatedUserId;
3090 rhaas 583 ECB : }
584 :
8250 peter_e 585 :
5575 tgl 586 : /*
587 : * GetUserIdAndSecContext/SetUserIdAndSecContext - get/set the current user ID
588 : * and the SecurityRestrictionContext flags.
589 : *
2744 sfrost 590 : * Currently there are three valid bits in SecurityRestrictionContext:
4869 tgl 591 : *
592 : * SECURITY_LOCAL_USERID_CHANGE indicates that we are inside an operation
593 : * that is temporarily changing CurrentUserId via these functions. This is
594 : * needed to indicate that the actual value of CurrentUserId is not in sync
595 : * with guc.c's internal state, so SET ROLE has to be disallowed.
596 : *
597 : * SECURITY_RESTRICTED_OPERATION indicates that we are inside an operation
335 noah 598 : * that does not wish to trust called user-defined functions at all. The
599 : * policy is to use this before operations, e.g. autovacuum and REINDEX, that
600 : * enumerate relations of a database or schema and run functions associated
601 : * with each found relation. The relation owner is the new user ID. Set this
602 : * as soon as possible after locking the relation. Restore the old user ID as
603 : * late as possible before closing the relation; restoring it shortly after
604 : * close is also tolerable. If a command has both relation-enumerating and
605 : * non-enumerating modes, e.g. ANALYZE, both modes set this bit. This bit
606 : * prevents not only SET ROLE, but various other changes of session state that
607 : * normally is unprotected but might possibly be used to subvert the calling
608 : * session later. An example is replacing an existing prepared statement with
609 : * new code, which will then be executed with the outer session's permissions
610 : * when the prepared statement is next used. These restrictions are fairly
611 : * draconian, but the functions called in relation-enumerating operations are
612 : * really supposed to be side-effect-free anyway.
613 : *
614 : * SECURITY_NOFORCE_RLS indicates that we are inside an operation which should
615 : * ignore the FORCE ROW LEVEL SECURITY per-table indication. This is used to
616 : * ensure that FORCE RLS does not mistakenly break referential integrity
617 : * checks. Note that this is intentionally only checked when running as the
618 : * owner of the table (which should always be the case for referential
619 : * integrity checks).
620 : *
621 : * Unlike GetUserId, GetUserIdAndSecContext does *not* Assert that the current
622 : * value of CurrentUserId is valid; nor does SetUserIdAndSecContext require
623 : * the new value to be valid. In fact, these routines had better not
624 : * ever throw any kind of error. This is because they are used by
625 : * StartTransaction and AbortTransaction to save/restore the settings,
626 : * and during the first transaction within a backend, the value to be saved
627 : * and perhaps restored is indeed invalid. We have to be able to get
628 : * through AbortTransaction without asserting in case InitPostgres fails.
629 : */
630 : void
4869 tgl 631 GIC 873030 : GetUserIdAndSecContext(Oid *userid, int *sec_context)
632 : {
5575 633 873030 : *userid = CurrentUserId;
4869 634 873030 : *sec_context = SecurityRestrictionContext;
5575 635 873030 : }
636 :
637 : void
4869 638 832273 : SetUserIdAndSecContext(Oid userid, int sec_context)
639 : {
5575 640 832273 : CurrentUserId = userid;
4869 641 832273 : SecurityRestrictionContext = sec_context;
5575 642 832273 : }
643 :
644 :
645 : /*
646 : * InLocalUserIdChange - are we inside a local change of CurrentUserId?
647 : */
648 : bool
4869 649 13780 : InLocalUserIdChange(void)
650 : {
651 13780 : return (SecurityRestrictionContext & SECURITY_LOCAL_USERID_CHANGE) != 0;
652 : }
653 :
654 : /*
655 : * InSecurityRestrictedOperation - are we inside a security-restricted command?
656 : */
657 : bool
658 18550 : InSecurityRestrictedOperation(void)
5575 tgl 659 ECB : {
4869 tgl 660 GIC 18550 : return (SecurityRestrictionContext & SECURITY_RESTRICTED_OPERATION) != 0;
4869 tgl 661 ECB : }
662 :
2744 sfrost 663 : /*
664 : * InNoForceRLSOperation - are we ignoring FORCE ROW LEVEL SECURITY ?
665 : */
666 : bool
2744 sfrost 667 GIC 93 : InNoForceRLSOperation(void)
2744 sfrost 668 ECB : {
2744 sfrost 669 CBC 93 : return (SecurityRestrictionContext & SECURITY_NOFORCE_RLS) != 0;
2744 sfrost 670 ECB : }
671 :
672 :
673 : /*
674 : * These are obsolete versions of Get/SetUserIdAndSecContext that are
675 : * only provided for bug-compatibility with some rather dubious code in
676 : * pljava. We allow the userid to be set, but only when not inside a
4869 tgl 677 : * security restriction context.
678 : */
679 : void
4869 tgl 680 UIC 0 : GetUserIdAndContext(Oid *userid, bool *sec_def_context)
681 : {
682 0 : *userid = CurrentUserId;
683 0 : *sec_def_context = InLocalUserIdChange();
684 0 : }
685 :
4869 tgl 686 ECB : void
4869 tgl 687 UIC 0 : SetUserIdAndContext(Oid userid, bool sec_def_context)
4869 tgl 688 ECB : {
689 : /* We throw the same error SET ROLE would. */
4869 tgl 690 UIC 0 : if (InSecurityRestrictedOperation())
691 0 : ereport(ERROR,
692 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
693 : errmsg("cannot set parameter \"%s\" within security-restricted operation",
694 : "role")));
4869 tgl 695 LBC 0 : CurrentUserId = userid;
4869 tgl 696 UIC 0 : if (sec_def_context)
4869 tgl 697 LBC 0 : SecurityRestrictionContext |= SECURITY_LOCAL_USERID_CHANGE;
698 : else
4869 tgl 699 UIC 0 : SecurityRestrictionContext &= ~SECURITY_LOCAL_USERID_CHANGE;
5575 700 0 : }
701 :
702 :
703 : /*
704 : * Check whether specified role has explicit REPLICATION privilege
705 : */
706 : bool
3029 alvherre 707 GIC 1297 : has_rolreplication(Oid roleid)
3029 alvherre 708 EUB : {
3029 alvherre 709 GIC 1297 : bool result = false;
3029 alvherre 710 EUB : HeapTuple utup;
711 :
712 : /* Superusers bypass all permission checking. */
24 peter 713 GNC 1297 : if (superuser_arg(roleid))
714 1248 : return true;
715 :
3029 alvherre 716 GBC 49 : utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
3029 alvherre 717 GIC 49 : if (HeapTupleIsValid(utup))
718 : {
3029 alvherre 719 GBC 49 : result = ((Form_pg_authid) GETSTRUCT(utup))->rolreplication;
3029 alvherre 720 GIC 49 : ReleaseSysCache(utup);
721 : }
3029 alvherre 722 GBC 49 : return result;
3029 alvherre 723 EUB : }
724 :
725 : /*
726 : * Initialize user identity during normal backend startup
6467 tgl 727 : */
8250 peter_e 728 : void
2988 rhaas 729 GBC 10243 : InitializeSessionUserId(const char *rolename, Oid roleid)
730 : {
6494 tgl 731 EUB : HeapTuple roleTup;
732 : Form_pg_authid rform;
733 : char *rname;
734 :
735 : /*
736 : * Don't do scans if we're bootstrapping, none of the system catalogs
737 : * exist yet, and they should be owned by postgres anyway.
738 : */
163 peter 739 GNC 10243 : Assert(!IsBootstrapProcessingMode());
740 :
8006 peter_e 741 ECB : /* call only once */
163 peter 742 GNC 10243 : Assert(!OidIsValid(AuthenticatedUserId));
743 :
744 : /*
1418 tgl 745 ECB : * Make sure syscache entries are flushed for recent catalog changes. This
746 : * allows us to find roles that were created on-the-fly during
747 : * authentication.
1731 tmunro 748 : */
1731 tmunro 749 CBC 10243 : AcceptInvalidationMessages();
750 :
2988 rhaas 751 10243 : if (rolename != NULL)
2592 rhaas 752 ECB : {
2988 rhaas 753 GIC 8628 : roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(rolename));
2592 rhaas 754 CBC 8628 : if (!HeapTupleIsValid(roleTup))
2592 rhaas 755 GIC 2 : ereport(FATAL,
756 : (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
757 : errmsg("role \"%s\" does not exist", rolename)));
758 : }
759 : else
760 : {
2988 rhaas 761 CBC 1615 : roleTup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
2592 rhaas 762 GIC 1615 : if (!HeapTupleIsValid(roleTup))
2592 rhaas 763 UIC 0 : ereport(FATAL,
764 : (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
765 : errmsg("role with OID %u does not exist", roleid)));
766 : }
767 :
6494 tgl 768 GIC 10241 : rform = (Form_pg_authid) GETSTRUCT(roleTup);
1601 andres 769 10241 : roleid = rform->oid;
2592 rhaas 770 10241 : rname = NameStr(rform->rolname);
8179 tgl 771 ECB :
6494 tgl 772 GIC 10241 : AuthenticatedUserId = roleid;
3029 alvherre 773 10241 : AuthenticatedUserIsSuperuser = rform->rolsuper;
8006 peter_e 774 ECB :
775 : /* This sets OuterUserId/CurrentUserId too */
6467 tgl 776 GIC 10241 : SetSessionUserId(roleid, AuthenticatedUserIsSuperuser);
777 :
778 : /* Also mark our PGPROC entry with the authenticated user id */
779 : /* (We assume this is an atomic store so no lock is needed) */
6461 780 10241 : MyProc->roleId = roleid;
6461 tgl 781 ECB :
782 : /*
783 : * These next checks are not enforced when in standalone mode, so that
784 : * there is a way to recover from sillinesses like "UPDATE pg_authid SET
6385 bruce 785 : * rolcanlogin = false;".
6461 tgl 786 : */
4737 tgl 787 CBC 10241 : if (IsUnderPostmaster)
788 : {
789 : /*
790 : * Is role allowed to login at all?
791 : */
3029 alvherre 792 GIC 10241 : if (!rform->rolcanlogin)
6461 tgl 793 CBC 2 : ereport(FATAL,
6461 tgl 794 ECB : (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
6461 tgl 795 EUB : errmsg("role \"%s\" is not permitted to log in",
796 : rname)));
797 :
798 : /*
799 : * Check connection limit for this role.
6461 tgl 800 ECB : *
801 : * There is a race condition here --- we create our PGPROC before
3260 bruce 802 : * checking for other PGPROCs. If two backends did this at about the
803 : * same time, they might both think they were over the limit, while
6461 tgl 804 : * ideally one should succeed and one fail. Getting that to work
6385 bruce 805 : * exactly seems more trouble than it is worth, however; instead we
806 : * just document that the connection limit is approximate.
807 : */
6461 tgl 808 CBC 10239 : if (rform->rolconnlimit >= 0 &&
6461 tgl 809 UIC 0 : !AuthenticatedUserIsSuperuser &&
810 0 : CountUserBackends(roleid) > rform->rolconnlimit)
811 0 : ereport(FATAL,
6461 tgl 812 ECB : (errcode(ERRCODE_TOO_MANY_CONNECTIONS),
813 : errmsg("too many connections for role \"%s\"",
814 : rname)));
815 : }
816 :
817 : /* Record username and superuser status as GUC settings too */
2592 rhaas 818 GIC 10239 : SetConfigOption("session_authorization", rname,
7632 tgl 819 ECB : PGC_BACKEND, PGC_S_OVERRIDE);
7226 tgl 820 GIC 10239 : SetConfigOption("is_superuser",
821 10239 : AuthenticatedUserIsSuperuser ? "on" : "off",
822 : PGC_INTERNAL, PGC_S_DYNAMIC_DEFAULT);
823 :
6494 tgl 824 CBC 10239 : ReleaseSysCache(roleTup);
8006 peter_e 825 10239 : }
826 :
827 :
828 : /*
829 : * Initialize user identity during special backend startup
830 : */
831 : void
7883 peter_e 832 GIC 961 : InitializeSessionUserIdStandalone(void)
833 : {
834 : /*
835 : * This function should only be called in single-user mode, in autovacuum
836 : * workers, and in background workers.
837 : */
163 peter 838 GNC 961 : Assert(!IsUnderPostmaster || IsAutoVacuumWorkerProcess() || IsBackgroundWorker);
839 :
7883 peter_e 840 ECB : /* call only once */
163 peter 841 GNC 961 : Assert(!OidIsValid(AuthenticatedUserId));
7883 peter_e 842 EUB :
6494 tgl 843 GBC 961 : AuthenticatedUserId = BOOTSTRAP_SUPERUSERID;
7883 peter_e 844 GIC 961 : AuthenticatedUserIsSuperuser = true;
845 :
6467 tgl 846 961 : SetSessionUserId(BOOTSTRAP_SUPERUSERID, true);
7883 peter_e 847 961 : }
848 :
849 : /*
850 : * Initialize the system user.
851 : *
852 : * This is built as auth_method:authn_id.
853 : */
854 : void
192 michael 855 GNC 119 : InitializeSystemUser(const char *authn_id, const char *auth_method)
856 : {
857 : char *system_user;
858 :
859 : /* call only once */
860 119 : Assert(SystemUser == NULL);
861 :
862 : /*
863 : * InitializeSystemUser should be called only when authn_id is not NULL,
864 : * meaning that auth_method is valid.
865 : */
866 119 : Assert(authn_id != NULL);
867 :
868 119 : system_user = psprintf("%s:%s", auth_method, authn_id);
869 :
870 : /* Store SystemUser in long-lived storage */
871 119 : SystemUser = MemoryContextStrdup(TopMemoryContext, system_user);
872 119 : pfree(system_user);
873 119 : }
874 :
875 : /*
876 : * SQL-function SYSTEM_USER
877 : */
878 : Datum
879 33 : system_user(PG_FUNCTION_ARGS)
880 : {
881 33 : const char *sysuser = GetSystemUser();
882 :
883 33 : if (sysuser)
884 22 : PG_RETURN_DATUM(CStringGetTextDatum(sysuser));
885 : else
886 11 : PG_RETURN_NULL();
887 : }
888 :
7969 tgl 889 ECB : /*
890 : * Change session auth ID while running
7643 891 : *
7226 892 : * Only a superuser may set auth ID to something other than himself. Note
893 : * that in case of multiple SETs in a single session, the original userid's
894 : * superuserness is what matters. But we set the GUC variable is_superuser
895 : * to indicate whether the *current* session userid is a superuser.
6467 896 : *
897 : * Note: this is not an especially clean place to do the permission check.
898 : * It's OK because the check does not require catalog access and can't
899 : * fail during an end-of-transaction GUC reversion, but we may someday
900 : * have to push it up into assign_session_authorization.
901 : */
902 : void
6467 tgl 903 CBC 13174 : SetSessionAuthorization(Oid userid, bool is_superuser)
904 : {
905 : /* Must have authenticated already, else can't make permission check */
163 peter 906 GNC 13174 : Assert(OidIsValid(AuthenticatedUserId));
907 :
6467 tgl 908 GIC 13174 : if (userid != AuthenticatedUserId &&
7632 tgl 909 CBC 1230 : !AuthenticatedUserIsSuperuser)
7198 tgl 910 UIC 0 : ereport(ERROR,
911 : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
6385 bruce 912 ECB : errmsg("permission denied to set session authorization")));
913 :
6467 tgl 914 CBC 13174 : SetSessionUserId(userid, is_superuser);
6467 tgl 915 ECB :
6467 tgl 916 GIC 13174 : SetConfigOption("is_superuser",
6467 tgl 917 ECB : is_superuser ? "on" : "off",
305 918 : PGC_INTERNAL, PGC_S_DYNAMIC_DEFAULT);
6467 tgl 919 GIC 13174 : }
920 :
921 : /*
922 : * Report current role id
923 : * This follows the semantics of SET ROLE, ie return the outer-level ID
924 : * not the current effective ID, and return InvalidOid when the setting
925 : * is logically SET ROLE NONE.
6467 tgl 926 ECB : */
927 : Oid
6467 tgl 928 GIC 403 : GetCurrentRoleId(void)
929 : {
930 403 : if (SetRoleIsActive)
6467 tgl 931 LBC 0 : return OuterUserId;
932 : else
6467 tgl 933 GIC 403 : return InvalidOid;
934 : }
935 :
936 : /*
6467 tgl 937 ECB : * Change Role ID while running (SET ROLE)
938 : *
939 : * If roleid is InvalidOid, we are doing SET ROLE NONE: revert to the
940 : * session user authorization. In this case the is_superuser argument
941 : * is ignored.
942 : *
943 : * When roleid is not InvalidOid, the caller must have checked whether
944 : * the session user has permission to become that role. (We cannot check
945 : * here because this routine must be able to execute in a failed transaction
946 : * to restore a prior value of the ROLE GUC variable.)
947 : */
948 : void
6467 tgl 949 GIC 3835 : SetCurrentRoleId(Oid roleid, bool is_superuser)
6467 tgl 950 ECB : {
951 : /*
952 : * Get correct info if it's SET ROLE NONE
953 : *
954 : * If SessionUserId hasn't been set yet, just do nothing --- the eventual
955 : * SetSessionUserId call will fix everything. This is needed since we
956 : * will get called during GUC initialization.
957 : */
6467 tgl 958 GIC 3835 : if (!OidIsValid(roleid))
959 : {
960 3441 : if (!OidIsValid(SessionUserId))
961 1857 : return;
962 :
963 1584 : roleid = SessionUserId;
964 1584 : is_superuser = SessionUserIsSuperuser;
965 :
966 1584 : SetRoleIsActive = false;
967 : }
968 : else
969 394 : SetRoleIsActive = true;
970 :
971 1978 : SetOuterUserId(roleid);
972 :
7226 973 1978 : SetConfigOption("is_superuser",
7226 tgl 974 ECB : is_superuser ? "on" : "off",
975 : PGC_INTERNAL, PGC_S_DYNAMIC_DEFAULT);
976 : }
8491 ishii 977 :
978 :
8237 peter_e 979 : /*
2892 andrew 980 : * Get user name from user oid, returns NULL for nonexistent roleid if noerr
2892 andrew 981 EUB : * is true.
982 : */
983 : char *
2892 andrew 984 GIC 9141 : GetUserNameFromId(Oid roleid, bool noerr)
8237 peter_e 985 ECB : {
986 : HeapTuple tuple;
8179 tgl 987 : char *result;
988 :
4802 rhaas 989 GIC 9141 : tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
8237 peter_e 990 CBC 9141 : if (!HeapTupleIsValid(tuple))
991 : {
2892 andrew 992 GIC 9 : if (!noerr)
2892 andrew 993 UIC 0 : ereport(ERROR,
994 : (errcode(ERRCODE_UNDEFINED_OBJECT),
995 : errmsg("invalid role OID: %u", roleid)));
2892 andrew 996 GIC 9 : result = NULL;
997 : }
998 : else
2892 andrew 999 ECB : {
2892 andrew 1000 GIC 9132 : result = pstrdup(NameStr(((Form_pg_authid) GETSTRUCT(tuple))->rolname));
2892 andrew 1001 CBC 9132 : ReleaseSysCache(tuple);
2892 andrew 1002 EUB : }
8179 tgl 1003 GIC 9141 : return result;
8237 peter_e 1004 ECB : }
1005 :
1006 : /* ------------------------------------------------------------------------
1007 : * Client connection state shared with parallel workers
1008 : *
1009 : * ClientConnectionInfo contains pieces of information about the client that
1010 : * need to be synced to parallel workers when they initialize.
1011 : *-------------------------------------------------------------------------
1012 : */
1013 :
1014 : ClientConnectionInfo MyClientConnectionInfo;
1015 :
1016 : /*
1017 : * Intermediate representation of ClientConnectionInfo for easier
1018 : * serialization. Variable-length fields are allocated right after this
1019 : * header.
1020 : */
1021 : typedef struct SerializedClientConnectionInfo
1022 : {
1023 : int32 authn_id_len; /* strlen(authn_id), or -1 if NULL */
1024 : UserAuth auth_method;
1025 : } SerializedClientConnectionInfo;
1026 :
1027 : /*
1028 : * Calculate the space needed to serialize MyClientConnectionInfo.
1029 : */
1030 : Size
228 michael 1031 GNC 403 : EstimateClientConnectionInfoSpace(void)
1032 : {
1033 403 : Size size = 0;
1034 :
1035 403 : size = add_size(size, sizeof(SerializedClientConnectionInfo));
1036 :
1037 403 : if (MyClientConnectionInfo.authn_id)
1038 2 : size = add_size(size, strlen(MyClientConnectionInfo.authn_id) + 1);
1039 :
1040 403 : return size;
1041 : }
1042 :
1043 : /*
1044 : * Serialize MyClientConnectionInfo for use by parallel workers.
1045 : */
1046 : void
1047 403 : SerializeClientConnectionInfo(Size maxsize, char *start_address)
1048 : {
1049 403 : SerializedClientConnectionInfo serialized = {0};
1050 :
1051 403 : serialized.authn_id_len = -1;
1052 403 : serialized.auth_method = MyClientConnectionInfo.auth_method;
1053 :
1054 403 : if (MyClientConnectionInfo.authn_id)
1055 2 : serialized.authn_id_len = strlen(MyClientConnectionInfo.authn_id);
1056 :
1057 : /* Copy serialized representation to buffer */
1058 403 : Assert(maxsize >= sizeof(serialized));
1059 403 : memcpy(start_address, &serialized, sizeof(serialized));
1060 :
1061 403 : maxsize -= sizeof(serialized);
1062 403 : start_address += sizeof(serialized);
1063 :
1064 : /* Copy authn_id into the space after the struct */
1065 403 : if (serialized.authn_id_len >= 0)
1066 : {
1067 2 : Assert(maxsize >= (serialized.authn_id_len + 1));
1068 2 : memcpy(start_address,
1069 2 : MyClientConnectionInfo.authn_id,
1070 : /* include the NULL terminator to ease deserialization */
1071 2 : serialized.authn_id_len + 1);
1072 : }
1073 403 : }
1074 :
1075 : /*
1076 : * Restore MyClientConnectionInfo from its serialized representation.
1077 : */
1078 : void
1079 1298 : RestoreClientConnectionInfo(char *conninfo)
1080 : {
1081 : SerializedClientConnectionInfo serialized;
1082 :
1083 1298 : memcpy(&serialized, conninfo, sizeof(serialized));
1084 :
1085 : /* Copy the fields back into place */
1086 1298 : MyClientConnectionInfo.authn_id = NULL;
1087 1298 : MyClientConnectionInfo.auth_method = serialized.auth_method;
1088 :
1089 1298 : if (serialized.authn_id_len >= 0)
1090 : {
1091 : char *authn_id;
1092 :
1093 4 : authn_id = conninfo + sizeof(serialized);
1094 4 : MyClientConnectionInfo.authn_id = MemoryContextStrdup(TopMemoryContext,
1095 : authn_id);
1096 : }
1097 1298 : }
1098 :
1099 :
1100 : /*-------------------------------------------------------------------------
1101 : * Interlock-file support
1102 : *
1103 : * These routines are used to create both a data-directory lockfile
1104 : * ($DATADIR/postmaster.pid) and Unix-socket-file lockfiles ($SOCKFILE.lock).
1105 : * Both kinds of files contain the same info initially, although we can add
1106 : * more information to a data-directory lockfile after it's created, using
1107 : * AddToDataDirLockFile(). See pidfile.h for documentation of the contents
1108 : * of these lockfiles.
1109 : *
1110 : * On successful lockfile creation, a proc_exit callback to remove the
1111 : * lockfile is automatically created.
1112 : *-------------------------------------------------------------------------
8491 ishii 1113 ECB : */
1114 :
1115 : /*
1116 : * proc_exit callback to remove lockfiles.
1117 : */
1118 : static void
3894 tgl 1119 GIC 1828 : UnlinkLockFiles(int status, Datum arg)
1120 : {
1121 : ListCell *l;
7188 bruce 1122 ECB :
3894 tgl 1123 GIC 4246 : foreach(l, lock_files)
7196 bruce 1124 ECB : {
3894 tgl 1125 CBC 2418 : char *curfile = (char *) lfirst(l);
1126 :
1127 2418 : unlink(curfile);
3894 tgl 1128 ECB : /* Should we complain if the unlink fails? */
1129 : }
1130 : /* Since we're about to exit, no need to reclaim storage */
3894 tgl 1131 GIC 1828 : lock_files = NIL;
1132 :
2614 tgl 1133 ECB : /*
1134 : * Lock file removal should always be the last externally visible action
1135 : * of a postmaster or standalone backend, while we won't come here at all
1136 : * when exiting postmaster child processes. Therefore, this is a good
1137 : * place to log completion of shutdown. We could alternatively teach
1138 : * proc_exit() to do it, but that seems uglier. In a standalone backend,
1139 : * use NOTICE elevel to be less chatty.
1140 : */
2614 tgl 1141 GIC 1828 : ereport(IsPostmasterEnvironment ? LOG : NOTICE,
1142 : (errmsg("database system is shut down")));
8491 ishii 1143 1828 : }
1144 :
1145 : /*
1146 : * Create a lockfile.
1147 : *
3894 tgl 1148 ECB : * filename is the path name of the lockfile to create.
1149 : * amPostmaster is used to determine how to encode the output PID.
1150 : * socketDir is the Unix socket directory path to include (possibly empty).
1151 : * isDDLock and refName are used to determine what error message to produce.
1152 : */
7196 1153 : static void
8062 tgl 1154 CBC 2420 : CreateLockFile(const char *filename, bool amPostmaster,
1155 : const char *socketDir,
8062 tgl 1156 ECB : bool isDDLock, const char *refName)
8491 ishii 1157 EUB : {
1158 : int fd;
1159 : char buffer[MAXPGPATH * 2 + 256];
7950 tgl 1160 ECB : int ntries;
1161 : int len;
1162 : int encoded_pid;
1163 : pid_t other_pid;
4973 1164 : pid_t my_pid,
1165 : my_p_pid,
1166 : my_gp_pid;
1167 : const char *envvar;
1168 :
1169 : /*
1170 : * If the PID in the lockfile is our own PID or our parent's or
1171 : * grandparent's PID, then the file must be stale (probably left over from
1172 : * a previous system boot cycle). We need to check this because of the
1173 : * likelihood that a reboot will assign exactly the same PID as we had in
1174 : * the previous reboot, or one that's only one or two counts larger and
1175 : * hence the lockfile's PID now refers to an ancestor shell process. We
1176 : * allow pg_ctl to pass down its parent shell PID (our grandparent PID)
1177 : * via the environment variable PG_GRANDPARENT_PID; this is so that
1178 : * launching the postmaster via pg_ctl can be just as reliable as
1179 : * launching it directly. There is no provision for detecting
1180 : * further-removed ancestor processes, but if the init script is written
1181 : * carefully then all but the immediate parent shell will be root-owned
1182 : * processes and so the kill test will fail with EPERM. Note that we
1183 : * cannot get a false negative this way, because an existing postmaster
1184 : * would surely never launch a competing postmaster or pg_ctl process
1185 : * directly.
1186 : */
4973 tgl 1187 GIC 2420 : my_pid = getpid();
1188 :
1189 : #ifndef WIN32
1190 2420 : my_p_pid = getppid();
1191 : #else
1192 :
1193 : /*
1194 : * Windows hasn't got getppid(), but doesn't need it since it's not using
4790 bruce 1195 ECB : * real kill() either...
1196 : */
4973 tgl 1197 : my_p_pid = 0;
1198 : #endif
1199 :
4973 tgl 1200 GIC 2420 : envvar = getenv("PG_GRANDPARENT_PID");
4973 tgl 1201 CBC 2420 : if (envvar)
1202 1025 : my_gp_pid = atoi(envvar);
1203 : else
1204 1395 : my_gp_pid = 0;
1205 :
1206 : /*
1207 : * We need a loop here because of race conditions. But don't loop forever
1208 : * (for example, a non-writable $PGDATA directory might cause a failure
1209 : * that won't go away). 100 tries seems like plenty.
1210 : */
7836 bruce 1211 2420 : for (ntries = 0;; ntries++)
1212 : {
8166 tgl 1213 ECB : /*
1214 : * Try to create the lock file --- O_EXCL makes this atomic.
6596 1215 : *
1828 sfrost 1216 : * Think not to make the file protection weaker than 0600/0640. See
1217 : * comments below.
8166 tgl 1218 : */
1828 sfrost 1219 CBC 2423 : fd = open(filename, O_RDWR | O_CREAT | O_EXCL, pg_file_create_mode);
8166 tgl 1220 GIC 2423 : if (fd >= 0)
1221 2418 : break; /* Success; exit the retry loop */
8053 bruce 1222 ECB :
8166 tgl 1223 : /*
1224 : * Couldn't create the pid file. Probably it already exists.
1225 : */
7950 tgl 1226 CBC 5 : if ((errno != EEXIST && errno != EACCES) || ntries > 100)
7198 tgl 1227 UIC 0 : ereport(FATAL,
1228 : (errcode_for_file_access(),
7198 tgl 1229 ECB : errmsg("could not create lock file \"%s\": %m",
1230 : filename)));
8397 bruce 1231 :
8491 ishii 1232 : /*
8166 tgl 1233 : * Read the file to get the old owner's PID. Note race condition
1234 : * here: file might have been deleted since we tried to create it.
8491 ishii 1235 : */
1828 sfrost 1236 GIC 5 : fd = open(filename, O_RDONLY, pg_file_create_mode);
8397 bruce 1237 CBC 5 : if (fd < 0)
1238 : {
8166 tgl 1239 UIC 0 : if (errno == ENOENT)
1240 0 : continue; /* race condition; try again */
7198 1241 0 : ereport(FATAL,
1242 : (errcode_for_file_access(),
7198 tgl 1243 ECB : errmsg("could not open lock file \"%s\": %m",
1244 : filename)));
1245 : }
2213 rhaas 1246 GIC 5 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_CREATE_READ);
7032 tgl 1247 CBC 5 : if ((len = read(fd, buffer, sizeof(buffer) - 1)) < 0)
7198 tgl 1248 UIC 0 : ereport(FATAL,
1249 : (errcode_for_file_access(),
7198 tgl 1250 ECB : errmsg("could not read lock file \"%s\": %m",
1251 : filename)));
2213 rhaas 1252 GIC 5 : pgstat_report_wait_end();
8491 ishii 1253 CBC 5 : close(fd);
1254 :
3875 bruce 1255 GIC 5 : if (len == 0)
1256 : {
3875 bruce 1257 LBC 0 : ereport(FATAL,
3875 bruce 1258 ECB : (errcode(ERRCODE_LOCK_FILE_EXISTS),
1259 : errmsg("lock file \"%s\" is empty", filename),
1260 : errhint("Either another server is starting, or the lock file is the remnant of a previous server startup crash.")));
1261 : }
1262 :
8166 tgl 1263 GIC 5 : buffer[len] = '\0';
1264 5 : encoded_pid = atoi(buffer);
1265 :
1266 : /* if pid < 0, the pid is for postgres, not postmaster */
1267 5 : other_pid = (pid_t) (encoded_pid < 0 ? -encoded_pid : encoded_pid);
1268 :
1269 5 : if (other_pid <= 0)
6502 tgl 1270 UIC 0 : elog(FATAL, "bogus data in lock file \"%s\": \"%s\"",
1271 : filename, buffer);
1272 :
1273 : /*
1274 : * Check to see if the other process still exists
1275 : *
1276 : * Per discussion above, my_pid, my_p_pid, and my_gp_pid can be
1277 : * ignored as false matches.
1278 : *
1279 : * Normally kill() will fail with ESRCH if the given PID doesn't
1280 : * exist.
1281 : *
1282 : * We can treat the EPERM-error case as okay because that error
6347 bruce 1283 ECB : * implies that the existing process has a different userid than we
1284 : * do, which means it cannot be a competing postmaster. A postmaster
1285 : * cannot successfully attach to a data directory owned by a userid
1286 : * other than its own, as enforced in checkDataDir(). Also, since we
1828 sfrost 1287 : * create the lockfiles mode 0600/0640, we'd have failed above if the
1288 : * lockfile belonged to another userid --- which means that whatever
1289 : * process kill() is reporting about isn't the one that made the
1290 : * lockfile. (NOTE: this last consideration is the only one that
1291 : * keeps us from blowing away a Unix socket file belonging to an
1292 : * instance of Postgres being run by someone else, at least on
1293 : * machines where /tmp hasn't got a stickybit.)
1294 : */
4973 tgl 1295 CBC 5 : if (other_pid != my_pid && other_pid != my_p_pid &&
1296 : other_pid != my_gp_pid)
1297 : {
7000 neilc 1298 GIC 5 : if (kill(other_pid, 0) == 0 ||
6303 bruce 1299 3 : (errno != ESRCH && errno != EPERM))
1300 : {
1301 : /* lockfile belongs to a live process */
7196 tgl 1302 2 : ereport(FATAL,
1303 : (errcode(ERRCODE_LOCK_FILE_EXISTS),
1304 : errmsg("lock file \"%s\" already exists",
7196 tgl 1305 ECB : filename),
1306 : isDDLock ?
6764 1307 : (encoded_pid < 0 ?
1308 : errhint("Is another postgres (PID %d) running in data directory \"%s\"?",
1309 : (int) other_pid, refName) :
1310 : errhint("Is another postmaster (PID %d) running in data directory \"%s\"?",
1311 : (int) other_pid, refName)) :
1312 : (encoded_pid < 0 ?
1313 : errhint("Is another postgres (PID %d) using socket file \"%s\"?",
1314 : (int) other_pid, refName) :
1315 : errhint("Is another postmaster (PID %d) using socket file \"%s\"?",
1316 : (int) other_pid, refName))));
1317 : }
8491 ishii 1318 : }
1319 :
1320 : /*
1321 : * No, the creating process did not exist. However, it could be that
1322 : * the postmaster crashed (or more likely was kill -9'd by a clueless
1323 : * admin) but has left orphan backends behind. Check for this by
1324 : * looking to see if there is an associated shmem segment that is
1325 : * still in use.
1326 : *
1327 : * Note: because postmaster.pid is written in multiple steps, we might
1328 : * not find the shmem ID values in it; we can't treat that as an
1329 : * error.
1330 : */
8062 tgl 1331 GIC 3 : if (isDDLock)
1332 : {
4485 bruce 1333 1 : char *ptr = buffer;
1334 : unsigned long id1,
1335 : id2;
1336 : int lineno;
1337 :
4469 tgl 1338 7 : for (lineno = 1; lineno < LOCK_FILE_LINE_SHMEM_KEY; lineno++)
1339 : {
4486 bruce 1340 6 : if ((ptr = strchr(ptr, '\n')) == NULL)
4486 bruce 1341 UIC 0 : break;
4486 bruce 1342 GIC 6 : ptr++;
1343 : }
1344 :
4469 tgl 1345 1 : if (ptr != NULL &&
1346 1 : sscanf(ptr, "%lu %lu", &id1, &id2) == 2)
1347 : {
4486 bruce 1348 1 : if (PGSharedMemoryIsInUse(id1, id2))
4486 bruce 1349 UIC 0 : ereport(FATAL,
1350 : (errcode(ERRCODE_LOCK_FILE_EXISTS),
1470 noah 1351 ECB : errmsg("pre-existing shared memory block (key %lu, ID %lu) is still in use",
1352 : id1, id2),
1353 : errhint("Terminate any old server processes associated with data directory \"%s\".",
1354 : refName)));
1355 : }
1356 : }
1357 :
1358 : /*
1359 : * Looks like nobody's home. Unlink the file and try again to create
1360 : * it. Need a loop because of possible race condition against other
1361 : * would-be creators.
1362 : */
8166 tgl 1363 GIC 3 : if (unlink(filename) < 0)
7198 tgl 1364 LBC 0 : ereport(FATAL,
7198 tgl 1365 ECB : (errcode_for_file_access(),
1366 : errmsg("could not remove old lock file \"%s\": %m",
1367 : filename),
1368 : errhint("The file seems accidentally left over, but "
1369 : "it could not be removed. Please remove the file "
1370 : "by hand and try again.")));
1371 : }
1372 :
1373 : /*
1374 : * Successfully created the file, now fill it. See comment in pidfile.h
3260 bruce 1375 : * about the contents. Note that we write the same first five lines into
1376 : * both datadir and socket lockfiles; although more stuff may get added to
1377 : * the datadir lockfile later.
1378 : */
4469 tgl 1379 GIC 2418 : snprintf(buffer, sizeof(buffer), "%d\n%s\n%ld\n%d\n%s\n",
1380 : amPostmaster ? (int) my_pid : -((int) my_pid),
1381 : DataDir,
1382 : (long) MyStartTime,
4469 tgl 1383 ECB : PostPortNumber,
3894 1384 : socketDir);
4469 1385 :
1386 : /*
1387 : * In a standalone backend, the next line (LOCK_FILE_LINE_LISTEN_ADDR)
1388 : * will never receive data, so fill it in as empty now.
1389 : */
3766 tgl 1390 CBC 2418 : if (isDDLock && !amPostmaster)
3766 tgl 1391 GBC 1230 : strlcat(buffer, "\n", sizeof(buffer));
1392 :
7977 tgl 1393 GIC 2418 : errno = 0;
2213 rhaas 1394 2418 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_CREATE_WRITE);
8166 tgl 1395 2418 : if (write(fd, buffer, strlen(buffer)) != strlen(buffer))
1396 : {
8053 bruce 1397 UIC 0 : int save_errno = errno;
1398 :
8491 ishii 1399 0 : close(fd);
8166 tgl 1400 LBC 0 : unlink(filename);
7977 tgl 1401 ECB : /* if write didn't set errno, assume problem is no disk space */
7977 tgl 1402 UIC 0 : errno = save_errno ? save_errno : ENOSPC;
7198 tgl 1403 UBC 0 : ereport(FATAL,
7198 tgl 1404 EUB : (errcode_for_file_access(),
6385 bruce 1405 : errmsg("could not write lock file \"%s\": %m", filename)));
1406 : }
2213 rhaas 1407 GIC 2418 : pgstat_report_wait_end();
1408 :
1409 2418 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_CREATE_SYNC);
4619 tgl 1410 CBC 2418 : if (pg_fsync(fd) != 0)
4619 tgl 1411 ECB : {
4619 tgl 1412 UBC 0 : int save_errno = errno;
1413 :
4619 tgl 1414 UIC 0 : close(fd);
1415 0 : unlink(filename);
4619 tgl 1416 LBC 0 : errno = save_errno;
1417 0 : ereport(FATAL,
1418 : (errcode_for_file_access(),
4619 tgl 1419 ECB : errmsg("could not write lock file \"%s\": %m", filename)));
1420 : }
2213 rhaas 1421 GBC 2418 : pgstat_report_wait_end();
4619 tgl 1422 GIC 2418 : if (close(fd) != 0)
1423 : {
7013 tgl 1424 UIC 0 : int save_errno = errno;
1425 :
1426 0 : unlink(filename);
7013 tgl 1427 LBC 0 : errno = save_errno;
1428 0 : ereport(FATAL,
1429 : (errcode_for_file_access(),
1430 : errmsg("could not write lock file \"%s\": %m", filename)));
7013 tgl 1431 ECB : }
1432 :
8166 1433 : /*
3602 bruce 1434 EUB : * Arrange to unlink the lock file(s) at proc_exit. If this is the first
1435 : * one, set up the on_proc_exit function to do it; then add this lock file
1436 : * to the list of files to unlink.
1437 : */
3894 tgl 1438 GIC 2418 : if (lock_files == NIL)
1439 1828 : on_proc_exit(UnlinkLockFiles, 0);
1440 :
1441 : /*
1442 : * Use lcons so that the lock files are unlinked in reverse order of
1443 : * creation; this is critical!
1444 : */
2807 1445 2418 : lock_files = lcons(pstrdup(filename), lock_files);
8166 1446 2418 : }
1447 :
1448 : /*
1449 : * Create the data directory lockfile.
1450 : *
1451 : * When this is called, we must have already switched the working
1452 : * directory to DataDir, so we can just use a relative path. This
1453 : * helps ensure that we are locking the directory we should be.
1454 : *
1455 : * Note that the socket directory path line is initially written as empty.
1456 : * postmaster.c will rewrite it upon creating the first Unix socket.
1457 : */
1458 : void
6488 tgl 1459 CBC 1830 : CreateDataDirLockFile(bool amPostmaster)
1460 : {
3894 tgl 1461 GIC 1830 : CreateLockFile(DIRECTORY_LOCK_FILE, amPostmaster, "", true, DataDir);
8491 ishii 1462 CBC 1828 : }
8316 peter_e 1463 ECB :
1464 : /*
1465 : * Create a lockfile for the specified Unix socket file.
6488 tgl 1466 : */
1467 : void
3894 tgl 1468 GIC 590 : CreateSocketLockFile(const char *socketfile, bool amPostmaster,
1469 : const char *socketDir)
1470 : {
1471 : char lockfile[MAXPGPATH];
1472 :
8166 1473 590 : snprintf(lockfile, sizeof(lockfile), "%s.lock", socketfile);
3894 1474 590 : CreateLockFile(lockfile, amPostmaster, socketDir, false, socketfile);
8166 1475 590 : }
1476 :
1477 : /*
1478 : * TouchSocketLockFiles -- mark socket lock files as recently accessed
1479 : *
1480 : * This routine should be called every so often to ensure that the socket
1481 : * lock files have a recent mod or access date. That saves them
1482 : * from being removed by overenthusiastic /tmp-directory-cleaner daemons.
1483 : * (Another reason we should never have put the socket file in /tmp...)
1484 : */
1485 : void
3894 tgl 1486 UIC 0 : TouchSocketLockFiles(void)
1487 : {
1488 : ListCell *l;
1489 :
1490 0 : foreach(l, lock_files)
1491 : {
1492 0 : char *socketLockFile = (char *) lfirst(l);
1493 :
1494 : /* No need to touch the data directory lock file, we trust */
3894 tgl 1495 LBC 0 : if (strcmp(socketLockFile, DIRECTORY_LOCK_FILE) == 0)
3894 tgl 1496 UIC 0 : continue;
3894 tgl 1497 ECB :
1498 : /* we just ignore any error here */
1143 tgl 1499 UIC 0 : (void) utime(socketLockFile, NULL);
1500 : }
8107 1501 0 : }
8107 tgl 1502 ECB :
1503 :
8062 1504 : /*
4469 tgl 1505 EUB : * Add (or replace) a line in the data directory lock file.
4469 tgl 1506 ECB : * The given string should not include a trailing newline.
1507 : *
1508 : * Note: because we don't truncate the file, if we were to rewrite a line
3894 1509 : * with less data than it had before, there would be garbage after the last
2111 1510 : * line. While we could fix that by adding a truncate call, that would make
1511 : * the file update non-atomic, which we'd rather avoid. Therefore, callers
1512 : * should endeavor never to shorten a line once it's been written.
8062 tgl 1513 EUB : */
1514 : void
4469 tgl 1515 GIC 4826 : AddToDataDirLockFile(int target_line, const char *str)
1516 : {
1517 : int fd;
1518 : int len;
1519 : int lineno;
1520 : char *srcptr;
1521 : char *destptr;
1522 : char srcbuffer[BLCKSZ];
1523 : char destbuffer[BLCKSZ];
1524 :
6488 1525 4826 : fd = open(DIRECTORY_LOCK_FILE, O_RDWR | PG_BINARY, 0);
8062 1526 4826 : if (fd < 0)
8062 tgl 1527 ECB : {
7198 tgl 1528 UBC 0 : ereport(LOG,
1529 : (errcode_for_file_access(),
1530 : errmsg("could not open file \"%s\": %m",
1531 : DIRECTORY_LOCK_FILE)));
8062 tgl 1532 UIC 0 : return;
1533 : }
2213 rhaas 1534 GIC 4826 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_ADDTODATADIR_READ);
3894 tgl 1535 4826 : len = read(fd, srcbuffer, sizeof(srcbuffer) - 1);
2213 rhaas 1536 4826 : pgstat_report_wait_end();
7032 tgl 1537 4826 : if (len < 0)
1538 : {
7198 tgl 1539 UIC 0 : ereport(LOG,
1540 : (errcode_for_file_access(),
1541 : errmsg("could not read from file \"%s\": %m",
1542 : DIRECTORY_LOCK_FILE)));
8062 tgl 1543 LBC 0 : close(fd);
8062 tgl 1544 UIC 0 : return;
1545 : }
3894 tgl 1546 GIC 4826 : srcbuffer[len] = '\0';
1547 :
1548 : /*
1549 : * Advance over lines we are not supposed to rewrite, then copy them to
1550 : * destbuffer.
1551 : */
1552 4826 : srcptr = srcbuffer;
4482 bruce 1553 33233 : for (lineno = 1; lineno < target_line; lineno++)
8062 tgl 1554 ECB : {
2111 tgl 1555 CBC 29000 : char *eol = strchr(srcptr, '\n');
1556 :
1557 29000 : if (eol == NULL)
1558 593 : break; /* not enough lines in file yet */
1559 28407 : srcptr = eol + 1;
1560 : }
3894 tgl 1561 GBC 4826 : memcpy(destbuffer, srcbuffer, srcptr - srcbuffer);
3894 tgl 1562 GIC 4826 : destptr = destbuffer + (srcptr - srcbuffer);
4469 tgl 1563 EUB :
2111 1564 : /*
1565 : * Fill in any missing lines before the target line, in case lines are
1566 : * added to the file out of order.
1567 : */
2111 tgl 1568 GIC 5419 : for (; lineno < target_line; lineno++)
1569 : {
1570 593 : if (destptr < destbuffer + sizeof(destbuffer))
2111 tgl 1571 CBC 593 : *destptr++ = '\n';
1572 : }
2111 tgl 1573 ECB :
4469 1574 : /*
1575 : * Write or rewrite the target line.
4469 tgl 1576 EUB : */
3894 tgl 1577 GIC 4826 : snprintf(destptr, destbuffer + sizeof(destbuffer) - destptr, "%s\n", str);
3894 tgl 1578 GBC 4826 : destptr += strlen(destptr);
3894 tgl 1579 EUB :
1580 : /*
1581 : * If there are more lines in the old file, append them to destbuffer.
1582 : */
3894 tgl 1583 GIC 4826 : if ((srcptr = strchr(srcptr, '\n')) != NULL)
1584 : {
3894 tgl 1585 CBC 2411 : srcptr++;
1586 2411 : snprintf(destptr, destbuffer + sizeof(destbuffer) - destptr, "%s",
1587 : srcptr);
3894 tgl 1588 EUB : }
1589 :
8062 1590 : /*
8053 bruce 1591 : * And rewrite the data. Since we write in a single kernel call, this
1592 : * update should appear atomic to onlookers.
1593 : */
3894 tgl 1594 GIC 4826 : len = strlen(destbuffer);
7977 1595 4826 : errno = 0;
2213 rhaas 1596 4826 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_ADDTODATADIR_WRITE);
192 tmunro 1597 4826 : if (pg_pwrite(fd, destbuffer, len, 0) != len)
1598 : {
2213 rhaas 1599 UIC 0 : pgstat_report_wait_end();
1600 : /* if write didn't set errno, assume problem is no disk space */
7977 tgl 1601 0 : if (errno == 0)
7977 tgl 1602 LBC 0 : errno = ENOSPC;
7198 1603 0 : ereport(LOG,
1604 : (errcode_for_file_access(),
1605 : errmsg("could not write to file \"%s\": %m",
1606 : DIRECTORY_LOCK_FILE)));
8062 tgl 1607 UIC 0 : close(fd);
1608 0 : return;
8062 tgl 1609 ECB : }
2213 rhaas 1610 CBC 4826 : pgstat_report_wait_end();
2213 rhaas 1611 GIC 4826 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_ADDTODATADIR_SYNC);
4619 tgl 1612 4826 : if (pg_fsync(fd) != 0)
1613 : {
4619 tgl 1614 UIC 0 : ereport(LOG,
1615 : (errcode_for_file_access(),
1616 : errmsg("could not write to file \"%s\": %m",
1617 : DIRECTORY_LOCK_FILE)));
1618 : }
2213 rhaas 1619 GIC 4826 : pgstat_report_wait_end();
4619 tgl 1620 4826 : if (close(fd) != 0)
1621 : {
7013 tgl 1622 UIC 0 : ereport(LOG,
7013 tgl 1623 ECB : (errcode_for_file_access(),
1624 : errmsg("could not write to file \"%s\": %m",
6488 1625 : DIRECTORY_LOCK_FILE)));
7013 1626 : }
1627 : }
1628 :
1629 :
1630 : /*
1631 : * Recheck that the data directory lock file still exists with expected
2062 peter_e 1632 : * content. Return true if the lock file appears OK, false if it isn't.
1633 : *
1634 : * We call this periodically in the postmaster. The idea is that if the
1635 : * lock file has been removed or replaced by another postmaster, we should
1636 : * do a panic database shutdown. Therefore, we should return true if there
2742 tgl 1637 : * is any doubt: we do not want to cause a panic shutdown unnecessarily.
1638 : * Transient failures like EINTR or ENFILE should not cause us to fail.
1639 : * (If there really is something wrong, we'll detect it on a future recheck.)
1640 : */
1641 : bool
2742 tgl 1642 GIC 11 : RecheckDataDirLockFile(void)
1643 : {
1644 : int fd;
1645 : int len;
1646 : long file_pid;
1647 : char buffer[BLCKSZ];
1648 :
1649 11 : fd = open(DIRECTORY_LOCK_FILE, O_RDWR | PG_BINARY, 0);
2742 tgl 1650 GBC 11 : if (fd < 0)
1651 : {
1652 : /*
1653 : * There are many foreseeable false-positive error conditions. For
2742 tgl 1654 EUB : * safety, fail only on enumerated clearly-something-is-wrong
1655 : * conditions.
1656 : */
2742 tgl 1657 UIC 0 : switch (errno)
1658 : {
2742 tgl 1659 UBC 0 : case ENOENT:
2742 tgl 1660 EUB : case ENOTDIR:
1661 : /* disaster */
2742 tgl 1662 UIC 0 : ereport(LOG,
2742 tgl 1663 EUB : (errcode_for_file_access(),
1664 : errmsg("could not open file \"%s\": %m",
1665 : DIRECTORY_LOCK_FILE)));
2742 tgl 1666 UIC 0 : return false;
1667 0 : default:
1668 : /* non-fatal, at least for now */
1669 0 : ereport(LOG,
1670 : (errcode_for_file_access(),
1671 : errmsg("could not open file \"%s\": %m; continuing anyway",
1672 : DIRECTORY_LOCK_FILE)));
1673 0 : return true;
1674 : }
1675 : }
2213 rhaas 1676 GIC 11 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_RECHECKDATADIR_READ);
2742 tgl 1677 11 : len = read(fd, buffer, sizeof(buffer) - 1);
2213 rhaas 1678 11 : pgstat_report_wait_end();
2742 tgl 1679 CBC 11 : if (len < 0)
1680 : {
2742 tgl 1681 UIC 0 : ereport(LOG,
1682 : (errcode_for_file_access(),
1683 : errmsg("could not read from file \"%s\": %m",
1684 : DIRECTORY_LOCK_FILE)));
1685 0 : close(fd);
1686 0 : return true; /* treat read failure as nonfatal */
1687 : }
2742 tgl 1688 GIC 11 : buffer[len] = '\0';
2742 tgl 1689 CBC 11 : close(fd);
1690 11 : file_pid = atol(buffer);
2742 tgl 1691 GIC 11 : if (file_pid == getpid())
2742 tgl 1692 GBC 11 : return true; /* all is well */
1693 :
1694 : /* Trouble: someone's overwritten the lock file */
2742 tgl 1695 UIC 0 : ereport(LOG,
2742 tgl 1696 EUB : (errmsg("lock file \"%s\" contains wrong PID: %ld instead of %ld",
1697 : DIRECTORY_LOCK_FILE, file_pid, (long) getpid())));
2742 tgl 1698 LBC 0 : return false;
2742 tgl 1699 ECB : }
1700 :
1701 :
1702 : /*-------------------------------------------------------------------------
8166 tgl 1703 EUB : * Version checking support
1704 : *-------------------------------------------------------------------------
1705 : */
1706 :
8316 peter_e 1707 : /*
1708 : * Determine whether the PG_VERSION file in directory `path' indicates
1709 : * a data version compatible with the version of this program.
8316 peter_e 1710 ECB : *
1711 : * If compatible, return. Otherwise, ereport(FATAL).
1712 : */
1713 : void
8316 peter_e 1714 GIC 12045 : ValidatePgVersion(const char *path)
1715 : {
8316 peter_e 1716 ECB : char full_path[MAXPGPATH];
8053 bruce 1717 : FILE *file;
1718 : int ret;
2428 tgl 1719 : long file_major;
1720 : long my_major;
8053 bruce 1721 : char *endptr;
2428 tgl 1722 : char file_version_string[64];
2428 tgl 1723 CBC 12045 : const char *my_version_string = PG_VERSION;
1724 :
1725 12045 : my_major = strtol(my_version_string, &endptr, 10);
8316 peter_e 1726 ECB :
7196 tgl 1727 GIC 12045 : snprintf(full_path, sizeof(full_path), "%s/PG_VERSION", path);
1728 :
8316 peter_e 1729 12045 : file = AllocateFile(full_path, "r");
1730 12045 : if (!file)
1731 : {
8316 peter_e 1732 LBC 0 : if (errno == ENOENT)
7198 tgl 1733 UIC 0 : ereport(FATAL,
7198 tgl 1734 ECB : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1735 : errmsg("\"%s\" is not a valid data directory",
1736 : path),
1737 : errdetail("File \"%s\" is missing.", full_path)));
1738 : else
7198 tgl 1739 UIC 0 : ereport(FATAL,
1740 : (errcode_for_file_access(),
6385 bruce 1741 ECB : errmsg("could not open file \"%s\": %m", full_path)));
8316 peter_e 1742 : }
1743 :
2428 tgl 1744 GIC 12045 : file_version_string[0] = '\0';
1745 12045 : ret = fscanf(file, "%63s", file_version_string);
1746 12045 : file_major = strtol(file_version_string, &endptr, 10);
2428 tgl 1747 ECB :
2428 tgl 1748 GIC 12045 : if (ret != 1 || endptr == file_version_string)
7188 bruce 1749 LBC 0 : ereport(FATAL,
7188 bruce 1750 ECB : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1751 : errmsg("\"%s\" is not a valid data directory",
1752 : path),
1753 : errdetail("File \"%s\" does not contain valid data.",
1754 : full_path),
1755 : errhint("You might need to initdb.")));
1756 :
8316 peter_e 1757 GIC 12045 : FreeFile(file);
8316 peter_e 1758 ECB :
2428 tgl 1759 CBC 12045 : if (my_major != file_major)
7198 tgl 1760 LBC 0 : ereport(FATAL,
7198 tgl 1761 ECB : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1762 : errmsg("database files are incompatible with server"),
2428 tgl 1763 EUB : errdetail("The data directory was initialized by PostgreSQL version %s, "
1764 : "which is not compatible with this version %s.",
1765 : file_version_string, my_version_string)));
8316 peter_e 1766 GBC 12045 : }
7325 bruce 1767 EUB :
1768 : /*-------------------------------------------------------------------------
1769 : * Library preload support
1770 : *-------------------------------------------------------------------------
1771 : */
1772 :
1773 : /*
6081 tgl 1774 ECB : * GUC variables: lists of library names to be preloaded at postmaster
1775 : * start and at backend start
1776 : */
1777 : char *session_preload_libraries_string = NULL;
6081 tgl 1778 EUB : char *shared_preload_libraries_string = NULL;
1779 : char *local_preload_libraries_string = NULL;
1780 :
1781 : /* Flag telling that we are loading shared_preload_libraries */
1782 : bool process_shared_preload_libraries_in_progress = false;
368 jdavis 1783 ECB : bool process_shared_preload_libraries_done = false;
5209 tgl 1784 :
1785 : shmem_request_hook_type shmem_request_hook = NULL;
331 rhaas 1786 EUB : bool process_shmem_requests_in_progress = false;
1787 :
1788 : /*
1789 : * load the shared libraries listed in 'libraries'
1790 : *
1791 : * 'gucname': name of GUC variable, for error reports
1792 : * 'restricted': if true, force libraries to be in $libdir/plugins/
1793 : */
1794 : static void
6080 tgl 1795 GIC 17105 : load_libraries(const char *libraries, const char *gucname, bool restricted)
1796 : {
1797 : char *rawstring;
1798 : List *elemlist;
1799 : ListCell *l;
1800 :
6081 1801 17105 : if (libraries == NULL || libraries[0] == '\0')
1802 17077 : return; /* nothing to do */
1803 :
1804 : /* Need a modifiable copy of string */
1805 28 : rawstring = pstrdup(libraries);
7325 bruce 1806 ECB :
1807 : /* Parse string into list of filename paths */
2119 tgl 1808 GIC 28 : if (!SplitDirectoriesString(rawstring, ',', &elemlist))
1809 : {
1810 : /* syntax error in list */
2119 tgl 1811 UIC 0 : list_free_deep(elemlist);
7325 bruce 1812 0 : pfree(rawstring);
7198 tgl 1813 LBC 0 : ereport(LOG,
7198 tgl 1814 ECB : (errcode(ERRCODE_SYNTAX_ERROR),
1815 : errmsg("invalid list syntax in parameter \"%s\"",
1816 : gucname)));
7198 tgl 1817 UIC 0 : return;
1818 : }
1819 :
7325 bruce 1820 GIC 56 : foreach(l, elemlist)
7325 bruce 1821 EUB : {
1822 : /* Note that filename was already canonicalized */
2119 tgl 1823 GBC 28 : char *filename = (char *) lfirst(l);
2119 tgl 1824 GIC 28 : char *expanded = NULL;
1825 :
6081 tgl 1826 EUB : /* If restricting, insert $libdir/plugins if not mentioned already */
6080 tgl 1827 GIC 28 : if (restricted && first_dir_separator(filename) == NULL)
1828 : {
3465 peter_e 1829 UIC 0 : expanded = psprintf("$libdir/plugins/%s", filename);
6081 tgl 1830 UBC 0 : filename = expanded;
6081 tgl 1831 EUB : }
6080 tgl 1832 GIC 28 : load_file(filename, restricted);
3423 jdavis 1833 GBC 28 : ereport(DEBUG1,
1834 : (errmsg_internal("loaded library \"%s\"", filename)));
2119 tgl 1835 GIC 28 : if (expanded)
2119 tgl 1836 UIC 0 : pfree(expanded);
7325 bruce 1837 EUB : }
1838 :
2119 tgl 1839 GIC 28 : list_free_deep(elemlist);
7325 bruce 1840 CBC 28 : pfree(rawstring);
7325 bruce 1841 ECB : }
6081 tgl 1842 :
1843 : /*
1844 : * process any libraries that should be preloaded at postmaster start
6081 tgl 1845 EUB : */
1846 : void
6081 tgl 1847 GIC 913 : process_shared_preload_libraries(void)
1848 : {
5209 tgl 1849 GBC 913 : process_shared_preload_libraries_in_progress = true;
6081 1850 913 : load_libraries(shared_preload_libraries_string,
1851 : "shared_preload_libraries",
6081 tgl 1852 ECB : false);
5209 tgl 1853 CBC 913 : process_shared_preload_libraries_in_progress = false;
368 jdavis 1854 913 : process_shared_preload_libraries_done = true;
6081 tgl 1855 913 : }
6081 tgl 1856 ECB :
1857 : /*
1858 : * process any libraries that should be preloaded at backend start
6081 tgl 1859 EUB : */
1860 : void
3588 peter_e 1861 GIC 8096 : process_session_preload_libraries(void)
6081 tgl 1862 EUB : {
3588 peter_e 1863 GIC 8096 : load_libraries(session_preload_libraries_string,
1864 : "session_preload_libraries",
1865 : false);
6081 tgl 1866 8096 : load_libraries(local_preload_libraries_string,
1867 : "local_preload_libraries",
1868 : true);
1869 8096 : }
1870 :
1871 : /*
1872 : * process any shared memory requests from preloaded libraries
1873 : */
1874 : void
331 rhaas 1875 910 : process_shmem_requests(void)
1876 : {
1877 910 : process_shmem_requests_in_progress = true;
331 rhaas 1878 CBC 910 : if (shmem_request_hook)
331 rhaas 1879 GIC 6 : shmem_request_hook();
1880 910 : process_shmem_requests_in_progress = false;
1881 910 : }
1882 :
1883 : void
5232 peter_e 1884 1823 : pg_bindtextdomain(const char *domain)
1885 : {
1886 : #ifdef ENABLE_NLS
5295 alvherre 1887 CBC 1823 : if (my_exec_path[0] != '\0')
1888 : {
5050 bruce 1889 ECB : char locale_path[MAXPGPATH];
1890 :
5295 alvherre 1891 CBC 1823 : get_locale_path(my_exec_path, locale_path);
5295 alvherre 1892 GIC 1823 : bindtextdomain(domain, locale_path);
5114 heikki.linnakangas 1893 CBC 1823 : pg_bind_textdomain_codeset(domain);
5295 alvherre 1894 ECB : }
1895 : #endif
5295 alvherre 1896 GBC 1823 : }
|
