PostgreSQL Source Code git master
All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Pages
miscinit.c
Go to the documentation of this file.
1/*-------------------------------------------------------------------------
2 *
3 * miscinit.c
4 * miscellaneous initialization support stuff
5 *
6 * Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group
7 * Portions Copyright (c) 1994, Regents of the University of California
8 *
9 *
10 * IDENTIFICATION
11 * src/backend/utils/init/miscinit.c
12 *
13 *-------------------------------------------------------------------------
14 */
15#include "postgres.h"
16
17#include <sys/param.h>
18#include <signal.h>
19#include <time.h>
20#include <sys/file.h>
21#include <sys/stat.h>
22#include <sys/time.h>
23#include <fcntl.h>
24#include <unistd.h>
25#include <grp.h>
26#include <pwd.h>
27#include <netinet/in.h>
28#include <arpa/inet.h>
29#include <utime.h>
30
31#include "access/htup_details.h"
32#include "access/parallel.h"
33#include "catalog/pg_authid.h"
34#include "common/file_perm.h"
35#include "libpq/libpq.h"
36#include "libpq/pqsignal.h"
37#include "mb/pg_wchar.h"
38#include "miscadmin.h"
39#include "pgstat.h"
44#include "storage/fd.h"
45#include "storage/ipc.h"
46#include "storage/latch.h"
47#include "storage/pg_shmem.h"
48#include "storage/pmsignal.h"
49#include "storage/proc.h"
50#include "storage/procarray.h"
51#include "utils/builtins.h"
52#include "utils/guc.h"
53#include "utils/inval.h"
54#include "utils/memutils.h"
55#include "utils/pidfile.h"
56#include "utils/syscache.h"
57#include "utils/varlena.h"
58
59
60#define DIRECTORY_LOCK_FILE "postmaster.pid"
61
63
65
66/* List of lock files to be removed at proc exit */
68
70
71/* ----------------------------------------------------------------
72 * ignoring system indexes support stuff
73 *
74 * NOTE: "ignoring system indexes" means we do not use the system indexes
75 * for lookups (either in hardwired catalog accesses or in planner-generated
76 * plans). We do, however, still update the indexes when a catalog
77 * modification is made.
78 * ----------------------------------------------------------------
79 */
80
82
83
84/* ----------------------------------------------------------------
85 * common process startup code
86 * ----------------------------------------------------------------
87 */
88
89/*
90 * Initialize the basic environment for a postmaster child
91 *
92 * Should be called as early as possible after the child's startup. However,
93 * on EXEC_BACKEND builds it does need to be after read_backend_variables().
94 */
95void
97{
98 IsUnderPostmaster = true; /* we are a postmaster subprocess now */
99
100 /*
101 * Start our win32 signal implementation. This has to be done after we
102 * read the backend variables, because we need to pick up the signal pipe
103 * from the parent process.
104 */
105#ifdef WIN32
107#endif
108
110
111 /*
112 * make sure stderr is in binary mode before anything can possibly be
113 * written to it, in case it's actually the syslogger pipe, so the pipe
114 * chunking protocol isn't disturbed. Non-logpipe data gets translated on
115 * redirection (e.g. via pg_ctl -l) anyway.
116 */
117#ifdef WIN32
118 _setmode(fileno(stderr), _O_BINARY);
119#endif
120
121 /* We don't want the postmaster's proc_exit() handlers */
123
124 /* In EXEC_BACKEND case we will not have inherited BlockSig etc values */
125#ifdef EXEC_BACKEND
126 pqinitmask();
127#endif
128
129 /* Initialize process-local latch support */
133
134 /*
135 * If possible, make this process a group leader, so that the postmaster
136 * can signal any child processes too. Not all processes will have
137 * children, but for consistency we make all postmaster child processes do
138 * this.
139 */
140#ifdef HAVE_SETSID
141 if (setsid() < 0)
142 elog(FATAL, "setsid() failed: %m");
143#endif
144
145 /*
146 * Every postmaster child process is expected to respond promptly to
147 * SIGQUIT at all times. Therefore we centrally remove SIGQUIT from
148 * BlockSig and install a suitable signal handler. (Client-facing
149 * processes may choose to replace this default choice of handler with
150 * quickdie().) All other blockable signals remain blocked for now.
151 */
153
154 sigdelset(&BlockSig, SIGQUIT);
155 sigprocmask(SIG_SETMASK, &BlockSig, NULL);
156
157 /* Request a signal if the postmaster dies, if possible. */
159
160 /* Don't give the pipe to subprograms that we execute. */
161#ifndef WIN32
162 if (fcntl(postmaster_alive_fds[POSTMASTER_FD_WATCH], F_SETFD, FD_CLOEXEC) < 0)
165 errmsg_internal("could not set postmaster death monitoring pipe to FD_CLOEXEC mode: %m")));
166#endif
167}
168
169/*
170 * Initialize the basic environment for a standalone process.
171 *
172 * argv0 has to be suitable to find the program's executable.
173 */
174void
176{
178
180
181 /*
182 * Start our win32 signal implementation
183 */
184#ifdef WIN32
186#endif
187
189
190 /* Initialize process-local latch support */
194
195 /*
196 * For consistency with InitPostmasterChild, initialize signal mask here.
197 * But we don't unblock SIGQUIT or provide a default handler for it.
198 */
199 pqinitmask();
200 sigprocmask(SIG_SETMASK, &BlockSig, NULL);
201
202 /* Compute paths, no postmaster to inherit from */
203 if (my_exec_path[0] == '\0')
204 {
206 elog(FATAL, "%s: could not locate my own executable path",
207 argv0);
208 }
209
210 if (pkglib_path[0] == '\0')
212}
213
214void
216{
218 Assert(MyProc != NULL);
219
221
222 if (FeBeWaitSet)
224 MyLatch);
225
226 /*
227 * Set the shared latch as the local one might have been set. This
228 * shouldn't normally be necessary as code is supposed to check the
229 * condition before waiting for the latch, but a bit care can't hurt.
230 */
232}
233
234void
236{
239}
240
241void
243{
245 Assert(MyProc != NULL && MyLatch == &MyProc->procLatch);
246
248
249 if (FeBeWaitSet)
251 MyLatch);
252
254}
255
256/*
257 * Return a human-readable string representation of a BackendType.
258 *
259 * The string is not localized here, but we mark the strings for translation
260 * so that callers can invoke _() on the result.
261 */
262const char *
264{
265 const char *backendDesc = gettext_noop("unknown process type");
266
267 switch (backendType)
268 {
269 case B_INVALID:
270 backendDesc = gettext_noop("not initialized");
271 break;
272 case B_ARCHIVER:
273 backendDesc = gettext_noop("archiver");
274 break;
276 backendDesc = gettext_noop("autovacuum launcher");
277 break;
278 case B_AUTOVAC_WORKER:
279 backendDesc = gettext_noop("autovacuum worker");
280 break;
281 case B_BACKEND:
282 backendDesc = gettext_noop("client backend");
283 break;
285 backendDesc = gettext_noop("dead-end client backend");
286 break;
287 case B_BG_WORKER:
288 backendDesc = gettext_noop("background worker");
289 break;
290 case B_BG_WRITER:
291 backendDesc = gettext_noop("background writer");
292 break;
293 case B_CHECKPOINTER:
294 backendDesc = gettext_noop("checkpointer");
295 break;
296 case B_IO_WORKER:
297 backendDesc = gettext_noop("io worker");
298 break;
299 case B_LOGGER:
300 backendDesc = gettext_noop("logger");
301 break;
303 backendDesc = gettext_noop("slotsync worker");
304 break;
306 backendDesc = gettext_noop("standalone backend");
307 break;
308 case B_STARTUP:
309 backendDesc = gettext_noop("startup");
310 break;
311 case B_WAL_RECEIVER:
312 backendDesc = gettext_noop("walreceiver");
313 break;
314 case B_WAL_SENDER:
315 backendDesc = gettext_noop("walsender");
316 break;
317 case B_WAL_SUMMARIZER:
318 backendDesc = gettext_noop("walsummarizer");
319 break;
320 case B_WAL_WRITER:
321 backendDesc = gettext_noop("walwriter");
322 break;
323 }
324
325 return backendDesc;
326}
327
328/* ----------------------------------------------------------------
329 * database path / name support stuff
330 * ----------------------------------------------------------------
331 */
332
333void
334SetDatabasePath(const char *path)
335{
336 /* This should happen only once per process */
339}
340
341/*
342 * Validate the proposed data directory.
343 *
344 * Also initialize file and directory create modes and mode mask.
345 */
346void
348{
349 struct stat stat_buf;
350
352
353 if (stat(DataDir, &stat_buf) != 0)
354 {
355 if (errno == ENOENT)
358 errmsg("data directory \"%s\" does not exist",
359 DataDir)));
360 else
363 errmsg("could not read permissions of directory \"%s\": %m",
364 DataDir)));
365 }
366
367 /* eventual chdir would fail anyway, but let's test ... */
368 if (!S_ISDIR(stat_buf.st_mode))
370 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
371 errmsg("specified data directory \"%s\" is not a directory",
372 DataDir)));
373
374 /*
375 * Check that the directory belongs to my userid; if not, reject.
376 *
377 * This check is an essential part of the interlock that prevents two
378 * postmasters from starting in the same directory (see CreateLockFile()).
379 * Do not remove or weaken it.
380 *
381 * XXX can we safely enable this check on Windows?
382 */
383#if !defined(WIN32) && !defined(__CYGWIN__)
384 if (stat_buf.st_uid != geteuid())
386 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
387 errmsg("data directory \"%s\" has wrong ownership",
388 DataDir),
389 errhint("The server must be started by the user that owns the data directory.")));
390#endif
391
392 /*
393 * Check if the directory has correct permissions. If not, reject.
394 *
395 * Only two possible modes are allowed, 0700 and 0750. The latter mode
396 * indicates that group read/execute should be allowed on all newly
397 * created files and directories.
398 *
399 * XXX temporarily suppress check when on Windows, because there may not
400 * be proper support for Unix-y file permissions. Need to think of a
401 * reasonable check to apply on Windows.
402 */
403#if !defined(WIN32) && !defined(__CYGWIN__)
404 if (stat_buf.st_mode & PG_MODE_MASK_GROUP)
406 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
407 errmsg("data directory \"%s\" has invalid permissions",
408 DataDir),
409 errdetail("Permissions should be u=rwx (0700) or u=rwx,g=rx (0750).")));
410#endif
411
412 /*
413 * Reset creation modes and mask based on the mode of the data directory.
414 *
415 * The mask was set earlier in startup to disallow group permissions on
416 * newly created files and directories. However, if group read/execute
417 * are present on the data directory then modify the create modes and mask
418 * to allow group read/execute on newly created files and directories and
419 * set the data_directory_mode GUC.
420 *
421 * Suppress when on Windows, because there may not be proper support for
422 * Unix-y file permissions.
423 */
424#if !defined(WIN32) && !defined(__CYGWIN__)
426
427 umask(pg_mode_mask);
429#endif
430
431 /* Check for PG_VERSION */
433}
434
435/*
436 * Set data directory, but make sure it's an absolute path. Use this,
437 * never set DataDir directly.
438 */
439void
440SetDataDir(const char *dir)
441{
442 char *new;
443
444 Assert(dir);
445
446 /* If presented path is relative, convert to absolute */
447 new = make_absolute_path(dir);
448
449 free(DataDir);
450 DataDir = new;
451}
452
453/*
454 * Change working directory to DataDir. Most of the postmaster and backend
455 * code assumes that we are in DataDir so it can use relative paths to access
456 * stuff in and under the data directory. For convenience during path
457 * setup, however, we don't force the chdir to occur during SetDataDir.
458 */
459void
461{
463
464 if (chdir(DataDir) < 0)
467 errmsg("could not change directory to \"%s\": %m",
468 DataDir)));
469}
470
471
472/* ----------------------------------------------------------------
473 * User ID state
474 *
475 * We have to track several different values associated with the concept
476 * of "user ID".
477 *
478 * AuthenticatedUserId is determined at connection start and never changes.
479 *
480 * SessionUserId is initially the same as AuthenticatedUserId, but can be
481 * changed by SET SESSION AUTHORIZATION (if AuthenticatedUserId is a
482 * superuser). This is the ID reported by the SESSION_USER SQL function.
483 *
484 * OuterUserId is the current user ID in effect at the "outer level" (outside
485 * any transaction or function). This is initially the same as SessionUserId,
486 * but can be changed by SET ROLE to any role that SessionUserId is a
487 * member of. (XXX rename to something like CurrentRoleId?)
488 *
489 * CurrentUserId is the current effective user ID; this is the one to use
490 * for all normal permissions-checking purposes. At outer level this will
491 * be the same as OuterUserId, but it changes during calls to SECURITY
492 * DEFINER functions, as well as locally in some specialized commands.
493 *
494 * SecurityRestrictionContext holds flags indicating reason(s) for changing
495 * CurrentUserId. In some cases we need to lock down operations that are
496 * not directly controlled by privilege settings, and this provides a
497 * convenient way to do it.
498 * ----------------------------------------------------------------
499 */
504static const char *SystemUser = NULL;
505
506/* We also have to remember the superuser state of the session user */
507static bool SessionUserIsSuperuser = false;
508
510
511/* We also remember if a SET ROLE is currently active */
512static bool SetRoleIsActive = false;
513
514/*
515 * GetUserId - get the current effective user ID.
516 *
517 * Note: there's no SetUserId() anymore; use SetUserIdAndSecContext().
518 */
519Oid
521{
523 return CurrentUserId;
524}
525
526
527/*
528 * GetOuterUserId/SetOuterUserId - get/set the outer-level user ID.
529 */
530Oid
532{
534 return OuterUserId;
535}
536
537
538static void
540{
542 Assert(OidIsValid(userid));
543 OuterUserId = userid;
544
545 /* We force the effective user ID to match, too */
546 CurrentUserId = userid;
547
548 /* Also update the is_superuser GUC to match OuterUserId's property */
549 SetConfigOption("is_superuser",
550 is_superuser ? "on" : "off",
552}
553
554
555/*
556 * GetSessionUserId/SetSessionUserId - get/set the session user ID.
557 */
558Oid
560{
562 return SessionUserId;
563}
564
565bool
567{
570}
571
572static void
574{
576 Assert(OidIsValid(userid));
577 SessionUserId = userid;
579}
580
581/*
582 * Return the system user representing the authenticated identity.
583 * It is defined in InitializeSystemUser() as auth_method:authn_id.
584 */
585const char *
587{
588 return SystemUser;
589}
590
591/*
592 * GetAuthenticatedUserId/SetAuthenticatedUserId - get/set the authenticated
593 * user ID
594 */
595Oid
597{
599 return AuthenticatedUserId;
600}
601
602void
604{
605 Assert(OidIsValid(userid));
606
607 /* call only once */
609
610 AuthenticatedUserId = userid;
611
612 /* Also mark our PGPROC entry with the authenticated user id */
613 /* (We assume this is an atomic store so no lock is needed) */
614 MyProc->roleId = userid;
615}
616
617
618/*
619 * GetUserIdAndSecContext/SetUserIdAndSecContext - get/set the current user ID
620 * and the SecurityRestrictionContext flags.
621 *
622 * Currently there are three valid bits in SecurityRestrictionContext:
623 *
624 * SECURITY_LOCAL_USERID_CHANGE indicates that we are inside an operation
625 * that is temporarily changing CurrentUserId via these functions. This is
626 * needed to indicate that the actual value of CurrentUserId is not in sync
627 * with guc.c's internal state, so SET ROLE has to be disallowed.
628 *
629 * SECURITY_RESTRICTED_OPERATION indicates that we are inside an operation
630 * that does not wish to trust called user-defined functions at all. The
631 * policy is to use this before operations, e.g. autovacuum and REINDEX, that
632 * enumerate relations of a database or schema and run functions associated
633 * with each found relation. The relation owner is the new user ID. Set this
634 * as soon as possible after locking the relation. Restore the old user ID as
635 * late as possible before closing the relation; restoring it shortly after
636 * close is also tolerable. If a command has both relation-enumerating and
637 * non-enumerating modes, e.g. ANALYZE, both modes set this bit. This bit
638 * prevents not only SET ROLE, but various other changes of session state that
639 * normally is unprotected but might possibly be used to subvert the calling
640 * session later. An example is replacing an existing prepared statement with
641 * new code, which will then be executed with the outer session's permissions
642 * when the prepared statement is next used. These restrictions are fairly
643 * draconian, but the functions called in relation-enumerating operations are
644 * really supposed to be side-effect-free anyway.
645 *
646 * SECURITY_NOFORCE_RLS indicates that we are inside an operation which should
647 * ignore the FORCE ROW LEVEL SECURITY per-table indication. This is used to
648 * ensure that FORCE RLS does not mistakenly break referential integrity
649 * checks. Note that this is intentionally only checked when running as the
650 * owner of the table (which should always be the case for referential
651 * integrity checks).
652 *
653 * Unlike GetUserId, GetUserIdAndSecContext does *not* Assert that the current
654 * value of CurrentUserId is valid; nor does SetUserIdAndSecContext require
655 * the new value to be valid. In fact, these routines had better not
656 * ever throw any kind of error. This is because they are used by
657 * StartTransaction and AbortTransaction to save/restore the settings,
658 * and during the first transaction within a backend, the value to be saved
659 * and perhaps restored is indeed invalid. We have to be able to get
660 * through AbortTransaction without asserting in case InitPostgres fails.
661 */
662void
663GetUserIdAndSecContext(Oid *userid, int *sec_context)
664{
665 *userid = CurrentUserId;
666 *sec_context = SecurityRestrictionContext;
667}
668
669void
670SetUserIdAndSecContext(Oid userid, int sec_context)
671{
672 CurrentUserId = userid;
673 SecurityRestrictionContext = sec_context;
674}
675
676
677/*
678 * InLocalUserIdChange - are we inside a local change of CurrentUserId?
679 */
680bool
682{
684}
685
686/*
687 * InSecurityRestrictedOperation - are we inside a security-restricted command?
688 */
689bool
691{
693}
694
695/*
696 * InNoForceRLSOperation - are we ignoring FORCE ROW LEVEL SECURITY ?
697 */
698bool
700{
702}
703
704
705/*
706 * These are obsolete versions of Get/SetUserIdAndSecContext that are
707 * only provided for bug-compatibility with some rather dubious code in
708 * pljava. We allow the userid to be set, but only when not inside a
709 * security restriction context.
710 */
711void
712GetUserIdAndContext(Oid *userid, bool *sec_def_context)
713{
714 *userid = CurrentUserId;
715 *sec_def_context = InLocalUserIdChange();
716}
717
718void
719SetUserIdAndContext(Oid userid, bool sec_def_context)
720{
721 /* We throw the same error SET ROLE would. */
724 (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
725 errmsg("cannot set parameter \"%s\" within security-restricted operation",
726 "role")));
727 CurrentUserId = userid;
728 if (sec_def_context)
730 else
731 SecurityRestrictionContext &= ~SECURITY_LOCAL_USERID_CHANGE;
732}
733
734
735/*
736 * Check whether specified role has explicit REPLICATION privilege
737 */
738bool
740{
741 bool result = false;
742 HeapTuple utup;
743
744 /* Superusers bypass all permission checking. */
745 if (superuser_arg(roleid))
746 return true;
747
748 utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
749 if (HeapTupleIsValid(utup))
750 {
751 result = ((Form_pg_authid) GETSTRUCT(utup))->rolreplication;
752 ReleaseSysCache(utup);
753 }
754 return result;
755}
756
757/*
758 * Initialize user identity during normal backend startup
759 */
760void
761InitializeSessionUserId(const char *rolename, Oid roleid,
762 bool bypass_login_check)
763{
764 HeapTuple roleTup;
765 Form_pg_authid rform;
766 char *rname;
767 bool is_superuser;
768
769 /*
770 * In a parallel worker, we don't have to do anything here.
771 * ParallelWorkerMain already set our output variables, and we aren't
772 * going to enforce either rolcanlogin or rolconnlimit. Furthermore, we
773 * don't really want to perform a catalog lookup for the role: we don't
774 * want to fail if it's been dropped.
775 */
777 {
778 Assert(bypass_login_check);
779 return;
780 }
781
782 /*
783 * Don't do scans if we're bootstrapping, none of the system catalogs
784 * exist yet, and they should be owned by postgres anyway.
785 */
787
788 /*
789 * Make sure syscache entries are flushed for recent catalog changes. This
790 * allows us to find roles that were created on-the-fly during
791 * authentication.
792 */
794
795 /*
796 * Look up the role, either by name if that's given or by OID if not.
797 */
798 if (rolename != NULL)
799 {
800 roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(rolename));
801 if (!HeapTupleIsValid(roleTup))
803 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
804 errmsg("role \"%s\" does not exist", rolename)));
805 }
806 else
807 {
808 roleTup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
809 if (!HeapTupleIsValid(roleTup))
811 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
812 errmsg("role with OID %u does not exist", roleid)));
813 }
814
815 rform = (Form_pg_authid) GETSTRUCT(roleTup);
816 roleid = rform->oid;
817 rname = NameStr(rform->rolname);
818 is_superuser = rform->rolsuper;
819
821
822 /*
823 * Set SessionUserId and related variables, including "role", via the GUC
824 * mechanisms.
825 *
826 * Note: ideally we would use PGC_S_DYNAMIC_DEFAULT here, so that
827 * session_authorization could subsequently be changed from
828 * pg_db_role_setting entries. Instead, session_authorization in
829 * pg_db_role_setting has no effect. Changing that would require solving
830 * two problems:
831 *
832 * 1. If pg_db_role_setting has values for both session_authorization and
833 * role, we could not be sure which order those would be applied in, and
834 * it would matter.
835 *
836 * 2. Sites may have years-old session_authorization entries. There's not
837 * been any particular reason to remove them. Ending the dormancy of
838 * those entries could seriously change application behavior, so only a
839 * major release should do that.
840 */
841 SetConfigOption("session_authorization", rname,
843
844 /*
845 * These next checks are not enforced when in standalone mode, so that
846 * there is a way to recover from sillinesses like "UPDATE pg_authid SET
847 * rolcanlogin = false;".
848 */
850 {
851 /*
852 * Is role allowed to login at all? (But background workers can
853 * override this by setting bypass_login_check.)
854 */
855 if (!bypass_login_check && !rform->rolcanlogin)
857 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
858 errmsg("role \"%s\" is not permitted to log in",
859 rname)));
860
861 /*
862 * Check connection limit for this role. We enforce the limit only
863 * for regular backends, since other process types have their own
864 * PGPROC pools.
865 *
866 * There is a race condition here --- we create our PGPROC before
867 * checking for other PGPROCs. If two backends did this at about the
868 * same time, they might both think they were over the limit, while
869 * ideally one should succeed and one fail. Getting that to work
870 * exactly seems more trouble than it is worth, however; instead we
871 * just document that the connection limit is approximate.
872 */
873 if (rform->rolconnlimit >= 0 &&
875 !is_superuser &&
876 CountUserBackends(roleid) > rform->rolconnlimit)
878 (errcode(ERRCODE_TOO_MANY_CONNECTIONS),
879 errmsg("too many connections for role \"%s\"",
880 rname)));
881 }
882
883 ReleaseSysCache(roleTup);
884}
885
886
887/*
888 * Initialize user identity during special backend startup
889 */
890void
892{
893 /*
894 * This function should only be called in single-user mode, in autovacuum
895 * workers, in slot sync worker and in background workers.
896 */
899
900 /* call only once */
902
903 AuthenticatedUserId = BOOTSTRAP_SUPERUSERID;
904
905 /*
906 * XXX Ideally we'd do this via SetConfigOption("session_authorization"),
907 * but we lack the role name needed to do that, and we can't fetch it
908 * because one reason for this special case is to be able to start up even
909 * if something's happened to the BOOTSTRAP_SUPERUSERID's pg_authid row.
910 * Since we don't set the GUC itself, C code will see the value as NULL,
911 * and current_setting() will report an empty string within this session.
912 */
913 SetSessionAuthorization(BOOTSTRAP_SUPERUSERID, true);
914
915 /* We could do SetConfigOption("role"), but let's be consistent */
917}
918
919/*
920 * Initialize the system user.
921 *
922 * This is built as auth_method:authn_id.
923 */
924void
925InitializeSystemUser(const char *authn_id, const char *auth_method)
926{
927 char *system_user;
928
929 /* call only once */
930 Assert(SystemUser == NULL);
931
932 /*
933 * InitializeSystemUser should be called only when authn_id is not NULL,
934 * meaning that auth_method is valid.
935 */
936 Assert(authn_id != NULL);
937
938 system_user = psprintf("%s:%s", auth_method, authn_id);
939
940 /* Store SystemUser in long-lived storage */
943}
944
945/*
946 * SQL-function SYSTEM_USER
947 */
948Datum
950{
951 const char *sysuser = GetSystemUser();
952
953 if (sysuser)
955 else
957}
958
959/*
960 * Change session auth ID while running
961 *
962 * The SQL standard says that SET SESSION AUTHORIZATION implies SET ROLE NONE.
963 * We mechanize that at higher levels not here, because this is the GUC
964 * assign hook for "session_authorization", and it must be commutative with
965 * SetCurrentRoleId (the hook for "role") because guc.c provides no guarantees
966 * which will run first during cases such as transaction rollback. Therefore,
967 * we update derived state (OuterUserId/CurrentUserId/is_superuser) only if
968 * !SetRoleIsActive.
969 */
970void
972{
974
975 if (!SetRoleIsActive)
977}
978
979/*
980 * Report current role id
981 * This follows the semantics of SET ROLE, ie return the outer-level ID
982 * not the current effective ID, and return InvalidOid when the setting
983 * is logically SET ROLE NONE.
984 */
985Oid
987{
988 if (SetRoleIsActive)
989 return OuterUserId;
990 else
991 return InvalidOid;
992}
993
994/*
995 * Change Role ID while running (SET ROLE)
996 *
997 * If roleid is InvalidOid, we are doing SET ROLE NONE: revert to the
998 * session user authorization. In this case the is_superuser argument
999 * is ignored.
1000 *
1001 * When roleid is not InvalidOid, the caller must have checked whether
1002 * the session user has permission to become that role. (We cannot check
1003 * here because this routine must be able to execute in a failed transaction
1004 * to restore a prior value of the ROLE GUC variable.)
1005 */
1006void
1008{
1009 /*
1010 * Get correct info if it's SET ROLE NONE
1011 *
1012 * If SessionUserId hasn't been set yet, do nothing beyond updating
1013 * SetRoleIsActive --- the eventual SetSessionAuthorization call will
1014 * update the derived state. This is needed since we will get called
1015 * during GUC initialization.
1016 */
1017 if (!OidIsValid(roleid))
1018 {
1019 SetRoleIsActive = false;
1020
1022 return;
1023
1024 roleid = SessionUserId;
1026 }
1027 else
1028 SetRoleIsActive = true;
1029
1031}
1032
1033
1034/*
1035 * Get user name from user oid, returns NULL for nonexistent roleid if noerr
1036 * is true.
1037 */
1038char *
1039GetUserNameFromId(Oid roleid, bool noerr)
1040{
1041 HeapTuple tuple;
1042 char *result;
1043
1044 tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
1045 if (!HeapTupleIsValid(tuple))
1046 {
1047 if (!noerr)
1048 ereport(ERROR,
1049 (errcode(ERRCODE_UNDEFINED_OBJECT),
1050 errmsg("invalid role OID: %u", roleid)));
1051 result = NULL;
1052 }
1053 else
1054 {
1055 result = pstrdup(NameStr(((Form_pg_authid) GETSTRUCT(tuple))->rolname));
1056 ReleaseSysCache(tuple);
1057 }
1058 return result;
1059}
1060
1061/* ------------------------------------------------------------------------
1062 * Client connection state shared with parallel workers
1063 *
1064 * ClientConnectionInfo contains pieces of information about the client that
1065 * need to be synced to parallel workers when they initialize.
1066 *-------------------------------------------------------------------------
1067 */
1068
1070
1071/*
1072 * Intermediate representation of ClientConnectionInfo for easier
1073 * serialization. Variable-length fields are allocated right after this
1074 * header.
1075 */
1077{
1078 int32 authn_id_len; /* strlen(authn_id), or -1 if NULL */
1081
1082/*
1083 * Calculate the space needed to serialize MyClientConnectionInfo.
1084 */
1085Size
1087{
1088 Size size = 0;
1089
1090 size = add_size(size, sizeof(SerializedClientConnectionInfo));
1091
1093 size = add_size(size, strlen(MyClientConnectionInfo.authn_id) + 1);
1094
1095 return size;
1096}
1097
1098/*
1099 * Serialize MyClientConnectionInfo for use by parallel workers.
1100 */
1101void
1102SerializeClientConnectionInfo(Size maxsize, char *start_address)
1103{
1104 SerializedClientConnectionInfo serialized = {0};
1105
1106 serialized.authn_id_len = -1;
1108
1110 serialized.authn_id_len = strlen(MyClientConnectionInfo.authn_id);
1111
1112 /* Copy serialized representation to buffer */
1113 Assert(maxsize >= sizeof(serialized));
1114 memcpy(start_address, &serialized, sizeof(serialized));
1115
1116 maxsize -= sizeof(serialized);
1117 start_address += sizeof(serialized);
1118
1119 /* Copy authn_id into the space after the struct */
1120 if (serialized.authn_id_len >= 0)
1121 {
1122 Assert(maxsize >= (serialized.authn_id_len + 1));
1123 memcpy(start_address,
1125 /* include the NULL terminator to ease deserialization */
1126 serialized.authn_id_len + 1);
1127 }
1128}
1129
1130/*
1131 * Restore MyClientConnectionInfo from its serialized representation.
1132 */
1133void
1135{
1137
1138 memcpy(&serialized, conninfo, sizeof(serialized));
1139
1140 /* Copy the fields back into place */
1143
1144 if (serialized.authn_id_len >= 0)
1145 {
1146 char *authn_id;
1147
1148 authn_id = conninfo + sizeof(serialized);
1150 authn_id);
1151 }
1152}
1153
1154
1155/*-------------------------------------------------------------------------
1156 * Interlock-file support
1157 *
1158 * These routines are used to create both a data-directory lockfile
1159 * ($DATADIR/postmaster.pid) and Unix-socket-file lockfiles ($SOCKFILE.lock).
1160 * Both kinds of files contain the same info initially, although we can add
1161 * more information to a data-directory lockfile after it's created, using
1162 * AddToDataDirLockFile(). See pidfile.h for documentation of the contents
1163 * of these lockfiles.
1164 *
1165 * On successful lockfile creation, a proc_exit callback to remove the
1166 * lockfile is automatically created.
1167 *-------------------------------------------------------------------------
1168 */
1169
1170/*
1171 * proc_exit callback to remove lockfiles.
1172 */
1173static void
1175{
1176 ListCell *l;
1177
1178 foreach(l, lock_files)
1179 {
1180 char *curfile = (char *) lfirst(l);
1181
1182 unlink(curfile);
1183 /* Should we complain if the unlink fails? */
1184 }
1185 /* Since we're about to exit, no need to reclaim storage */
1186 lock_files = NIL;
1187
1188 /*
1189 * Lock file removal should always be the last externally visible action
1190 * of a postmaster or standalone backend, while we won't come here at all
1191 * when exiting postmaster child processes. Therefore, this is a good
1192 * place to log completion of shutdown. We could alternatively teach
1193 * proc_exit() to do it, but that seems uglier. In a standalone backend,
1194 * use NOTICE elevel to be less chatty.
1195 */
1197 (errmsg("database system is shut down")));
1198}
1199
1200/*
1201 * Create a lockfile.
1202 *
1203 * filename is the path name of the lockfile to create.
1204 * amPostmaster is used to determine how to encode the output PID.
1205 * socketDir is the Unix socket directory path to include (possibly empty).
1206 * isDDLock and refName are used to determine what error message to produce.
1207 */
1208static void
1209CreateLockFile(const char *filename, bool amPostmaster,
1210 const char *socketDir,
1211 bool isDDLock, const char *refName)
1212{
1213 int fd;
1214 char buffer[MAXPGPATH * 2 + 256];
1215 int ntries;
1216 int len;
1217 int encoded_pid;
1218 pid_t other_pid;
1219 pid_t my_pid,
1220 my_p_pid,
1221 my_gp_pid;
1222 const char *envvar;
1223
1224 /*
1225 * If the PID in the lockfile is our own PID or our parent's or
1226 * grandparent's PID, then the file must be stale (probably left over from
1227 * a previous system boot cycle). We need to check this because of the
1228 * likelihood that a reboot will assign exactly the same PID as we had in
1229 * the previous reboot, or one that's only one or two counts larger and
1230 * hence the lockfile's PID now refers to an ancestor shell process. We
1231 * allow pg_ctl to pass down its parent shell PID (our grandparent PID)
1232 * via the environment variable PG_GRANDPARENT_PID; this is so that
1233 * launching the postmaster via pg_ctl can be just as reliable as
1234 * launching it directly. There is no provision for detecting
1235 * further-removed ancestor processes, but if the init script is written
1236 * carefully then all but the immediate parent shell will be root-owned
1237 * processes and so the kill test will fail with EPERM. Note that we
1238 * cannot get a false negative this way, because an existing postmaster
1239 * would surely never launch a competing postmaster or pg_ctl process
1240 * directly.
1241 */
1242 my_pid = getpid();
1243
1244#ifndef WIN32
1245 my_p_pid = getppid();
1246#else
1247
1248 /*
1249 * Windows hasn't got getppid(), but doesn't need it since it's not using
1250 * real kill() either...
1251 */
1252 my_p_pid = 0;
1253#endif
1254
1255 envvar = getenv("PG_GRANDPARENT_PID");
1256 if (envvar)
1257 my_gp_pid = atoi(envvar);
1258 else
1259 my_gp_pid = 0;
1260
1261 /*
1262 * We need a loop here because of race conditions. But don't loop forever
1263 * (for example, a non-writable $PGDATA directory might cause a failure
1264 * that won't go away). 100 tries seems like plenty.
1265 */
1266 for (ntries = 0;; ntries++)
1267 {
1268 /*
1269 * Try to create the lock file --- O_EXCL makes this atomic.
1270 *
1271 * Think not to make the file protection weaker than 0600/0640. See
1272 * comments below.
1273 */
1274 fd = open(filename, O_RDWR | O_CREAT | O_EXCL, pg_file_create_mode);
1275 if (fd >= 0)
1276 break; /* Success; exit the retry loop */
1277
1278 /*
1279 * Couldn't create the pid file. Probably it already exists.
1280 */
1281 if ((errno != EEXIST && errno != EACCES) || ntries > 100)
1282 ereport(FATAL,
1284 errmsg("could not create lock file \"%s\": %m",
1285 filename)));
1286
1287 /*
1288 * Read the file to get the old owner's PID. Note race condition
1289 * here: file might have been deleted since we tried to create it.
1290 */
1291 fd = open(filename, O_RDONLY, pg_file_create_mode);
1292 if (fd < 0)
1293 {
1294 if (errno == ENOENT)
1295 continue; /* race condition; try again */
1296 ereport(FATAL,
1298 errmsg("could not open lock file \"%s\": %m",
1299 filename)));
1300 }
1301 pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_CREATE_READ);
1302 if ((len = read(fd, buffer, sizeof(buffer) - 1)) < 0)
1303 ereport(FATAL,
1305 errmsg("could not read lock file \"%s\": %m",
1306 filename)));
1308 close(fd);
1309
1310 if (len == 0)
1311 {
1312 ereport(FATAL,
1313 (errcode(ERRCODE_LOCK_FILE_EXISTS),
1314 errmsg("lock file \"%s\" is empty", filename),
1315 errhint("Either another server is starting, or the lock file is the remnant of a previous server startup crash.")));
1316 }
1317
1318 buffer[len] = '\0';
1319 encoded_pid = atoi(buffer);
1320
1321 /* if pid < 0, the pid is for postgres, not postmaster */
1322 other_pid = (pid_t) (encoded_pid < 0 ? -encoded_pid : encoded_pid);
1323
1324 if (other_pid <= 0)
1325 elog(FATAL, "bogus data in lock file \"%s\": \"%s\"",
1326 filename, buffer);
1327
1328 /*
1329 * Check to see if the other process still exists
1330 *
1331 * Per discussion above, my_pid, my_p_pid, and my_gp_pid can be
1332 * ignored as false matches.
1333 *
1334 * Normally kill() will fail with ESRCH if the given PID doesn't
1335 * exist.
1336 *
1337 * We can treat the EPERM-error case as okay because that error
1338 * implies that the existing process has a different userid than we
1339 * do, which means it cannot be a competing postmaster. A postmaster
1340 * cannot successfully attach to a data directory owned by a userid
1341 * other than its own, as enforced in checkDataDir(). Also, since we
1342 * create the lockfiles mode 0600/0640, we'd have failed above if the
1343 * lockfile belonged to another userid --- which means that whatever
1344 * process kill() is reporting about isn't the one that made the
1345 * lockfile. (NOTE: this last consideration is the only one that
1346 * keeps us from blowing away a Unix socket file belonging to an
1347 * instance of Postgres being run by someone else, at least on
1348 * machines where /tmp hasn't got a stickybit.)
1349 */
1350 if (other_pid != my_pid && other_pid != my_p_pid &&
1351 other_pid != my_gp_pid)
1352 {
1353 if (kill(other_pid, 0) == 0 ||
1354 (errno != ESRCH && errno != EPERM))
1355 {
1356 /* lockfile belongs to a live process */
1357 ereport(FATAL,
1358 (errcode(ERRCODE_LOCK_FILE_EXISTS),
1359 errmsg("lock file \"%s\" already exists",
1360 filename),
1361 isDDLock ?
1362 (encoded_pid < 0 ?
1363 errhint("Is another postgres (PID %d) running in data directory \"%s\"?",
1364 (int) other_pid, refName) :
1365 errhint("Is another postmaster (PID %d) running in data directory \"%s\"?",
1366 (int) other_pid, refName)) :
1367 (encoded_pid < 0 ?
1368 errhint("Is another postgres (PID %d) using socket file \"%s\"?",
1369 (int) other_pid, refName) :
1370 errhint("Is another postmaster (PID %d) using socket file \"%s\"?",
1371 (int) other_pid, refName))));
1372 }
1373 }
1374
1375 /*
1376 * No, the creating process did not exist. However, it could be that
1377 * the postmaster crashed (or more likely was kill -9'd by a clueless
1378 * admin) but has left orphan backends behind. Check for this by
1379 * looking to see if there is an associated shmem segment that is
1380 * still in use.
1381 *
1382 * Note: because postmaster.pid is written in multiple steps, we might
1383 * not find the shmem ID values in it; we can't treat that as an
1384 * error.
1385 */
1386 if (isDDLock)
1387 {
1388 char *ptr = buffer;
1389 unsigned long id1,
1390 id2;
1391 int lineno;
1392
1393 for (lineno = 1; lineno < LOCK_FILE_LINE_SHMEM_KEY; lineno++)
1394 {
1395 if ((ptr = strchr(ptr, '\n')) == NULL)
1396 break;
1397 ptr++;
1398 }
1399
1400 if (ptr != NULL &&
1401 sscanf(ptr, "%lu %lu", &id1, &id2) == 2)
1402 {
1403 if (PGSharedMemoryIsInUse(id1, id2))
1404 ereport(FATAL,
1405 (errcode(ERRCODE_LOCK_FILE_EXISTS),
1406 errmsg("pre-existing shared memory block (key %lu, ID %lu) is still in use",
1407 id1, id2),
1408 errhint("Terminate any old server processes associated with data directory \"%s\".",
1409 refName)));
1410 }
1411 }
1412
1413 /*
1414 * Looks like nobody's home. Unlink the file and try again to create
1415 * it. Need a loop because of possible race condition against other
1416 * would-be creators.
1417 */
1418 if (unlink(filename) < 0)
1419 ereport(FATAL,
1421 errmsg("could not remove old lock file \"%s\": %m",
1422 filename),
1423 errhint("The file seems accidentally left over, but "
1424 "it could not be removed. Please remove the file "
1425 "by hand and try again.")));
1426 }
1427
1428 /*
1429 * Successfully created the file, now fill it. See comment in pidfile.h
1430 * about the contents. Note that we write the same first five lines into
1431 * both datadir and socket lockfiles; although more stuff may get added to
1432 * the datadir lockfile later.
1433 */
1434 snprintf(buffer, sizeof(buffer), "%d\n%s\n" INT64_FORMAT "\n%d\n%s\n",
1435 amPostmaster ? (int) my_pid : -((int) my_pid),
1436 DataDir,
1439 socketDir);
1440
1441 /*
1442 * In a standalone backend, the next line (LOCK_FILE_LINE_LISTEN_ADDR)
1443 * will never receive data, so fill it in as empty now.
1444 */
1445 if (isDDLock && !amPostmaster)
1446 strlcat(buffer, "\n", sizeof(buffer));
1447
1448 errno = 0;
1449 pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_CREATE_WRITE);
1450 if (write(fd, buffer, strlen(buffer)) != strlen(buffer))
1451 {
1452 int save_errno = errno;
1453
1454 close(fd);
1455 unlink(filename);
1456 /* if write didn't set errno, assume problem is no disk space */
1457 errno = save_errno ? save_errno : ENOSPC;
1458 ereport(FATAL,
1460 errmsg("could not write lock file \"%s\": %m", filename)));
1461 }
1463
1464 pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_CREATE_SYNC);
1465 if (pg_fsync(fd) != 0)
1466 {
1467 int save_errno = errno;
1468
1469 close(fd);
1470 unlink(filename);
1471 errno = save_errno;
1472 ereport(FATAL,
1474 errmsg("could not write lock file \"%s\": %m", filename)));
1475 }
1477 if (close(fd) != 0)
1478 {
1479 int save_errno = errno;
1480
1481 unlink(filename);
1482 errno = save_errno;
1483 ereport(FATAL,
1485 errmsg("could not write lock file \"%s\": %m", filename)));
1486 }
1487
1488 /*
1489 * Arrange to unlink the lock file(s) at proc_exit. If this is the first
1490 * one, set up the on_proc_exit function to do it; then add this lock file
1491 * to the list of files to unlink.
1492 */
1493 if (lock_files == NIL)
1495
1496 /*
1497 * Use lcons so that the lock files are unlinked in reverse order of
1498 * creation; this is critical!
1499 */
1501}
1502
1503/*
1504 * Create the data directory lockfile.
1505 *
1506 * When this is called, we must have already switched the working
1507 * directory to DataDir, so we can just use a relative path. This
1508 * helps ensure that we are locking the directory we should be.
1509 *
1510 * Note that the socket directory path line is initially written as empty.
1511 * postmaster.c will rewrite it upon creating the first Unix socket.
1512 */
1513void
1514CreateDataDirLockFile(bool amPostmaster)
1515{
1516 CreateLockFile(DIRECTORY_LOCK_FILE, amPostmaster, "", true, DataDir);
1517}
1518
1519/*
1520 * Create a lockfile for the specified Unix socket file.
1521 */
1522void
1523CreateSocketLockFile(const char *socketfile, bool amPostmaster,
1524 const char *socketDir)
1525{
1526 char lockfile[MAXPGPATH];
1527
1528 snprintf(lockfile, sizeof(lockfile), "%s.lock", socketfile);
1529 CreateLockFile(lockfile, amPostmaster, socketDir, false, socketfile);
1530}
1531
1532/*
1533 * TouchSocketLockFiles -- mark socket lock files as recently accessed
1534 *
1535 * This routine should be called every so often to ensure that the socket
1536 * lock files have a recent mod or access date. That saves them
1537 * from being removed by overenthusiastic /tmp-directory-cleaner daemons.
1538 * (Another reason we should never have put the socket file in /tmp...)
1539 */
1540void
1542{
1543 ListCell *l;
1544
1545 foreach(l, lock_files)
1546 {
1547 char *socketLockFile = (char *) lfirst(l);
1548
1549 /* No need to touch the data directory lock file, we trust */
1550 if (strcmp(socketLockFile, DIRECTORY_LOCK_FILE) == 0)
1551 continue;
1552
1553 /* we just ignore any error here */
1554 (void) utime(socketLockFile, NULL);
1555 }
1556}
1557
1558
1559/*
1560 * Add (or replace) a line in the data directory lock file.
1561 * The given string should not include a trailing newline.
1562 *
1563 * Note: because we don't truncate the file, if we were to rewrite a line
1564 * with less data than it had before, there would be garbage after the last
1565 * line. While we could fix that by adding a truncate call, that would make
1566 * the file update non-atomic, which we'd rather avoid. Therefore, callers
1567 * should endeavor never to shorten a line once it's been written.
1568 */
1569void
1570AddToDataDirLockFile(int target_line, const char *str)
1571{
1572 int fd;
1573 int len;
1574 int lineno;
1575 char *srcptr;
1576 char *destptr;
1577 char srcbuffer[BLCKSZ];
1578 char destbuffer[BLCKSZ];
1579
1580 fd = open(DIRECTORY_LOCK_FILE, O_RDWR | PG_BINARY, 0);
1581 if (fd < 0)
1582 {
1583 ereport(LOG,
1585 errmsg("could not open file \"%s\": %m",
1587 return;
1588 }
1589 pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_ADDTODATADIR_READ);
1590 len = read(fd, srcbuffer, sizeof(srcbuffer) - 1);
1592 if (len < 0)
1593 {
1594 ereport(LOG,
1596 errmsg("could not read from file \"%s\": %m",
1598 close(fd);
1599 return;
1600 }
1601 srcbuffer[len] = '\0';
1602
1603 /*
1604 * Advance over lines we are not supposed to rewrite, then copy them to
1605 * destbuffer.
1606 */
1607 srcptr = srcbuffer;
1608 for (lineno = 1; lineno < target_line; lineno++)
1609 {
1610 char *eol = strchr(srcptr, '\n');
1611
1612 if (eol == NULL)
1613 break; /* not enough lines in file yet */
1614 srcptr = eol + 1;
1615 }
1616 memcpy(destbuffer, srcbuffer, srcptr - srcbuffer);
1617 destptr = destbuffer + (srcptr - srcbuffer);
1618
1619 /*
1620 * Fill in any missing lines before the target line, in case lines are
1621 * added to the file out of order.
1622 */
1623 for (; lineno < target_line; lineno++)
1624 {
1625 if (destptr < destbuffer + sizeof(destbuffer))
1626 *destptr++ = '\n';
1627 }
1628
1629 /*
1630 * Write or rewrite the target line.
1631 */
1632 snprintf(destptr, destbuffer + sizeof(destbuffer) - destptr, "%s\n", str);
1633 destptr += strlen(destptr);
1634
1635 /*
1636 * If there are more lines in the old file, append them to destbuffer.
1637 */
1638 if ((srcptr = strchr(srcptr, '\n')) != NULL)
1639 {
1640 srcptr++;
1641 snprintf(destptr, destbuffer + sizeof(destbuffer) - destptr, "%s",
1642 srcptr);
1643 }
1644
1645 /*
1646 * And rewrite the data. Since we write in a single kernel call, this
1647 * update should appear atomic to onlookers.
1648 */
1649 len = strlen(destbuffer);
1650 errno = 0;
1651 pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_ADDTODATADIR_WRITE);
1652 if (pg_pwrite(fd, destbuffer, len, 0) != len)
1653 {
1655 /* if write didn't set errno, assume problem is no disk space */
1656 if (errno == 0)
1657 errno = ENOSPC;
1658 ereport(LOG,
1660 errmsg("could not write to file \"%s\": %m",
1662 close(fd);
1663 return;
1664 }
1666 pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_ADDTODATADIR_SYNC);
1667 if (pg_fsync(fd) != 0)
1668 {
1669 ereport(LOG,
1671 errmsg("could not write to file \"%s\": %m",
1673 }
1675 if (close(fd) != 0)
1676 {
1677 ereport(LOG,
1679 errmsg("could not write to file \"%s\": %m",
1681 }
1682}
1683
1684
1685/*
1686 * Recheck that the data directory lock file still exists with expected
1687 * content. Return true if the lock file appears OK, false if it isn't.
1688 *
1689 * We call this periodically in the postmaster. The idea is that if the
1690 * lock file has been removed or replaced by another postmaster, we should
1691 * do a panic database shutdown. Therefore, we should return true if there
1692 * is any doubt: we do not want to cause a panic shutdown unnecessarily.
1693 * Transient failures like EINTR or ENFILE should not cause us to fail.
1694 * (If there really is something wrong, we'll detect it on a future recheck.)
1695 */
1696bool
1698{
1699 int fd;
1700 int len;
1701 long file_pid;
1702 char buffer[BLCKSZ];
1703
1704 fd = open(DIRECTORY_LOCK_FILE, O_RDWR | PG_BINARY, 0);
1705 if (fd < 0)
1706 {
1707 /*
1708 * There are many foreseeable false-positive error conditions. For
1709 * safety, fail only on enumerated clearly-something-is-wrong
1710 * conditions.
1711 */
1712 switch (errno)
1713 {
1714 case ENOENT:
1715 case ENOTDIR:
1716 /* disaster */
1717 ereport(LOG,
1719 errmsg("could not open file \"%s\": %m",
1721 return false;
1722 default:
1723 /* non-fatal, at least for now */
1724 ereport(LOG,
1726 errmsg("could not open file \"%s\": %m; continuing anyway",
1728 return true;
1729 }
1730 }
1731 pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_RECHECKDATADIR_READ);
1732 len = read(fd, buffer, sizeof(buffer) - 1);
1734 if (len < 0)
1735 {
1736 ereport(LOG,
1738 errmsg("could not read from file \"%s\": %m",
1740 close(fd);
1741 return true; /* treat read failure as nonfatal */
1742 }
1743 buffer[len] = '\0';
1744 close(fd);
1745 file_pid = atol(buffer);
1746 if (file_pid == getpid())
1747 return true; /* all is well */
1748
1749 /* Trouble: someone's overwritten the lock file */
1750 ereport(LOG,
1751 (errmsg("lock file \"%s\" contains wrong PID: %ld instead of %ld",
1752 DIRECTORY_LOCK_FILE, file_pid, (long) getpid())));
1753 return false;
1754}
1755
1756
1757/*-------------------------------------------------------------------------
1758 * Version checking support
1759 *-------------------------------------------------------------------------
1760 */
1761
1762/*
1763 * Determine whether the PG_VERSION file in directory `path' indicates
1764 * a data version compatible with the version of this program.
1765 *
1766 * If compatible, return. Otherwise, ereport(FATAL).
1767 */
1768void
1769ValidatePgVersion(const char *path)
1770{
1771 char full_path[MAXPGPATH];
1772 FILE *file;
1773 int ret;
1774 long file_major;
1775 long my_major;
1776 char *endptr;
1777 char file_version_string[64];
1778 const char *my_version_string = PG_VERSION;
1779
1780 my_major = strtol(my_version_string, &endptr, 10);
1781
1782 snprintf(full_path, sizeof(full_path), "%s/PG_VERSION", path);
1783
1784 file = AllocateFile(full_path, "r");
1785 if (!file)
1786 {
1787 if (errno == ENOENT)
1788 ereport(FATAL,
1789 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1790 errmsg("\"%s\" is not a valid data directory",
1791 path),
1792 errdetail("File \"%s\" is missing.", full_path)));
1793 else
1794 ereport(FATAL,
1796 errmsg("could not open file \"%s\": %m", full_path)));
1797 }
1798
1799 file_version_string[0] = '\0';
1800 ret = fscanf(file, "%63s", file_version_string);
1801 file_major = strtol(file_version_string, &endptr, 10);
1802
1803 if (ret != 1 || endptr == file_version_string)
1804 ereport(FATAL,
1805 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1806 errmsg("\"%s\" is not a valid data directory",
1807 path),
1808 errdetail("File \"%s\" does not contain valid data.",
1809 full_path),
1810 errhint("You might need to initdb.")));
1811
1812 FreeFile(file);
1813
1814 if (my_major != file_major)
1815 ereport(FATAL,
1816 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1817 errmsg("database files are incompatible with server"),
1818 errdetail("The data directory was initialized by PostgreSQL version %s, "
1819 "which is not compatible with this version %s.",
1820 file_version_string, my_version_string)));
1821}
1822
1823/*-------------------------------------------------------------------------
1824 * Library preload support
1825 *-------------------------------------------------------------------------
1826 */
1827
1828/*
1829 * GUC variables: lists of library names to be preloaded at postmaster
1830 * start and at backend start
1831 */
1835
1836/* Flag telling that we are loading shared_preload_libraries */
1839
1842
1843/*
1844 * load the shared libraries listed in 'libraries'
1845 *
1846 * 'gucname': name of GUC variable, for error reports
1847 * 'restricted': if true, force libraries to be in $libdir/plugins/
1848 */
1849static void
1850load_libraries(const char *libraries, const char *gucname, bool restricted)
1851{
1852 char *rawstring;
1853 List *elemlist;
1854 ListCell *l;
1855
1856 if (libraries == NULL || libraries[0] == '\0')
1857 return; /* nothing to do */
1858
1859 /* Need a modifiable copy of string */
1860 rawstring = pstrdup(libraries);
1861
1862 /* Parse string into list of filename paths */
1863 if (!SplitDirectoriesString(rawstring, ',', &elemlist))
1864 {
1865 /* syntax error in list */
1866 list_free_deep(elemlist);
1867 pfree(rawstring);
1868 ereport(LOG,
1869 (errcode(ERRCODE_SYNTAX_ERROR),
1870 errmsg("invalid list syntax in parameter \"%s\"",
1871 gucname)));
1872 return;
1873 }
1874
1875 foreach(l, elemlist)
1876 {
1877 /* Note that filename was already canonicalized */
1878 char *filename = (char *) lfirst(l);
1879 char *expanded = NULL;
1880
1881 /* If restricting, insert $libdir/plugins if not mentioned already */
1882 if (restricted && first_dir_separator(filename) == NULL)
1883 {
1884 expanded = psprintf("$libdir/plugins/%s", filename);
1885 filename = expanded;
1886 }
1887 load_file(filename, restricted);
1889 (errmsg_internal("loaded library \"%s\"", filename)));
1890 if (expanded)
1891 pfree(expanded);
1892 }
1893
1894 list_free_deep(elemlist);
1895 pfree(rawstring);
1896}
1897
1898/*
1899 * process any libraries that should be preloaded at postmaster start
1900 */
1901void
1903{
1906 "shared_preload_libraries",
1907 false);
1910}
1911
1912/*
1913 * process any libraries that should be preloaded at backend start
1914 */
1915void
1917{
1919 "session_preload_libraries",
1920 false);
1922 "local_preload_libraries",
1923 true);
1924}
1925
1926/*
1927 * process any shared memory requests from preloaded libraries
1928 */
1929void
1931{
1936}
1937
1938void
1939pg_bindtextdomain(const char *domain)
1940{
1941#ifdef ENABLE_NLS
1942 if (my_exec_path[0] != '\0')
1943 {
1944 char locale_path[MAXPGPATH];
1945
1946 get_locale_path(my_exec_path, locale_path);
1947 bindtextdomain(domain, locale_path);
1948 pg_bind_textdomain_codeset(domain);
1949 }
1950#endif
1951}
bool InitializingParallelWorker
Definition: parallel.c:121
void pqinitmask(void)
Definition: pqsignal.c:41
sigset_t BlockSig
Definition: pqsignal.c:23
#define CStringGetTextDatum(s)
Definition: builtins.h:97
#define NameStr(name)
Definition: c.h:717
#define gettext_noop(x)
Definition: c.h:1167
#define INT64_FORMAT
Definition: c.h:520
#define PG_BINARY
Definition: c.h:1244
int32_t int32
Definition: c.h:498
#define OidIsValid(objectId)
Definition: c.h:746
size_t Size
Definition: c.h:576
int find_my_exec(const char *argv0, char *retpath)
Definition: exec.c:160
void load_file(const char *filename, bool restricted)
Definition: dfmgr.c:134
int errcode_for_socket_access(void)
Definition: elog.c:954
int errmsg_internal(const char *fmt,...)
Definition: elog.c:1158
int errcode_for_file_access(void)
Definition: elog.c:877
int errdetail(const char *fmt,...)
Definition: elog.c:1204
int errhint(const char *fmt,...)
Definition: elog.c:1318
int errcode(int sqlerrcode)
Definition: elog.c:854
int errmsg(const char *fmt,...)
Definition: elog.c:1071
#define LOG
Definition: elog.h:31
#define FATAL
Definition: elog.h:41
#define DEBUG1
Definition: elog.h:30
#define ERROR
Definition: elog.h:39
#define elog(elevel,...)
Definition: elog.h:226
#define NOTICE
Definition: elog.h:35
#define ereport(elevel,...)
Definition: elog.h:149
int FreeFile(FILE *file)
Definition: fd.c:2843
int pg_fsync(int fd)
Definition: fd.c:386
FILE * AllocateFile(const char *name, const char *mode)
Definition: fd.c:2644
int pg_file_create_mode
Definition: file_perm.c:19
void SetDataDirectoryCreatePerm(int dataDirMode)
Definition: file_perm.c:34
int pg_mode_mask
Definition: file_perm.c:25
int pg_dir_create_mode
Definition: file_perm.c:18
#define PG_MODE_MASK_GROUP
Definition: file_perm.h:29
#define PG_RETURN_NULL()
Definition: fmgr.h:345
#define PG_RETURN_DATUM(x)
Definition: fmgr.h:353
#define PG_FUNCTION_ARGS
Definition: fmgr.h:193
char pkglib_path[MAXPGPATH]
Definition: globals.c:83
bool IsUnderPostmaster
Definition: globals.c:121
int data_directory_mode
Definition: globals.c:78
char * DataDir
Definition: globals.c:72
bool IsPostmasterEnvironment
Definition: globals.c:120
pg_time_t MyStartTime
Definition: globals.c:49
struct Latch * MyLatch
Definition: globals.c:64
char * DatabasePath
Definition: globals.c:105
char my_exec_path[MAXPGPATH]
Definition: globals.c:82
void SetConfigOption(const char *name, const char *value, GucContext context, GucSource source)
Definition: guc.c:4332
@ PGC_S_DYNAMIC_DEFAULT
Definition: guc.h:114
@ PGC_S_OVERRIDE
Definition: guc.h:123
@ PGC_INTERNAL
Definition: guc.h:73
@ PGC_BACKEND
Definition: guc.h:77
Assert(PointerIsAligned(start, uint64))
const char * str
UserAuth
Definition: hba.h:26
#define free(a)
Definition: header.h:65
#define HeapTupleIsValid(tuple)
Definition: htup.h:78
static void * GETSTRUCT(const HeapTupleData *tuple)
Definition: htup_details.h:728
#define close(a)
Definition: win32.h:12
#define write(a, b, c)
Definition: win32.h:14
#define read(a, b, c)
Definition: win32.h:13
void SignalHandlerForCrashExit(SIGNAL_ARGS)
Definition: interrupt.c:77
void AcceptInvalidationMessages(void)
Definition: inval.c:929
void on_proc_exit(pg_on_exit_callback function, Datum arg)
Definition: ipc.c:309
void on_exit_reset(void)
Definition: ipc.c:416
void InitializeLatchWaitSet(void)
Definition: latch.c:35
void SetLatch(Latch *latch)
Definition: latch.c:288
void InitLatch(Latch *latch)
Definition: latch.c:63
#define FeBeWaitSetLatchPos
Definition: libpq.h:64
List * lcons(void *datum, List *list)
Definition: list.c:495
void list_free_deep(List *list)
Definition: list.c:1560
char * MemoryContextStrdup(MemoryContext context, const char *string)
Definition: mcxt.c:2309
char * pstrdup(const char *in)
Definition: mcxt.c:2322
void pfree(void *pointer)
Definition: mcxt.c:2147
MemoryContext TopMemoryContext
Definition: mcxt.c:165
ProcessingMode
Definition: miscadmin.h:469
@ InitProcessing
Definition: miscadmin.h:471
#define IsBootstrapProcessingMode()
Definition: miscadmin.h:477
#define AmAutoVacuumWorkerProcess()
Definition: miscadmin.h:383
#define SECURITY_NOFORCE_RLS
Definition: miscadmin.h:320
#define AmBackgroundWorkerProcess()
Definition: miscadmin.h:384
#define SECURITY_RESTRICTED_OPERATION
Definition: miscadmin.h:319
#define AmLogicalSlotSyncWorkerProcess()
Definition: miscadmin.h:386
#define SECURITY_LOCAL_USERID_CHANGE
Definition: miscadmin.h:318
#define AmRegularBackendProcess()
Definition: miscadmin.h:381
BackendType
Definition: miscadmin.h:338
@ B_WAL_SUMMARIZER
Definition: miscadmin.h:367
@ B_WAL_WRITER
Definition: miscadmin.h:368
@ B_WAL_RECEIVER
Definition: miscadmin.h:366
@ B_CHECKPOINTER
Definition: miscadmin.h:363
@ B_WAL_SENDER
Definition: miscadmin.h:347
@ B_IO_WORKER
Definition: miscadmin.h:364
@ B_LOGGER
Definition: miscadmin.h:374
@ B_STARTUP
Definition: miscadmin.h:365
@ B_BG_WORKER
Definition: miscadmin.h:346
@ B_INVALID
Definition: miscadmin.h:339
@ B_STANDALONE_BACKEND
Definition: miscadmin.h:350
@ B_BG_WRITER
Definition: miscadmin.h:362
@ B_BACKEND
Definition: miscadmin.h:342
@ B_ARCHIVER
Definition: miscadmin.h:361
@ B_AUTOVAC_LAUNCHER
Definition: miscadmin.h:344
@ B_SLOTSYNC_WORKER
Definition: miscadmin.h:348
@ B_DEAD_END_BACKEND
Definition: miscadmin.h:343
@ B_AUTOVAC_WORKER
Definition: miscadmin.h:345
void(* shmem_request_hook_type)(void)
Definition: miscadmin.h:533
struct SerializedClientConnectionInfo SerializedClientConnectionInfo
void ChangeToDataDir(void)
Definition: miscinit.c:460
Oid GetOuterUserId(void)
Definition: miscinit.c:531
bool process_shared_preload_libraries_done
Definition: miscinit.c:1838
void process_shmem_requests(void)
Definition: miscinit.c:1930
static List * lock_files
Definition: miscinit.c:67
void InitializeSessionUserId(const char *rolename, Oid roleid, bool bypass_login_check)
Definition: miscinit.c:761
void InitStandaloneProcess(const char *argv0)
Definition: miscinit.c:175
void SerializeClientConnectionInfo(Size maxsize, char *start_address)
Definition: miscinit.c:1102
void InitializeSystemUser(const char *authn_id, const char *auth_method)
Definition: miscinit.c:925
void InitializeSessionUserIdStandalone(void)
Definition: miscinit.c:891
void AddToDataDirLockFile(int target_line, const char *str)
Definition: miscinit.c:1570
void InitProcessLocalLatch(void)
Definition: miscinit.c:235
void GetUserIdAndSecContext(Oid *userid, int *sec_context)
Definition: miscinit.c:663
void SetSessionAuthorization(Oid userid, bool is_superuser)
Definition: miscinit.c:971
void process_session_preload_libraries(void)
Definition: miscinit.c:1916
static bool SessionUserIsSuperuser
Definition: miscinit.c:507
bool process_shmem_requests_in_progress
Definition: miscinit.c:1841
const char * GetSystemUser(void)
Definition: miscinit.c:586
bool InSecurityRestrictedOperation(void)
Definition: miscinit.c:690
#define DIRECTORY_LOCK_FILE
Definition: miscinit.c:60
Oid GetUserId(void)
Definition: miscinit.c:520
static const char * SystemUser
Definition: miscinit.c:504
static Oid OuterUserId
Definition: miscinit.c:502
bool GetSessionUserIsSuperuser(void)
Definition: miscinit.c:566
const char * GetBackendTypeDesc(BackendType backendType)
Definition: miscinit.c:263
static int SecurityRestrictionContext
Definition: miscinit.c:509
static void SetOuterUserId(Oid userid, bool is_superuser)
Definition: miscinit.c:539
Size EstimateClientConnectionInfoSpace(void)
Definition: miscinit.c:1086
Oid GetSessionUserId(void)
Definition: miscinit.c:559
void SetCurrentRoleId(Oid roleid, bool is_superuser)
Definition: miscinit.c:1007
bool IgnoreSystemIndexes
Definition: miscinit.c:81
Oid GetAuthenticatedUserId(void)
Definition: miscinit.c:596
static Oid SessionUserId
Definition: miscinit.c:501
bool InLocalUserIdChange(void)
Definition: miscinit.c:681
Datum system_user(PG_FUNCTION_ARGS)
Definition: miscinit.c:949
void SetDatabasePath(const char *path)
Definition: miscinit.c:334
void InitPostmasterChild(void)
Definition: miscinit.c:96
char * shared_preload_libraries_string
Definition: miscinit.c:1833
ClientConnectionInfo MyClientConnectionInfo
Definition: miscinit.c:1069
void process_shared_preload_libraries(void)
Definition: miscinit.c:1902
char * session_preload_libraries_string
Definition: miscinit.c:1832
static void SetSessionUserId(Oid userid, bool is_superuser)
Definition: miscinit.c:573
shmem_request_hook_type shmem_request_hook
Definition: miscinit.c:1840
char * local_preload_libraries_string
Definition: miscinit.c:1834
static Latch LocalLatchData
Definition: miscinit.c:69
void TouchSocketLockFiles(void)
Definition: miscinit.c:1541
void RestoreClientConnectionInfo(char *conninfo)
Definition: miscinit.c:1134
static Oid CurrentUserId
Definition: miscinit.c:503
static bool SetRoleIsActive
Definition: miscinit.c:512
bool InNoForceRLSOperation(void)
Definition: miscinit.c:699
static Oid AuthenticatedUserId
Definition: miscinit.c:500
static void load_libraries(const char *libraries, const char *gucname, bool restricted)
Definition: miscinit.c:1850
ProcessingMode Mode
Definition: miscinit.c:62
void SetAuthenticatedUserId(Oid userid)
Definition: miscinit.c:603
Oid GetCurrentRoleId(void)
Definition: miscinit.c:986
void checkDataDir(void)
Definition: miscinit.c:347
static void UnlinkLockFiles(int status, Datum arg)
Definition: miscinit.c:1174
void SwitchToSharedLatch(void)
Definition: miscinit.c:215
BackendType MyBackendType
Definition: miscinit.c:64
void GetUserIdAndContext(Oid *userid, bool *sec_def_context)
Definition: miscinit.c:712
void SetDataDir(const char *dir)
Definition: miscinit.c:440
void SetUserIdAndContext(Oid userid, bool sec_def_context)
Definition: miscinit.c:719
bool process_shared_preload_libraries_in_progress
Definition: miscinit.c:1837
void pg_bindtextdomain(const char *domain)
Definition: miscinit.c:1939
bool has_rolreplication(Oid roleid)
Definition: miscinit.c:739
char * GetUserNameFromId(Oid roleid, bool noerr)
Definition: miscinit.c:1039
static void CreateLockFile(const char *filename, bool amPostmaster, const char *socketDir, bool isDDLock, const char *refName)
Definition: miscinit.c:1209
void ValidatePgVersion(const char *path)
Definition: miscinit.c:1769
void SetUserIdAndSecContext(Oid userid, int sec_context)
Definition: miscinit.c:670
bool RecheckDataDirLockFile(void)
Definition: miscinit.c:1697
void CreateDataDirLockFile(bool amPostmaster)
Definition: miscinit.c:1514
void SwitchBackToLocalLatch(void)
Definition: miscinit.c:242
void CreateSocketLockFile(const char *socketfile, bool amPostmaster, const char *socketDir)
Definition: miscinit.c:1523
NameData rolname
Definition: pg_authid.h:34
FormData_pg_authid * Form_pg_authid
Definition: pg_authid.h:56
bool rolreplication
Definition: pg_authid.h:40
void * arg
#define MAXPGPATH
const void size_t len
static char * argv0
Definition: pg_ctl.c:93
static bool is_superuser(Archive *fout)
Definition: pg_dump.c:4899
static char * filename
Definition: pg_dumpall.c:125
#define lfirst(lc)
Definition: pg_list.h:172
#define NIL
Definition: pg_list.h:68
#define LOCK_FILE_LINE_SHMEM_KEY
Definition: pidfile.h:43
void PostmasterDeathSignalInit(void)
Definition: pmsignal.c:407
#define pqsignal
Definition: port.h:531
void get_pkglib_path(const char *my_exec_path, char *ret_path)
Definition: path.c:956
void get_locale_path(const char *my_exec_path, char *ret_path)
Definition: path.c:965
#define pg_pwrite
Definition: port.h:227
#define snprintf
Definition: port.h:239
char * make_absolute_path(const char *path)
Definition: path.c:807
char * first_dir_separator(const char *filename)
Definition: path.c:110
size_t strlcat(char *dst, const char *src, size_t siz)
Definition: strlcat.c:33
static Datum PointerGetDatum(const void *X)
Definition: postgres.h:327
uintptr_t Datum
Definition: postgres.h:69
static Datum ObjectIdGetDatum(Oid X)
Definition: postgres.h:257
#define InvalidOid
Definition: postgres_ext.h:35
unsigned int Oid
Definition: postgres_ext.h:30
void InitProcessGlobals(void)
Definition: postmaster.c:1932
int PostPortNumber
Definition: postmaster.c:203
int postmaster_alive_fds[2]
Definition: postmaster.c:483
#define POSTMASTER_FD_WATCH
Definition: postmaster.h:83
WaitEventSet * FeBeWaitSet
Definition: pqcomm.c:166
static int fd(const char *x, int i)
Definition: preproc-init.c:105
int CountUserBackends(Oid roleid)
Definition: procarray.c:3700
char * psprintf(const char *fmt,...)
Definition: psprintf.c:43
Size add_size(Size s1, Size s2)
Definition: shmem.c:491
void pgwin32_signal_initialize(void)
Definition: signal.c:79
PGPROC * MyProc
Definition: proc.c:67
const char * authn_id
Definition: libpq-be.h:99
UserAuth auth_method
Definition: libpq-be.h:105
Definition: latch.h:114
Definition: pg_list.h:54
Oid roleId
Definition: proc.h:209
Latch procLatch
Definition: proc.h:170
unsigned short st_mode
Definition: win32_port.h:258
short st_uid
Definition: win32_port.h:260
bool superuser_arg(Oid roleid)
Definition: superuser.c:56
void ReleaseSysCache(HeapTuple tuple)
Definition: syscache.c:269
HeapTuple SearchSysCache1(int cacheId, Datum key1)
Definition: syscache.c:221
bool PGSharedMemoryIsInUse(unsigned long id1, unsigned long id2)
Definition: sysv_shmem.c:317
static char * authn_id
Definition: validator.c:41
bool SplitDirectoriesString(char *rawstring, char separator, List **namelist)
Definition: varlena.c:3652
static void pgstat_report_wait_start(uint32 wait_event_info)
Definition: wait_event.h:85
static void pgstat_report_wait_end(void)
Definition: wait_event.h:101
void ModifyWaitEvent(WaitEventSet *set, int pos, uint32 events, Latch *latch)
Definition: waiteventset.c:655
void InitializeWaitEventSupport(void)
Definition: waiteventset.c:240
#define WL_LATCH_SET
Definition: waiteventset.h:34
#define stat
Definition: win32_port.h:274
#define SIGQUIT
Definition: win32_port.h:159
#define S_ISDIR(m)
Definition: win32_port.h:315
#define kill(pid, sig)
Definition: win32_port.h:493