Age Owner Branch data TLA Line data Source code
1 : : /*-------------------------------------------------------------------------
2 : : *
3 : : * miscinit.c
4 : : * miscellaneous initialization support stuff
5 : : *
6 : : * Portions Copyright (c) 1996-2024, PostgreSQL Global Development Group
7 : : * Portions Copyright (c) 1994, Regents of the University of California
8 : : *
9 : : *
10 : : * IDENTIFICATION
11 : : * src/backend/utils/init/miscinit.c
12 : : *
13 : : *-------------------------------------------------------------------------
14 : : */
15 : : #include "postgres.h"
16 : :
17 : : #include <sys/param.h>
18 : : #include <signal.h>
19 : : #include <time.h>
20 : : #include <sys/file.h>
21 : : #include <sys/stat.h>
22 : : #include <sys/time.h>
23 : : #include <fcntl.h>
24 : : #include <unistd.h>
25 : : #include <grp.h>
26 : : #include <pwd.h>
27 : : #include <netinet/in.h>
28 : : #include <arpa/inet.h>
29 : : #include <utime.h>
30 : :
31 : : #include "access/htup_details.h"
32 : : #include "catalog/pg_authid.h"
33 : : #include "common/file_perm.h"
34 : : #include "libpq/libpq.h"
35 : : #include "libpq/pqsignal.h"
36 : : #include "mb/pg_wchar.h"
37 : : #include "miscadmin.h"
38 : : #include "pgstat.h"
39 : : #include "postmaster/autovacuum.h"
40 : : #include "postmaster/interrupt.h"
41 : : #include "postmaster/postmaster.h"
42 : : #include "replication/slotsync.h"
43 : : #include "storage/fd.h"
44 : : #include "storage/ipc.h"
45 : : #include "storage/latch.h"
46 : : #include "storage/pg_shmem.h"
47 : : #include "storage/pmsignal.h"
48 : : #include "storage/proc.h"
49 : : #include "storage/procarray.h"
50 : : #include "utils/builtins.h"
51 : : #include "utils/guc.h"
52 : : #include "utils/inval.h"
53 : : #include "utils/memutils.h"
54 : : #include "utils/pidfile.h"
55 : : #include "utils/syscache.h"
56 : : #include "utils/varlena.h"
57 : :
58 : :
59 : : #define DIRECTORY_LOCK_FILE "postmaster.pid"
60 : :
61 : : ProcessingMode Mode = InitProcessing;
62 : :
63 : : BackendType MyBackendType;
64 : :
65 : : /* List of lock files to be removed at proc exit */
66 : : static List *lock_files = NIL;
67 : :
68 : : static Latch LocalLatchData;
69 : :
70 : : /* ----------------------------------------------------------------
71 : : * ignoring system indexes support stuff
72 : : *
73 : : * NOTE: "ignoring system indexes" means we do not use the system indexes
74 : : * for lookups (either in hardwired catalog accesses or in planner-generated
75 : : * plans). We do, however, still update the indexes when a catalog
76 : : * modification is made.
77 : : * ----------------------------------------------------------------
78 : : */
79 : :
80 : : bool IgnoreSystemIndexes = false;
81 : :
82 : :
83 : : /* ----------------------------------------------------------------
84 : : * common process startup code
85 : : * ----------------------------------------------------------------
86 : : */
87 : :
88 : : /*
89 : : * Initialize the basic environment for a postmaster child
90 : : *
91 : : * Should be called as early as possible after the child's startup. However,
92 : : * on EXEC_BACKEND builds it does need to be after read_backend_variables().
93 : : */
94 : : void
1495 peter@eisentraut.org 95 :CBC 19794 : InitPostmasterChild(void)
96 : : {
97 : 19794 : IsUnderPostmaster = true; /* we are a postmaster subprocess now */
98 : :
99 : : /*
100 : : * Start our win32 signal implementation. This has to be done after we
101 : : * read the backend variables, because we need to pick up the signal pipe
102 : : * from the parent process.
103 : : */
104 : : #ifdef WIN32
105 : : pgwin32_signal_initialize();
106 : : #endif
107 : :
108 : : /*
109 : : * Set reference point for stack-depth checking. This might seem
110 : : * redundant in !EXEC_BACKEND builds, but it's better to keep the depth
111 : : * logic the same with and without that build option.
112 : : */
787 tgl@sss.pgh.pa.us 113 : 19794 : (void) set_stack_base();
114 : :
1495 peter@eisentraut.org 115 : 19794 : InitProcessGlobals();
116 : :
117 : : /*
118 : : * make sure stderr is in binary mode before anything can possibly be
119 : : * written to it, in case it's actually the syslogger pipe, so the pipe
120 : : * chunking protocol isn't disturbed. Non-logpipe data gets translated on
121 : : * redirection (e.g. via pg_ctl -l) anyway.
122 : : */
123 : : #ifdef WIN32
124 : : _setmode(fileno(stderr), _O_BINARY);
125 : : #endif
126 : :
127 : : /* We don't want the postmaster's proc_exit() handlers */
128 : 19794 : on_exit_reset();
129 : :
130 : : /* In EXEC_BACKEND case we will not have inherited BlockSig etc values */
131 : : #ifdef EXEC_BACKEND
132 : : pqinitmask();
133 : : #endif
134 : :
135 : : /* Initialize process-local latch support */
136 : 19794 : InitializeLatchSupport();
458 tmunro@postgresql.or 137 : 19794 : InitProcessLocalLatch();
1354 138 : 19794 : InitializeLatchWaitSet();
139 : :
140 : : /*
141 : : * If possible, make this process a group leader, so that the postmaster
142 : : * can signal any child processes too. Not all processes will have
143 : : * children, but for consistency we make all postmaster child processes do
144 : : * this.
145 : : */
146 : : #ifdef HAVE_SETSID
1495 peter@eisentraut.org 147 [ - + ]: 19794 : if (setsid() < 0)
1495 peter@eisentraut.org 148 [ # # ]:UBC 0 : elog(FATAL, "setsid() failed: %m");
149 : : #endif
150 : :
151 : : /*
152 : : * Every postmaster child process is expected to respond promptly to
153 : : * SIGQUIT at all times. Therefore we centrally remove SIGQUIT from
154 : : * BlockSig and install a suitable signal handler. (Client-facing
155 : : * processes may choose to replace this default choice of handler with
156 : : * quickdie().) All other blockable signals remain blocked for now.
157 : : */
1306 tgl@sss.pgh.pa.us 158 :CBC 19794 : pqsignal(SIGQUIT, SignalHandlerForCrashExit);
159 : :
160 : 19794 : sigdelset(&BlockSig, SIGQUIT);
436 tmunro@postgresql.or 161 : 19794 : sigprocmask(SIG_SETMASK, &BlockSig, NULL);
162 : :
163 : : /* Request a signal if the postmaster dies, if possible. */
1495 peter@eisentraut.org 164 : 19794 : PostmasterDeathSignalInit();
165 : :
166 : : /* Don't give the pipe to subprograms that we execute. */
167 : : #ifndef WIN32
408 tmunro@postgresql.or 168 [ - + ]: 19794 : if (fcntl(postmaster_alive_fds[POSTMASTER_FD_WATCH], F_SETFD, FD_CLOEXEC) < 0)
408 tmunro@postgresql.or 169 [ # # ]:UBC 0 : ereport(FATAL,
170 : : (errcode_for_socket_access(),
171 : : errmsg_internal("could not set postmaster death monitoring pipe to FD_CLOEXEC mode: %m")));
172 : : #endif
1495 peter@eisentraut.org 173 :CBC 19794 : }
174 : :
175 : : /*
176 : : * Initialize the basic environment for a standalone process.
177 : : *
178 : : * argv0 has to be suitable to find the program's executable.
179 : : */
180 : : void
181 : 192 : InitStandaloneProcess(const char *argv0)
182 : : {
183 [ - + ]: 192 : Assert(!IsPostmasterEnvironment);
184 : :
601 andres@anarazel.de 185 : 192 : MyBackendType = B_STANDALONE_BACKEND;
186 : :
187 : : /*
188 : : * Start our win32 signal implementation
189 : : */
190 : : #ifdef WIN32
191 : : pgwin32_signal_initialize();
192 : : #endif
193 : :
1495 peter@eisentraut.org 194 : 192 : InitProcessGlobals();
195 : :
196 : : /* Initialize process-local latch support */
197 : 192 : InitializeLatchSupport();
458 tmunro@postgresql.or 198 : 192 : InitProcessLocalLatch();
1354 199 : 192 : InitializeLatchWaitSet();
200 : :
201 : : /*
202 : : * For consistency with InitPostmasterChild, initialize signal mask here.
203 : : * But we don't unblock SIGQUIT or provide a default handler for it.
204 : : */
1306 tgl@sss.pgh.pa.us 205 : 192 : pqinitmask();
436 tmunro@postgresql.or 206 : 192 : sigprocmask(SIG_SETMASK, &BlockSig, NULL);
207 : :
208 : : /* Compute paths, no postmaster to inherit from */
1495 peter@eisentraut.org 209 [ + - ]: 192 : if (my_exec_path[0] == '\0')
210 : : {
211 [ - + ]: 192 : if (find_my_exec(argv0, my_exec_path) < 0)
1495 peter@eisentraut.org 212 [ # # ]:UBC 0 : elog(FATAL, "%s: could not locate my own executable path",
213 : : argv0);
214 : : }
215 : :
1495 peter@eisentraut.org 216 [ + - ]:CBC 192 : if (pkglib_path[0] == '\0')
217 : 192 : get_pkglib_path(my_exec_path, pkglib_path);
218 : 192 : }
219 : :
220 : : void
221 : 19673 : SwitchToSharedLatch(void)
222 : : {
223 [ - + ]: 19673 : Assert(MyLatch == &LocalLatchData);
224 [ - + ]: 19673 : Assert(MyProc != NULL);
225 : :
226 : 19673 : MyLatch = &MyProc->procLatch;
227 : :
228 [ + + ]: 19673 : if (FeBeWaitSet)
1140 tmunro@postgresql.or 229 : 11323 : ModifyWaitEvent(FeBeWaitSet, FeBeWaitSetLatchPos, WL_LATCH_SET,
230 : : MyLatch);
231 : :
232 : : /*
233 : : * Set the shared latch as the local one might have been set. This
234 : : * shouldn't normally be necessary as code is supposed to check the
235 : : * condition before waiting for the latch, but a bit care can't hurt.
236 : : */
1495 peter@eisentraut.org 237 : 19673 : SetLatch(MyLatch);
238 : 19673 : }
239 : :
240 : : void
458 tmunro@postgresql.or 241 : 20722 : InitProcessLocalLatch(void)
242 : : {
243 : 20722 : MyLatch = &LocalLatchData;
244 : 20722 : InitLatch(MyLatch);
245 : 20722 : }
246 : :
247 : : void
1495 peter@eisentraut.org 248 : 18143 : SwitchBackToLocalLatch(void)
249 : : {
250 [ - + ]: 18143 : Assert(MyLatch != &LocalLatchData);
251 [ + - - + ]: 18143 : Assert(MyProc != NULL && MyLatch == &MyProc->procLatch);
252 : :
253 : 18143 : MyLatch = &LocalLatchData;
254 : :
255 [ + + ]: 18143 : if (FeBeWaitSet)
1140 tmunro@postgresql.or 256 : 11265 : ModifyWaitEvent(FeBeWaitSet, FeBeWaitSetLatchPos, WL_LATCH_SET,
257 : : MyLatch);
258 : :
1495 peter@eisentraut.org 259 : 18143 : SetLatch(MyLatch);
260 : 18143 : }
261 : :
262 : : const char *
263 : 35690 : GetBackendTypeDesc(BackendType backendType)
264 : : {
265 : 35690 : const char *backendDesc = "unknown process type";
266 : :
267 [ + + + + : 35690 : switch (backendType)
+ + + + +
+ + + + +
+ + - ]
268 : : {
269 : 56 : case B_INVALID:
270 : 56 : backendDesc = "not initialized";
271 : 56 : break;
601 andres@anarazel.de 272 : 151 : case B_ARCHIVER:
273 : 151 : backendDesc = "archiver";
274 : 151 : break;
1495 peter@eisentraut.org 275 : 2608 : case B_AUTOVAC_LAUNCHER:
276 : 2608 : backendDesc = "autovacuum launcher";
277 : 2608 : break;
278 : 961 : case B_AUTOVAC_WORKER:
279 : 961 : backendDesc = "autovacuum worker";
280 : 961 : break;
281 : 23554 : case B_BACKEND:
282 : 23554 : backendDesc = "client backend";
283 : 23554 : break;
284 : 56 : case B_BG_WORKER:
285 : 56 : backendDesc = "background worker";
286 : 56 : break;
287 : 1543 : case B_BG_WRITER:
288 : 1543 : backendDesc = "background writer";
289 : 1543 : break;
290 : 1867 : case B_CHECKPOINTER:
291 : 1867 : backendDesc = "checkpointer";
292 : 1867 : break;
601 andres@anarazel.de 293 : 57 : case B_LOGGER:
294 : 57 : backendDesc = "logger";
295 : 57 : break;
52 akapila@postgresql.o 296 :GNC 60 : case B_SLOTSYNC_WORKER:
297 : 60 : backendDesc = "slotsync worker";
298 : 60 : break;
601 andres@anarazel.de 299 :CBC 56 : case B_STANDALONE_BACKEND:
300 : 56 : backendDesc = "standalone backend";
301 : 56 : break;
1495 peter@eisentraut.org 302 : 892 : case B_STARTUP:
303 : 892 : backendDesc = "startup";
304 : 892 : break;
305 : 387 : case B_WAL_RECEIVER:
306 : 387 : backendDesc = "walreceiver";
307 : 387 : break;
308 : 1938 : case B_WAL_SENDER:
309 : 1938 : backendDesc = "walsender";
310 : 1938 : break;
116 rhaas@postgresql.org 311 :GNC 68 : case B_WAL_SUMMARIZER:
312 : 68 : backendDesc = "walsummarizer";
313 : 68 : break;
1495 peter@eisentraut.org 314 :CBC 1436 : case B_WAL_WRITER:
315 : 1436 : backendDesc = "walwriter";
316 : 1436 : break;
317 : : }
318 : :
319 : 35690 : return backendDesc;
320 : : }
321 : :
322 : : /* ----------------------------------------------------------------
323 : : * database path / name support stuff
324 : : * ----------------------------------------------------------------
325 : : */
326 : :
327 : : void
8858 peter_e@gmx.net 328 : 13286 : SetDatabasePath(const char *path)
329 : : {
330 : : /* This should happen only once per process */
5359 tgl@sss.pgh.pa.us 331 [ - + ]: 13286 : Assert(!DatabasePath);
332 : 13286 : DatabasePath = MemoryContextStrdup(TopMemoryContext, path);
10141 scrappy@hub.org 333 : 13286 : }
334 : :
335 : : /*
336 : : * Validate the proposed data directory.
337 : : *
338 : : * Also initialize file and directory create modes and mode mask.
339 : : */
340 : : void
2199 sfrost@snowman.net 341 : 901 : checkDataDir(void)
342 : : {
343 : : struct stat stat_buf;
344 : :
345 [ - + ]: 901 : Assert(DataDir);
346 : :
347 [ - + ]: 901 : if (stat(DataDir, &stat_buf) != 0)
348 : : {
2199 sfrost@snowman.net 349 [ # # ]:UBC 0 : if (errno == ENOENT)
350 [ # # ]: 0 : ereport(FATAL,
351 : : (errcode_for_file_access(),
352 : : errmsg("data directory \"%s\" does not exist",
353 : : DataDir)));
354 : : else
355 [ # # ]: 0 : ereport(FATAL,
356 : : (errcode_for_file_access(),
357 : : errmsg("could not read permissions of directory \"%s\": %m",
358 : : DataDir)));
359 : : }
360 : :
361 : : /* eventual chdir would fail anyway, but let's test ... */
2199 sfrost@snowman.net 362 [ - + ]:CBC 901 : if (!S_ISDIR(stat_buf.st_mode))
2199 sfrost@snowman.net 363 [ # # ]:UBC 0 : ereport(FATAL,
364 : : (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
365 : : errmsg("specified data directory \"%s\" is not a directory",
366 : : DataDir)));
367 : :
368 : : /*
369 : : * Check that the directory belongs to my userid; if not, reject.
370 : : *
371 : : * This check is an essential part of the interlock that prevents two
372 : : * postmasters from starting in the same directory (see CreateLockFile()).
373 : : * Do not remove or weaken it.
374 : : *
375 : : * XXX can we safely enable this check on Windows?
376 : : */
377 : : #if !defined(WIN32) && !defined(__CYGWIN__)
2199 sfrost@snowman.net 378 [ - + ]:CBC 901 : if (stat_buf.st_uid != geteuid())
2199 sfrost@snowman.net 379 [ # # ]:UBC 0 : ereport(FATAL,
380 : : (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
381 : : errmsg("data directory \"%s\" has wrong ownership",
382 : : DataDir),
383 : : errhint("The server must be started by the user that owns the data directory.")));
384 : : #endif
385 : :
386 : : /*
387 : : * Check if the directory has correct permissions. If not, reject.
388 : : *
389 : : * Only two possible modes are allowed, 0700 and 0750. The latter mode
390 : : * indicates that group read/execute should be allowed on all newly
391 : : * created files and directories.
392 : : *
393 : : * XXX temporarily suppress check when on Windows, because there may not
394 : : * be proper support for Unix-y file permissions. Need to think of a
395 : : * reasonable check to apply on Windows.
396 : : */
397 : : #if !defined(WIN32) && !defined(__CYGWIN__)
2199 sfrost@snowman.net 398 [ - + ]:CBC 901 : if (stat_buf.st_mode & PG_MODE_MASK_GROUP)
2199 sfrost@snowman.net 399 [ # # ]:UBC 0 : ereport(FATAL,
400 : : (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
401 : : errmsg("data directory \"%s\" has invalid permissions",
402 : : DataDir),
403 : : errdetail("Permissions should be u=rwx (0700) or u=rwx,g=rx (0750).")));
404 : : #endif
405 : :
406 : : /*
407 : : * Reset creation modes and mask based on the mode of the data directory.
408 : : *
409 : : * The mask was set earlier in startup to disallow group permissions on
410 : : * newly created files and directories. However, if group read/execute
411 : : * are present on the data directory then modify the create modes and mask
412 : : * to allow group read/execute on newly created files and directories and
413 : : * set the data_directory_mode GUC.
414 : : *
415 : : * Suppress when on Windows, because there may not be proper support for
416 : : * Unix-y file permissions.
417 : : */
418 : : #if !defined(WIN32) && !defined(__CYGWIN__)
2199 sfrost@snowman.net 419 :CBC 901 : SetDataDirectoryCreatePerm(stat_buf.st_mode);
420 : :
421 : 901 : umask(pg_mode_mask);
422 : 901 : data_directory_mode = pg_dir_create_mode;
423 : : #endif
424 : :
425 : : /* Check for PG_VERSION */
426 : 901 : ValidatePgVersion(DataDir);
427 : 901 : }
428 : :
429 : : /*
430 : : * Set data directory, but make sure it's an absolute path. Use this,
431 : : * never set DataDir directly.
432 : : */
433 : : void
8537 tgl@sss.pgh.pa.us 434 : 904 : SetDataDir(const char *dir)
435 : : {
436 : : char *new;
437 : :
534 peter@eisentraut.org 438 [ - + ]: 904 : Assert(dir);
439 : :
440 : : /* If presented path is relative, convert to absolute */
7127 tgl@sss.pgh.pa.us 441 : 904 : new = make_absolute_path(dir);
442 : :
668 peter@eisentraut.org 443 : 904 : free(DataDir);
7127 tgl@sss.pgh.pa.us 444 : 904 : DataDir = new;
445 : 904 : }
446 : :
447 : : /*
448 : : * Change working directory to DataDir. Most of the postmaster and backend
449 : : * code assumes that we are in DataDir so it can use relative paths to access
450 : : * stuff in and under the data directory. For convenience during path
451 : : * setup, however, we don't force the chdir to occur during SetDataDir.
452 : : */
453 : : void
6859 454 : 901 : ChangeToDataDir(void)
455 : : {
534 peter@eisentraut.org 456 [ - + ]: 901 : Assert(DataDir);
457 : :
6859 tgl@sss.pgh.pa.us 458 [ - + ]: 901 : if (chdir(DataDir) < 0)
6859 tgl@sss.pgh.pa.us 459 [ # # ]:UBC 0 : ereport(FATAL,
460 : : (errcode_for_file_access(),
461 : : errmsg("could not change directory to \"%s\": %m",
462 : : DataDir)));
6859 tgl@sss.pgh.pa.us 463 :CBC 901 : }
464 : :
465 : :
466 : : /* ----------------------------------------------------------------
467 : : * User ID state
468 : : *
469 : : * We have to track several different values associated with the concept
470 : : * of "user ID".
471 : : *
472 : : * AuthenticatedUserId is determined at connection start and never changes.
473 : : *
474 : : * SessionUserId is initially the same as AuthenticatedUserId, but can be
475 : : * changed by SET SESSION AUTHORIZATION (if AuthenticatedUserId is a
476 : : * superuser). This is the ID reported by the SESSION_USER SQL function.
477 : : *
478 : : * OuterUserId is the current user ID in effect at the "outer level" (outside
479 : : * any transaction or function). This is initially the same as SessionUserId,
480 : : * but can be changed by SET ROLE to any role that SessionUserId is a
481 : : * member of. (XXX rename to something like CurrentRoleId?)
482 : : *
483 : : * CurrentUserId is the current effective user ID; this is the one to use
484 : : * for all normal permissions-checking purposes. At outer level this will
485 : : * be the same as OuterUserId, but it changes during calls to SECURITY
486 : : * DEFINER functions, as well as locally in some specialized commands.
487 : : *
488 : : * SecurityRestrictionContext holds flags indicating reason(s) for changing
489 : : * CurrentUserId. In some cases we need to lock down operations that are
490 : : * not directly controlled by privilege settings, and this provides a
491 : : * convenient way to do it.
492 : : * ----------------------------------------------------------------
493 : : */
494 : : static Oid AuthenticatedUserId = InvalidOid;
495 : : static Oid SessionUserId = InvalidOid;
496 : : static Oid OuterUserId = InvalidOid;
497 : : static Oid CurrentUserId = InvalidOid;
498 : : static const char *SystemUser = NULL;
499 : :
500 : : /* We also have to remember the superuser state of the session user */
501 : : static bool SessionUserIsSuperuser = false;
502 : :
503 : : static int SecurityRestrictionContext = 0;
504 : :
505 : : /* We also remember if a SET ROLE is currently active */
506 : : static bool SetRoleIsActive = false;
507 : :
508 : : /*
509 : : * GetUserId - get the current effective user ID.
510 : : *
511 : : * Note: there's no SetUserId() anymore; use SetUserIdAndSecContext().
512 : : */
513 : : Oid
8608 peter_e@gmx.net 514 : 5880609 : GetUserId(void)
515 : : {
534 peter@eisentraut.org 516 [ - + ]: 5880609 : Assert(OidIsValid(CurrentUserId));
8608 peter_e@gmx.net 517 : 5880609 : return CurrentUserId;
518 : : }
519 : :
520 : :
521 : : /*
522 : : * GetOuterUserId/SetOuterUserId - get/set the outer-level user ID.
523 : : */
524 : : Oid
6838 tgl@sss.pgh.pa.us 525 : 736 : GetOuterUserId(void)
526 : : {
534 peter@eisentraut.org 527 [ - + ]: 736 : Assert(OidIsValid(OuterUserId));
6838 tgl@sss.pgh.pa.us 528 : 736 : return OuterUserId;
529 : : }
530 : :
531 : :
532 : : static void
533 : 2033 : SetOuterUserId(Oid userid)
534 : : {
534 peter@eisentraut.org 535 [ - + ]: 2033 : Assert(SecurityRestrictionContext == 0);
536 [ - + ]: 2033 : Assert(OidIsValid(userid));
6838 tgl@sss.pgh.pa.us 537 : 2033 : OuterUserId = userid;
538 : :
539 : : /* We force the effective user ID to match, too */
540 : 2033 : CurrentUserId = userid;
541 : 2033 : }
542 : :
543 : :
544 : : /*
545 : : * GetSessionUserId/SetSessionUserId - get/set the session user ID.
546 : : */
547 : : Oid
8608 peter_e@gmx.net 548 : 28205 : GetSessionUserId(void)
549 : : {
534 peter@eisentraut.org 550 [ - + ]: 28205 : Assert(OidIsValid(SessionUserId));
8608 peter_e@gmx.net 551 : 28205 : return SessionUserId;
552 : : }
553 : :
554 : :
555 : : static void
6838 tgl@sss.pgh.pa.us 556 : 30265 : SetSessionUserId(Oid userid, bool is_superuser)
557 : : {
534 peter@eisentraut.org 558 [ - + ]: 30265 : Assert(SecurityRestrictionContext == 0);
559 [ - + ]: 30265 : Assert(OidIsValid(userid));
6838 tgl@sss.pgh.pa.us 560 : 30265 : SessionUserId = userid;
561 : 30265 : SessionUserIsSuperuser = is_superuser;
562 : 30265 : SetRoleIsActive = false;
563 : :
564 : : /* We force the effective user IDs to match, too */
565 : 30265 : OuterUserId = userid;
566 : 30265 : CurrentUserId = userid;
8621 peter_e@gmx.net 567 : 30265 : }
568 : :
569 : : /*
570 : : * Return the system user representing the authenticated identity.
571 : : * It is defined in InitializeSystemUser() as auth_method:authn_id.
572 : : */
573 : : const char *
563 michael@paquier.xyz 574 : 33 : GetSystemUser(void)
575 : : {
576 : 33 : return SystemUser;
577 : : }
578 : :
579 : : /*
580 : : * GetAuthenticatedUserId - get the authenticated user ID
581 : : */
582 : : Oid
3461 rhaas@postgresql.org 583 : 17127 : GetAuthenticatedUserId(void)
584 : : {
534 peter@eisentraut.org 585 [ - + ]: 17127 : Assert(OidIsValid(AuthenticatedUserId));
3461 rhaas@postgresql.org 586 : 17127 : return AuthenticatedUserId;
587 : : }
588 : :
589 : :
590 : : /*
591 : : * GetUserIdAndSecContext/SetUserIdAndSecContext - get/set the current user ID
592 : : * and the SecurityRestrictionContext flags.
593 : : *
594 : : * Currently there are three valid bits in SecurityRestrictionContext:
595 : : *
596 : : * SECURITY_LOCAL_USERID_CHANGE indicates that we are inside an operation
597 : : * that is temporarily changing CurrentUserId via these functions. This is
598 : : * needed to indicate that the actual value of CurrentUserId is not in sync
599 : : * with guc.c's internal state, so SET ROLE has to be disallowed.
600 : : *
601 : : * SECURITY_RESTRICTED_OPERATION indicates that we are inside an operation
602 : : * that does not wish to trust called user-defined functions at all. The
603 : : * policy is to use this before operations, e.g. autovacuum and REINDEX, that
604 : : * enumerate relations of a database or schema and run functions associated
605 : : * with each found relation. The relation owner is the new user ID. Set this
606 : : * as soon as possible after locking the relation. Restore the old user ID as
607 : : * late as possible before closing the relation; restoring it shortly after
608 : : * close is also tolerable. If a command has both relation-enumerating and
609 : : * non-enumerating modes, e.g. ANALYZE, both modes set this bit. This bit
610 : : * prevents not only SET ROLE, but various other changes of session state that
611 : : * normally is unprotected but might possibly be used to subvert the calling
612 : : * session later. An example is replacing an existing prepared statement with
613 : : * new code, which will then be executed with the outer session's permissions
614 : : * when the prepared statement is next used. These restrictions are fairly
615 : : * draconian, but the functions called in relation-enumerating operations are
616 : : * really supposed to be side-effect-free anyway.
617 : : *
618 : : * SECURITY_NOFORCE_RLS indicates that we are inside an operation which should
619 : : * ignore the FORCE ROW LEVEL SECURITY per-table indication. This is used to
620 : : * ensure that FORCE RLS does not mistakenly break referential integrity
621 : : * checks. Note that this is intentionally only checked when running as the
622 : : * owner of the table (which should always be the case for referential
623 : : * integrity checks).
624 : : *
625 : : * Unlike GetUserId, GetUserIdAndSecContext does *not* Assert that the current
626 : : * value of CurrentUserId is valid; nor does SetUserIdAndSecContext require
627 : : * the new value to be valid. In fact, these routines had better not
628 : : * ever throw any kind of error. This is because they are used by
629 : : * StartTransaction and AbortTransaction to save/restore the settings,
630 : : * and during the first transaction within a backend, the value to be saved
631 : : * and perhaps restored is indeed invalid. We have to be able to get
632 : : * through AbortTransaction without asserting in case InitPostgres fails.
633 : : */
634 : : void
5240 tgl@sss.pgh.pa.us 635 : 748377 : GetUserIdAndSecContext(Oid *userid, int *sec_context)
636 : : {
5946 637 : 748377 : *userid = CurrentUserId;
5240 638 : 748377 : *sec_context = SecurityRestrictionContext;
5946 639 : 748377 : }
640 : :
641 : : void
5240 642 : 648268 : SetUserIdAndSecContext(Oid userid, int sec_context)
643 : : {
5946 644 : 648268 : CurrentUserId = userid;
5240 645 : 648268 : SecurityRestrictionContext = sec_context;
5946 646 : 648268 : }
647 : :
648 : :
649 : : /*
650 : : * InLocalUserIdChange - are we inside a local change of CurrentUserId?
651 : : */
652 : : bool
5240 653 : 16535 : InLocalUserIdChange(void)
654 : : {
655 : 16535 : return (SecurityRestrictionContext & SECURITY_LOCAL_USERID_CHANGE) != 0;
656 : : }
657 : :
658 : : /*
659 : : * InSecurityRestrictedOperation - are we inside a security-restricted command?
660 : : */
661 : : bool
662 : 21410 : InSecurityRestrictedOperation(void)
663 : : {
664 : 21410 : return (SecurityRestrictionContext & SECURITY_RESTRICTED_OPERATION) != 0;
665 : : }
666 : :
667 : : /*
668 : : * InNoForceRLSOperation - are we ignoring FORCE ROW LEVEL SECURITY ?
669 : : */
670 : : bool
3115 sfrost@snowman.net 671 : 93 : InNoForceRLSOperation(void)
672 : : {
673 : 93 : return (SecurityRestrictionContext & SECURITY_NOFORCE_RLS) != 0;
674 : : }
675 : :
676 : :
677 : : /*
678 : : * These are obsolete versions of Get/SetUserIdAndSecContext that are
679 : : * only provided for bug-compatibility with some rather dubious code in
680 : : * pljava. We allow the userid to be set, but only when not inside a
681 : : * security restriction context.
682 : : */
683 : : void
5240 tgl@sss.pgh.pa.us 684 :UBC 0 : GetUserIdAndContext(Oid *userid, bool *sec_def_context)
685 : : {
686 : 0 : *userid = CurrentUserId;
687 : 0 : *sec_def_context = InLocalUserIdChange();
688 : 0 : }
689 : :
690 : : void
691 : 0 : SetUserIdAndContext(Oid userid, bool sec_def_context)
692 : : {
693 : : /* We throw the same error SET ROLE would. */
694 [ # # ]: 0 : if (InSecurityRestrictedOperation())
695 [ # # ]: 0 : ereport(ERROR,
696 : : (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
697 : : errmsg("cannot set parameter \"%s\" within security-restricted operation",
698 : : "role")));
699 : 0 : CurrentUserId = userid;
700 [ # # ]: 0 : if (sec_def_context)
701 : 0 : SecurityRestrictionContext |= SECURITY_LOCAL_USERID_CHANGE;
702 : : else
703 : 0 : SecurityRestrictionContext &= ~SECURITY_LOCAL_USERID_CHANGE;
5946 704 : 0 : }
705 : :
706 : :
707 : : /*
708 : : * Check whether specified role has explicit REPLICATION privilege
709 : : */
710 : : bool
3400 alvherre@alvh.no-ip. 711 :CBC 1557 : has_rolreplication(Oid roleid)
712 : : {
713 : 1557 : bool result = false;
714 : : HeapTuple utup;
715 : :
716 : : /* Superusers bypass all permission checking. */
395 peter@eisentraut.org 717 [ + + ]: 1557 : if (superuser_arg(roleid))
718 : 1501 : return true;
719 : :
3400 alvherre@alvh.no-ip. 720 : 56 : utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
721 [ + - ]: 56 : if (HeapTupleIsValid(utup))
722 : : {
723 : 56 : result = ((Form_pg_authid) GETSTRUCT(utup))->rolreplication;
724 : 56 : ReleaseSysCache(utup);
725 : : }
726 : 56 : return result;
727 : : }
728 : :
729 : : /*
730 : : * Initialize user identity during normal backend startup
731 : : */
732 : : void
185 michael@paquier.xyz 733 :GNC 12902 : InitializeSessionUserId(const char *rolename, Oid roleid, bool bypass_login_check)
734 : : {
735 : : HeapTuple roleTup;
736 : : Form_pg_authid rform;
737 : : char *rname;
738 : : bool is_superuser;
739 : :
740 : : /*
741 : : * Don't do scans if we're bootstrapping, none of the system catalogs
742 : : * exist yet, and they should be owned by postgres anyway.
743 : : */
534 peter@eisentraut.org 744 [ - + ]:CBC 12902 : Assert(!IsBootstrapProcessingMode());
745 : :
746 : : /* call only once */
747 [ - + ]: 12902 : Assert(!OidIsValid(AuthenticatedUserId));
748 : :
749 : : /*
750 : : * Make sure syscache entries are flushed for recent catalog changes. This
751 : : * allows us to find roles that were created on-the-fly during
752 : : * authentication.
753 : : */
2102 tmunro@postgresql.or 754 : 12902 : AcceptInvalidationMessages();
755 : :
3359 rhaas@postgresql.org 756 [ + + ]: 12902 : if (rolename != NULL)
757 : : {
758 : 11121 : roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(rolename));
2963 759 [ + + ]: 11121 : if (!HeapTupleIsValid(roleTup))
760 [ + - ]: 2 : ereport(FATAL,
761 : : (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
762 : : errmsg("role \"%s\" does not exist", rolename)));
763 : : }
764 : : else
765 : : {
3359 766 : 1781 : roleTup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
2963 767 [ - + ]: 1781 : if (!HeapTupleIsValid(roleTup))
2963 rhaas@postgresql.org 768 [ # # ]:UBC 0 : ereport(FATAL,
769 : : (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
770 : : errmsg("role with OID %u does not exist", roleid)));
771 : : }
772 : :
6865 tgl@sss.pgh.pa.us 773 :CBC 12900 : rform = (Form_pg_authid) GETSTRUCT(roleTup);
1972 andres@anarazel.de 774 : 12900 : roleid = rform->oid;
2963 rhaas@postgresql.org 775 : 12900 : rname = NameStr(rform->rolname);
776 : :
6865 tgl@sss.pgh.pa.us 777 : 12900 : AuthenticatedUserId = roleid;
276 nathan@postgresql.or 778 :GNC 12900 : is_superuser = rform->rolsuper;
779 : :
780 : : /* This sets OuterUserId/CurrentUserId too */
781 : 12900 : SetSessionUserId(roleid, is_superuser);
782 : :
783 : : /* Also mark our PGPROC entry with the authenticated user id */
784 : : /* (We assume this is an atomic store so no lock is needed) */
6832 tgl@sss.pgh.pa.us 785 :CBC 12900 : MyProc->roleId = roleid;
786 : :
787 : : /*
788 : : * These next checks are not enforced when in standalone mode, so that
789 : : * there is a way to recover from sillinesses like "UPDATE pg_authid SET
790 : : * rolcanlogin = false;".
791 : : */
5108 792 [ + - ]: 12900 : if (IsUnderPostmaster)
793 : : {
794 : : /*
795 : : * Is role allowed to login at all?
796 : : */
185 michael@paquier.xyz 797 [ + + + + ]:GNC 12900 : if (!bypass_login_check && !rform->rolcanlogin)
6832 tgl@sss.pgh.pa.us 798 [ + - ]:CBC 3 : ereport(FATAL,
799 : : (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
800 : : errmsg("role \"%s\" is not permitted to log in",
801 : : rname)));
802 : :
803 : : /*
804 : : * Check connection limit for this role.
805 : : *
806 : : * There is a race condition here --- we create our PGPROC before
807 : : * checking for other PGPROCs. If two backends did this at about the
808 : : * same time, they might both think they were over the limit, while
809 : : * ideally one should succeed and one fail. Getting that to work
810 : : * exactly seems more trouble than it is worth, however; instead we
811 : : * just document that the connection limit is approximate.
812 : : */
813 [ - + ]: 12897 : if (rform->rolconnlimit >= 0 &&
276 nathan@postgresql.or 814 [ # # ]:UNC 0 : !is_superuser &&
6832 tgl@sss.pgh.pa.us 815 [ # # ]:UBC 0 : CountUserBackends(roleid) > rform->rolconnlimit)
816 [ # # ]: 0 : ereport(FATAL,
817 : : (errcode(ERRCODE_TOO_MANY_CONNECTIONS),
818 : : errmsg("too many connections for role \"%s\"",
819 : : rname)));
820 : : }
821 : :
822 : : /* Record username and superuser status as GUC settings too */
2963 rhaas@postgresql.org 823 :CBC 12897 : SetConfigOption("session_authorization", rname,
824 : : PGC_BACKEND, PGC_S_OVERRIDE);
7597 tgl@sss.pgh.pa.us 825 [ + + ]: 12897 : SetConfigOption("is_superuser",
826 : : is_superuser ? "on" : "off",
827 : : PGC_INTERNAL, PGC_S_DYNAMIC_DEFAULT);
828 : :
6865 829 : 12897 : ReleaseSysCache(roleTup);
8377 peter_e@gmx.net 830 : 12897 : }
831 : :
832 : :
833 : : /*
834 : : * Initialize user identity during special backend startup
835 : : */
836 : : void
8254 837 : 1464 : InitializeSessionUserIdStandalone(void)
838 : : {
839 : : /*
840 : : * This function should only be called in single-user mode, in autovacuum
841 : : * workers, in slot sync worker and in background workers.
842 : : */
41 heikki.linnakangas@i 843 [ + + + + :GNC 1464 : Assert(!IsUnderPostmaster || AmAutoVacuumWorkerProcess() ||
+ + - + ]
844 : : AmLogicalSlotSyncWorkerProcess() || AmBackgroundWorkerProcess());
845 : :
846 : : /* call only once */
534 peter@eisentraut.org 847 [ - + ]:CBC 1464 : Assert(!OidIsValid(AuthenticatedUserId));
848 : :
6865 tgl@sss.pgh.pa.us 849 : 1464 : AuthenticatedUserId = BOOTSTRAP_SUPERUSERID;
6838 850 : 1464 : SetSessionUserId(BOOTSTRAP_SUPERUSERID, true);
851 : :
852 : : /*
853 : : * XXX This should set SetConfigOption("session_authorization"), too.
854 : : * Since we don't, C code will get NULL, and current_setting() will get an
855 : : * empty string.
856 : : */
160 noah@leadboat.com 857 : 1464 : SetConfigOption("is_superuser", "on",
858 : : PGC_INTERNAL, PGC_S_DYNAMIC_DEFAULT);
8254 peter_e@gmx.net 859 : 1464 : }
860 : :
861 : : /*
862 : : * Initialize the system user.
863 : : *
864 : : * This is built as auth_method:authn_id.
865 : : */
866 : : void
563 michael@paquier.xyz 867 : 148 : InitializeSystemUser(const char *authn_id, const char *auth_method)
868 : : {
869 : : char *system_user;
870 : :
871 : : /* call only once */
872 [ - + ]: 148 : Assert(SystemUser == NULL);
873 : :
874 : : /*
875 : : * InitializeSystemUser should be called only when authn_id is not NULL,
876 : : * meaning that auth_method is valid.
877 : : */
878 [ - + ]: 148 : Assert(authn_id != NULL);
879 : :
880 : 148 : system_user = psprintf("%s:%s", auth_method, authn_id);
881 : :
882 : : /* Store SystemUser in long-lived storage */
883 : 148 : SystemUser = MemoryContextStrdup(TopMemoryContext, system_user);
884 : 148 : pfree(system_user);
885 : 148 : }
886 : :
887 : : /*
888 : : * SQL-function SYSTEM_USER
889 : : */
890 : : Datum
891 : 33 : system_user(PG_FUNCTION_ARGS)
892 : : {
893 : 33 : const char *sysuser = GetSystemUser();
894 : :
895 [ + + ]: 33 : if (sysuser)
896 : 22 : PG_RETURN_DATUM(CStringGetTextDatum(sysuser));
897 : : else
898 : 11 : PG_RETURN_NULL();
899 : : }
900 : :
901 : : /*
902 : : * Change session auth ID while running
903 : : *
904 : : * Note that we set the GUC variable is_superuser to indicate whether the
905 : : * current role is a superuser.
906 : : */
907 : : void
6838 tgl@sss.pgh.pa.us 908 : 15901 : SetSessionAuthorization(Oid userid, bool is_superuser)
909 : : {
910 : 15901 : SetSessionUserId(userid, is_superuser);
911 : :
912 [ + + ]: 15901 : SetConfigOption("is_superuser",
913 : : is_superuser ? "on" : "off",
914 : : PGC_INTERNAL, PGC_S_DYNAMIC_DEFAULT);
915 : 15901 : }
916 : :
917 : : /*
918 : : * Report current role id
919 : : * This follows the semantics of SET ROLE, ie return the outer-level ID
920 : : * not the current effective ID, and return InvalidOid when the setting
921 : : * is logically SET ROLE NONE.
922 : : */
923 : : Oid
924 : 414 : GetCurrentRoleId(void)
925 : : {
926 [ - + ]: 414 : if (SetRoleIsActive)
6838 tgl@sss.pgh.pa.us 927 :UBC 0 : return OuterUserId;
928 : : else
6838 tgl@sss.pgh.pa.us 929 :CBC 414 : return InvalidOid;
930 : : }
931 : :
932 : : /*
933 : : * Change Role ID while running (SET ROLE)
934 : : *
935 : : * If roleid is InvalidOid, we are doing SET ROLE NONE: revert to the
936 : : * session user authorization. In this case the is_superuser argument
937 : : * is ignored.
938 : : *
939 : : * When roleid is not InvalidOid, the caller must have checked whether
940 : : * the session user has permission to become that role. (We cannot check
941 : : * here because this routine must be able to execute in a failed transaction
942 : : * to restore a prior value of the ROLE GUC variable.)
943 : : */
944 : : void
945 : 2961 : SetCurrentRoleId(Oid roleid, bool is_superuser)
946 : : {
947 : : /*
948 : : * Get correct info if it's SET ROLE NONE
949 : : *
950 : : * If SessionUserId hasn't been set yet, just do nothing --- the eventual
951 : : * SetSessionUserId call will fix everything. This is needed since we
952 : : * will get called during GUC initialization.
953 : : */
954 [ + + ]: 2961 : if (!OidIsValid(roleid))
955 : : {
956 [ + + ]: 2550 : if (!OidIsValid(SessionUserId))
957 : 928 : return;
958 : :
959 : 1622 : roleid = SessionUserId;
960 : 1622 : is_superuser = SessionUserIsSuperuser;
961 : :
962 : 1622 : SetRoleIsActive = false;
963 : : }
964 : : else
965 : 411 : SetRoleIsActive = true;
966 : :
967 : 2033 : SetOuterUserId(roleid);
968 : :
7597 969 [ + + ]: 2033 : SetConfigOption("is_superuser",
970 : : is_superuser ? "on" : "off",
971 : : PGC_INTERNAL, PGC_S_DYNAMIC_DEFAULT);
972 : : }
973 : :
974 : :
975 : : /*
976 : : * Get user name from user oid, returns NULL for nonexistent roleid if noerr
977 : : * is true.
978 : : */
979 : : char *
3263 andrew@dunslane.net 980 : 9181 : GetUserNameFromId(Oid roleid, bool noerr)
981 : : {
982 : : HeapTuple tuple;
983 : : char *result;
984 : :
5173 rhaas@postgresql.org 985 : 9181 : tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
8608 peter_e@gmx.net 986 [ + + ]: 9181 : if (!HeapTupleIsValid(tuple))
987 : : {
3263 andrew@dunslane.net 988 [ - + ]: 9 : if (!noerr)
3263 andrew@dunslane.net 989 [ # # ]:UBC 0 : ereport(ERROR,
990 : : (errcode(ERRCODE_UNDEFINED_OBJECT),
991 : : errmsg("invalid role OID: %u", roleid)));
3263 andrew@dunslane.net 992 :CBC 9 : result = NULL;
993 : : }
994 : : else
995 : : {
996 : 9172 : result = pstrdup(NameStr(((Form_pg_authid) GETSTRUCT(tuple))->rolname));
997 : 9172 : ReleaseSysCache(tuple);
998 : : }
8550 tgl@sss.pgh.pa.us 999 : 9181 : return result;
1000 : : }
1001 : :
1002 : : /* ------------------------------------------------------------------------
1003 : : * Client connection state shared with parallel workers
1004 : : *
1005 : : * ClientConnectionInfo contains pieces of information about the client that
1006 : : * need to be synced to parallel workers when they initialize.
1007 : : *-------------------------------------------------------------------------
1008 : : */
1009 : :
1010 : : ClientConnectionInfo MyClientConnectionInfo;
1011 : :
1012 : : /*
1013 : : * Intermediate representation of ClientConnectionInfo for easier
1014 : : * serialization. Variable-length fields are allocated right after this
1015 : : * header.
1016 : : */
1017 : : typedef struct SerializedClientConnectionInfo
1018 : : {
1019 : : int32 authn_id_len; /* strlen(authn_id), or -1 if NULL */
1020 : : UserAuth auth_method;
1021 : : } SerializedClientConnectionInfo;
1022 : :
1023 : : /*
1024 : : * Calculate the space needed to serialize MyClientConnectionInfo.
1025 : : */
1026 : : Size
599 michael@paquier.xyz 1027 : 414 : EstimateClientConnectionInfoSpace(void)
1028 : : {
1029 : 414 : Size size = 0;
1030 : :
1031 : 414 : size = add_size(size, sizeof(SerializedClientConnectionInfo));
1032 : :
1033 [ + + ]: 414 : if (MyClientConnectionInfo.authn_id)
1034 : 2 : size = add_size(size, strlen(MyClientConnectionInfo.authn_id) + 1);
1035 : :
1036 : 414 : return size;
1037 : : }
1038 : :
1039 : : /*
1040 : : * Serialize MyClientConnectionInfo for use by parallel workers.
1041 : : */
1042 : : void
1043 : 414 : SerializeClientConnectionInfo(Size maxsize, char *start_address)
1044 : : {
1045 : 414 : SerializedClientConnectionInfo serialized = {0};
1046 : :
1047 : 414 : serialized.authn_id_len = -1;
1048 : 414 : serialized.auth_method = MyClientConnectionInfo.auth_method;
1049 : :
1050 [ + + ]: 414 : if (MyClientConnectionInfo.authn_id)
1051 : 2 : serialized.authn_id_len = strlen(MyClientConnectionInfo.authn_id);
1052 : :
1053 : : /* Copy serialized representation to buffer */
1054 [ - + ]: 414 : Assert(maxsize >= sizeof(serialized));
1055 : 414 : memcpy(start_address, &serialized, sizeof(serialized));
1056 : :
1057 : 414 : maxsize -= sizeof(serialized);
1058 : 414 : start_address += sizeof(serialized);
1059 : :
1060 : : /* Copy authn_id into the space after the struct */
1061 [ + + ]: 414 : if (serialized.authn_id_len >= 0)
1062 : : {
1063 [ - + ]: 2 : Assert(maxsize >= (serialized.authn_id_len + 1));
1064 : 2 : memcpy(start_address,
1065 : 2 : MyClientConnectionInfo.authn_id,
1066 : : /* include the NULL terminator to ease deserialization */
1067 : 2 : serialized.authn_id_len + 1);
1068 : : }
1069 : 414 : }
1070 : :
1071 : : /*
1072 : : * Restore MyClientConnectionInfo from its serialized representation.
1073 : : */
1074 : : void
1075 : 1322 : RestoreClientConnectionInfo(char *conninfo)
1076 : : {
1077 : : SerializedClientConnectionInfo serialized;
1078 : :
1079 : 1322 : memcpy(&serialized, conninfo, sizeof(serialized));
1080 : :
1081 : : /* Copy the fields back into place */
1082 : 1322 : MyClientConnectionInfo.authn_id = NULL;
1083 : 1322 : MyClientConnectionInfo.auth_method = serialized.auth_method;
1084 : :
1085 [ + + ]: 1322 : if (serialized.authn_id_len >= 0)
1086 : : {
1087 : : char *authn_id;
1088 : :
1089 : 4 : authn_id = conninfo + sizeof(serialized);
1090 : 4 : MyClientConnectionInfo.authn_id = MemoryContextStrdup(TopMemoryContext,
1091 : : authn_id);
1092 : : }
1093 : 1322 : }
1094 : :
1095 : :
1096 : : /*-------------------------------------------------------------------------
1097 : : * Interlock-file support
1098 : : *
1099 : : * These routines are used to create both a data-directory lockfile
1100 : : * ($DATADIR/postmaster.pid) and Unix-socket-file lockfiles ($SOCKFILE.lock).
1101 : : * Both kinds of files contain the same info initially, although we can add
1102 : : * more information to a data-directory lockfile after it's created, using
1103 : : * AddToDataDirLockFile(). See pidfile.h for documentation of the contents
1104 : : * of these lockfiles.
1105 : : *
1106 : : * On successful lockfile creation, a proc_exit callback to remove the
1107 : : * lockfile is automatically created.
1108 : : *-------------------------------------------------------------------------
1109 : : */
1110 : :
1111 : : /*
1112 : : * proc_exit callback to remove lockfiles.
1113 : : */
1114 : : static void
4265 tgl@sss.pgh.pa.us 1115 : 899 : UnlinkLockFiles(int status, Datum arg)
1116 : : {
1117 : : ListCell *l;
1118 : :
1119 [ + - + + : 2523 : foreach(l, lock_files)
+ + ]
1120 : : {
1121 : 1624 : char *curfile = (char *) lfirst(l);
1122 : :
1123 : 1624 : unlink(curfile);
1124 : : /* Should we complain if the unlink fails? */
1125 : : }
1126 : : /* Since we're about to exit, no need to reclaim storage */
1127 : 899 : lock_files = NIL;
1128 : :
1129 : : /*
1130 : : * Lock file removal should always be the last externally visible action
1131 : : * of a postmaster or standalone backend, while we won't come here at all
1132 : : * when exiting postmaster child processes. Therefore, this is a good
1133 : : * place to log completion of shutdown. We could alternatively teach
1134 : : * proc_exit() to do it, but that seems uglier. In a standalone backend,
1135 : : * use NOTICE elevel to be less chatty.
1136 : : */
2985 1137 [ + + + + ]: 899 : ereport(IsPostmasterEnvironment ? LOG : NOTICE,
1138 : : (errmsg("database system is shut down")));
8862 ishii@postgresql.org 1139 : 899 : }
1140 : :
1141 : : /*
1142 : : * Create a lockfile.
1143 : : *
1144 : : * filename is the path name of the lockfile to create.
1145 : : * amPostmaster is used to determine how to encode the output PID.
1146 : : * socketDir is the Unix socket directory path to include (possibly empty).
1147 : : * isDDLock and refName are used to determine what error message to produce.
1148 : : */
1149 : : static void
8433 tgl@sss.pgh.pa.us 1150 : 1626 : CreateLockFile(const char *filename, bool amPostmaster,
1151 : : const char *socketDir,
1152 : : bool isDDLock, const char *refName)
1153 : : {
1154 : : int fd;
1155 : : char buffer[MAXPGPATH * 2 + 256];
1156 : : int ntries;
1157 : : int len;
1158 : : int encoded_pid;
1159 : : pid_t other_pid;
1160 : : pid_t my_pid,
1161 : : my_p_pid,
1162 : : my_gp_pid;
1163 : : const char *envvar;
1164 : :
1165 : : /*
1166 : : * If the PID in the lockfile is our own PID or our parent's or
1167 : : * grandparent's PID, then the file must be stale (probably left over from
1168 : : * a previous system boot cycle). We need to check this because of the
1169 : : * likelihood that a reboot will assign exactly the same PID as we had in
1170 : : * the previous reboot, or one that's only one or two counts larger and
1171 : : * hence the lockfile's PID now refers to an ancestor shell process. We
1172 : : * allow pg_ctl to pass down its parent shell PID (our grandparent PID)
1173 : : * via the environment variable PG_GRANDPARENT_PID; this is so that
1174 : : * launching the postmaster via pg_ctl can be just as reliable as
1175 : : * launching it directly. There is no provision for detecting
1176 : : * further-removed ancestor processes, but if the init script is written
1177 : : * carefully then all but the immediate parent shell will be root-owned
1178 : : * processes and so the kill test will fail with EPERM. Note that we
1179 : : * cannot get a false negative this way, because an existing postmaster
1180 : : * would surely never launch a competing postmaster or pg_ctl process
1181 : : * directly.
1182 : : */
5344 1183 : 1626 : my_pid = getpid();
1184 : :
1185 : : #ifndef WIN32
1186 : 1626 : my_p_pid = getppid();
1187 : : #else
1188 : :
1189 : : /*
1190 : : * Windows hasn't got getppid(), but doesn't need it since it's not using
1191 : : * real kill() either...
1192 : : */
1193 : : my_p_pid = 0;
1194 : : #endif
1195 : :
1196 : 1626 : envvar = getenv("PG_GRANDPARENT_PID");
1197 [ + + ]: 1626 : if (envvar)
1198 : 1289 : my_gp_pid = atoi(envvar);
1199 : : else
1200 : 337 : my_gp_pid = 0;
1201 : :
1202 : : /*
1203 : : * We need a loop here because of race conditions. But don't loop forever
1204 : : * (for example, a non-writable $PGDATA directory might cause a failure
1205 : : * that won't go away). 100 tries seems like plenty.
1206 : : */
8207 bruce@momjian.us 1207 : 1626 : for (ntries = 0;; ntries++)
1208 : : {
1209 : : /*
1210 : : * Try to create the lock file --- O_EXCL makes this atomic.
1211 : : *
1212 : : * Think not to make the file protection weaker than 0600/0640. See
1213 : : * comments below.
1214 : : */
2199 sfrost@snowman.net 1215 : 1629 : fd = open(filename, O_RDWR | O_CREAT | O_EXCL, pg_file_create_mode);
8537 tgl@sss.pgh.pa.us 1216 [ + + ]: 1629 : if (fd >= 0)
1217 : 1624 : break; /* Success; exit the retry loop */
1218 : :
1219 : : /*
1220 : : * Couldn't create the pid file. Probably it already exists.
1221 : : */
8321 1222 [ - + - - : 5 : if ((errno != EEXIST && errno != EACCES) || ntries > 100)
- + ]
7569 tgl@sss.pgh.pa.us 1223 [ # # ]:UBC 0 : ereport(FATAL,
1224 : : (errcode_for_file_access(),
1225 : : errmsg("could not create lock file \"%s\": %m",
1226 : : filename)));
1227 : :
1228 : : /*
1229 : : * Read the file to get the old owner's PID. Note race condition
1230 : : * here: file might have been deleted since we tried to create it.
1231 : : */
2199 sfrost@snowman.net 1232 :CBC 5 : fd = open(filename, O_RDONLY, pg_file_create_mode);
8768 bruce@momjian.us 1233 [ - + ]: 5 : if (fd < 0)
1234 : : {
8537 tgl@sss.pgh.pa.us 1235 [ # # ]:UBC 0 : if (errno == ENOENT)
1236 : 0 : continue; /* race condition; try again */
7569 1237 [ # # ]: 0 : ereport(FATAL,
1238 : : (errcode_for_file_access(),
1239 : : errmsg("could not open lock file \"%s\": %m",
1240 : : filename)));
1241 : : }
2584 rhaas@postgresql.org 1242 :CBC 5 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_CREATE_READ);
7403 tgl@sss.pgh.pa.us 1243 [ - + ]: 5 : if ((len = read(fd, buffer, sizeof(buffer) - 1)) < 0)
7569 tgl@sss.pgh.pa.us 1244 [ # # ]:UBC 0 : ereport(FATAL,
1245 : : (errcode_for_file_access(),
1246 : : errmsg("could not read lock file \"%s\": %m",
1247 : : filename)));
2584 rhaas@postgresql.org 1248 :CBC 5 : pgstat_report_wait_end();
8862 ishii@postgresql.org 1249 : 5 : close(fd);
1250 : :
4246 bruce@momjian.us 1251 [ - + ]: 5 : if (len == 0)
1252 : : {
4246 bruce@momjian.us 1253 [ # # ]:UBC 0 : ereport(FATAL,
1254 : : (errcode(ERRCODE_LOCK_FILE_EXISTS),
1255 : : errmsg("lock file \"%s\" is empty", filename),
1256 : : errhint("Either another server is starting, or the lock file is the remnant of a previous server startup crash.")));
1257 : : }
1258 : :
8537 tgl@sss.pgh.pa.us 1259 :CBC 5 : buffer[len] = '\0';
1260 : 5 : encoded_pid = atoi(buffer);
1261 : :
1262 : : /* if pid < 0, the pid is for postgres, not postmaster */
1263 : 5 : other_pid = (pid_t) (encoded_pid < 0 ? -encoded_pid : encoded_pid);
1264 : :
1265 [ - + ]: 5 : if (other_pid <= 0)
6873 tgl@sss.pgh.pa.us 1266 [ # # ]:UBC 0 : elog(FATAL, "bogus data in lock file \"%s\": \"%s\"",
1267 : : filename, buffer);
1268 : :
1269 : : /*
1270 : : * Check to see if the other process still exists
1271 : : *
1272 : : * Per discussion above, my_pid, my_p_pid, and my_gp_pid can be
1273 : : * ignored as false matches.
1274 : : *
1275 : : * Normally kill() will fail with ESRCH if the given PID doesn't
1276 : : * exist.
1277 : : *
1278 : : * We can treat the EPERM-error case as okay because that error
1279 : : * implies that the existing process has a different userid than we
1280 : : * do, which means it cannot be a competing postmaster. A postmaster
1281 : : * cannot successfully attach to a data directory owned by a userid
1282 : : * other than its own, as enforced in checkDataDir(). Also, since we
1283 : : * create the lockfiles mode 0600/0640, we'd have failed above if the
1284 : : * lockfile belonged to another userid --- which means that whatever
1285 : : * process kill() is reporting about isn't the one that made the
1286 : : * lockfile. (NOTE: this last consideration is the only one that
1287 : : * keeps us from blowing away a Unix socket file belonging to an
1288 : : * instance of Postgres being run by someone else, at least on
1289 : : * machines where /tmp hasn't got a stickybit.)
1290 : : */
5344 tgl@sss.pgh.pa.us 1291 [ + - + - :CBC 5 : if (other_pid != my_pid && other_pid != my_p_pid &&
+ - ]
1292 : : other_pid != my_gp_pid)
1293 : : {
7371 neilc@samurai.com 1294 [ + + ]: 5 : if (kill(other_pid, 0) == 0 ||
6674 bruce@momjian.us 1295 [ - + - - ]: 3 : (errno != ESRCH && errno != EPERM))
1296 : : {
1297 : : /* lockfile belongs to a live process */
7567 tgl@sss.pgh.pa.us 1298 [ + - + - : 2 : ereport(FATAL,
- + - - ]
1299 : : (errcode(ERRCODE_LOCK_FILE_EXISTS),
1300 : : errmsg("lock file \"%s\" already exists",
1301 : : filename),
1302 : : isDDLock ?
1303 : : (encoded_pid < 0 ?
1304 : : errhint("Is another postgres (PID %d) running in data directory \"%s\"?",
1305 : : (int) other_pid, refName) :
1306 : : errhint("Is another postmaster (PID %d) running in data directory \"%s\"?",
1307 : : (int) other_pid, refName)) :
1308 : : (encoded_pid < 0 ?
1309 : : errhint("Is another postgres (PID %d) using socket file \"%s\"?",
1310 : : (int) other_pid, refName) :
1311 : : errhint("Is another postmaster (PID %d) using socket file \"%s\"?",
1312 : : (int) other_pid, refName))));
1313 : : }
1314 : : }
1315 : :
1316 : : /*
1317 : : * No, the creating process did not exist. However, it could be that
1318 : : * the postmaster crashed (or more likely was kill -9'd by a clueless
1319 : : * admin) but has left orphan backends behind. Check for this by
1320 : : * looking to see if there is an associated shmem segment that is
1321 : : * still in use.
1322 : : *
1323 : : * Note: because postmaster.pid is written in multiple steps, we might
1324 : : * not find the shmem ID values in it; we can't treat that as an
1325 : : * error.
1326 : : */
8433 1327 [ + + ]: 3 : if (isDDLock)
1328 : : {
4856 bruce@momjian.us 1329 : 1 : char *ptr = buffer;
1330 : : unsigned long id1,
1331 : : id2;
1332 : : int lineno;
1333 : :
4840 tgl@sss.pgh.pa.us 1334 [ + + ]: 7 : for (lineno = 1; lineno < LOCK_FILE_LINE_SHMEM_KEY; lineno++)
1335 : : {
4857 bruce@momjian.us 1336 [ - + ]: 6 : if ((ptr = strchr(ptr, '\n')) == NULL)
4857 bruce@momjian.us 1337 :UBC 0 : break;
4857 bruce@momjian.us 1338 :CBC 6 : ptr++;
1339 : : }
1340 : :
4840 tgl@sss.pgh.pa.us 1341 [ + - ]: 1 : if (ptr != NULL &&
1342 [ + - ]: 1 : sscanf(ptr, "%lu %lu", &id1, &id2) == 2)
1343 : : {
4857 bruce@momjian.us 1344 [ - + ]: 1 : if (PGSharedMemoryIsInUse(id1, id2))
4857 bruce@momjian.us 1345 [ # # ]:UBC 0 : ereport(FATAL,
1346 : : (errcode(ERRCODE_LOCK_FILE_EXISTS),
1347 : : errmsg("pre-existing shared memory block (key %lu, ID %lu) is still in use",
1348 : : id1, id2),
1349 : : errhint("Terminate any old server processes associated with data directory \"%s\".",
1350 : : refName)));
1351 : : }
1352 : : }
1353 : :
1354 : : /*
1355 : : * Looks like nobody's home. Unlink the file and try again to create
1356 : : * it. Need a loop because of possible race condition against other
1357 : : * would-be creators.
1358 : : */
8537 tgl@sss.pgh.pa.us 1359 [ - + ]:CBC 3 : if (unlink(filename) < 0)
7569 tgl@sss.pgh.pa.us 1360 [ # # ]:UBC 0 : ereport(FATAL,
1361 : : (errcode_for_file_access(),
1362 : : errmsg("could not remove old lock file \"%s\": %m",
1363 : : filename),
1364 : : errhint("The file seems accidentally left over, but "
1365 : : "it could not be removed. Please remove the file "
1366 : : "by hand and try again.")));
1367 : : }
1368 : :
1369 : : /*
1370 : : * Successfully created the file, now fill it. See comment in pidfile.h
1371 : : * about the contents. Note that we write the same first five lines into
1372 : : * both datadir and socket lockfiles; although more stuff may get added to
1373 : : * the datadir lockfile later.
1374 : : */
4840 tgl@sss.pgh.pa.us 1375 [ + + ]:CBC 1624 : snprintf(buffer, sizeof(buffer), "%d\n%s\n%ld\n%d\n%s\n",
1376 : : amPostmaster ? (int) my_pid : -((int) my_pid),
1377 : : DataDir,
1378 : : (long) MyStartTime,
1379 : : PostPortNumber,
1380 : : socketDir);
1381 : :
1382 : : /*
1383 : : * In a standalone backend, the next line (LOCK_FILE_LINE_LISTEN_ADDR)
1384 : : * will never receive data, so fill it in as empty now.
1385 : : */
4137 1386 [ + + + + ]: 1624 : if (isDDLock && !amPostmaster)
1387 : 166 : strlcat(buffer, "\n", sizeof(buffer));
1388 : :
8348 1389 : 1624 : errno = 0;
2584 rhaas@postgresql.org 1390 : 1624 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_CREATE_WRITE);
8537 tgl@sss.pgh.pa.us 1391 [ - + ]: 1624 : if (write(fd, buffer, strlen(buffer)) != strlen(buffer))
1392 : : {
8424 bruce@momjian.us 1393 :UBC 0 : int save_errno = errno;
1394 : :
8862 ishii@postgresql.org 1395 : 0 : close(fd);
8537 tgl@sss.pgh.pa.us 1396 : 0 : unlink(filename);
1397 : : /* if write didn't set errno, assume problem is no disk space */
8348 1398 [ # # ]: 0 : errno = save_errno ? save_errno : ENOSPC;
7569 1399 [ # # ]: 0 : ereport(FATAL,
1400 : : (errcode_for_file_access(),
1401 : : errmsg("could not write lock file \"%s\": %m", filename)));
1402 : : }
2584 rhaas@postgresql.org 1403 :CBC 1624 : pgstat_report_wait_end();
1404 : :
1405 : 1624 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_CREATE_SYNC);
4990 tgl@sss.pgh.pa.us 1406 [ - + ]: 1624 : if (pg_fsync(fd) != 0)
1407 : : {
4990 tgl@sss.pgh.pa.us 1408 :UBC 0 : int save_errno = errno;
1409 : :
1410 : 0 : close(fd);
1411 : 0 : unlink(filename);
1412 : 0 : errno = save_errno;
1413 [ # # ]: 0 : ereport(FATAL,
1414 : : (errcode_for_file_access(),
1415 : : errmsg("could not write lock file \"%s\": %m", filename)));
1416 : : }
2584 rhaas@postgresql.org 1417 :CBC 1624 : pgstat_report_wait_end();
4990 tgl@sss.pgh.pa.us 1418 [ - + ]: 1624 : if (close(fd) != 0)
1419 : : {
7384 tgl@sss.pgh.pa.us 1420 :UBC 0 : int save_errno = errno;
1421 : :
1422 : 0 : unlink(filename);
1423 : 0 : errno = save_errno;
1424 [ # # ]: 0 : ereport(FATAL,
1425 : : (errcode_for_file_access(),
1426 : : errmsg("could not write lock file \"%s\": %m", filename)));
1427 : : }
1428 : :
1429 : : /*
1430 : : * Arrange to unlink the lock file(s) at proc_exit. If this is the first
1431 : : * one, set up the on_proc_exit function to do it; then add this lock file
1432 : : * to the list of files to unlink.
1433 : : */
4265 tgl@sss.pgh.pa.us 1434 [ + + ]:CBC 1624 : if (lock_files == NIL)
1435 : 899 : on_proc_exit(UnlinkLockFiles, 0);
1436 : :
1437 : : /*
1438 : : * Use lcons so that the lock files are unlinked in reverse order of
1439 : : * creation; this is critical!
1440 : : */
3178 1441 : 1624 : lock_files = lcons(pstrdup(filename), lock_files);
8537 1442 : 1624 : }
1443 : :
1444 : : /*
1445 : : * Create the data directory lockfile.
1446 : : *
1447 : : * When this is called, we must have already switched the working
1448 : : * directory to DataDir, so we can just use a relative path. This
1449 : : * helps ensure that we are locking the directory we should be.
1450 : : *
1451 : : * Note that the socket directory path line is initially written as empty.
1452 : : * postmaster.c will rewrite it upon creating the first Unix socket.
1453 : : */
1454 : : void
6859 1455 : 901 : CreateDataDirLockFile(bool amPostmaster)
1456 : : {
4265 1457 : 901 : CreateLockFile(DIRECTORY_LOCK_FILE, amPostmaster, "", true, DataDir);
8862 ishii@postgresql.org 1458 : 899 : }
1459 : :
1460 : : /*
1461 : : * Create a lockfile for the specified Unix socket file.
1462 : : */
1463 : : void
4265 tgl@sss.pgh.pa.us 1464 : 725 : CreateSocketLockFile(const char *socketfile, bool amPostmaster,
1465 : : const char *socketDir)
1466 : : {
1467 : : char lockfile[MAXPGPATH];
1468 : :
8537 1469 : 725 : snprintf(lockfile, sizeof(lockfile), "%s.lock", socketfile);
4265 1470 : 725 : CreateLockFile(lockfile, amPostmaster, socketDir, false, socketfile);
8537 1471 : 725 : }
1472 : :
1473 : : /*
1474 : : * TouchSocketLockFiles -- mark socket lock files as recently accessed
1475 : : *
1476 : : * This routine should be called every so often to ensure that the socket
1477 : : * lock files have a recent mod or access date. That saves them
1478 : : * from being removed by overenthusiastic /tmp-directory-cleaner daemons.
1479 : : * (Another reason we should never have put the socket file in /tmp...)
1480 : : */
1481 : : void
4265 tgl@sss.pgh.pa.us 1482 :UBC 0 : TouchSocketLockFiles(void)
1483 : : {
1484 : : ListCell *l;
1485 : :
1486 [ # # # # : 0 : foreach(l, lock_files)
# # ]
1487 : : {
1488 : 0 : char *socketLockFile = (char *) lfirst(l);
1489 : :
1490 : : /* No need to touch the data directory lock file, we trust */
1491 [ # # ]: 0 : if (strcmp(socketLockFile, DIRECTORY_LOCK_FILE) == 0)
1492 : 0 : continue;
1493 : :
1494 : : /* we just ignore any error here */
1514 1495 : 0 : (void) utime(socketLockFile, NULL);
1496 : : }
8478 1497 : 0 : }
1498 : :
1499 : :
1500 : : /*
1501 : : * Add (or replace) a line in the data directory lock file.
1502 : : * The given string should not include a trailing newline.
1503 : : *
1504 : : * Note: because we don't truncate the file, if we were to rewrite a line
1505 : : * with less data than it had before, there would be garbage after the last
1506 : : * line. While we could fix that by adding a truncate call, that would make
1507 : : * the file update non-atomic, which we'd rather avoid. Therefore, callers
1508 : : * should endeavor never to shorten a line once it's been written.
1509 : : */
1510 : : void
4840 tgl@sss.pgh.pa.us 1511 :CBC 4583 : AddToDataDirLockFile(int target_line, const char *str)
1512 : : {
1513 : : int fd;
1514 : : int len;
1515 : : int lineno;
1516 : : char *srcptr;
1517 : : char *destptr;
1518 : : char srcbuffer[BLCKSZ];
1519 : : char destbuffer[BLCKSZ];
1520 : :
6859 1521 : 4583 : fd = open(DIRECTORY_LOCK_FILE, O_RDWR | PG_BINARY, 0);
8433 1522 [ - + ]: 4583 : if (fd < 0)
1523 : : {
7569 tgl@sss.pgh.pa.us 1524 [ # # ]:UBC 0 : ereport(LOG,
1525 : : (errcode_for_file_access(),
1526 : : errmsg("could not open file \"%s\": %m",
1527 : : DIRECTORY_LOCK_FILE)));
8433 1528 : 0 : return;
1529 : : }
2584 rhaas@postgresql.org 1530 :CBC 4583 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_ADDTODATADIR_READ);
4265 tgl@sss.pgh.pa.us 1531 : 4583 : len = read(fd, srcbuffer, sizeof(srcbuffer) - 1);
2584 rhaas@postgresql.org 1532 : 4583 : pgstat_report_wait_end();
7403 tgl@sss.pgh.pa.us 1533 [ - + ]: 4583 : if (len < 0)
1534 : : {
7569 tgl@sss.pgh.pa.us 1535 [ # # ]:UBC 0 : ereport(LOG,
1536 : : (errcode_for_file_access(),
1537 : : errmsg("could not read from file \"%s\": %m",
1538 : : DIRECTORY_LOCK_FILE)));
8433 1539 : 0 : close(fd);
1540 : 0 : return;
1541 : : }
4265 tgl@sss.pgh.pa.us 1542 :CBC 4583 : srcbuffer[len] = '\0';
1543 : :
1544 : : /*
1545 : : * Advance over lines we are not supposed to rewrite, then copy them to
1546 : : * destbuffer.
1547 : : */
1548 : 4583 : srcptr = srcbuffer;
4853 bruce@momjian.us 1549 [ + + ]: 31407 : for (lineno = 1; lineno < target_line; lineno++)
1550 : : {
2482 tgl@sss.pgh.pa.us 1551 : 27552 : char *eol = strchr(srcptr, '\n');
1552 : :
1553 [ + + ]: 27552 : if (eol == NULL)
1554 : 728 : break; /* not enough lines in file yet */
1555 : 26824 : srcptr = eol + 1;
1556 : : }
4265 1557 : 4583 : memcpy(destbuffer, srcbuffer, srcptr - srcbuffer);
1558 : 4583 : destptr = destbuffer + (srcptr - srcbuffer);
1559 : :
1560 : : /*
1561 : : * Fill in any missing lines before the target line, in case lines are
1562 : : * added to the file out of order.
1563 : : */
2482 1564 [ + + ]: 5311 : for (; lineno < target_line; lineno++)
1565 : : {
1566 [ + - ]: 728 : if (destptr < destbuffer + sizeof(destbuffer))
1567 : 728 : *destptr++ = '\n';
1568 : : }
1569 : :
1570 : : /*
1571 : : * Write or rewrite the target line.
1572 : : */
4265 1573 : 4583 : snprintf(destptr, destbuffer + sizeof(destbuffer) - destptr, "%s\n", str);
1574 : 4583 : destptr += strlen(destptr);
1575 : :
1576 : : /*
1577 : : * If there are more lines in the old file, append them to destbuffer.
1578 : : */
1579 [ + + ]: 4583 : if ((srcptr = strchr(srcptr, '\n')) != NULL)
1580 : : {
1581 : 2962 : srcptr++;
1582 : 2962 : snprintf(destptr, destbuffer + sizeof(destbuffer) - destptr, "%s",
1583 : : srcptr);
1584 : : }
1585 : :
1586 : : /*
1587 : : * And rewrite the data. Since we write in a single kernel call, this
1588 : : * update should appear atomic to onlookers.
1589 : : */
1590 : 4583 : len = strlen(destbuffer);
8348 1591 : 4583 : errno = 0;
2584 rhaas@postgresql.org 1592 : 4583 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_ADDTODATADIR_WRITE);
563 tmunro@postgresql.or 1593 [ - + ]: 4583 : if (pg_pwrite(fd, destbuffer, len, 0) != len)
1594 : : {
2584 rhaas@postgresql.org 1595 :UBC 0 : pgstat_report_wait_end();
1596 : : /* if write didn't set errno, assume problem is no disk space */
8348 tgl@sss.pgh.pa.us 1597 [ # # ]: 0 : if (errno == 0)
1598 : 0 : errno = ENOSPC;
7569 1599 [ # # ]: 0 : ereport(LOG,
1600 : : (errcode_for_file_access(),
1601 : : errmsg("could not write to file \"%s\": %m",
1602 : : DIRECTORY_LOCK_FILE)));
8433 1603 : 0 : close(fd);
1604 : 0 : return;
1605 : : }
2584 rhaas@postgresql.org 1606 :CBC 4583 : pgstat_report_wait_end();
1607 : 4583 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_ADDTODATADIR_SYNC);
4990 tgl@sss.pgh.pa.us 1608 [ - + ]: 4583 : if (pg_fsync(fd) != 0)
1609 : : {
4990 tgl@sss.pgh.pa.us 1610 [ # # ]:UBC 0 : ereport(LOG,
1611 : : (errcode_for_file_access(),
1612 : : errmsg("could not write to file \"%s\": %m",
1613 : : DIRECTORY_LOCK_FILE)));
1614 : : }
2584 rhaas@postgresql.org 1615 :CBC 4583 : pgstat_report_wait_end();
4990 tgl@sss.pgh.pa.us 1616 [ - + ]: 4583 : if (close(fd) != 0)
1617 : : {
7384 tgl@sss.pgh.pa.us 1618 [ # # ]:UBC 0 : ereport(LOG,
1619 : : (errcode_for_file_access(),
1620 : : errmsg("could not write to file \"%s\": %m",
1621 : : DIRECTORY_LOCK_FILE)));
1622 : : }
1623 : : }
1624 : :
1625 : :
1626 : : /*
1627 : : * Recheck that the data directory lock file still exists with expected
1628 : : * content. Return true if the lock file appears OK, false if it isn't.
1629 : : *
1630 : : * We call this periodically in the postmaster. The idea is that if the
1631 : : * lock file has been removed or replaced by another postmaster, we should
1632 : : * do a panic database shutdown. Therefore, we should return true if there
1633 : : * is any doubt: we do not want to cause a panic shutdown unnecessarily.
1634 : : * Transient failures like EINTR or ENFILE should not cause us to fail.
1635 : : * (If there really is something wrong, we'll detect it on a future recheck.)
1636 : : */
1637 : : bool
3113 tgl@sss.pgh.pa.us 1638 :CBC 12 : RecheckDataDirLockFile(void)
1639 : : {
1640 : : int fd;
1641 : : int len;
1642 : : long file_pid;
1643 : : char buffer[BLCKSZ];
1644 : :
1645 : 12 : fd = open(DIRECTORY_LOCK_FILE, O_RDWR | PG_BINARY, 0);
1646 [ - + ]: 12 : if (fd < 0)
1647 : : {
1648 : : /*
1649 : : * There are many foreseeable false-positive error conditions. For
1650 : : * safety, fail only on enumerated clearly-something-is-wrong
1651 : : * conditions.
1652 : : */
3113 tgl@sss.pgh.pa.us 1653 [ # # ]:UBC 0 : switch (errno)
1654 : : {
1655 : 0 : case ENOENT:
1656 : : case ENOTDIR:
1657 : : /* disaster */
1658 [ # # ]: 0 : ereport(LOG,
1659 : : (errcode_for_file_access(),
1660 : : errmsg("could not open file \"%s\": %m",
1661 : : DIRECTORY_LOCK_FILE)));
1662 : 0 : return false;
1663 : 0 : default:
1664 : : /* non-fatal, at least for now */
1665 [ # # ]: 0 : ereport(LOG,
1666 : : (errcode_for_file_access(),
1667 : : errmsg("could not open file \"%s\": %m; continuing anyway",
1668 : : DIRECTORY_LOCK_FILE)));
1669 : 0 : return true;
1670 : : }
1671 : : }
2584 rhaas@postgresql.org 1672 :CBC 12 : pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_RECHECKDATADIR_READ);
3113 tgl@sss.pgh.pa.us 1673 : 12 : len = read(fd, buffer, sizeof(buffer) - 1);
2584 rhaas@postgresql.org 1674 : 12 : pgstat_report_wait_end();
3113 tgl@sss.pgh.pa.us 1675 [ - + ]: 12 : if (len < 0)
1676 : : {
3113 tgl@sss.pgh.pa.us 1677 [ # # ]:UBC 0 : ereport(LOG,
1678 : : (errcode_for_file_access(),
1679 : : errmsg("could not read from file \"%s\": %m",
1680 : : DIRECTORY_LOCK_FILE)));
1681 : 0 : close(fd);
1682 : 0 : return true; /* treat read failure as nonfatal */
1683 : : }
3113 tgl@sss.pgh.pa.us 1684 :CBC 12 : buffer[len] = '\0';
1685 : 12 : close(fd);
1686 : 12 : file_pid = atol(buffer);
1687 [ + - ]: 12 : if (file_pid == getpid())
1688 : 12 : return true; /* all is well */
1689 : :
1690 : : /* Trouble: someone's overwritten the lock file */
3113 tgl@sss.pgh.pa.us 1691 [ # # ]:UBC 0 : ereport(LOG,
1692 : : (errmsg("lock file \"%s\" contains wrong PID: %ld instead of %ld",
1693 : : DIRECTORY_LOCK_FILE, file_pid, (long) getpid())));
1694 : 0 : return false;
1695 : : }
1696 : :
1697 : :
1698 : : /*-------------------------------------------------------------------------
1699 : : * Version checking support
1700 : : *-------------------------------------------------------------------------
1701 : : */
1702 : :
1703 : : /*
1704 : : * Determine whether the PG_VERSION file in directory `path' indicates
1705 : : * a data version compatible with the version of this program.
1706 : : *
1707 : : * If compatible, return. Otherwise, ereport(FATAL).
1708 : : */
1709 : : void
8687 peter_e@gmx.net 1710 :CBC 14148 : ValidatePgVersion(const char *path)
1711 : : {
1712 : : char full_path[MAXPGPATH];
1713 : : FILE *file;
1714 : : int ret;
1715 : : long file_major;
1716 : : long my_major;
1717 : : char *endptr;
1718 : : char file_version_string[64];
2799 tgl@sss.pgh.pa.us 1719 : 14148 : const char *my_version_string = PG_VERSION;
1720 : :
1721 : 14148 : my_major = strtol(my_version_string, &endptr, 10);
1722 : :
7567 1723 : 14148 : snprintf(full_path, sizeof(full_path), "%s/PG_VERSION", path);
1724 : :
8687 peter_e@gmx.net 1725 : 14148 : file = AllocateFile(full_path, "r");
1726 [ - + ]: 14148 : if (!file)
1727 : : {
8687 peter_e@gmx.net 1728 [ # # ]:UBC 0 : if (errno == ENOENT)
7569 tgl@sss.pgh.pa.us 1729 [ # # ]: 0 : ereport(FATAL,
1730 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1731 : : errmsg("\"%s\" is not a valid data directory",
1732 : : path),
1733 : : errdetail("File \"%s\" is missing.", full_path)));
1734 : : else
1735 [ # # ]: 0 : ereport(FATAL,
1736 : : (errcode_for_file_access(),
1737 : : errmsg("could not open file \"%s\": %m", full_path)));
1738 : : }
1739 : :
2799 tgl@sss.pgh.pa.us 1740 :CBC 14148 : file_version_string[0] = '\0';
1741 : 14148 : ret = fscanf(file, "%63s", file_version_string);
1742 : 14148 : file_major = strtol(file_version_string, &endptr, 10);
1743 : :
1744 [ + - - + ]: 14148 : if (ret != 1 || endptr == file_version_string)
7559 bruce@momjian.us 1745 [ # # ]:UBC 0 : ereport(FATAL,
1746 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1747 : : errmsg("\"%s\" is not a valid data directory",
1748 : : path),
1749 : : errdetail("File \"%s\" does not contain valid data.",
1750 : : full_path),
1751 : : errhint("You might need to initdb.")));
1752 : :
8687 peter_e@gmx.net 1753 :CBC 14148 : FreeFile(file);
1754 : :
2799 tgl@sss.pgh.pa.us 1755 [ - + ]: 14148 : if (my_major != file_major)
7569 tgl@sss.pgh.pa.us 1756 [ # # ]:UBC 0 : ereport(FATAL,
1757 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1758 : : errmsg("database files are incompatible with server"),
1759 : : errdetail("The data directory was initialized by PostgreSQL version %s, "
1760 : : "which is not compatible with this version %s.",
1761 : : file_version_string, my_version_string)));
8687 peter_e@gmx.net 1762 :CBC 14148 : }
1763 : :
1764 : : /*-------------------------------------------------------------------------
1765 : : * Library preload support
1766 : : *-------------------------------------------------------------------------
1767 : : */
1768 : :
1769 : : /*
1770 : : * GUC variables: lists of library names to be preloaded at postmaster
1771 : : * start and at backend start
1772 : : */
1773 : : char *session_preload_libraries_string = NULL;
1774 : : char *shared_preload_libraries_string = NULL;
1775 : : char *local_preload_libraries_string = NULL;
1776 : :
1777 : : /* Flag telling that we are loading shared_preload_libraries */
1778 : : bool process_shared_preload_libraries_in_progress = false;
1779 : : bool process_shared_preload_libraries_done = false;
1780 : :
1781 : : shmem_request_hook_type shmem_request_hook = NULL;
1782 : : bool process_shmem_requests_in_progress = false;
1783 : :
1784 : : /*
1785 : : * load the shared libraries listed in 'libraries'
1786 : : *
1787 : : * 'gucname': name of GUC variable, for error reports
1788 : : * 'restricted': if true, force libraries to be in $libdir/plugins/
1789 : : */
1790 : : static void
6451 tgl@sss.pgh.pa.us 1791 : 21014 : load_libraries(const char *libraries, const char *gucname, bool restricted)
1792 : : {
1793 : : char *rawstring;
1794 : : List *elemlist;
1795 : : ListCell *l;
1796 : :
6452 1797 [ + - + + ]: 21014 : if (libraries == NULL || libraries[0] == '\0')
1798 : 20983 : return; /* nothing to do */
1799 : :
1800 : : /* Need a modifiable copy of string */
1801 : 31 : rawstring = pstrdup(libraries);
1802 : :
1803 : : /* Parse string into list of filename paths */
2490 1804 [ - + ]: 31 : if (!SplitDirectoriesString(rawstring, ',', &elemlist))
1805 : : {
1806 : : /* syntax error in list */
2490 tgl@sss.pgh.pa.us 1807 :UBC 0 : list_free_deep(elemlist);
7696 bruce@momjian.us 1808 : 0 : pfree(rawstring);
7569 tgl@sss.pgh.pa.us 1809 [ # # ]: 0 : ereport(LOG,
1810 : : (errcode(ERRCODE_SYNTAX_ERROR),
1811 : : errmsg("invalid list syntax in parameter \"%s\"",
1812 : : gucname)));
1813 : 0 : return;
1814 : : }
1815 : :
7696 bruce@momjian.us 1816 [ + - + + :CBC 62 : foreach(l, elemlist)
+ + ]
1817 : : {
1818 : : /* Note that filename was already canonicalized */
2490 tgl@sss.pgh.pa.us 1819 : 31 : char *filename = (char *) lfirst(l);
1820 : 31 : char *expanded = NULL;
1821 : :
1822 : : /* If restricting, insert $libdir/plugins if not mentioned already */
6451 1823 [ - + - - ]: 31 : if (restricted && first_dir_separator(filename) == NULL)
1824 : : {
3836 peter_e@gmx.net 1825 :UBC 0 : expanded = psprintf("$libdir/plugins/%s", filename);
6452 tgl@sss.pgh.pa.us 1826 : 0 : filename = expanded;
1827 : : }
6451 tgl@sss.pgh.pa.us 1828 :CBC 31 : load_file(filename, restricted);
3794 jdavis@postgresql.or 1829 [ - + ]: 31 : ereport(DEBUG1,
1830 : : (errmsg_internal("loaded library \"%s\"", filename)));
2490 tgl@sss.pgh.pa.us 1831 [ - + ]: 31 : if (expanded)
2490 tgl@sss.pgh.pa.us 1832 :UBC 0 : pfree(expanded);
1833 : : }
1834 : :
2490 tgl@sss.pgh.pa.us 1835 :CBC 31 : list_free_deep(elemlist);
7696 bruce@momjian.us 1836 : 31 : pfree(rawstring);
1837 : : }
1838 : :
1839 : : /*
1840 : : * process any libraries that should be preloaded at postmaster start
1841 : : */
1842 : : void
6452 tgl@sss.pgh.pa.us 1843 : 782 : process_shared_preload_libraries(void)
1844 : : {
5580 1845 : 782 : process_shared_preload_libraries_in_progress = true;
6452 1846 : 782 : load_libraries(shared_preload_libraries_string,
1847 : : "shared_preload_libraries",
1848 : : false);
5580 1849 : 782 : process_shared_preload_libraries_in_progress = false;
739 jdavis@postgresql.or 1850 : 782 : process_shared_preload_libraries_done = true;
6452 tgl@sss.pgh.pa.us 1851 : 782 : }
1852 : :
1853 : : /*
1854 : : * process any libraries that should be preloaded at backend start
1855 : : */
1856 : : void
3959 peter_e@gmx.net 1857 : 10116 : process_session_preload_libraries(void)
1858 : : {
1859 : 10116 : load_libraries(session_preload_libraries_string,
1860 : : "session_preload_libraries",
1861 : : false);
6452 tgl@sss.pgh.pa.us 1862 : 10116 : load_libraries(local_preload_libraries_string,
1863 : : "local_preload_libraries",
1864 : : true);
1865 : 10116 : }
1866 : :
1867 : : /*
1868 : : * process any shared memory requests from preloaded libraries
1869 : : */
1870 : : void
702 rhaas@postgresql.org 1871 : 779 : process_shmem_requests(void)
1872 : : {
1873 : 779 : process_shmem_requests_in_progress = true;
1874 [ + + ]: 779 : if (shmem_request_hook)
1875 : 7 : shmem_request_hook();
1876 : 779 : process_shmem_requests_in_progress = false;
1877 : 779 : }
1878 : :
1879 : : void
5603 peter_e@gmx.net 1880 : 2002 : pg_bindtextdomain(const char *domain)
1881 : : {
1882 : : #ifdef ENABLE_NLS
5666 alvherre@alvh.no-ip. 1883 [ + - ]: 2002 : if (my_exec_path[0] != '\0')
1884 : : {
1885 : : char locale_path[MAXPGPATH];
1886 : :
1887 : 2002 : get_locale_path(my_exec_path, locale_path);
1888 : 2002 : bindtextdomain(domain, locale_path);
5485 heikki.linnakangas@i 1889 : 2002 : pg_bind_textdomain_codeset(domain);
1890 : : }
1891 : : #endif
5666 alvherre@alvh.no-ip. 1892 : 2002 : }
|
