/*-------------------------------------------------------------------------
*
* miscadmin.h
* This file contains general postgres administration and initialization
* stuff that used to be spread out between the following files:
* globals.h global variables
* pdir.h directory path crud
* pinit.h postgres initialization
* pmod.h processing modes
* Over time, this has also become the preferred place for widely known
* resource-limitation stuff, such as work_mem and check_stack_depth().
*
* Portions Copyright (c) 1996-2009, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
Allow read only connections during recovery, known as Hot Standby.
Enabled by recovery_connections = on (default) and forcing archive recovery using a recovery.conf. Recovery processing now emulates the original transactions as they are replayed, providing full locking and MVCC behaviour for read only queries. Recovery must enter consistent state before connections are allowed, so there is a delay, typically short, before connections succeed. Replay of recovering transactions can conflict and in some cases deadlock with queries during recovery; these result in query cancellation after max_standby_delay seconds have expired. Infrastructure changes have minor effects on normal running, though introduce four new types of WAL record.
New test mode "make standbycheck" allows regression tests of static command behaviour on a standby server while in recovery. Typical and extreme dynamic behaviours have been checked via code inspection and manual testing. Few port specific behaviours have been utilised, though primary testing has been on Linux only so far.
This commit is the basic patch. Additional changes will follow in this release to enhance some aspects of behaviour, notably improved handling of conflicts, deadlock detection and query cancellation. Changes to VACUUM FULL are also required.
Simon Riggs, with significant and lengthy review by Heikki Linnakangas, including streamlined redesign of snapshot creation and two-phase commit.
Important contributions from Florian Pflug, Mark Kirkwood, Merlin Moncure, Greg Stark, Gianni Ciolli, Gabriele Bartolini, Hannu Krosing, Robert Haas, Tatsuo Ishii, Hiroyuki Yamada plus support and feedback from many other community members.
* $PostgreSQL: pgsql/src/include/miscadmin.h,v 1.216 2009/12/19 01:32:41 sriggs Exp $
*
* NOTES
* some of the information in this file should be moved to other files.
*
*-------------------------------------------------------------------------
*/
#ifndef MISCADMIN_H
#define MISCADMIN_H

#include "pgtime.h"				/* for pg_time_t */

/*
 * Banner printed by the postgres executable for --version.  PG_VERSION is
 * defined elsewhere (build configuration); the trailing newline is part of
 * the string on purpose.
 */
#define PG_BACKEND_VERSIONSTR "postgres (PostgreSQL) " PG_VERSION "\n"
/*****************************************************************************
 *	  System interrupt and critical section handling
 *
 * There are two types of interrupts that a running backend needs to accept
 * without messing up its state: QueryCancel (SIGINT) and ProcDie (SIGTERM).
 * In both cases, we need to be able to clean up the current transaction
 * gracefully, so we can't respond to the interrupt instantaneously ---
 * there's no guarantee that internal data structures would be self-consistent
 * if the code is interrupted at an arbitrary instant.  Instead, the signal
 * handlers set flags that are checked periodically during execution.
 *
 * The CHECK_FOR_INTERRUPTS() macro is called at strategically located spots
 * where it is normally safe to accept a cancel or die interrupt.  In some
 * cases, we invoke CHECK_FOR_INTERRUPTS() inside low-level subroutines that
 * might sometimes be called in contexts that do *not* want to allow a cancel
 * or die interrupt.  The HOLD_INTERRUPTS() and RESUME_INTERRUPTS() macros
 * allow code to ensure that no cancel or die interrupt will be accepted,
 * even if CHECK_FOR_INTERRUPTS() gets called in a subroutine.  The interrupt
 * will be held off until CHECK_FOR_INTERRUPTS() is done outside any
 * HOLD_INTERRUPTS() ... RESUME_INTERRUPTS() section.
 *
 * Special mechanisms are used to let an interrupt be accepted when we are
 * waiting for a lock or when we are waiting for command input (but, of
 * course, only if the interrupt holdoff counter is zero).  See the
 * related code for details.
 *
 * A related, but conceptually distinct, mechanism is the "critical section"
 * mechanism.  A critical section not only holds off cancel/die interrupts,
 * but causes any ereport(ERROR) or ereport(FATAL) to become ereport(PANIC)
 * --- that is, a system-wide reset is forced.  Needless to say, only really
 * *critical* code should be marked as a critical section!  Currently, this
 * mechanism is only used for XLOG-related code.
 *
 * Because every flag below is written or read from a signal handler, none of
 * them may be cached in a local variable across a point where a signal could
 * arrive; always re-read the global.
 *****************************************************************************/

/* in globals.c */
/* these are marked volatile because they are set by signal handlers: */
extern PGDLLIMPORT volatile bool InterruptPending;	/* some interrupt needs
													 * service; the only flag
													 * CHECK_FOR_INTERRUPTS()
													 * looks at */
extern volatile bool QueryCancelPending;	/* SIGINT: cancel the current query */
extern volatile bool ProcDiePending;		/* SIGTERM: terminate this backend */

/* these are marked volatile because they are examined by signal handlers: */
extern volatile bool ImmediateInterruptOK;	/* presumably true only while
											 * blocked in a lock or input
											 * wait (see above) -- confirm
											 * against the handler code */
extern PGDLLIMPORT volatile uint32 InterruptHoldoffCount;	/* > 0 inside a
															 * HOLD_INTERRUPTS()
															 * section */
extern PGDLLIMPORT volatile uint32 CritSectionCount;	/* > 0 inside a
														 * START_CRIT_SECTION()
														 * section */

/* in tcop/postgres.c */
/*
 * Service whatever interrupt is pending.  Called by CHECK_FOR_INTERRUPTS()
 * whenever InterruptPending is set; since that macro does not consult the
 * holdoff or critical-section counters, honouring them must happen here.
 */
extern void ProcessInterrupts(void);
#ifndef WIN32

/*
 * Give a pending cancel/die interrupt a chance to be serviced.  Place this
 * only where the caller's state is consistent enough to survive an ERROR or
 * FATAL; the holdoff and critical-section counters are not examined here,
 * so the decision whether to act is left to ProcessInterrupts().
 */
#define CHECK_FOR_INTERRUPTS() \
do { \
	if (InterruptPending) \
		ProcessInterrupts(); \
} while(0)

#else							/* WIN32 */

/*
 * Windows variant.  Signals apparently arrive through a queue rather than
 * asynchronously, so the queue is drained first to let the handlers set
 * InterruptPending before it is tested.
 */
#define CHECK_FOR_INTERRUPTS() \
do { \
	if (UNBLOCKED_SIGNAL_QUEUE()) \
		pgwin32_dispatch_queued_signals(); \
	if (InterruptPending) \
		ProcessInterrupts(); \
} while(0)

#endif   /* WIN32 */
/*
 * Interrupt holdoff.  While InterruptHoldoffCount > 0 a cancel/die request
 * is not acted upon.  HOLD_INTERRUPTS() is an expression so it can be used
 * where a statement would not fit; RESUME_INTERRUPTS() is a statement.
 *
 * Note that the underflow check is an Assert only: in a build without
 * assertions an unbalanced RESUME_INTERRUPTS() wraps the uint32 counter to
 * a huge value and thereby holds off interrupts for the rest of the
 * session, so keep every HOLD/RESUME pair strictly matched on all paths.
 */
#define HOLD_INTERRUPTS()  (InterruptHoldoffCount++)

#define RESUME_INTERRUPTS() \
do { \
	Assert(InterruptHoldoffCount > 0); \
	InterruptHoldoffCount--; \
} while(0)

/*
 * Critical section.  Besides holding off interrupts, any ERROR/FATAL raised
 * while CritSectionCount > 0 is escalated to PANIC (see the section header
 * above), so keep such sections as short as possible.  The same
 * Assert-only underflow caveat as for RESUME_INTERRUPTS() applies.
 */
#define START_CRIT_SECTION()  (CritSectionCount++)

#define END_CRIT_SECTION() \
do { \
	Assert(CritSectionCount > 0); \
	CritSectionCount--; \
} while(0)
/*****************************************************************************
 *	  globals.h --														 *
 *****************************************************************************/

/*
 * from utils/init/globals.c
 */
extern pid_t PostmasterPid;				/* pid of the postmaster process */
extern bool IsPostmasterEnvironment;	/* NOTE(review): relationship to
										 * IsUnderPostmaster is not defined
										 * here -- see globals.c */
extern PGDLLIMPORT bool IsUnderPostmaster;	/* this process is a child of the
											 * postmaster (presumably false for
											 * a standalone backend) */

extern bool ExitOnAnyError;		/* when set, any ERROR terminates the
								 * process -- confirm in elog.c */

extern PGDLLIMPORT char *DataDir;	/* path of the data directory */

extern PGDLLIMPORT int NBuffers;	/* number of shared buffers */
extern int	MaxBackends;			/* upper bound on concurrent backends */
extern int	MaxConnections;			/* user connection limit; how it relates
									 * to MaxBackends is decided in guc.c --
									 * confirm there */

extern PGDLLIMPORT int MyProcPid;			/* pid of this process */
extern PGDLLIMPORT pg_time_t MyStartTime;	/* start time of this process */
extern PGDLLIMPORT struct Port *MyProcPort;	/* client connection state, NULL
											 * when there is no client --
											 * confirm */
extern long MyCancelKey;		/* secret this session expects in a cancel
								 * request; treat as sensitive and never log
								 * or expose it to other sessions */
Install a "dead man switch" to allow the postmaster to detect cases where
a backend has done exit(0) or exit(1) without having disengaged itself
from shared memory. We are at risk for this whenever third-party code is
loaded into a backend, since such code might not know it's supposed to go
through proc_exit() instead. Also, it is reported that under Windows
there are ways to externally kill a process that cause the status code
returned to the postmaster to be indistinguishable from a voluntary exit
(thank you, Microsoft). If this does happen then the system is probably
hosed --- for instance, the dead session might still be holding locks.
So the best recovery method is to treat this like a backend crash.
The dead man switch is armed for a particular child process when it
acquires a regular PGPROC, and disarmed when the PGPROC is released;
these should be the first and last touches of shared memory resources
in a backend, or close enough anyway. This choice means there is no
coverage for auxiliary processes, but I doubt we need that, since they
shouldn't be executing any user-provided code anyway.
This patch also improves the management of the EXEC_BACKEND
ShmemBackendArray array a bit, by reducing search costs.
Although this problem is of long standing, the lack of field complaints
seems to mean it's not critical enough to risk back-patching; at least
not till we get some more testing of this mechanism.
extern int	MyPMChildSlot;		/* this child's slot in the postmaster's
								 * bookkeeping; per the introducing commit it
								 * backs the "dead man switch" that lets the
								 * postmaster notice a child that exited
								 * without releasing shared memory */

extern char OutputFileName[];	/* NOTE(review): purpose not documented here */
extern PGDLLIMPORT char my_exec_path[];	/* full path of the running executable */
extern char pkglib_path[];		/* directory of installed loadable modules --
								 * confirm in miscinit.c */

#ifdef EXEC_BACKEND
extern char postgres_exec_path[];	/* path used to re-exec child processes */
#endif

/*
 * done in storage/backendid.h for now.
 *
 * extern BackendId MyBackendId;
 */
extern PGDLLIMPORT Oid MyDatabaseId;		/* OID of the connected database */

extern PGDLLIMPORT Oid MyDatabaseTableSpace;	/* default tablespace of that
												 * database */
/*
 * Date/Time Configuration
 *
 * DateStyle defines the output formatting choice for date/time types:
 *	USE_POSTGRES_DATES specifies traditional Postgres format
 *	USE_ISO_DATES specifies ISO-compliant format
 *	USE_SQL_DATES specifies Oracle/Ingres-compliant format
 *	USE_GERMAN_DATES specifies German-style dd.mm.yyyy
 *	USE_XSD_DATES is defined below but not described here -- confirm its
 *	exact output form in the datetime output code
 *
 * DateOrder defines the field order to be assumed when reading an
 * ambiguous date (anything not in YYYY-MM-DD format, with a four-digit
 * year field first, is taken to be ambiguous):
 *	DATEORDER_YMD specifies field order yy-mm-dd
 *	DATEORDER_DMY specifies field order dd-mm-yy ("European" convention)
 *	DATEORDER_MDY specifies field order mm-dd-yy ("US" convention)
 *
 * In the Postgres and SQL DateStyles, DateOrder also selects output field
 * order: day comes before month in DMY style, else month comes before day.
 *
 * The user-visible "DateStyle" run-time parameter subsumes both of these.
 */

/* valid DateStyle values */
#define USE_POSTGRES_DATES		0
#define USE_ISO_DATES			1
#define USE_SQL_DATES			2
#define USE_GERMAN_DATES		3
#define USE_XSD_DATES			4

/* valid DateOrder values */
#define DATEORDER_YMD			0
#define DATEORDER_DMY			1
#define DATEORDER_MDY			2

extern int	DateStyle;			/* one of the USE_*_DATES values */
extern int	DateOrder;			/* one of the DATEORDER_* values */
/*
 * IntervalStyles
 *	 INTSTYLE_POSTGRES			Like Postgres < 8.4 when DateStyle = 'iso'
 *	 INTSTYLE_POSTGRES_VERBOSE	Like Postgres < 8.4 when DateStyle != 'iso'
 *	 INTSTYLE_SQL_STANDARD		SQL standard interval literals
 *	 INTSTYLE_ISO_8601			ISO-8601-basic formatted intervals
 */
#define INTSTYLE_POSTGRES			0
#define INTSTYLE_POSTGRES_VERBOSE	1
#define INTSTYLE_SQL_STANDARD		2
#define INTSTYLE_ISO_8601			3

extern int	IntervalStyle;		/* one of the INTSTYLE_* values */
/*
 * HasCTZSet is true if user has set timezone as a numeric offset from UTC.
 * If so, CTimeZone is the timezone offset in seconds (using the Unix-ish
 * sign convention, ie, positive offset is west of UTC, rather than the
 * SQL-ish convention that positive is east of UTC).
 */
extern bool HasCTZSet;
extern int	CTimeZone;

#define MAXTZLEN		10		/* max TZ name len, not counting tr. null */

extern bool enableFsync;			/* fsync data to disk (durability) --
									 * confirm the GUC it backs */
extern bool allowSystemTableMods;	/* permits direct modification of system
									 * catalogs; only meaningful for
									 * bootstrap/maintenance, never in
									 * normal operation */
extern PGDLLIMPORT int work_mem;				/* per-operation memory
												 * limit, see header note */
extern PGDLLIMPORT int maintenance_work_mem;	/* same, for maintenance
												 * commands */

/* cost-based vacuum delay: per-page costs, the limit and the sleep */
extern int	VacuumCostPageHit;
extern int	VacuumCostPageMiss;
extern int	VacuumCostPageDirty;
extern int	VacuumCostLimit;
extern int	VacuumCostDelay;

extern int	VacuumCostBalance;		/* cost accumulated so far */
extern bool VacuumCostActive;		/* cost accounting currently enabled */

/* in tcop/postgres.c */
/*
 * Resource-limitation check named in the file header: intended to be called
 * from recursive code; presumably raises an error once the stack is too
 * deep -- confirm the exact limit in postgres.c.
 */
extern void check_stack_depth(void);
Allow read only connections during recovery, known as Hot Standby.
Enabled by recovery_connections = on (default) and forcing archive recovery using a recovery.conf. Recovery processing now emulates the original transactions as they are replayed, providing full locking and MVCC behaviour for read only queries. Recovery must enter consistent state before connections are allowed, so there is a delay, typically short, before connections succeed. Replay of recovering transactions can conflict and in some cases deadlock with queries during recovery; these result in query cancellation after max_standby_delay seconds have expired. Infrastructure changes have minor effects on normal running, though introduce four new types of WAL record.
New test mode "make standbycheck" allows regression tests of static command behaviour on a standby server while in recovery. Typical and extreme dynamic behaviours have been checked via code inspection and manual testing. Few port specific behaviours have been utilised, though primary testing has been on Linux only so far.
This commit is the basic patch. Additional changes will follow in this release to enhance some aspects of behaviour, notably improved handling of conflicts, deadlock detection and query cancellation. Changes to VACUUM FULL are also required.
Simon Riggs, with significant and lengthy review by Heikki Linnakangas, including streamlined redesign of snapshot creation and two-phase commit.
Important contributions from Florian Pflug, Mark Kirkwood, Merlin Moncure, Greg Stark, Gianni Ciolli, Gabriele Bartolini, Hannu Krosing, Robert Haas, Tatsuo Ishii, Hiroyuki Yamada plus support and feedback from many other community members.
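/* in tcop/utility.c */
/*
 * Error out if the server is still in recovery (Hot Standby); used by
 * commands that are not allowed on a read-only standby.
 */
extern void PreventCommandDuringRecovery(void);

/* in utils/misc/guc.c */
extern int	trace_recovery_messages;	/* GUC: verbosity threshold for
										 * recovery tracing */

/*
 * Map a requested trace level onto an elog level according to
 * trace_recovery_messages.  Declared with 'extern' like every other
 * prototype in this header (the keyword is redundant for functions but the
 * file's convention is to spell it out).
 */
extern int	trace_recovery(int trace_level);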
/*****************************************************************************
* pdir.h -- *
* POSTGRES directory path definitions. *
*****************************************************************************/
Prevent indirect security attacks via changing session-local state within
an allegedly immutable index function. It was previously recognized that
we had to prevent such a function from executing SET/RESET ROLE/SESSION
AUTHORIZATION, or it could trivially obtain the privileges of the session
user. However, since there is in general no privilege checking for changes
of session-local state, it is also possible for such a function to change
settings in a way that might subvert later operations in the same session.
Examples include changing search_path to cause an unexpected function to
be called, or replacing an existing prepared statement with another one
that will execute a function of the attacker's choosing.
The present patch secures VACUUM, ANALYZE, and CREATE INDEX/REINDEX against
these threats, which are the same places previously deemed to need protection
against the SET ROLE issue. GUC changes are still allowed, since there are
many useful cases for that, but we prevent security problems by forcing a
rollback of any GUC change after completing the operation. Other cases are
handled by throwing an error if any change is attempted; these include temp
table creation, closing a cursor, and creating or deleting a prepared
statement. (In 7.4, the infrastructure to roll back GUC changes doesn't
exist, so we settle for rejecting changes of "search_path" in these contexts.)
Original report and patch by Gurjeet Singh, additional analysis by
Tom Lane.
Security: CVE-2009-4136
/*
 * flags to be OR'd to form sec_context
 *
 * SECURITY_LOCAL_USERID_CHANGE
 *	  the current user id is a temporary, local change rather than the
 *	  session's real user (presumably the successor of the boolean
 *	  sec_def_context used by Get/SetUserIdAndContext below -- confirm).
 *
 * SECURITY_RESTRICTED_OPERATION
 *	  set while VACUUM, ANALYZE and CREATE INDEX/REINDEX run user-supplied
 *	  code (the CVE-2009-4136 fix).  While it is set, changes to
 *	  session-local state that could subvert later commands in the session
 *	  -- temp table creation, closing a cursor, creating or deleting a
 *	  prepared statement -- are rejected with an error, and any GUC change is
 *	  rolled back when the operation completes.  New code that evaluates
 *	  user-defined functions on behalf of a more privileged caller should
 *	  run under this flag as well.
 */
#define SECURITY_LOCAL_USERID_CHANGE	0x0001
#define SECURITY_RESTRICTED_OPERATION	0x0002

extern char *DatabasePath;		/* path of the current database directory */

/* now in utils/init/miscinit.c */
extern void SetDatabasePath(const char *path);	/* copies path; caller keeps
												 * ownership -- confirm */

extern char *GetUserNameFromId(Oid roleid);	/* palloc'd name of the role */
extern Oid	GetUserId(void);			/* effective user for permission
										 * checks */
extern Oid	GetOuterUserId(void);		/* user id outside any local change;
										 * semantics vs. session user not
										 * defined here -- confirm */
extern Oid	GetSessionUserId(void);		/* the authenticated session user */
Prevent indirect security attacks via changing session-local state within
an allegedly immutable index function. It was previously recognized that
we had to prevent such a function from executing SET/RESET ROLE/SESSION
AUTHORIZATION, or it could trivially obtain the privileges of the session
user. However, since there is in general no privilege checking for changes
of session-local state, it is also possible for such a function to change
settings in a way that might subvert later operations in the same session.
Examples include changing search_path to cause an unexpected function to
be called, or replacing an existing prepared statement with another one
that will execute a function of the attacker's choosing.
The present patch secures VACUUM, ANALYZE, and CREATE INDEX/REINDEX against
these threats, which are the same places previously deemed to need protection
against the SET ROLE issue. GUC changes are still allowed, since there are
many useful cases for that, but we prevent security problems by forcing a
rollback of any GUC change after completing the operation. Other cases are
handled by throwing an error if any change is attempted; these include temp
table creation, closing a cursor, and creating or deleting a prepared
statement. (In 7.4, the infrastructure to roll back GUC changes doesn't
exist, so we settle for rejecting changes of "search_path" in these contexts.)
Original report and patch by Gurjeet Singh, additional analysis by
Tom Lane.
Security: CVE-2009-4136
/*
 * Combined read/write of the current user id and the SECURITY_* flag set.
 * Code that temporarily changes either should save the old pair with
 * GetUserIdAndSecContext() and restore it with SetUserIdAndSecContext() on
 * every exit path, including error exits, so that neither an elevated user
 * id nor a cleared SECURITY_RESTRICTED_OPERATION flag can leak out.
 */
extern void GetUserIdAndSecContext(Oid *userid, int *sec_context);
extern void SetUserIdAndSecContext(Oid userid, int sec_context);
extern bool InLocalUserIdChange(void);			/* SECURITY_LOCAL_USERID_CHANGE
												 * currently set */
extern bool InSecurityRestrictedOperation(void);	/* SECURITY_RESTRICTED_OPERATION
													 * currently set */

/*
 * Older boolean-context interface (sec_def_context); kept alongside the
 * sec_context flags above, presumably for compatibility -- prefer the
 * flag-based functions in new code.
 */
extern void GetUserIdAndContext(Oid *userid, bool *sec_def_context);
extern void SetUserIdAndContext(Oid userid, bool sec_def_context);

extern void InitializeSessionUserId(const char *rolename);	/* at connection
															 * start */
extern void InitializeSessionUserIdStandalone(void);		/* standalone
															 * backend */
extern void SetSessionAuthorization(Oid userid, bool is_superuser);	/* SET
																	 * SESSION
																	 * AUTHORIZATION */
extern Oid	GetCurrentRoleId(void);									/* SET ROLE
																	 * target,
																	 * see
																	 * SetCurrentRoleId */
extern void SetCurrentRoleId(Oid roleid, bool is_superuser);

extern void SetDataDir(const char *dir);		/* records the data directory */
extern void ChangeToDataDir(void);				/* chdir() into it */
extern char *make_absolute_path(const char *path);	/* returns allocated
													 * string; caller frees
													 * -- confirm allocator */

/* in utils/misc/superuser.c */
extern bool superuser(void);			/* current user is superuser */
extern bool superuser_arg(Oid roleid);	/* given user is superuser */
/*****************************************************************************
 *	  pmod.h --															 *
 *			POSTGRES processing mode definitions.							 *
 *****************************************************************************/

/*
 * Description:
 *		There are three processing modes in POSTGRES.  They are
 * BootstrapProcessing or "bootstrap," InitProcessing or
 * "initialization," and NormalProcessing or "normal."
 *
 * The first two processing modes are used during special times.  When the
 * system state indicates bootstrap processing, transactions are all given
 * transaction id "one" and are consequently guaranteed to commit.  This mode
 * is used during the initial generation of template databases.
 *
 * Initialization mode: used while starting a backend, until all normal
 * initialization is complete.  Some code behaves differently when executed
 * in this mode to enable system bootstrapping.
 *
 * If a POSTGRES binary is in normal mode, then all code may be executed
 * normally.
 */

typedef enum ProcessingMode
{
	BootstrapProcessing,		/* bootstrap creation of template database */
	InitProcessing,				/* initializing system */
	NormalProcessing			/* normal processing */
} ProcessingMode;
extern ProcessingMode Mode;		/* current processing mode of this process */

/* predicates for the three modes; the (bool) cast normalises the result */
#define IsBootstrapProcessingMode() ((bool)(Mode == BootstrapProcessing))
#define IsInitProcessingMode() ((bool)(Mode == InitProcessing))
#define IsNormalProcessingMode() ((bool)(Mode == NormalProcessing))

/*
 * Set the processing mode.  The argument is validated with AssertArg only,
 * so in a build without assertions an out-of-range value is stored
 * unchecked; callers must pass one of the three enumerators.
 */
#define SetProcessingMode(mode) \
do { \
	AssertArg((mode) == BootstrapProcessing || \
			  (mode) == InitProcessing || \
			  (mode) == NormalProcessing); \
	Mode = (mode); \
} while(0)

#define GetProcessingMode() Mode
/*****************************************************************************
 *	  pinit.h --														 *
 *			POSTGRES initialization and cleanup definitions.				 *
 *****************************************************************************/

/* in utils/init/postinit.c */
/* Splits optstr into words appended to argv; *argcp is updated -- confirm
 * whether optstr is modified in place. */
extern void pg_split_opts(char **argv, int *argcp, char *optstr);
/* Connects this backend to a database, by name (in_dbname) or OID (dboid);
 * the resolved name is written to out_dbname when that is non-NULL --
 * confirm the NULL handling in postinit.c. */
extern void InitPostgres(const char *in_dbname, Oid dboid, const char *username,
			 char *out_dbname);
extern void BaseInit(void);		/* low-level initialization common to all
								 * processes */

/* in utils/init/miscinit.c */
extern bool IgnoreSystemIndexes;	/* debugging aid: scan catalogs
									 * sequentially */
extern PGDLLIMPORT bool process_shared_preload_libraries_in_progress;	/* true
																		 * while
																		 * the
																		 * loader
																		 * below
																		 * runs */
extern char *shared_preload_libraries_string;	/* GUC value: libraries the
												 * postmaster loads; only
												 * settable by the server
												 * administrator -- confirm
												 * the GUC context */
extern char *local_preload_libraries_string;	/* GUC value: libraries loaded
												 * into each backend */

/* track the heap/index currently being reindexed, see index.c */
extern void SetReindexProcessing(Oid heapOid, Oid indexOid);
extern void ResetReindexProcessing(void);
extern bool ReindexIsProcessingHeap(Oid heapOid);
extern bool ReindexIsProcessingIndex(Oid indexOid);

/* lock files guarding the data directory and the Unix socket */
extern void CreateDataDirLockFile(bool amPostmaster);
extern void CreateSocketLockFile(const char *socketfile, bool amPostmaster);
extern void TouchSocketLockFile(void);
extern void RecordSharedMemoryInLockFile(unsigned long id1,
							 unsigned long id2);

extern void ValidatePgVersion(const char *path);	/* errors out on a PG_VERSION
													 * mismatch -- confirm */
/* load the libraries named by the two *_preload_libraries_string GUCs;
 * anything loaded here runs with the backend's full privileges */
extern void process_shared_preload_libraries(void);
extern void process_local_preload_libraries(void);
extern void pg_bindtextdomain(const char *domain);	/* NLS message catalog
													 * setup */

/* in access/transam/xlog.c */
extern bool BackupInProgress(void);		/* an on-line backup is running */
extern void CancelBackup(void);			/* abort it */

#endif   /* MISCADMIN_H */