/*
* fork_process.c
* A simple wrapper on top of fork(). This does not handle the
* EXEC_BACKEND case; it might be extended to do so, but it would be
* considerably more complex.
*
* Copyright (c) 1996-2023, PostgreSQL Global Development Group
*
* IDENTIFICATION
* src/backend/postmaster/fork_process.c
*/
#include "postgres.h"
#include <fcntl.h>
#include <signal.h>
#include <time.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <unistd.h>
#include "libpq/pqsignal.h"
#include "postmaster/fork_process.h"
#ifndef WIN32
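/*
 * In a freshly forked child, optionally rewrite the process's OOM score
 * adjustment.
 *
 * By default, Linux tends to kill the postmaster in out-of-memory
 * situations, because it blames the postmaster for the sum of child
 * process sizes *including shared memory*. (This is unbelievably
 * stupid, but the kernel hackers seem uninterested in improving it.)
 * Therefore it's often a good idea to protect the postmaster by
 * setting its OOM score adjustment negative (which has to be done in
 * a root-owned startup script). Since the adjustment is inherited by
 * child processes, this would ordinarily mean that all the
 * postmaster's children are equally protected against OOM kill, which
 * is not such a good idea. So we provide this code to allow the
 * children to change their OOM score adjustments again. Both the
 * file name to write to and the value to write are controlled by
 * environment variables, which can be set by the same startup script
 * that did the original adjustment.
 *
 * This is strictly best-effort: if PG_OOM_ADJUST_FILE is unset, or the
 * file cannot be opened or written, the inherited adjustment is simply
 * left in place.  The open() runs with this process's own credentials,
 * so the file must already be writable by the server user.
 */
static void
adjust_oom_score(void)
{
    const char *oomfilename = getenv("PG_OOM_ADJUST_FILE");
    const char *oomvalue;
    int         fd;
    int         rc;

    if (oomfilename == NULL)
        return;

    /*
     * Use open() not stdio, to ensure we control the open flags. Some
     * Linux security environments reject anything but O_WRONLY.  The mode
     * argument is irrelevant since O_CREAT is not given.
     */
    fd = open(oomfilename, O_WRONLY, 0);
    if (fd < 0)
        return;                 /* We ignore all errors */

    oomvalue = getenv("PG_OOM_ADJUST_VALUE");
    if (oomvalue == NULL)       /* supply a useful default */
        oomvalue = "0";

    /*
     * Errors (and short writes) are deliberately ignored.  The result goes
     * through a variable rather than a bare (void) cast on the call, since
     * gcc's warn_unused_result is not silenced by the cast alone.
     */
    rc = write(fd, oomvalue, strlen(oomvalue));
    (void) rc;
    close(fd);
}

/*
 * Wrapper for fork(). Return values are the same as those for fork():
 * -1 if the fork failed, 0 in the child process, and the PID of the
 * child in the parent process. Signals are blocked while forking, so
 * the child must unblock.
 *
 * Side effects: all stdio streams are flushed before forking.  In the
 * child, the OOM score adjustment may be rewritten (see
 * adjust_oom_score) and the random-number state is reinitialized.  In
 * the parent -- and when fork() itself fails -- the caller's signal mask
 * is restored before returning; the child keeps BlockSig installed.
 */
pid_t
fork_process(void)
{
    pid_t       result;
    sigset_t    save_mask;

#ifdef LINUX_PROFILE
    struct itimerval prof_itimer;
#endif

    /*
     * Flush stdio channels just before fork, to avoid double-output problems.
     */
    fflush(NULL);

#ifdef LINUX_PROFILE

    /*
     * Linux's fork() resets the profiling timer in the child process. If we
     * want to profile child processes then we need to save and restore the
     * timer setting. This is a waste of time if not profiling, however, so
     * only do it if commanded by specific -DLINUX_PROFILE switch.
     */
    getitimer(ITIMER_PROF, &prof_itimer);
#endif

    /*
     * We start postmaster children with signals blocked. This allows them to
     * install their own handlers before unblocking, to avoid races where they
     * might run the postmaster's handler and miss an important control
     * signal. With more analysis this could potentially be relaxed.
     */
    sigprocmask(SIG_SETMASK, &BlockSig, &save_mask);

    result = fork();
    if (result == 0)
    {
        /* fork succeeded, in child */
#ifdef LINUX_PROFILE
        setitimer(ITIMER_PROF, &prof_itimer, NULL);
#endif

        adjust_oom_score();

        /*
         * Do post-fork initialization for random number generation, so the
         * child does not continue with random state inherited from the
         * postmaster.  This reset was originally introduced (for OpenSSL's
         * PRNG) as the fix for CVE-2013-1900, where every child shared the
         * parent's pseudo-random state.
         */
        pg_strong_random_init();
    }
    else
    {
        /* in parent (or fork failed), restore signal mask */
        sigprocmask(SIG_SETMASK, &save_mask, NULL);
    }

    return result;
}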
#endif /* ! WIN32 */