PostgreSQL Source Code  git master
miscinit.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * miscinit.c
4  * miscellaneous initialization support stuff
5  *
6  * Portions Copyright (c) 1996-2024, PostgreSQL Global Development Group
7  * Portions Copyright (c) 1994, Regents of the University of California
8  *
9  *
10  * IDENTIFICATION
11  * src/backend/utils/init/miscinit.c
12  *
13  *-------------------------------------------------------------------------
14  */
15 #include "postgres.h"
16 
17 #include <sys/param.h>
18 #include <signal.h>
19 #include <time.h>
20 #include <sys/file.h>
21 #include <sys/stat.h>
22 #include <sys/time.h>
23 #include <fcntl.h>
24 #include <unistd.h>
25 #include <grp.h>
26 #include <pwd.h>
27 #include <netinet/in.h>
28 #include <arpa/inet.h>
29 #include <utime.h>
30 
31 #include "access/htup_details.h"
32 #include "catalog/pg_authid.h"
33 #include "common/file_perm.h"
34 #include "libpq/libpq.h"
35 #include "libpq/pqsignal.h"
36 #include "mb/pg_wchar.h"
37 #include "miscadmin.h"
38 #include "pgstat.h"
39 #include "postmaster/autovacuum.h"
40 #include "postmaster/interrupt.h"
41 #include "postmaster/postmaster.h"
42 #include "replication/slotsync.h"
43 #include "storage/fd.h"
44 #include "storage/ipc.h"
45 #include "storage/latch.h"
46 #include "storage/pg_shmem.h"
47 #include "storage/pmsignal.h"
48 #include "storage/proc.h"
49 #include "storage/procarray.h"
50 #include "utils/builtins.h"
51 #include "utils/guc.h"
52 #include "utils/inval.h"
53 #include "utils/memutils.h"
54 #include "utils/pidfile.h"
55 #include "utils/syscache.h"
56 #include "utils/varlena.h"
57 
58 
59 #define DIRECTORY_LOCK_FILE "postmaster.pid"
60 
62 
64 
65 /* List of lock files to be removed at proc exit */
66 static List *lock_files = NIL;
67 
69 
70 /* ----------------------------------------------------------------
71  * ignoring system indexes support stuff
72  *
73  * NOTE: "ignoring system indexes" means we do not use the system indexes
74  * for lookups (either in hardwired catalog accesses or in planner-generated
75  * plans). We do, however, still update the indexes when a catalog
76  * modification is made.
77  * ----------------------------------------------------------------
78  */
79 
80 bool IgnoreSystemIndexes = false;
81 
82 
83 /* ----------------------------------------------------------------
84  * common process startup code
85  * ----------------------------------------------------------------
86  */
87 
88 /*
89  * Initialize the basic environment for a postmaster child
90  *
91  * Should be called as early as possible after the child's startup. However,
92  * on EXEC_BACKEND builds it does need to be after read_backend_variables().
93  */
94 void
96 {
97  IsUnderPostmaster = true; /* we are a postmaster subprocess now */
98 
99  /*
100  * Start our win32 signal implementation. This has to be done after we
101  * read the backend variables, because we need to pick up the signal pipe
102  * from the parent process.
103  */
104 #ifdef WIN32
106 #endif
107 
108  /*
109  * Set reference point for stack-depth checking. This might seem
110  * redundant in !EXEC_BACKEND builds, but it's better to keep the depth
111  * logic the same with and without that build option.
112  */
113  (void) set_stack_base();
114 
116 
117  /*
118  * make sure stderr is in binary mode before anything can possibly be
119  * written to it, in case it's actually the syslogger pipe, so the pipe
120  * chunking protocol isn't disturbed. Non-logpipe data gets translated on
121  * redirection (e.g. via pg_ctl -l) anyway.
122  */
123 #ifdef WIN32
124  _setmode(fileno(stderr), _O_BINARY);
125 #endif
126 
127  /* We don't want the postmaster's proc_exit() handlers */
128  on_exit_reset();
129 
130  /* In EXEC_BACKEND case we will not have inherited BlockSig etc values */
131 #ifdef EXEC_BACKEND
132  pqinitmask();
133 #endif
134 
135  /* Initialize process-local latch support */
139 
140  /*
141  * If possible, make this process a group leader, so that the postmaster
142  * can signal any child processes too. Not all processes will have
143  * children, but for consistency we make all postmaster child processes do
144  * this.
145  */
146 #ifdef HAVE_SETSID
147  if (setsid() < 0)
148  elog(FATAL, "setsid() failed: %m");
149 #endif
150 
151  /*
152  * Every postmaster child process is expected to respond promptly to
153  * SIGQUIT at all times. Therefore we centrally remove SIGQUIT from
154  * BlockSig and install a suitable signal handler. (Client-facing
155  * processes may choose to replace this default choice of handler with
156  * quickdie().) All other blockable signals remain blocked for now.
157  */
159 
160  sigdelset(&BlockSig, SIGQUIT);
161  sigprocmask(SIG_SETMASK, &BlockSig, NULL);
162 
163  /* Request a signal if the postmaster dies, if possible. */
165 
166  /* Don't give the pipe to subprograms that we execute. */
167 #ifndef WIN32
168  if (fcntl(postmaster_alive_fds[POSTMASTER_FD_WATCH], F_SETFD, FD_CLOEXEC) < 0)
169  ereport(FATAL,
171  errmsg_internal("could not set postmaster death monitoring pipe to FD_CLOEXEC mode: %m")));
172 #endif
173 }
174 
175 /*
176  * Initialize the basic environment for a standalone process.
177  *
178  * argv0 has to be suitable to find the program's executable.
179  */
180 void
182 {
184 
186 
187  /*
188  * Start our win32 signal implementation
189  */
190 #ifdef WIN32
192 #endif
193 
195 
196  /* Initialize process-local latch support */
200 
201  /*
202  * For consistency with InitPostmasterChild, initialize signal mask here.
203  * But we don't unblock SIGQUIT or provide a default handler for it.
204  */
205  pqinitmask();
206  sigprocmask(SIG_SETMASK, &BlockSig, NULL);
207 
208  /* Compute paths, no postmaster to inherit from */
209  if (my_exec_path[0] == '\0')
210  {
211  if (find_my_exec(argv0, my_exec_path) < 0)
212  elog(FATAL, "%s: could not locate my own executable path",
213  argv0);
214  }
215 
216  if (pkglib_path[0] == '\0')
218 }
219 
220 void
222 {
224  Assert(MyProc != NULL);
225 
227 
228  if (FeBeWaitSet)
230  MyLatch);
231 
232  /*
233  * Set the shared latch as the local one might have been set. This
234  * shouldn't normally be necessary as code is supposed to check the
235  * condition before waiting for the latch, but a bit care can't hurt.
236  */
237  SetLatch(MyLatch);
238 }
239 
240 void
242 {
245 }
246 
247 void
249 {
251  Assert(MyProc != NULL && MyLatch == &MyProc->procLatch);
252 
254 
255  if (FeBeWaitSet)
257  MyLatch);
258 
259  SetLatch(MyLatch);
260 }
261 
262 const char *
264 {
265  const char *backendDesc = "unknown process type";
266 
267  switch (backendType)
268  {
269  case B_INVALID:
270  backendDesc = "not initialized";
271  break;
272  case B_ARCHIVER:
273  backendDesc = "archiver";
274  break;
275  case B_AUTOVAC_LAUNCHER:
276  backendDesc = "autovacuum launcher";
277  break;
278  case B_AUTOVAC_WORKER:
279  backendDesc = "autovacuum worker";
280  break;
281  case B_BACKEND:
282  backendDesc = "client backend";
283  break;
284  case B_BG_WORKER:
285  backendDesc = "background worker";
286  break;
287  case B_BG_WRITER:
288  backendDesc = "background writer";
289  break;
290  case B_CHECKPOINTER:
291  backendDesc = "checkpointer";
292  break;
293  case B_LOGGER:
294  backendDesc = "logger";
295  break;
296  case B_SLOTSYNC_WORKER:
297  backendDesc = "slotsync worker";
298  break;
300  backendDesc = "standalone backend";
301  break;
302  case B_STARTUP:
303  backendDesc = "startup";
304  break;
305  case B_WAL_RECEIVER:
306  backendDesc = "walreceiver";
307  break;
308  case B_WAL_SENDER:
309  backendDesc = "walsender";
310  break;
311  case B_WAL_SUMMARIZER:
312  backendDesc = "walsummarizer";
313  break;
314  case B_WAL_WRITER:
315  backendDesc = "walwriter";
316  break;
317  }
318 
319  return backendDesc;
320 }
321 
322 /* ----------------------------------------------------------------
323  * database path / name support stuff
324  * ----------------------------------------------------------------
325  */
326 
327 void
328 SetDatabasePath(const char *path)
329 {
330  /* This should happen only once per process */
333 }
334 
335 /*
336  * Validate the proposed data directory.
337  *
338  * Also initialize file and directory create modes and mode mask.
339  */
340 void
342 {
343  struct stat stat_buf;
344 
345  Assert(DataDir);
346 
347  if (stat(DataDir, &stat_buf) != 0)
348  {
349  if (errno == ENOENT)
350  ereport(FATAL,
352  errmsg("data directory \"%s\" does not exist",
353  DataDir)));
354  else
355  ereport(FATAL,
357  errmsg("could not read permissions of directory \"%s\": %m",
358  DataDir)));
359  }
360 
361  /* eventual chdir would fail anyway, but let's test ... */
362  if (!S_ISDIR(stat_buf.st_mode))
363  ereport(FATAL,
364  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
365  errmsg("specified data directory \"%s\" is not a directory",
366  DataDir)));
367 
368  /*
369  * Check that the directory belongs to my userid; if not, reject.
370  *
371  * This check is an essential part of the interlock that prevents two
372  * postmasters from starting in the same directory (see CreateLockFile()).
373  * Do not remove or weaken it.
374  *
375  * XXX can we safely enable this check on Windows?
376  */
377 #if !defined(WIN32) && !defined(__CYGWIN__)
378  if (stat_buf.st_uid != geteuid())
379  ereport(FATAL,
380  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
381  errmsg("data directory \"%s\" has wrong ownership",
382  DataDir),
383  errhint("The server must be started by the user that owns the data directory.")));
384 #endif
385 
386  /*
387  * Check if the directory has correct permissions. If not, reject.
388  *
389  * Only two possible modes are allowed, 0700 and 0750. The latter mode
390  * indicates that group read/execute should be allowed on all newly
391  * created files and directories.
392  *
393  * XXX temporarily suppress check when on Windows, because there may not
394  * be proper support for Unix-y file permissions. Need to think of a
395  * reasonable check to apply on Windows.
396  */
397 #if !defined(WIN32) && !defined(__CYGWIN__)
398  if (stat_buf.st_mode & PG_MODE_MASK_GROUP)
399  ereport(FATAL,
400  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
401  errmsg("data directory \"%s\" has invalid permissions",
402  DataDir),
403  errdetail("Permissions should be u=rwx (0700) or u=rwx,g=rx (0750).")));
404 #endif
405 
406  /*
407  * Reset creation modes and mask based on the mode of the data directory.
408  *
409  * The mask was set earlier in startup to disallow group permissions on
410  * newly created files and directories. However, if group read/execute
411  * are present on the data directory then modify the create modes and mask
412  * to allow group read/execute on newly created files and directories and
413  * set the data_directory_mode GUC.
414  *
415  * Suppress when on Windows, because there may not be proper support for
416  * Unix-y file permissions.
417  */
418 #if !defined(WIN32) && !defined(__CYGWIN__)
420 
421  umask(pg_mode_mask);
423 #endif
424 
425  /* Check for PG_VERSION */
427 }
428 
429 /*
430  * Set data directory, but make sure it's an absolute path. Use this,
431  * never set DataDir directly.
432  */
433 void
434 SetDataDir(const char *dir)
435 {
436  char *new;
437 
438  Assert(dir);
439 
440  /* If presented path is relative, convert to absolute */
441  new = make_absolute_path(dir);
442 
443  free(DataDir);
444  DataDir = new;
445 }
446 
447 /*
448  * Change working directory to DataDir. Most of the postmaster and backend
449  * code assumes that we are in DataDir so it can use relative paths to access
450  * stuff in and under the data directory. For convenience during path
451  * setup, however, we don't force the chdir to occur during SetDataDir.
452  */
453 void
455 {
456  Assert(DataDir);
457 
458  if (chdir(DataDir) < 0)
459  ereport(FATAL,
461  errmsg("could not change directory to \"%s\": %m",
462  DataDir)));
463 }
464 
465 
466 /* ----------------------------------------------------------------
467  * User ID state
468  *
469  * We have to track several different values associated with the concept
470  * of "user ID".
471  *
472  * AuthenticatedUserId is determined at connection start and never changes.
473  *
474  * SessionUserId is initially the same as AuthenticatedUserId, but can be
475  * changed by SET SESSION AUTHORIZATION (if AuthenticatedUserId is a
476  * superuser). This is the ID reported by the SESSION_USER SQL function.
477  *
478  * OuterUserId is the current user ID in effect at the "outer level" (outside
479  * any transaction or function). This is initially the same as SessionUserId,
480  * but can be changed by SET ROLE to any role that SessionUserId is a
481  * member of. (XXX rename to something like CurrentRoleId?)
482  *
483  * CurrentUserId is the current effective user ID; this is the one to use
484  * for all normal permissions-checking purposes. At outer level this will
485  * be the same as OuterUserId, but it changes during calls to SECURITY
486  * DEFINER functions, as well as locally in some specialized commands.
487  *
488  * SecurityRestrictionContext holds flags indicating reason(s) for changing
489  * CurrentUserId. In some cases we need to lock down operations that are
490  * not directly controlled by privilege settings, and this provides a
491  * convenient way to do it.
492  * ----------------------------------------------------------------
493  */
498 static const char *SystemUser = NULL;
499 
500 /* We also have to remember the superuser state of the session user */
501 static bool SessionUserIsSuperuser = false;
502 
504 
505 /* We also remember if a SET ROLE is currently active */
506 static bool SetRoleIsActive = false;
507 
508 /*
509  * GetUserId - get the current effective user ID.
510  *
511  * Note: there's no SetUserId() anymore; use SetUserIdAndSecContext().
512  */
513 Oid
515 {
517  return CurrentUserId;
518 }
519 
520 
521 /*
522  * GetOuterUserId/SetOuterUserId - get/set the outer-level user ID.
523  */
524 Oid
526 {
528  return OuterUserId;
529 }
530 
531 
532 static void
534 {
536  Assert(OidIsValid(userid));
537  OuterUserId = userid;
538 
539  /* We force the effective user ID to match, too */
540  CurrentUserId = userid;
541 }
542 
543 
544 /*
545  * GetSessionUserId/SetSessionUserId - get/set the session user ID.
546  */
547 Oid
549 {
551  return SessionUserId;
552 }
553 
554 
555 static void
557 {
559  Assert(OidIsValid(userid));
560  SessionUserId = userid;
562  SetRoleIsActive = false;
563 
564  /* We force the effective user IDs to match, too */
565  OuterUserId = userid;
566  CurrentUserId = userid;
567 }
568 
569 /*
570  * Return the system user representing the authenticated identity.
571  * It is defined in InitializeSystemUser() as auth_method:authn_id.
572  */
573 const char *
575 {
576  return SystemUser;
577 }
578 
579 /*
580  * GetAuthenticatedUserId - get the authenticated user ID
581  */
582 Oid
584 {
586  return AuthenticatedUserId;
587 }
588 
589 
590 /*
591  * GetUserIdAndSecContext/SetUserIdAndSecContext - get/set the current user ID
592  * and the SecurityRestrictionContext flags.
593  *
594  * Currently there are three valid bits in SecurityRestrictionContext:
595  *
596  * SECURITY_LOCAL_USERID_CHANGE indicates that we are inside an operation
597  * that is temporarily changing CurrentUserId via these functions. This is
598  * needed to indicate that the actual value of CurrentUserId is not in sync
599  * with guc.c's internal state, so SET ROLE has to be disallowed.
600  *
601  * SECURITY_RESTRICTED_OPERATION indicates that we are inside an operation
602  * that does not wish to trust called user-defined functions at all. The
603  * policy is to use this before operations, e.g. autovacuum and REINDEX, that
604  * enumerate relations of a database or schema and run functions associated
605  * with each found relation. The relation owner is the new user ID. Set this
606  * as soon as possible after locking the relation. Restore the old user ID as
607  * late as possible before closing the relation; restoring it shortly after
608  * close is also tolerable. If a command has both relation-enumerating and
609  * non-enumerating modes, e.g. ANALYZE, both modes set this bit. This bit
610  * prevents not only SET ROLE, but various other changes of session state that
611  * normally is unprotected but might possibly be used to subvert the calling
612  * session later. An example is replacing an existing prepared statement with
613  * new code, which will then be executed with the outer session's permissions
614  * when the prepared statement is next used. These restrictions are fairly
615  * draconian, but the functions called in relation-enumerating operations are
616  * really supposed to be side-effect-free anyway.
617  *
618  * SECURITY_NOFORCE_RLS indicates that we are inside an operation which should
619  * ignore the FORCE ROW LEVEL SECURITY per-table indication. This is used to
620  * ensure that FORCE RLS does not mistakenly break referential integrity
621  * checks. Note that this is intentionally only checked when running as the
622  * owner of the table (which should always be the case for referential
623  * integrity checks).
624  *
625  * Unlike GetUserId, GetUserIdAndSecContext does *not* Assert that the current
626  * value of CurrentUserId is valid; nor does SetUserIdAndSecContext require
627  * the new value to be valid. In fact, these routines had better not
628  * ever throw any kind of error. This is because they are used by
629  * StartTransaction and AbortTransaction to save/restore the settings,
630  * and during the first transaction within a backend, the value to be saved
631  * and perhaps restored is indeed invalid. We have to be able to get
632  * through AbortTransaction without asserting in case InitPostgres fails.
633  */
634 void
635 GetUserIdAndSecContext(Oid *userid, int *sec_context)
636 {
637  *userid = CurrentUserId;
638  *sec_context = SecurityRestrictionContext;
639 }
640 
641 void
642 SetUserIdAndSecContext(Oid userid, int sec_context)
643 {
644  CurrentUserId = userid;
645  SecurityRestrictionContext = sec_context;
646 }
647 
648 
649 /*
650  * InLocalUserIdChange - are we inside a local change of CurrentUserId?
651  */
652 bool
654 {
656 }
657 
658 /*
659  * InSecurityRestrictedOperation - are we inside a security-restricted command?
660  */
661 bool
663 {
665 }
666 
667 /*
668  * InNoForceRLSOperation - are we ignoring FORCE ROW LEVEL SECURITY ?
669  */
670 bool
672 {
674 }
675 
676 
677 /*
678  * These are obsolete versions of Get/SetUserIdAndSecContext that are
679  * only provided for bug-compatibility with some rather dubious code in
680  * pljava. We allow the userid to be set, but only when not inside a
681  * security restriction context.
682  */
683 void
684 GetUserIdAndContext(Oid *userid, bool *sec_def_context)
685 {
686  *userid = CurrentUserId;
687  *sec_def_context = InLocalUserIdChange();
688 }
689 
690 void
691 SetUserIdAndContext(Oid userid, bool sec_def_context)
692 {
693  /* We throw the same error SET ROLE would. */
695  ereport(ERROR,
696  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
697  errmsg("cannot set parameter \"%s\" within security-restricted operation",
698  "role")));
699  CurrentUserId = userid;
700  if (sec_def_context)
702  else
704 }
705 
706 
707 /*
708  * Check whether specified role has explicit REPLICATION privilege
709  */
710 bool
712 {
713  bool result = false;
714  HeapTuple utup;
715 
716  /* Superusers bypass all permission checking. */
717  if (superuser_arg(roleid))
718  return true;
719 
720  utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
721  if (HeapTupleIsValid(utup))
722  {
723  result = ((Form_pg_authid) GETSTRUCT(utup))->rolreplication;
724  ReleaseSysCache(utup);
725  }
726  return result;
727 }
728 
729 /*
730  * Initialize user identity during normal backend startup
731  */
732 void
733 InitializeSessionUserId(const char *rolename, Oid roleid, bool bypass_login_check)
734 {
735  HeapTuple roleTup;
736  Form_pg_authid rform;
737  char *rname;
738  bool is_superuser;
739 
740  /*
741  * Don't do scans if we're bootstrapping, none of the system catalogs
742  * exist yet, and they should be owned by postgres anyway.
743  */
745 
746  /* call only once */
748 
749  /*
750  * Make sure syscache entries are flushed for recent catalog changes. This
751  * allows us to find roles that were created on-the-fly during
752  * authentication.
753  */
755 
756  if (rolename != NULL)
757  {
758  roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(rolename));
759  if (!HeapTupleIsValid(roleTup))
760  ereport(FATAL,
761  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
762  errmsg("role \"%s\" does not exist", rolename)));
763  }
764  else
765  {
766  roleTup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
767  if (!HeapTupleIsValid(roleTup))
768  ereport(FATAL,
769  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
770  errmsg("role with OID %u does not exist", roleid)));
771  }
772 
773  rform = (Form_pg_authid) GETSTRUCT(roleTup);
774  roleid = rform->oid;
775  rname = NameStr(rform->rolname);
776 
777  AuthenticatedUserId = roleid;
778  is_superuser = rform->rolsuper;
779 
780  /* This sets OuterUserId/CurrentUserId too */
782 
783  /* Also mark our PGPROC entry with the authenticated user id */
784  /* (We assume this is an atomic store so no lock is needed) */
785  MyProc->roleId = roleid;
786 
787  /*
788  * These next checks are not enforced when in standalone mode, so that
789  * there is a way to recover from sillinesses like "UPDATE pg_authid SET
790  * rolcanlogin = false;".
791  */
792  if (IsUnderPostmaster)
793  {
794  /*
795  * Is role allowed to login at all?
796  */
797  if (!bypass_login_check && !rform->rolcanlogin)
798  ereport(FATAL,
799  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
800  errmsg("role \"%s\" is not permitted to log in",
801  rname)));
802 
803  /*
804  * Check connection limit for this role.
805  *
806  * There is a race condition here --- we create our PGPROC before
807  * checking for other PGPROCs. If two backends did this at about the
808  * same time, they might both think they were over the limit, while
809  * ideally one should succeed and one fail. Getting that to work
810  * exactly seems more trouble than it is worth, however; instead we
811  * just document that the connection limit is approximate.
812  */
813  if (rform->rolconnlimit >= 0 &&
814  !is_superuser &&
815  CountUserBackends(roleid) > rform->rolconnlimit)
816  ereport(FATAL,
817  (errcode(ERRCODE_TOO_MANY_CONNECTIONS),
818  errmsg("too many connections for role \"%s\"",
819  rname)));
820  }
821 
822  /* Record username and superuser status as GUC settings too */
823  SetConfigOption("session_authorization", rname,
825  SetConfigOption("is_superuser",
826  is_superuser ? "on" : "off",
828 
829  ReleaseSysCache(roleTup);
830 }
831 
832 
833 /*
834  * Initialize user identity during special backend startup
835  */
836 void
838 {
839  /*
840  * This function should only be called in single-user mode, in autovacuum
841  * workers, in slot sync worker and in background workers.
842  */
845 
846  /* call only once */
848 
849  AuthenticatedUserId = BOOTSTRAP_SUPERUSERID;
850  SetSessionUserId(BOOTSTRAP_SUPERUSERID, true);
851 
852  /*
853  * XXX This should set SetConfigOption("session_authorization"), too.
854  * Since we don't, C code will get NULL, and current_setting() will get an
855  * empty string.
856  */
857  SetConfigOption("is_superuser", "on",
859 }
860 
861 /*
862  * Initialize the system user.
863  *
864  * This is built as auth_method:authn_id.
865  */
866 void
867 InitializeSystemUser(const char *authn_id, const char *auth_method)
868 {
869  char *system_user;
870 
871  /* call only once */
872  Assert(SystemUser == NULL);
873 
874  /*
875  * InitializeSystemUser should be called only when authn_id is not NULL,
876  * meaning that auth_method is valid.
877  */
878  Assert(authn_id != NULL);
879 
880  system_user = psprintf("%s:%s", auth_method, authn_id);
881 
882  /* Store SystemUser in long-lived storage */
885 }
886 
887 /*
888  * SQL-function SYSTEM_USER
889  */
890 Datum
892 {
893  const char *sysuser = GetSystemUser();
894 
895  if (sysuser)
897  else
898  PG_RETURN_NULL();
899 }
900 
901 /*
902  * Change session auth ID while running
903  *
904  * Note that we set the GUC variable is_superuser to indicate whether the
905  * current role is a superuser.
906  */
907 void
909 {
911 
912  SetConfigOption("is_superuser",
913  is_superuser ? "on" : "off",
915 }
916 
917 /*
918  * Report current role id
919  * This follows the semantics of SET ROLE, ie return the outer-level ID
920  * not the current effective ID, and return InvalidOid when the setting
921  * is logically SET ROLE NONE.
922  */
923 Oid
925 {
926  if (SetRoleIsActive)
927  return OuterUserId;
928  else
929  return InvalidOid;
930 }
931 
932 /*
933  * Change Role ID while running (SET ROLE)
934  *
935  * If roleid is InvalidOid, we are doing SET ROLE NONE: revert to the
936  * session user authorization. In this case the is_superuser argument
937  * is ignored.
938  *
939  * When roleid is not InvalidOid, the caller must have checked whether
940  * the session user has permission to become that role. (We cannot check
941  * here because this routine must be able to execute in a failed transaction
942  * to restore a prior value of the ROLE GUC variable.)
943  */
944 void
946 {
947  /*
948  * Get correct info if it's SET ROLE NONE
949  *
950  * If SessionUserId hasn't been set yet, just do nothing --- the eventual
951  * SetSessionUserId call will fix everything. This is needed since we
952  * will get called during GUC initialization.
953  */
954  if (!OidIsValid(roleid))
955  {
957  return;
958 
959  roleid = SessionUserId;
961 
962  SetRoleIsActive = false;
963  }
964  else
965  SetRoleIsActive = true;
966 
967  SetOuterUserId(roleid);
968 
969  SetConfigOption("is_superuser",
970  is_superuser ? "on" : "off",
972 }
973 
974 
975 /*
976  * Get user name from user oid, returns NULL for nonexistent roleid if noerr
977  * is true.
978  */
979 char *
980 GetUserNameFromId(Oid roleid, bool noerr)
981 {
982  HeapTuple tuple;
983  char *result;
984 
985  tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
986  if (!HeapTupleIsValid(tuple))
987  {
988  if (!noerr)
989  ereport(ERROR,
990  (errcode(ERRCODE_UNDEFINED_OBJECT),
991  errmsg("invalid role OID: %u", roleid)));
992  result = NULL;
993  }
994  else
995  {
996  result = pstrdup(NameStr(((Form_pg_authid) GETSTRUCT(tuple))->rolname));
997  ReleaseSysCache(tuple);
998  }
999  return result;
1000 }
1001 
1002 /* ------------------------------------------------------------------------
1003  * Client connection state shared with parallel workers
1004  *
1005  * ClientConnectionInfo contains pieces of information about the client that
1006  * need to be synced to parallel workers when they initialize.
1007  *-------------------------------------------------------------------------
1008  */
1009 
1011 
1012 /*
1013  * Intermediate representation of ClientConnectionInfo for easier
1014  * serialization. Variable-length fields are allocated right after this
1015  * header.
1016  */
1018 {
1019  int32 authn_id_len; /* strlen(authn_id), or -1 if NULL */
1022 
1023 /*
1024  * Calculate the space needed to serialize MyClientConnectionInfo.
1025  */
1026 Size
1028 {
1029  Size size = 0;
1030 
1032 
1035 
1036  return size;
1037 }
1038 
1039 /*
1040  * Serialize MyClientConnectionInfo for use by parallel workers.
1041  */
1042 void
1043 SerializeClientConnectionInfo(Size maxsize, char *start_address)
1044 {
1045  SerializedClientConnectionInfo serialized = {0};
1046 
1047  serialized.authn_id_len = -1;
1049 
1051  serialized.authn_id_len = strlen(MyClientConnectionInfo.authn_id);
1052 
1053  /* Copy serialized representation to buffer */
1054  Assert(maxsize >= sizeof(serialized));
1055  memcpy(start_address, &serialized, sizeof(serialized));
1056 
1057  maxsize -= sizeof(serialized);
1058  start_address += sizeof(serialized);
1059 
1060  /* Copy authn_id into the space after the struct */
1061  if (serialized.authn_id_len >= 0)
1062  {
1063  Assert(maxsize >= (serialized.authn_id_len + 1));
1064  memcpy(start_address,
1066  /* include the NULL terminator to ease deserialization */
1067  serialized.authn_id_len + 1);
1068  }
1069 }
1070 
1071 /*
1072  * Restore MyClientConnectionInfo from its serialized representation.
1073  */
1074 void
1076 {
1077  SerializedClientConnectionInfo serialized;
1078 
1079  memcpy(&serialized, conninfo, sizeof(serialized));
1080 
1081  /* Copy the fields back into place */
1084 
1085  if (serialized.authn_id_len >= 0)
1086  {
1087  char *authn_id;
1088 
1089  authn_id = conninfo + sizeof(serialized);
1091  authn_id);
1092  }
1093 }
1094 
1095 
1096 /*-------------------------------------------------------------------------
1097  * Interlock-file support
1098  *
1099  * These routines are used to create both a data-directory lockfile
1100  * ($DATADIR/postmaster.pid) and Unix-socket-file lockfiles ($SOCKFILE.lock).
1101  * Both kinds of files contain the same info initially, although we can add
1102  * more information to a data-directory lockfile after it's created, using
1103  * AddToDataDirLockFile(). See pidfile.h for documentation of the contents
1104  * of these lockfiles.
1105  *
1106  * On successful lockfile creation, a proc_exit callback to remove the
1107  * lockfile is automatically created.
1108  *-------------------------------------------------------------------------
1109  */
1110 
1111 /*
1112  * proc_exit callback to remove lockfiles.
1113  */
1114 static void
1116 {
1117  ListCell *l;
1118 
1119  foreach(l, lock_files)
1120  {
1121  char *curfile = (char *) lfirst(l);
1122 
1123  unlink(curfile);
1124  /* Should we complain if the unlink fails? */
1125  }
1126  /* Since we're about to exit, no need to reclaim storage */
1127  lock_files = NIL;
1128 
1129  /*
1130  * Lock file removal should always be the last externally visible action
1131  * of a postmaster or standalone backend, while we won't come here at all
1132  * when exiting postmaster child processes. Therefore, this is a good
1133  * place to log completion of shutdown. We could alternatively teach
1134  * proc_exit() to do it, but that seems uglier. In a standalone backend,
1135  * use NOTICE elevel to be less chatty.
1136  */
1138  (errmsg("database system is shut down")));
1139 }
1140 
1141 /*
1142  * Create a lockfile.
1143  *
1144  * filename is the path name of the lockfile to create.
1145  * amPostmaster is used to determine how to encode the output PID.
1146  * socketDir is the Unix socket directory path to include (possibly empty).
1147  * isDDLock and refName are used to determine what error message to produce.
1148  */
1149 static void
1150 CreateLockFile(const char *filename, bool amPostmaster,
1151  const char *socketDir,
1152  bool isDDLock, const char *refName)
1153 {
1154  int fd;
1155  char buffer[MAXPGPATH * 2 + 256];
1156  int ntries;
1157  int len;
1158  int encoded_pid;
1159  pid_t other_pid;
1160  pid_t my_pid,
1161  my_p_pid,
1162  my_gp_pid;
1163  const char *envvar;
1164 
1165  /*
1166  * If the PID in the lockfile is our own PID or our parent's or
1167  * grandparent's PID, then the file must be stale (probably left over from
1168  * a previous system boot cycle). We need to check this because of the
1169  * likelihood that a reboot will assign exactly the same PID as we had in
1170  * the previous reboot, or one that's only one or two counts larger and
1171  * hence the lockfile's PID now refers to an ancestor shell process. We
1172  * allow pg_ctl to pass down its parent shell PID (our grandparent PID)
1173  * via the environment variable PG_GRANDPARENT_PID; this is so that
1174  * launching the postmaster via pg_ctl can be just as reliable as
1175  * launching it directly. There is no provision for detecting
1176  * further-removed ancestor processes, but if the init script is written
1177  * carefully then all but the immediate parent shell will be root-owned
1178  * processes and so the kill test will fail with EPERM. Note that we
1179  * cannot get a false negative this way, because an existing postmaster
1180  * would surely never launch a competing postmaster or pg_ctl process
1181  * directly.
1182  */
1183  my_pid = getpid();
1184 
1185 #ifndef WIN32
1186  my_p_pid = getppid();
1187 #else
1188 
1189  /*
1190  * Windows hasn't got getppid(), but doesn't need it since it's not using
1191  * real kill() either...
1192  */
1193  my_p_pid = 0;
1194 #endif
1195 
1196  envvar = getenv("PG_GRANDPARENT_PID");
1197  if (envvar)
1198  my_gp_pid = atoi(envvar);
1199  else
1200  my_gp_pid = 0;
1201 
1202  /*
1203  * We need a loop here because of race conditions. But don't loop forever
1204  * (for example, a non-writable $PGDATA directory might cause a failure
1205  * that won't go away). 100 tries seems like plenty.
1206  */
1207  for (ntries = 0;; ntries++)
1208  {
1209  /*
1210  * Try to create the lock file --- O_EXCL makes this atomic.
1211  *
1212  * Think not to make the file protection weaker than 0600/0640. See
1213  * comments below.
1214  */
1215  fd = open(filename, O_RDWR | O_CREAT | O_EXCL, pg_file_create_mode);
1216  if (fd >= 0)
1217  break; /* Success; exit the retry loop */
1218 
1219  /*
1220  * Couldn't create the pid file. Probably it already exists.
1221  */
1222  if ((errno != EEXIST && errno != EACCES) || ntries > 100)
1223  ereport(FATAL,
1225  errmsg("could not create lock file \"%s\": %m",
1226  filename)));
1227 
1228  /*
1229  * Read the file to get the old owner's PID. Note race condition
1230  * here: file might have been deleted since we tried to create it.
1231  */
1232  fd = open(filename, O_RDONLY, pg_file_create_mode);
1233  if (fd < 0)
1234  {
1235  if (errno == ENOENT)
1236  continue; /* race condition; try again */
1237  ereport(FATAL,
1239  errmsg("could not open lock file \"%s\": %m",
1240  filename)));
1241  }
1242  pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_CREATE_READ);
1243  if ((len = read(fd, buffer, sizeof(buffer) - 1)) < 0)
1244  ereport(FATAL,
1246  errmsg("could not read lock file \"%s\": %m",
1247  filename)));
1249  close(fd);
1250 
1251  if (len == 0)
1252  {
1253  ereport(FATAL,
1254  (errcode(ERRCODE_LOCK_FILE_EXISTS),
1255  errmsg("lock file \"%s\" is empty", filename),
1256  errhint("Either another server is starting, or the lock file is the remnant of a previous server startup crash.")));
1257  }
1258 
1259  buffer[len] = '\0';
1260  encoded_pid = atoi(buffer);
1261 
1262  /* if pid < 0, the pid is for postgres, not postmaster */
1263  other_pid = (pid_t) (encoded_pid < 0 ? -encoded_pid : encoded_pid);
1264 
1265  if (other_pid <= 0)
1266  elog(FATAL, "bogus data in lock file \"%s\": \"%s\"",
1267  filename, buffer);
1268 
1269  /*
1270  * Check to see if the other process still exists
1271  *
1272  * Per discussion above, my_pid, my_p_pid, and my_gp_pid can be
1273  * ignored as false matches.
1274  *
1275  * Normally kill() will fail with ESRCH if the given PID doesn't
1276  * exist.
1277  *
1278  * We can treat the EPERM-error case as okay because that error
1279  * implies that the existing process has a different userid than we
1280  * do, which means it cannot be a competing postmaster. A postmaster
1281  * cannot successfully attach to a data directory owned by a userid
1282  * other than its own, as enforced in checkDataDir(). Also, since we
1283  * create the lockfiles mode 0600/0640, we'd have failed above if the
1284  * lockfile belonged to another userid --- which means that whatever
1285  * process kill() is reporting about isn't the one that made the
1286  * lockfile. (NOTE: this last consideration is the only one that
1287  * keeps us from blowing away a Unix socket file belonging to an
1288  * instance of Postgres being run by someone else, at least on
1289  * machines where /tmp hasn't got a stickybit.)
1290  */
1291  if (other_pid != my_pid && other_pid != my_p_pid &&
1292  other_pid != my_gp_pid)
1293  {
1294  if (kill(other_pid, 0) == 0 ||
1295  (errno != ESRCH && errno != EPERM))
1296  {
1297  /* lockfile belongs to a live process */
1298  ereport(FATAL,
1299  (errcode(ERRCODE_LOCK_FILE_EXISTS),
1300  errmsg("lock file \"%s\" already exists",
1301  filename),
1302  isDDLock ?
1303  (encoded_pid < 0 ?
1304  errhint("Is another postgres (PID %d) running in data directory \"%s\"?",
1305  (int) other_pid, refName) :
1306  errhint("Is another postmaster (PID %d) running in data directory \"%s\"?",
1307  (int) other_pid, refName)) :
1308  (encoded_pid < 0 ?
1309  errhint("Is another postgres (PID %d) using socket file \"%s\"?",
1310  (int) other_pid, refName) :
1311  errhint("Is another postmaster (PID %d) using socket file \"%s\"?",
1312  (int) other_pid, refName))));
1313  }
1314  }
1315 
1316  /*
1317  * No, the creating process did not exist. However, it could be that
1318  * the postmaster crashed (or more likely was kill -9'd by a clueless
1319  * admin) but has left orphan backends behind. Check for this by
1320  * looking to see if there is an associated shmem segment that is
1321  * still in use.
1322  *
1323  * Note: because postmaster.pid is written in multiple steps, we might
1324  * not find the shmem ID values in it; we can't treat that as an
1325  * error.
1326  */
1327  if (isDDLock)
1328  {
1329  char *ptr = buffer;
1330  unsigned long id1,
1331  id2;
1332  int lineno;
1333 
1334  for (lineno = 1; lineno < LOCK_FILE_LINE_SHMEM_KEY; lineno++)
1335  {
1336  if ((ptr = strchr(ptr, '\n')) == NULL)
1337  break;
1338  ptr++;
1339  }
1340 
1341  if (ptr != NULL &&
1342  sscanf(ptr, "%lu %lu", &id1, &id2) == 2)
1343  {
1344  if (PGSharedMemoryIsInUse(id1, id2))
1345  ereport(FATAL,
1346  (errcode(ERRCODE_LOCK_FILE_EXISTS),
1347  errmsg("pre-existing shared memory block (key %lu, ID %lu) is still in use",
1348  id1, id2),
1349  errhint("Terminate any old server processes associated with data directory \"%s\".",
1350  refName)));
1351  }
1352  }
1353 
1354  /*
1355  * Looks like nobody's home. Unlink the file and try again to create
1356  * it. Need a loop because of possible race condition against other
1357  * would-be creators.
1358  */
1359  if (unlink(filename) < 0)
1360  ereport(FATAL,
1362  errmsg("could not remove old lock file \"%s\": %m",
1363  filename),
1364  errhint("The file seems accidentally left over, but "
1365  "it could not be removed. Please remove the file "
1366  "by hand and try again.")));
1367  }
1368 
1369  /*
1370  * Successfully created the file, now fill it. See comment in pidfile.h
1371  * about the contents. Note that we write the same first five lines into
1372  * both datadir and socket lockfiles; although more stuff may get added to
1373  * the datadir lockfile later.
1374  */
1375  snprintf(buffer, sizeof(buffer), "%d\n%s\n%ld\n%d\n%s\n",
1376  amPostmaster ? (int) my_pid : -((int) my_pid),
1377  DataDir,
1378  (long) MyStartTime,
1380  socketDir);
1381 
1382  /*
1383  * In a standalone backend, the next line (LOCK_FILE_LINE_LISTEN_ADDR)
1384  * will never receive data, so fill it in as empty now.
1385  */
1386  if (isDDLock && !amPostmaster)
1387  strlcat(buffer, "\n", sizeof(buffer));
1388 
1389  errno = 0;
1390  pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_CREATE_WRITE);
1391  if (write(fd, buffer, strlen(buffer)) != strlen(buffer))
1392  {
1393  int save_errno = errno;
1394 
1395  close(fd);
1396  unlink(filename);
1397  /* if write didn't set errno, assume problem is no disk space */
1398  errno = save_errno ? save_errno : ENOSPC;
1399  ereport(FATAL,
1401  errmsg("could not write lock file \"%s\": %m", filename)));
1402  }
1404 
1405  pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_CREATE_SYNC);
1406  if (pg_fsync(fd) != 0)
1407  {
1408  int save_errno = errno;
1409 
1410  close(fd);
1411  unlink(filename);
1412  errno = save_errno;
1413  ereport(FATAL,
1415  errmsg("could not write lock file \"%s\": %m", filename)));
1416  }
1418  if (close(fd) != 0)
1419  {
1420  int save_errno = errno;
1421 
1422  unlink(filename);
1423  errno = save_errno;
1424  ereport(FATAL,
1426  errmsg("could not write lock file \"%s\": %m", filename)));
1427  }
1428 
1429  /*
1430  * Arrange to unlink the lock file(s) at proc_exit. If this is the first
1431  * one, set up the on_proc_exit function to do it; then add this lock file
1432  * to the list of files to unlink.
1433  */
1434  if (lock_files == NIL)
1436 
1437  /*
1438  * Use lcons so that the lock files are unlinked in reverse order of
1439  * creation; this is critical!
1440  */
1442 }
1443 
1444 /*
1445  * Create the data directory lockfile.
1446  *
1447  * When this is called, we must have already switched the working
1448  * directory to DataDir, so we can just use a relative path. This
1449  * helps ensure that we are locking the directory we should be.
1450  *
1451  * Note that the socket directory path line is initially written as empty.
1452  * postmaster.c will rewrite it upon creating the first Unix socket.
1453  */
1454 void
1455 CreateDataDirLockFile(bool amPostmaster)
1456 {
1457  CreateLockFile(DIRECTORY_LOCK_FILE, amPostmaster, "", true, DataDir);
1458 }
1459 
1460 /*
1461  * Create a lockfile for the specified Unix socket file.
1462  */
1463 void
1464 CreateSocketLockFile(const char *socketfile, bool amPostmaster,
1465  const char *socketDir)
1466 {
1467  char lockfile[MAXPGPATH];
1468 
1469  snprintf(lockfile, sizeof(lockfile), "%s.lock", socketfile);
1470  CreateLockFile(lockfile, amPostmaster, socketDir, false, socketfile);
1471 }
1472 
1473 /*
1474  * TouchSocketLockFiles -- mark socket lock files as recently accessed
1475  *
1476  * This routine should be called every so often to ensure that the socket
1477  * lock files have a recent mod or access date. That saves them
1478  * from being removed by overenthusiastic /tmp-directory-cleaner daemons.
1479  * (Another reason we should never have put the socket file in /tmp...)
1480  */
1481 void
1483 {
1484  ListCell *l;
1485 
1486  foreach(l, lock_files)
1487  {
1488  char *socketLockFile = (char *) lfirst(l);
1489 
1490  /* No need to touch the data directory lock file, we trust */
1491  if (strcmp(socketLockFile, DIRECTORY_LOCK_FILE) == 0)
1492  continue;
1493 
1494  /* we just ignore any error here */
1495  (void) utime(socketLockFile, NULL);
1496  }
1497 }
1498 
1499 
1500 /*
1501  * Add (or replace) a line in the data directory lock file.
1502  * The given string should not include a trailing newline.
1503  *
1504  * Note: because we don't truncate the file, if we were to rewrite a line
1505  * with less data than it had before, there would be garbage after the last
1506  * line. While we could fix that by adding a truncate call, that would make
1507  * the file update non-atomic, which we'd rather avoid. Therefore, callers
1508  * should endeavor never to shorten a line once it's been written.
1509  */
1510 void
1511 AddToDataDirLockFile(int target_line, const char *str)
1512 {
1513  int fd;
1514  int len;
1515  int lineno;
1516  char *srcptr;
1517  char *destptr;
1518  char srcbuffer[BLCKSZ];
1519  char destbuffer[BLCKSZ];
1520 
1521  fd = open(DIRECTORY_LOCK_FILE, O_RDWR | PG_BINARY, 0);
1522  if (fd < 0)
1523  {
1524  ereport(LOG,
1526  errmsg("could not open file \"%s\": %m",
1528  return;
1529  }
1530  pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_ADDTODATADIR_READ);
1531  len = read(fd, srcbuffer, sizeof(srcbuffer) - 1);
1533  if (len < 0)
1534  {
1535  ereport(LOG,
1537  errmsg("could not read from file \"%s\": %m",
1539  close(fd);
1540  return;
1541  }
1542  srcbuffer[len] = '\0';
1543 
1544  /*
1545  * Advance over lines we are not supposed to rewrite, then copy them to
1546  * destbuffer.
1547  */
1548  srcptr = srcbuffer;
1549  for (lineno = 1; lineno < target_line; lineno++)
1550  {
1551  char *eol = strchr(srcptr, '\n');
1552 
1553  if (eol == NULL)
1554  break; /* not enough lines in file yet */
1555  srcptr = eol + 1;
1556  }
1557  memcpy(destbuffer, srcbuffer, srcptr - srcbuffer);
1558  destptr = destbuffer + (srcptr - srcbuffer);
1559 
1560  /*
1561  * Fill in any missing lines before the target line, in case lines are
1562  * added to the file out of order.
1563  */
1564  for (; lineno < target_line; lineno++)
1565  {
1566  if (destptr < destbuffer + sizeof(destbuffer))
1567  *destptr++ = '\n';
1568  }
1569 
1570  /*
1571  * Write or rewrite the target line.
1572  */
1573  snprintf(destptr, destbuffer + sizeof(destbuffer) - destptr, "%s\n", str);
1574  destptr += strlen(destptr);
1575 
1576  /*
1577  * If there are more lines in the old file, append them to destbuffer.
1578  */
1579  if ((srcptr = strchr(srcptr, '\n')) != NULL)
1580  {
1581  srcptr++;
1582  snprintf(destptr, destbuffer + sizeof(destbuffer) - destptr, "%s",
1583  srcptr);
1584  }
1585 
1586  /*
1587  * And rewrite the data. Since we write in a single kernel call, this
1588  * update should appear atomic to onlookers.
1589  */
1590  len = strlen(destbuffer);
1591  errno = 0;
1592  pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_ADDTODATADIR_WRITE);
1593  if (pg_pwrite(fd, destbuffer, len, 0) != len)
1594  {
1596  /* if write didn't set errno, assume problem is no disk space */
1597  if (errno == 0)
1598  errno = ENOSPC;
1599  ereport(LOG,
1601  errmsg("could not write to file \"%s\": %m",
1603  close(fd);
1604  return;
1605  }
1607  pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_ADDTODATADIR_SYNC);
1608  if (pg_fsync(fd) != 0)
1609  {
1610  ereport(LOG,
1612  errmsg("could not write to file \"%s\": %m",
1614  }
1616  if (close(fd) != 0)
1617  {
1618  ereport(LOG,
1620  errmsg("could not write to file \"%s\": %m",
1622  }
1623 }
1624 
1625 
1626 /*
1627  * Recheck that the data directory lock file still exists with expected
1628  * content. Return true if the lock file appears OK, false if it isn't.
1629  *
1630  * We call this periodically in the postmaster. The idea is that if the
1631  * lock file has been removed or replaced by another postmaster, we should
1632  * do a panic database shutdown. Therefore, we should return true if there
1633  * is any doubt: we do not want to cause a panic shutdown unnecessarily.
1634  * Transient failures like EINTR or ENFILE should not cause us to fail.
1635  * (If there really is something wrong, we'll detect it on a future recheck.)
1636  */
1637 bool
1639 {
1640  int fd;
1641  int len;
1642  long file_pid;
1643  char buffer[BLCKSZ];
1644 
1645  fd = open(DIRECTORY_LOCK_FILE, O_RDWR | PG_BINARY, 0);
1646  if (fd < 0)
1647  {
1648  /*
1649  * There are many foreseeable false-positive error conditions. For
1650  * safety, fail only on enumerated clearly-something-is-wrong
1651  * conditions.
1652  */
1653  switch (errno)
1654  {
1655  case ENOENT:
1656  case ENOTDIR:
1657  /* disaster */
1658  ereport(LOG,
1660  errmsg("could not open file \"%s\": %m",
1662  return false;
1663  default:
1664  /* non-fatal, at least for now */
1665  ereport(LOG,
1667  errmsg("could not open file \"%s\": %m; continuing anyway",
1669  return true;
1670  }
1671  }
1672  pgstat_report_wait_start(WAIT_EVENT_LOCK_FILE_RECHECKDATADIR_READ);
1673  len = read(fd, buffer, sizeof(buffer) - 1);
1675  if (len < 0)
1676  {
1677  ereport(LOG,
1679  errmsg("could not read from file \"%s\": %m",
1681  close(fd);
1682  return true; /* treat read failure as nonfatal */
1683  }
1684  buffer[len] = '\0';
1685  close(fd);
1686  file_pid = atol(buffer);
1687  if (file_pid == getpid())
1688  return true; /* all is well */
1689 
1690  /* Trouble: someone's overwritten the lock file */
1691  ereport(LOG,
1692  (errmsg("lock file \"%s\" contains wrong PID: %ld instead of %ld",
1693  DIRECTORY_LOCK_FILE, file_pid, (long) getpid())));
1694  return false;
1695 }
1696 
1697 
1698 /*-------------------------------------------------------------------------
1699  * Version checking support
1700  *-------------------------------------------------------------------------
1701  */
1702 
1703 /*
1704  * Determine whether the PG_VERSION file in directory `path' indicates
1705  * a data version compatible with the version of this program.
1706  *
1707  * If compatible, return. Otherwise, ereport(FATAL).
1708  */
1709 void
1710 ValidatePgVersion(const char *path)
1711 {
1712  char full_path[MAXPGPATH];
1713  FILE *file;
1714  int ret;
1715  long file_major;
1716  long my_major;
1717  char *endptr;
1718  char file_version_string[64];
1719  const char *my_version_string = PG_VERSION;
1720 
1721  my_major = strtol(my_version_string, &endptr, 10);
1722 
1723  snprintf(full_path, sizeof(full_path), "%s/PG_VERSION", path);
1724 
1725  file = AllocateFile(full_path, "r");
1726  if (!file)
1727  {
1728  if (errno == ENOENT)
1729  ereport(FATAL,
1730  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1731  errmsg("\"%s\" is not a valid data directory",
1732  path),
1733  errdetail("File \"%s\" is missing.", full_path)));
1734  else
1735  ereport(FATAL,
1737  errmsg("could not open file \"%s\": %m", full_path)));
1738  }
1739 
1740  file_version_string[0] = '\0';
1741  ret = fscanf(file, "%63s", file_version_string);
1742  file_major = strtol(file_version_string, &endptr, 10);
1743 
1744  if (ret != 1 || endptr == file_version_string)
1745  ereport(FATAL,
1746  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1747  errmsg("\"%s\" is not a valid data directory",
1748  path),
1749  errdetail("File \"%s\" does not contain valid data.",
1750  full_path),
1751  errhint("You might need to initdb.")));
1752 
1753  FreeFile(file);
1754 
1755  if (my_major != file_major)
1756  ereport(FATAL,
1757  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1758  errmsg("database files are incompatible with server"),
1759  errdetail("The data directory was initialized by PostgreSQL version %s, "
1760  "which is not compatible with this version %s.",
1761  file_version_string, my_version_string)));
1762 }
1763 
1764 /*-------------------------------------------------------------------------
1765  * Library preload support
1766  *-------------------------------------------------------------------------
1767  */
1768 
1769 /*
1770  * GUC variables: lists of library names to be preloaded at postmaster
1771  * start and at backend start
1772  */
1776 
1777 /* Flag telling that we are loading shared_preload_libraries */
1780 
1783 
1784 /*
1785  * load the shared libraries listed in 'libraries'
1786  *
1787  * 'gucname': name of GUC variable, for error reports
1788  * 'restricted': if true, force libraries to be in $libdir/plugins/
1789  */
1790 static void
1791 load_libraries(const char *libraries, const char *gucname, bool restricted)
1792 {
1793  char *rawstring;
1794  List *elemlist;
1795  ListCell *l;
1796 
1797  if (libraries == NULL || libraries[0] == '\0')
1798  return; /* nothing to do */
1799 
1800  /* Need a modifiable copy of string */
1801  rawstring = pstrdup(libraries);
1802 
1803  /* Parse string into list of filename paths */
1804  if (!SplitDirectoriesString(rawstring, ',', &elemlist))
1805  {
1806  /* syntax error in list */
1807  list_free_deep(elemlist);
1808  pfree(rawstring);
1809  ereport(LOG,
1810  (errcode(ERRCODE_SYNTAX_ERROR),
1811  errmsg("invalid list syntax in parameter \"%s\"",
1812  gucname)));
1813  return;
1814  }
1815 
1816  foreach(l, elemlist)
1817  {
1818  /* Note that filename was already canonicalized */
1819  char *filename = (char *) lfirst(l);
1820  char *expanded = NULL;
1821 
1822  /* If restricting, insert $libdir/plugins if not mentioned already */
1823  if (restricted && first_dir_separator(filename) == NULL)
1824  {
1825  expanded = psprintf("$libdir/plugins/%s", filename);
1826  filename = expanded;
1827  }
1828  load_file(filename, restricted);
1829  ereport(DEBUG1,
1830  (errmsg_internal("loaded library \"%s\"", filename)));
1831  if (expanded)
1832  pfree(expanded);
1833  }
1834 
1835  list_free_deep(elemlist);
1836  pfree(rawstring);
1837 }
1838 
1839 /*
1840  * process any libraries that should be preloaded at postmaster start
1841  */
1842 void
1844 {
1847  "shared_preload_libraries",
1848  false);
1851 }
1852 
1853 /*
1854  * process any libraries that should be preloaded at backend start
1855  */
1856 void
1858 {
1860  "session_preload_libraries",
1861  false);
1863  "local_preload_libraries",
1864  true);
1865 }
1866 
1867 /*
1868  * process any shared memory requests from preloaded libraries
1869  */
1870 void
1872 {
1874  if (shmem_request_hook)
1877 }
1878 
1879 void
1880 pg_bindtextdomain(const char *domain)
1881 {
1882 #ifdef ENABLE_NLS
1883  if (my_exec_path[0] != '\0')
1884  {
1885  char locale_path[MAXPGPATH];
1886 
1887  get_locale_path(my_exec_path, locale_path);
1888  bindtextdomain(domain, locale_path);
1889  pg_bind_textdomain_codeset(domain);
1890  }
1891 #endif
1892 }
void pqinitmask(void)
Definition: pqsignal.c:41
sigset_t BlockSig
Definition: pqsignal.c:23
#define CStringGetTextDatum(s)
Definition: builtins.h:97
#define NameStr(name)
Definition: c.h:733
signed int int32
Definition: c.h:481
#define PG_BINARY
Definition: c.h:1260
#define OidIsValid(objectId)
Definition: c.h:762
size_t Size
Definition: c.h:592
int find_my_exec(const char *argv0, char *retpath)
Definition: exec.c:160
void load_file(const char *filename, bool restricted)
Definition: dfmgr.c:144
int errcode_for_socket_access(void)
Definition: elog.c:955
int errmsg_internal(const char *fmt,...)
Definition: elog.c:1159
int errcode_for_file_access(void)
Definition: elog.c:882
int errdetail(const char *fmt,...)
Definition: elog.c:1205
int errhint(const char *fmt,...)
Definition: elog.c:1319
int errcode(int sqlerrcode)
Definition: elog.c:859
int errmsg(const char *fmt,...)
Definition: elog.c:1072
#define LOG
Definition: elog.h:31
#define FATAL
Definition: elog.h:41
#define DEBUG1
Definition: elog.h:30
#define ERROR
Definition: elog.h:39
#define elog(elevel,...)
Definition: elog.h:224
#define NOTICE
Definition: elog.h:35
#define ereport(elevel,...)
Definition: elog.h:149
FILE * AllocateFile(const char *name, const char *mode)
Definition: fd.c:2583
int FreeFile(FILE *file)
Definition: fd.c:2781
int pg_fsync(int fd)
Definition: fd.c:386
int pg_file_create_mode
Definition: file_perm.c:19
void SetDataDirectoryCreatePerm(int dataDirMode)
Definition: file_perm.c:34
int pg_mode_mask
Definition: file_perm.c:25
int pg_dir_create_mode
Definition: file_perm.c:18
#define PG_MODE_MASK_GROUP
Definition: file_perm.h:29
#define PG_RETURN_NULL()
Definition: fmgr.h:345
#define PG_RETURN_DATUM(x)
Definition: fmgr.h:353
#define PG_FUNCTION_ARGS
Definition: fmgr.h:193
char pkglib_path[MAXPGPATH]
Definition: globals.c:79
bool IsUnderPostmaster
Definition: globals.c:117
int data_directory_mode
Definition: globals.c:74
char * DataDir
Definition: globals.c:68
bool IsPostmasterEnvironment
Definition: globals.c:116
pg_time_t MyStartTime
Definition: globals.c:46
struct Latch * MyLatch
Definition: globals.c:60
char * DatabasePath
Definition: globals.c:101
char my_exec_path[MAXPGPATH]
Definition: globals.c:78
void SetConfigOption(const char *name, const char *value, GucContext context, GucSource source)
Definition: guc.c:4275
@ PGC_S_DYNAMIC_DEFAULT
Definition: guc.h:110
@ PGC_S_OVERRIDE
Definition: guc.h:119
@ PGC_INTERNAL
Definition: guc.h:69
@ PGC_BACKEND
Definition: guc.h:73
UserAuth
Definition: hba.h:26
#define free(a)
Definition: header.h:65
#define HeapTupleIsValid(tuple)
Definition: htup.h:78
#define GETSTRUCT(TUP)
Definition: htup_details.h:653
#define close(a)
Definition: win32.h:12
#define write(a, b, c)
Definition: win32.h:14
#define read(a, b, c)
Definition: win32.h:13
void SignalHandlerForCrashExit(SIGNAL_ARGS)
Definition: interrupt.c:73
void AcceptInvalidationMessages(void)
Definition: inval.c:806
void on_proc_exit(pg_on_exit_callback function, Datum arg)
Definition: ipc.c:309
void on_exit_reset(void)
Definition: ipc.c:416
void InitializeLatchWaitSet(void)
Definition: latch.c:346
void InitializeLatchSupport(void)
Definition: latch.c:232
void ModifyWaitEvent(WaitEventSet *set, int pos, uint32 events, Latch *latch)
Definition: latch.c:1049
void SetLatch(Latch *latch)
Definition: latch.c:632
void InitLatch(Latch *latch)
Definition: latch.c:394
#define WL_LATCH_SET
Definition: latch.h:127
#define FeBeWaitSetLatchPos
Definition: libpq.h:64
Assert(fmt[strlen(fmt) - 1] !='\n')
List * lcons(void *datum, List *list)
Definition: list.c:495
void list_free_deep(List *list)
Definition: list.c:1560
char * pstrdup(const char *in)
Definition: mcxt.c:1683
void pfree(void *pointer)
Definition: mcxt.c:1508
MemoryContext TopMemoryContext
Definition: mcxt.c:137
char * MemoryContextStrdup(MemoryContext context, const char *string)
Definition: mcxt.c:1670
ProcessingMode
Definition: miscadmin.h:443
@ InitProcessing
Definition: miscadmin.h:445
#define IsBootstrapProcessingMode()
Definition: miscadmin.h:451
#define AmAutoVacuumWorkerProcess()
Definition: miscadmin.h:372
#define SECURITY_NOFORCE_RLS
Definition: miscadmin.h:316
#define AmBackgroundWorkerProcess()
Definition: miscadmin.h:373
#define SECURITY_RESTRICTED_OPERATION
Definition: miscadmin.h:315
#define AmLogicalSlotSyncWorkerProcess()
Definition: miscadmin.h:375
#define SECURITY_LOCAL_USERID_CHANGE
Definition: miscadmin.h:314
BackendType
Definition: miscadmin.h:331
@ B_WAL_SUMMARIZER
Definition: miscadmin.h:357
@ B_WAL_WRITER
Definition: miscadmin.h:358
@ B_WAL_RECEIVER
Definition: miscadmin.h:356
@ B_CHECKPOINTER
Definition: miscadmin.h:354
@ B_WAL_SENDER
Definition: miscadmin.h:339
@ B_LOGGER
Definition: miscadmin.h:364
@ B_STARTUP
Definition: miscadmin.h:355
@ B_BG_WORKER
Definition: miscadmin.h:338
@ B_INVALID
Definition: miscadmin.h:332
@ B_STANDALONE_BACKEND
Definition: miscadmin.h:342
@ B_BG_WRITER
Definition: miscadmin.h:353
@ B_BACKEND
Definition: miscadmin.h:335
@ B_ARCHIVER
Definition: miscadmin.h:352
@ B_AUTOVAC_LAUNCHER
Definition: miscadmin.h:336
@ B_SLOTSYNC_WORKER
Definition: miscadmin.h:340
@ B_AUTOVAC_WORKER
Definition: miscadmin.h:337
void(* shmem_request_hook_type)(void)
Definition: miscadmin.h:506
struct SerializedClientConnectionInfo SerializedClientConnectionInfo
void ChangeToDataDir(void)
Definition: miscinit.c:454
char * GetUserNameFromId(Oid roleid, bool noerr)
Definition: miscinit.c:980
Oid GetOuterUserId(void)
Definition: miscinit.c:525
bool process_shared_preload_libraries_done
Definition: miscinit.c:1779
void process_shmem_requests(void)
Definition: miscinit.c:1871
static void SetOuterUserId(Oid userid)
Definition: miscinit.c:533
static List * lock_files
Definition: miscinit.c:66
void InitializeSessionUserId(const char *rolename, Oid roleid, bool bypass_login_check)
Definition: miscinit.c:733
void InitStandaloneProcess(const char *argv0)
Definition: miscinit.c:181
void SerializeClientConnectionInfo(Size maxsize, char *start_address)
Definition: miscinit.c:1043
void InitializeSystemUser(const char *authn_id, const char *auth_method)
Definition: miscinit.c:867
void InitializeSessionUserIdStandalone(void)
Definition: miscinit.c:837
void AddToDataDirLockFile(int target_line, const char *str)
Definition: miscinit.c:1511
void InitProcessLocalLatch(void)
Definition: miscinit.c:241
void GetUserIdAndSecContext(Oid *userid, int *sec_context)
Definition: miscinit.c:635
void SetSessionAuthorization(Oid userid, bool is_superuser)
Definition: miscinit.c:908
void process_session_preload_libraries(void)
Definition: miscinit.c:1857
static bool SessionUserIsSuperuser
Definition: miscinit.c:501
bool process_shmem_requests_in_progress
Definition: miscinit.c:1782
bool InSecurityRestrictedOperation(void)
Definition: miscinit.c:662
#define DIRECTORY_LOCK_FILE
Definition: miscinit.c:59
Oid GetUserId(void)
Definition: miscinit.c:514
static const char * SystemUser
Definition: miscinit.c:498
static Oid OuterUserId
Definition: miscinit.c:496
static int SecurityRestrictionContext
Definition: miscinit.c:503
Size EstimateClientConnectionInfoSpace(void)
Definition: miscinit.c:1027
const char * GetSystemUser(void)
Definition: miscinit.c:574
Oid GetSessionUserId(void)
Definition: miscinit.c:548
void SetCurrentRoleId(Oid roleid, bool is_superuser)
Definition: miscinit.c:945
bool IgnoreSystemIndexes
Definition: miscinit.c:80
Oid GetAuthenticatedUserId(void)
Definition: miscinit.c:583
static Oid SessionUserId
Definition: miscinit.c:495
bool InLocalUserIdChange(void)
Definition: miscinit.c:653
Datum system_user(PG_FUNCTION_ARGS)
Definition: miscinit.c:891
void SetDatabasePath(const char *path)
Definition: miscinit.c:328
void InitPostmasterChild(void)
Definition: miscinit.c:95
char * shared_preload_libraries_string
Definition: miscinit.c:1774
ClientConnectionInfo MyClientConnectionInfo
Definition: miscinit.c:1010
void process_shared_preload_libraries(void)
Definition: miscinit.c:1843
char * session_preload_libraries_string
Definition: miscinit.c:1773
static void SetSessionUserId(Oid userid, bool is_superuser)
Definition: miscinit.c:556
shmem_request_hook_type shmem_request_hook
Definition: miscinit.c:1781
char * local_preload_libraries_string
Definition: miscinit.c:1775
static Latch LocalLatchData
Definition: miscinit.c:68
const char * GetBackendTypeDesc(BackendType backendType)
Definition: miscinit.c:263
void TouchSocketLockFiles(void)
Definition: miscinit.c:1482
void RestoreClientConnectionInfo(char *conninfo)
Definition: miscinit.c:1075
static Oid CurrentUserId
Definition: miscinit.c:497
static bool SetRoleIsActive
Definition: miscinit.c:506
bool InNoForceRLSOperation(void)
Definition: miscinit.c:671
static Oid AuthenticatedUserId
Definition: miscinit.c:494
static void load_libraries(const char *libraries, const char *gucname, bool restricted)
Definition: miscinit.c:1791
ProcessingMode Mode
Definition: miscinit.c:61
Oid GetCurrentRoleId(void)
Definition: miscinit.c:924
void checkDataDir(void)
Definition: miscinit.c:341
static void UnlinkLockFiles(int status, Datum arg)
Definition: miscinit.c:1115
void SwitchToSharedLatch(void)
Definition: miscinit.c:221
BackendType MyBackendType
Definition: miscinit.c:63
void GetUserIdAndContext(Oid *userid, bool *sec_def_context)
Definition: miscinit.c:684
void SetDataDir(const char *dir)
Definition: miscinit.c:434
void SetUserIdAndContext(Oid userid, bool sec_def_context)
Definition: miscinit.c:691
bool process_shared_preload_libraries_in_progress
Definition: miscinit.c:1778
void pg_bindtextdomain(const char *domain)
Definition: miscinit.c:1880
bool has_rolreplication(Oid roleid)
Definition: miscinit.c:711
static void CreateLockFile(const char *filename, bool amPostmaster, const char *socketDir, bool isDDLock, const char *refName)
Definition: miscinit.c:1150
void ValidatePgVersion(const char *path)
Definition: miscinit.c:1710
void SetUserIdAndSecContext(Oid userid, int sec_context)
Definition: miscinit.c:642
bool RecheckDataDirLockFile(void)
Definition: miscinit.c:1638
void CreateDataDirLockFile(bool amPostmaster)
Definition: miscinit.c:1455
void SwitchBackToLocalLatch(void)
Definition: miscinit.c:248
void CreateSocketLockFile(const char *socketfile, bool amPostmaster, const char *socketDir)
Definition: miscinit.c:1464
NameData rolname
Definition: pg_authid.h:34
FormData_pg_authid * Form_pg_authid
Definition: pg_authid.h:56
bool rolreplication
Definition: pg_authid.h:40
void * arg
#define MAXPGPATH
const void size_t len
static char * argv0
Definition: pg_ctl.c:92
static bool is_superuser(Archive *fout)
Definition: pg_dump.c:4614
static char * filename
Definition: pg_dumpall.c:121
#define lfirst(lc)
Definition: pg_list.h:172
#define NIL
Definition: pg_list.h:68
#define LOCK_FILE_LINE_SHMEM_KEY
Definition: pidfile.h:43
void PostmasterDeathSignalInit(void)
Definition: pmsignal.c:437
void get_pkglib_path(const char *my_exec_path, char *ret_path)
Definition: path.c:878
void get_locale_path(const char *my_exec_path, char *ret_path)
Definition: path.c:887
char * make_absolute_path(const char *path)
Definition: path.c:729
char * first_dir_separator(const char *filename)
Definition: path.c:104
#define pg_pwrite
Definition: port.h:226
pqsigfunc pqsignal(int signo, pqsigfunc func)
#define snprintf
Definition: port.h:238
size_t strlcat(char *dst, const char *src, size_t siz)
Definition: strlcat.c:33
pg_stack_base_t set_stack_base(void)
Definition: postgres.c:3481
static Datum PointerGetDatum(const void *X)
Definition: postgres.h:322
uintptr_t Datum
Definition: postgres.h:64
static Datum ObjectIdGetDatum(Oid X)
Definition: postgres.h:252
#define InvalidOid
Definition: postgres_ext.h:36
unsigned int Oid
Definition: postgres_ext.h:31
void InitProcessGlobals(void)
Definition: postmaster.c:2032
int PostPortNumber
Definition: postmaster.c:190
int postmaster_alive_fds[2]
Definition: postmaster.c:479
#define POSTMASTER_FD_WATCH
Definition: postmaster.h:48
WaitEventSet * FeBeWaitSet
Definition: pqcomm.c:163
static int fd(const char *x, int i)
Definition: preproc-init.c:105
int CountUserBackends(Oid roleid)
Definition: procarray.c:3687
char * psprintf(const char *fmt,...)
Definition: psprintf.c:46
Size add_size(Size s1, Size s2)
Definition: shmem.c:493
void pgwin32_signal_initialize(void)
Definition: signal.c:79
static pg_noinline void Size size
Definition: slab.c:607
PGPROC * MyProc
Definition: proc.c:66
const char * authn_id
Definition: libpq-be.h:103
UserAuth auth_method
Definition: libpq-be.h:109
Definition: latch.h:113
Definition: pg_list.h:54
Oid roleId
Definition: proc.h:204
Latch procLatch
Definition: proc.h:165
unsigned short st_mode
Definition: win32_port.h:268
short st_uid
Definition: win32_port.h:270
bool superuser_arg(Oid roleid)
Definition: superuser.c:56
void ReleaseSysCache(HeapTuple tuple)
Definition: syscache.c:266
HeapTuple SearchSysCache1(int cacheId, Datum key1)
Definition: syscache.c:218
bool PGSharedMemoryIsInUse(unsigned long id1, unsigned long id2)
Definition: sysv_shmem.c:317
bool SplitDirectoriesString(char *rawstring, char separator, List **namelist)
Definition: varlena.c:3583
static void pgstat_report_wait_start(uint32 wait_event_info)
Definition: wait_event.h:88
static void pgstat_report_wait_end(void)
Definition: wait_event.h:104
#define stat
Definition: win32_port.h:284
#define SIGQUIT
Definition: win32_port.h:169
#define S_ISDIR(m)
Definition: win32_port.h:325
#define kill(pid, sig)
Definition: win32_port.h:485