PostgreSQL Source Code  git master
signalfuncs.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * signalfuncs.c
4  * Functions for signaling backends
5  *
6  * Portions Copyright (c) 1996-2020, PostgreSQL Global Development Group
7  * Portions Copyright (c) 1994, Regents of the University of California
8  *
9  *
10  * IDENTIFICATION
11  * src/backend/storage/ipc/signalfuncs.c
12  *
13  *-------------------------------------------------------------------------
14  */
15 #include "postgres.h"
16 
17 #include <signal.h>
18 
19 #include "catalog/pg_authid.h"
20 #include "miscadmin.h"
21 #include "postmaster/syslogger.h"
22 #include "storage/pmsignal.h"
23 #include "storage/proc.h"
24 #include "storage/procarray.h"
25 #include "utils/acl.h"
26 #include "utils/builtins.h"
27 
28 
29 /*
30  * Send a signal to another backend.
31  *
32  * The signal is delivered if the user is either a superuser or the same
33  * role as the backend being signaled. For "dangerous" signals, an explicit
34  * check for superuser needs to be done prior to calling this function.
35  *
36  * Returns 0 on success, 1 on general failure, 2 on normal permission error
37  * and 3 if the caller needs to be a superuser.
38  *
39  * In the event of a general failure (return code 1), a warning message will
40  * be emitted. For permission errors, doing that is the responsibility of
41  * the caller.
42  */
43 #define SIGNAL_BACKEND_SUCCESS 0
44 #define SIGNAL_BACKEND_ERROR 1
45 #define SIGNAL_BACKEND_NOPERMISSION 2
46 #define SIGNAL_BACKEND_NOSUPERUSER 3
47 static int
48 pg_signal_backend(int pid, int sig)
49 {
50  PGPROC *proc = BackendPidGetProc(pid);
51 
52  /*
53  * BackendPidGetProc returns NULL if the pid isn't valid; but by the time
54  * we reach kill(), a process for which we get a valid proc here might
55  * have terminated on its own. There's no way to acquire a lock on an
56  * arbitrary process to prevent that. But since so far all the callers of
57  * this mechanism involve some request for ending the process anyway, that
58  * it might end on its own first is not a problem.
59  */
60  if (proc == NULL)
61  {
62  /*
63  * This is just a warning so a loop-through-resultset will not abort
64  * if one backend terminated on its own during the run.
65  */
66  ereport(WARNING,
67  (errmsg("PID %d is not a PostgreSQL server process", pid)));
68  return SIGNAL_BACKEND_ERROR;
69  }
70 
71  /* Only allow superusers to signal superuser-owned backends. */
72  if (superuser_arg(proc->roleId) && !superuser())
73  return SIGNAL_BACKEND_NOSUPERUSER;
74 
75  /* Users can signal backends they have role membership in. */
76  if (!has_privs_of_role(GetUserId(), proc->roleId) &&
77  !has_privs_of_role(GetUserId(), DEFAULT_ROLE_SIGNAL_BACKENDID))
78  return SIGNAL_BACKEND_NOPERMISSION;
79 
80  /*
81  * Can the process we just validated above end, followed by the pid being
82  * recycled for a new process, before reaching here? Then we'd be trying
83  * to kill the wrong thing. Seems near impossible when sequential pid
84  * assignment and wraparound is used. Perhaps it could happen on a system
85  * where pid re-use is randomized. That race condition possibility seems
86  * too unlikely to worry about.
87  */
88 
89  /* If we have setsid(), signal the backend's whole process group */
90 #ifdef HAVE_SETSID
91  if (kill(-pid, sig))
92 #else
93  if (kill(pid, sig))
94 #endif
95  {
96  /* Again, just a warning to allow loops */
97  ereport(WARNING,
98  (errmsg("could not send signal to process %d: %m", pid)));
99  return SIGNAL_BACKEND_ERROR;
100  }
101  return SIGNAL_BACKEND_SUCCESS;
102 }
103 
104 /*
105  * Signal to cancel a backend process. This is allowed if you are a member of
106  * the role whose process is being canceled.
107  *
108  * Note that only superusers can signal superuser-owned processes.
109  */
110 Datum
111 pg_cancel_backend(PG_FUNCTION_ARGS)
112 {
113  int r = pg_signal_backend(PG_GETARG_INT32(0), SIGINT);
114 
115  if (r == SIGNAL_BACKEND_NOSUPERUSER)
116  ereport(ERROR,
117  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
118  errmsg("must be a superuser to cancel superuser query")));
119 
120  if (r == SIGNAL_BACKEND_NOPERMISSION)
121  ereport(ERROR,
122  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
123  errmsg("must be a member of the role whose query is being canceled or member of pg_signal_backend")));
124 
125  PG_RETURN_BOOL(r == SIGNAL_BACKEND_SUCCESS);
126 }
127 
128 /*
129  * Signal to terminate a backend process. This is allowed if you are a member
130  * of the role whose process is being terminated.
131  *
132  * Note that only superusers can signal superuser-owned processes.
133  */
134 Datum
135 pg_terminate_backend(PG_FUNCTION_ARGS)
136 {
137  int r = pg_signal_backend(PG_GETARG_INT32(0), SIGTERM);
138 
139  if (r == SIGNAL_BACKEND_NOSUPERUSER)
140  ereport(ERROR,
141  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
142  errmsg("must be a superuser to terminate superuser process")));
143 
144  if (r == SIGNAL_BACKEND_NOPERMISSION)
145  ereport(ERROR,
146  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
147  errmsg("must be a member of the role whose process is being terminated or member of pg_signal_backend")));
148 
149  PG_RETURN_BOOL(r == SIGNAL_BACKEND_SUCCESS);
150 }
151 
152 /*
153  * Signal to reload the database configuration
154  *
155  * Permission checking for this function is managed through the normal
156  * GRANT system.
157  */
158 Datum
159 pg_reload_conf(PG_FUNCTION_ARGS)
160 {
161  if (kill(PostmasterPid, SIGHUP))
162  {
163  ereport(WARNING,
164  (errmsg("failed to send signal to postmaster: %m")));
165  PG_RETURN_BOOL(false);
166  }
167 
168  PG_RETURN_BOOL(true);
169 }
170 
171 
172 /*
173  * Rotate log file
174  *
175  * This function is kept to support adminpack 1.0.
176  */
177 Datum
178 pg_rotate_logfile(PG_FUNCTION_ARGS)
179 {
180  if (!superuser())
181  ereport(ERROR,
182  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
183  errmsg("must be superuser to rotate log files with adminpack 1.0"),
184  /* translator: %s is a SQL function name */
185  errhint("Consider using %s, which is part of core, instead.",
186  "pg_logfile_rotate()")));
187 
188  if (!Logging_collector)
189  {
190  ereport(WARNING,
191  (errmsg("rotation not possible because log collection not active")));
192  PG_RETURN_BOOL(false);
193  }
194 
195  SendPostmasterSignal(PMSIGNAL_ROTATE_LOGFILE);
196  PG_RETURN_BOOL(true);
197 }
198 
199 /*
200  * Rotate log file
201  *
202  * Permission checking for this function is managed through the normal
203  * GRANT system.
204  */
205 Datum
206 pg_rotate_logfile_v2(PG_FUNCTION_ARGS)
207 {
208  if (!Logging_collector)
209  {
210  ereport(WARNING,
211  (errmsg("rotation not possible because log collection not active")));
212  PG_RETURN_BOOL(false);
213  }
214 
215  SendPostmasterSignal(PMSIGNAL_ROTATE_LOGFILE);
216  PG_RETURN_BOOL(true);
217 }
pg_rotate_logfile
Datum pg_rotate_logfile(PG_FUNCTION_ARGS)
Definition: signalfuncs.c:178
PG_GETARG_INT32
#define PG_GETARG_INT32(n)
Definition: fmgr.h:269
errhint
int errhint(const char *fmt,...)
Definition: elog.c:1068
pg_rotate_logfile_v2
Datum pg_rotate_logfile_v2(PG_FUNCTION_ARGS)
Definition: signalfuncs.c:206
GetUserId
Oid GetUserId(void)
Definition: miscinit.c:476
BackendPidGetProc
PGPROC * BackendPidGetProc(int pid)
Definition: procarray.c:3032
has_privs_of_role
bool has_privs_of_role(Oid member, Oid role)
Definition: acl.c:4892
PGPROC::roleId
Oid roleId
Definition: proc.h:146
errcode
int errcode(int sqlerrcode)
Definition: elog.c:610
superuser
bool superuser(void)
Definition: superuser.c:46
kill
#define kill(pid, sig)
Definition: win32_port.h:454
pg_cancel_backend
Datum pg_cancel_backend(PG_FUNCTION_ARGS)
Definition: signalfuncs.c:111
SIGNAL_BACKEND_SUCCESS
#define SIGNAL_BACKEND_SUCCESS
Definition: signalfuncs.c:43
pg_signal_backend
static int pg_signal_backend(int pid, int sig)
Definition: signalfuncs.c:48
Logging_collector
bool Logging_collector
Definition: syslogger.c:69
SIGNAL_BACKEND_NOSUPERUSER
#define SIGNAL_BACKEND_NOSUPERUSER
Definition: signalfuncs.c:46
ERRCODE_INSUFFICIENT_PRIVILEGE
#define ERRCODE_INSUFFICIENT_PRIVILEGE
ERROR
#define ERROR
Definition: elog.h:43
SIGHUP
#define SIGHUP
Definition: win32_port.h:159
superuser_arg
bool superuser_arg(Oid roleid)
Definition: superuser.c:56
SIGNAL_BACKEND_NOPERMISSION
#define SIGNAL_BACKEND_NOPERMISSION
Definition: signalfuncs.c:45
pg_reload_conf
Datum pg_reload_conf(PG_FUNCTION_ARGS)
Definition: signalfuncs.c:159
PostmasterPid
pid_t PostmasterPid
Definition: globals.c:95
WARNING
#define WARNING
Definition: elog.h:40
PG_RETURN_BOOL
#define PG_RETURN_BOOL(x)
Definition: fmgr.h:358
Datum
uintptr_t Datum
Definition: postgres.h:367
SIGNAL_BACKEND_ERROR
#define SIGNAL_BACKEND_ERROR
Definition: signalfuncs.c:44
sig
static int sig
Definition: pg_ctl.c:84
ereport
#define ereport(elevel,...)
Definition: elog.h:144
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:821
pg_terminate_backend
Datum pg_terminate_backend(PG_FUNCTION_ARGS)
Definition: signalfuncs.c:135
pg_authid.h
PG_FUNCTION_ARGS
#define PG_FUNCTION_ARGS
Definition: fmgr.h:193
SendPostmasterSignal
void SendPostmasterSignal(PMSignalReason reason)
Definition: pmsignal.c:146
PGPROC
Definition: proc.h:112