search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add eager and lazy freezing strategies to VACUUM.
[pgsql.git] / src / common / exec.c
blob93b2faf2c4073a153fe3245fd75959d22ac362ba
1 /*-------------------------------------------------------------------------
2 *
3 * exec.c
4 * Functions for finding and validating executable files
5 *
6 *
7 * Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group
8 * Portions Copyright (c) 1994, Regents of the University of California
9 *
10 *
11 * IDENTIFICATION
12 * src/common/exec.c
13 *
14 *-------------------------------------------------------------------------
15 */
16
17 #ifndef FRONTEND
18 #include "postgres.h"
19 #else
20 #include "postgres_fe.h"
21 #endif
22
23 #include <signal.h>
24 #include <sys/stat.h>
25 #include <sys/wait.h>
26 #include <unistd.h>
27
28 #ifdef EXEC_BACKEND
29 #if defined(HAVE_SYS_PERSONALITY_H)
30 #include <sys/personality.h>
31 #elif defined(HAVE_SYS_PROCCTL_H)
32 #include <sys/procctl.h>
33 #endif
34 #endif
35
36 /* Inhibit mingw CRT's auto-globbing of command line arguments */
37 #if defined(WIN32) && !defined(_MSC_VER)
38 extern int _CRT_glob = 0; /* 0 turns off globbing; 1 turns it on */
39 #endif
40
41 /*
42 * Hacky solution to allow expressing both frontend and backend error reports
43 * in one macro call. First argument of log_error is an errcode() call of
44 * some sort (ignored if FRONTEND); the rest are errmsg_internal() arguments,
45 * i.e. message string and any parameters for it.
46 *
47 * Caller must provide the gettext wrapper around the message string, if
48 * appropriate, so that it gets translated in the FRONTEND case; this
49 * motivates using errmsg_internal() not errmsg(). We handle appending a
50 * newline, if needed, inside the macro, so that there's only one translatable
51 * string per call not two.
52 */
53 #ifndef FRONTEND
54 #define log_error(errcodefn, ...) \
55 ereport(LOG, (errcodefn, errmsg_internal(__VA_ARGS__)))
56 #else
57 #define log_error(errcodefn, ...) \
58 (fprintf(stderr, __VA_ARGS__), fputc('\n', stderr))
59 #endif
60
61 #ifdef _MSC_VER
62 #define getcwd(cwd,len) GetCurrentDirectory(len, cwd)
63 #endif
64
65 static int resolve_symlinks(char *path);
66
67 #ifdef WIN32
68 static BOOL GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser);
69 #endif
70
71 /*
72 * validate_exec -- validate "path" as an executable file
73 *
74 * returns 0 if the file is found and no error is encountered.
75 * -1 if the regular file "path" does not exist or cannot be executed.
76 * -2 if the file is otherwise valid but cannot be read.
77 * in the failure cases, errno is set appropriately
78 */
79 int
80 validate_exec(const char *path)
81 {
82 struct stat buf;
83 int is_r;
84 int is_x;
85
86 #ifdef WIN32
87 char path_exe[MAXPGPATH + sizeof(".exe") - 1];
88
89 /* Win32 requires a .exe suffix for stat() */
90 if (strlen(path) >= strlen(".exe") &&
91 pg_strcasecmp(path + strlen(path) - strlen(".exe"), ".exe") != 0)
92 {
93 strlcpy(path_exe, path, sizeof(path_exe) - 4);
94 strcat(path_exe, ".exe");
95 path = path_exe;
96 }
97 #endif
98
99 /*
100 * Ensure that the file exists and is a regular file.
101 *
102 * XXX if you have a broken system where stat() looks at the symlink
103 * instead of the underlying file, you lose.
104 */
105 if (stat(path, &buf) < 0)
106 return -1;
107
108 if (!S_ISREG(buf.st_mode))
109 {
110 /*
111 * POSIX offers no errno code that's simply "not a regular file". If
112 * it's a directory we can use EISDIR. Otherwise, it's most likely a
113 * device special file, and EPERM (Operation not permitted) isn't too
114 * horribly off base.
115 */
116 errno = S_ISDIR(buf.st_mode) ? EISDIR : EPERM;
117 return -1;
118 }
119
120 /*
121 * Ensure that the file is both executable and readable (required for
122 * dynamic loading).
123 */
124 #ifndef WIN32
125 is_r = (access(path, R_OK) == 0);
126 is_x = (access(path, X_OK) == 0);
127 /* access() will set errno if it returns -1 */
128 #else
129 is_r = buf.st_mode & S_IRUSR;
130 is_x = buf.st_mode & S_IXUSR;
131 errno = EACCES; /* appropriate thing if we return nonzero */
132 #endif
133 return is_x ? (is_r ? 0 : -2) : -1;
134 }
135
136
137 /*
138 * find_my_exec -- find an absolute path to a valid executable
139 *
140 * argv0 is the name passed on the command line
141 * retpath is the output area (must be of size MAXPGPATH)
142 * Returns 0 if OK, -1 if error.
143 *
144 * The reason we have to work so hard to find an absolute path is that
145 * on some platforms we can't do dynamic loading unless we know the
146 * executable's location. Also, we need a full path not a relative
147 * path because we will later change working directory. Finally, we want
148 * a true path not a symlink location, so that we can locate other files
149 * that are part of our installation relative to the executable.
150 */
151 int
152 find_my_exec(const char *argv0, char *retpath)
153 {
154 char cwd[MAXPGPATH],
155 test_path[MAXPGPATH];
156 char *path;
157
158 if (!getcwd(cwd, MAXPGPATH))
159 {
160 log_error(errcode_for_file_access(),
161 _("could not identify current directory: %m"));
162 return -1;
163 }
164
165 /*
166 * If argv0 contains a separator, then PATH wasn't used.
167 */
168 if (first_dir_separator(argv0) != NULL)
169 {
170 if (is_absolute_path(argv0))
171 strlcpy(retpath, argv0, MAXPGPATH);
172 else
173 join_path_components(retpath, cwd, argv0);
174 canonicalize_path(retpath);
175
176 if (validate_exec(retpath) == 0)
177 return resolve_symlinks(retpath);
178
179 log_error(errcode(ERRCODE_WRONG_OBJECT_TYPE),
180 _("invalid binary \"%s\": %m"), retpath);
181 return -1;
182 }
183
184 #ifdef WIN32
185 /* Win32 checks the current directory first for names without slashes */
186 join_path_components(retpath, cwd, argv0);
187 if (validate_exec(retpath) == 0)
188 return resolve_symlinks(retpath);
189 #endif
190
191 /*
192 * Since no explicit path was supplied, the user must have been relying on
193 * PATH. We'll search the same PATH.
194 */
195 if ((path = getenv("PATH")) && *path)
196 {
197 char *startp = NULL,
198 *endp = NULL;
199
200 do
201 {
202 if (!startp)
203 startp = path;
204 else
205 startp = endp + 1;
206
207 endp = first_path_var_separator(startp);
208 if (!endp)
209 endp = startp + strlen(startp); /* point to end */
210
211 strlcpy(test_path, startp, Min(endp - startp + 1, MAXPGPATH));
212
213 if (is_absolute_path(test_path))
214 join_path_components(retpath, test_path, argv0);
215 else
216 {
217 join_path_components(retpath, cwd, test_path);
218 join_path_components(retpath, retpath, argv0);
219 }
220 canonicalize_path(retpath);
221
222 switch (validate_exec(retpath))
223 {
224 case 0: /* found ok */
225 return resolve_symlinks(retpath);
226 case -1: /* wasn't even a candidate, keep looking */
227 break;
228 case -2: /* found but disqualified */
229 log_error(errcode(ERRCODE_WRONG_OBJECT_TYPE),
230 _("could not read binary \"%s\": %m"),
231 retpath);
232 break;
233 }
234 } while (*endp);
235 }
236
237 log_error(errcode(ERRCODE_UNDEFINED_FILE),
238 _("could not find a \"%s\" to execute"), argv0);
239 return -1;
240 }
241
242
243 /*
244 * resolve_symlinks - resolve symlinks to the underlying file
245 *
246 * Replace "path" by the absolute path to the referenced file.
247 *
248 * Returns 0 if OK, -1 if error.
249 *
250 * Note: we are not particularly tense about producing nice error messages
251 * because we are not really expecting error here; we just determined that
252 * the symlink does point to a valid executable.
253 *
254 * Here we test HAVE_READLINK, which excludes Windows. There's no point in
255 * using our junction point-based replacement code for this, because that only
256 * works for directories.
257 */
258 static int
259 resolve_symlinks(char *path)
260 {
261 #ifdef HAVE_READLINK
262 struct stat buf;
263 char orig_wd[MAXPGPATH],
264 link_buf[MAXPGPATH];
265 char *fname;
266
267 /*
268 * To resolve a symlink properly, we have to chdir into its directory and
269 * then chdir to where the symlink points; otherwise we may fail to
270 * resolve relative links correctly (consider cases involving mount
271 * points, for example). After following the final symlink, we use
272 * getcwd() to figure out where the heck we're at.
273 *
274 * One might think we could skip all this if path doesn't point to a
275 * symlink to start with, but that's wrong. We also want to get rid of
276 * any directory symlinks that are present in the given path. We expect
277 * getcwd() to give us an accurate, symlink-free path.
278 */
279 if (!getcwd(orig_wd, MAXPGPATH))
280 {
281 log_error(errcode_for_file_access(),
282 _("could not identify current directory: %m"));
283 return -1;
284 }
285
286 for (;;)
287 {
288 char *lsep;
289 int rllen;
290
291 lsep = last_dir_separator(path);
292 if (lsep)
293 {
294 *lsep = '\0';
295 if (chdir(path) == -1)
296 {
297 log_error(errcode_for_file_access(),
298 _("could not change directory to \"%s\": %m"), path);
299 return -1;
300 }
301 fname = lsep + 1;
302 }
303 else
304 fname = path;
305
306 if (lstat(fname, &buf) < 0 ||
307 !S_ISLNK(buf.st_mode))
308 break;
309
310 errno = 0;
311 rllen = readlink(fname, link_buf, sizeof(link_buf));
312 if (rllen < 0 || rllen >= sizeof(link_buf))
313 {
314 log_error(errcode_for_file_access(),
315 _("could not read symbolic link \"%s\": %m"), fname);
316 return -1;
317 }
318 link_buf[rllen] = '\0';
319 strcpy(path, link_buf);
320 }
321
322 /* must copy final component out of 'path' temporarily */
323 strlcpy(link_buf, fname, sizeof(link_buf));
324
325 if (!getcwd(path, MAXPGPATH))
326 {
327 log_error(errcode_for_file_access(),
328 _("could not identify current directory: %m"));
329 return -1;
330 }
331 join_path_components(path, path, link_buf);
332 canonicalize_path(path);
333
334 if (chdir(orig_wd) == -1)
335 {
336 log_error(errcode_for_file_access(),
337 _("could not change directory to \"%s\": %m"), orig_wd);
338 return -1;
339 }
340 #endif /* HAVE_READLINK */
341
342 return 0;
343 }
344
345
346 /*
347 * Find another program in our binary's directory,
348 * then make sure it is the proper version.
349 */
350 int
351 find_other_exec(const char *argv0, const char *target,
352 const char *versionstr, char *retpath)
353 {
354 char cmd[MAXPGPATH];
355 char line[MAXPGPATH];
356
357 if (find_my_exec(argv0, retpath) < 0)
358 return -1;
359
360 /* Trim off program name and keep just directory */
361 *last_dir_separator(retpath) = '\0';
362 canonicalize_path(retpath);
363
364 /* Now append the other program's name */
365 snprintf(retpath + strlen(retpath), MAXPGPATH - strlen(retpath),
366 "/%s%s", target, EXE);
367
368 if (validate_exec(retpath) != 0)
369 return -1;
370
371 snprintf(cmd, sizeof(cmd), "\"%s\" -V", retpath);
372
373 if (!pipe_read_line(cmd, line, sizeof(line)))
374 return -1;
375
376 if (strcmp(line, versionstr) != 0)
377 return -2;
378
379 return 0;
380 }
381
382
383 /*
384 * Execute a command in a pipe and read the first line from it.
385 */
386 char *
387 pipe_read_line(char *cmd, char *line, int maxsize)
388 {
389 FILE *pgver;
390
391 fflush(NULL);
392
393 errno = 0;
394 if ((pgver = popen(cmd, "r")) == NULL)
395 {
396 perror("popen failure");
397 return NULL;
398 }
399
400 errno = 0;
401 if (fgets(line, maxsize, pgver) == NULL)
402 {
403 if (feof(pgver))
404 fprintf(stderr, "no data was returned by command \"%s\"\n", cmd);
405 else
406 perror("fgets failure");
407 pclose(pgver); /* no error checking */
408 return NULL;
409 }
410
411 if (pclose_check(pgver))
412 return NULL;
413
414 return line;
415 }
416
417
418 /*
419 * pclose() plus useful error reporting
420 */
421 int
422 pclose_check(FILE *stream)
423 {
424 int exitstatus;
425 char *reason;
426
427 exitstatus = pclose(stream);
428
429 if (exitstatus == 0)
430 return 0; /* all is well */
431
432 if (exitstatus == -1)
433 {
434 /* pclose() itself failed, and hopefully set errno */
435 log_error(errcode(ERRCODE_SYSTEM_ERROR),
436 _("%s() failed: %m"), "pclose");
437 }
438 else
439 {
440 reason = wait_result_to_str(exitstatus);
441 log_error(errcode(ERRCODE_SYSTEM_ERROR),
442 "%s", reason);
443 pfree(reason);
444 }
445 return exitstatus;
446 }
447
448 /*
449 * set_pglocale_pgservice
450 *
451 * Set application-specific locale and service directory
452 *
453 * This function takes the value of argv[0] rather than a full path.
454 *
455 * (You may be wondering why this is in exec.c. It requires this module's
456 * services and doesn't introduce any new dependencies, so this seems as
457 * good as anyplace.)
458 */
459 void
460 set_pglocale_pgservice(const char *argv0, const char *app)
461 {
462 char path[MAXPGPATH];
463 char my_exec_path[MAXPGPATH];
464
465 /* don't set LC_ALL in the backend */
466 if (strcmp(app, PG_TEXTDOMAIN("postgres")) != 0)
467 {
468 setlocale(LC_ALL, "");
469
470 /*
471 * One could make a case for reproducing here PostmasterMain()'s test
472 * for whether the process is multithreaded. Unlike the postmaster,
473 * no frontend program calls sigprocmask() or otherwise provides for
474 * mutual exclusion between signal handlers. While frontends using
475 * fork(), if multithreaded, are formally exposed to undefined
476 * behavior, we have not witnessed a concrete bug. Therefore,
477 * complaining about multithreading here may be mere pedantry.
478 */
479 }
480
481 if (find_my_exec(argv0, my_exec_path) < 0)
482 return;
483
484 #ifdef ENABLE_NLS
485 get_locale_path(my_exec_path, path);
486 bindtextdomain(app, path);
487 textdomain(app);
488 /* set for libpq to use, but don't override existing setting */
489 setenv("PGLOCALEDIR", path, 0);
490 #endif
491
492 if (getenv("PGSYSCONFDIR") == NULL)
493 {
494 get_etc_path(my_exec_path, path);
495 /* set for libpq to use */
496 setenv("PGSYSCONFDIR", path, 0);
497 }
498 }
499
500 #ifdef EXEC_BACKEND
501 /*
502 * For the benefit of PostgreSQL developers testing EXEC_BACKEND on Unix
503 * systems (code paths normally exercised only on Windows), provide a way to
504 * disable address space layout randomization, if we know how on this platform.
505 * Otherwise, backends may fail to attach to shared memory at the fixed address
506 * chosen by the postmaster. (See also the macOS-specific hack in
507 * sysv_shmem.c.)
508 */
509 int
510 pg_disable_aslr(void)
511 {
512 #if defined(HAVE_SYS_PERSONALITY_H)
513 return personality(ADDR_NO_RANDOMIZE);
514 #elif defined(HAVE_SYS_PROCCTL_H) && defined(PROC_ASLR_FORCE_DISABLE)
515 int data = PROC_ASLR_FORCE_DISABLE;
516
517 return procctl(P_PID, 0, PROC_ASLR_CTL, &data);
518 #else
519 errno = ENOSYS;
520 return -1;
521 #endif
522 }
523 #endif
524
525 #ifdef WIN32
526
527 /*
528 * AddUserToTokenDacl(HANDLE hToken)
529 *
530 * This function adds the current user account to the restricted
531 * token used when we create a restricted process.
532 *
533 * This is required because of some security changes in Windows
534 * that appeared in patches to XP/2K3 and in Vista/2008.
535 *
536 * On these machines, the Administrator account is not included in
537 * the default DACL - you just get Administrators + System. For
538 * regular users you get User + System. Because we strip Administrators
539 * when we create the restricted token, we are left with only System
540 * in the DACL which leads to access denied errors for later CreatePipe()
541 * and CreateProcess() calls when running as Administrator.
542 *
543 * This function fixes this problem by modifying the DACL of the
544 * token the process will use, and explicitly re-adding the current
545 * user account. This is still secure because the Administrator account
546 * inherits its privileges from the Administrators group - it doesn't
547 * have any of its own.
548 */
549 BOOL
550 AddUserToTokenDacl(HANDLE hToken)
551 {
552 int i;
553 ACL_SIZE_INFORMATION asi;
554 ACCESS_ALLOWED_ACE *pace;
555 DWORD dwNewAclSize;
556 DWORD dwSize = 0;
557 DWORD dwTokenInfoLength = 0;
558 PACL pacl = NULL;
559 PTOKEN_USER pTokenUser = NULL;
560 TOKEN_DEFAULT_DACL tddNew;
561 TOKEN_DEFAULT_DACL *ptdd = NULL;
562 TOKEN_INFORMATION_CLASS tic = TokenDefaultDacl;
563 BOOL ret = FALSE;
564
565 /* Figure out the buffer size for the DACL info */
566 if (!GetTokenInformation(hToken, tic, (LPVOID) NULL, dwTokenInfoLength, &dwSize))
567 {
568 if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
569 {
570 ptdd = (TOKEN_DEFAULT_DACL *) LocalAlloc(LPTR, dwSize);
571 if (ptdd == NULL)
572 {
573 log_error(errcode(ERRCODE_OUT_OF_MEMORY),
574 _("out of memory"));
575 goto cleanup;
576 }
577
578 if (!GetTokenInformation(hToken, tic, (LPVOID) ptdd, dwSize, &dwSize))
579 {
580 log_error(errcode(ERRCODE_SYSTEM_ERROR),
581 "could not get token information: error code %lu",
582 GetLastError());
583 goto cleanup;
584 }
585 }
586 else
587 {
588 log_error(errcode(ERRCODE_SYSTEM_ERROR),
589 "could not get token information buffer size: error code %lu",
590 GetLastError());
591 goto cleanup;
592 }
593 }
594
595 /* Get the ACL info */
596 if (!GetAclInformation(ptdd->DefaultDacl, (LPVOID) &asi,
597 (DWORD) sizeof(ACL_SIZE_INFORMATION),
598 AclSizeInformation))
599 {
600 log_error(errcode(ERRCODE_SYSTEM_ERROR),
601 "could not get ACL information: error code %lu",
602 GetLastError());
603 goto cleanup;
604 }
605
606 /* Get the current user SID */
607 if (!GetTokenUser(hToken, &pTokenUser))
608 goto cleanup; /* callee printed a message */
609
610 /* Figure out the size of the new ACL */
611 dwNewAclSize = asi.AclBytesInUse + sizeof(ACCESS_ALLOWED_ACE) +
612 GetLengthSid(pTokenUser->User.Sid) - sizeof(DWORD);
613
614 /* Allocate the ACL buffer & initialize it */
615 pacl = (PACL) LocalAlloc(LPTR, dwNewAclSize);
616 if (pacl == NULL)
617 {
618 log_error(errcode(ERRCODE_OUT_OF_MEMORY),
619 _("out of memory"));
620 goto cleanup;
621 }
622
623 if (!InitializeAcl(pacl, dwNewAclSize, ACL_REVISION))
624 {
625 log_error(errcode(ERRCODE_SYSTEM_ERROR),
626 "could not initialize ACL: error code %lu", GetLastError());
627 goto cleanup;
628 }
629
630 /* Loop through the existing ACEs, and build the new ACL */
631 for (i = 0; i < (int) asi.AceCount; i++)
632 {
633 if (!GetAce(ptdd->DefaultDacl, i, (LPVOID *) &pace))
634 {
635 log_error(errcode(ERRCODE_SYSTEM_ERROR),
636 "could not get ACE: error code %lu", GetLastError());
637 goto cleanup;
638 }
639
640 if (!AddAce(pacl, ACL_REVISION, MAXDWORD, pace, ((PACE_HEADER) pace)->AceSize))
641 {
642 log_error(errcode(ERRCODE_SYSTEM_ERROR),
643 "could not add ACE: error code %lu", GetLastError());
644 goto cleanup;
645 }
646 }
647
648 /* Add the new ACE for the current user */
649 if (!AddAccessAllowedAceEx(pacl, ACL_REVISION, OBJECT_INHERIT_ACE, GENERIC_ALL, pTokenUser->User.Sid))
650 {
651 log_error(errcode(ERRCODE_SYSTEM_ERROR),
652 "could not add access allowed ACE: error code %lu",
653 GetLastError());
654 goto cleanup;
655 }
656
657 /* Set the new DACL in the token */
658 tddNew.DefaultDacl = pacl;
659
660 if (!SetTokenInformation(hToken, tic, (LPVOID) &tddNew, dwNewAclSize))
661 {
662 log_error(errcode(ERRCODE_SYSTEM_ERROR),
663 "could not set token information: error code %lu",
664 GetLastError());
665 goto cleanup;
666 }
667
668 ret = TRUE;
669
670 cleanup:
671 if (pTokenUser)
672 LocalFree((HLOCAL) pTokenUser);
673
674 if (pacl)
675 LocalFree((HLOCAL) pacl);
676
677 if (ptdd)
678 LocalFree((HLOCAL) ptdd);
679
680 return ret;
681 }
682
683 /*
684 * GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser)
685 *
686 * Get the users token information from a process token.
687 *
688 * The caller of this function is responsible for calling LocalFree() on the
689 * returned TOKEN_USER memory.
690 */
691 static BOOL
692 GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser)
693 {
694 DWORD dwLength;
695
696 *ppTokenUser = NULL;
697
698 if (!GetTokenInformation(hToken,
699 TokenUser,
700 NULL,
701 0,
702 &dwLength))
703 {
704 if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
705 {
706 *ppTokenUser = (PTOKEN_USER) LocalAlloc(LPTR, dwLength);
707
708 if (*ppTokenUser == NULL)
709 {
710 log_error(errcode(ERRCODE_OUT_OF_MEMORY),
711 _("out of memory"));
712 return FALSE;
713 }
714 }
715 else
716 {
717 log_error(errcode(ERRCODE_SYSTEM_ERROR),
718 "could not get token information buffer size: error code %lu",
719 GetLastError());
720 return FALSE;
721 }
722 }
723
724 if (!GetTokenInformation(hToken,
725 TokenUser,
726 *ppTokenUser,
727 dwLength,
728 &dwLength))
729 {
730 LocalFree(*ppTokenUser);
731 *ppTokenUser = NULL;
732
733 log_error(errcode(ERRCODE_SYSTEM_ERROR),
734 "could not get token information: error code %lu",
735 GetLastError());
736 return FALSE;
737 }
738
739 /* Memory in *ppTokenUser is LocalFree():d by the caller */
740 return TRUE;
741 }
742
743 #endif
Postgresql Clone from git://git.postgresql.org/git/postgresql.git