Add code to prevent transaction ID wraparound by enforcing a safe limit

in GetNewTransactionId(). Since the limit value has to be computed before we run any real transactions, this requires adding code to database startup to scan pg_database and determine the oldest datfrozenxid. This can conveniently be combined with the first stage of an attack on the problem that the 'flat file' copies of pg_shadow and pg_group are not properly updated during WAL recovery. The code I've added to startup resides in a new file src/backend/utils/init/flatfiles.c, and it is responsible for rewriting the flat files as well as initializing the XID wraparound limit value. This will eventually allow us to get rid of GetRawDatabaseInfo too, but we'll need an initdb so we can add a trigger to pg_database.
2025-11-10 17:42:29 +03:00 · 2005-02-20 02:22:07 +00:00
parent 617d16f4ff
commit 60b2444cc3
15 changed files with 1191 additions and 571 deletions
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -37,7 +37,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/postmaster/postmaster.c,v 1.443 2005/01/12 16:38:17 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/postmaster/postmaster.c,v 1.444 2005/02/20 02:21:54 tgl Exp $
 *
 * NOTES
 *
@@ -903,12 +903,10 @@ PostmasterMain(int argc, char *argv[])
 	pgstat_init();

 	/*
-	 * Load cached files for client authentication.
+	 * Load configuration files for client authentication.
 	 */
 	load_hba();
 	load_ident();
-	load_user();
-	load_group();

 	/*
 	 * We're ready to rock and roll...
@@ -1797,6 +1795,8 @@ SIGHUP_handler(SIGNAL_ARGS)
 		if (SysLoggerPID != 0)
 			kill(SysLoggerPID, SIGHUP);
 		/* PgStatPID does not currently need SIGHUP */
+
+		/* Reload authentication config files too */
 		load_hba();
 		load_ident();

@@ -2006,6 +2006,14 @@ reaper(SIGNAL_ARGS)
 			 */
 			FatalError = false;

+			/*
+			 * Load the flat user/group files into postmaster's caches.
+			 * The startup process has recomputed these from the database
+			 * contents, so we wait till it finishes before loading them.
+			 */
+			load_user();
+			load_group();
+
 			/*
 			 * Crank up the background writer.	It doesn't matter if this
 			 * fails, we'll just try again later.
@@ -2662,7 +2670,7 @@ BackendRun(Port *port)
 	port->remote_port = strdup(remote_port);

 	/*
-	 * In EXEC_BACKEND case, we didn't inherit the contents of pg_hba.c
+	 * In EXEC_BACKEND case, we didn't inherit the contents of pg_hba.conf
 	 * etcetera from the postmaster, and have to load them ourselves.
 	 * Build the PostmasterContext (which didn't exist before, in this
 	 * process) to contain the data.