Treat EPERM as a non-error case when checking to see if old postmaster

is still alive. This improves our odds of not getting fooled by an unrelated process when checking a stale lock file. Other checks already in place, plus one newly added in checkDataDir(), ensure that we cannot attempt to usurp the place of a postmaster belonging to a different userid, so there is no need to error out. Add comments indicating the importance of these other checks.
2025-06-13 07:41:39 +03:00 · 2005-03-18 03:48:49 +00:00
parent d344505d1b
commit 7a969cad2e
2 changed files with 46 additions and 5 deletions
--- a/src/backend/utils/init/miscinit.c
+++ b/src/backend/utils/init/miscinit.c
@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/init/miscinit.c,v 1.137 2004/12/31 22:01:40 pgsql Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/init/miscinit.c,v 1.138 2005/03/18 03:48:49 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -505,6 +505,9 @@ CreateLockFile(const char *filename, bool amPostmaster,
 	{
 		/*
 		 * Try to create the lock file --- O_EXCL makes this atomic.
+		 *
+		 * Think not to make the file protection weaker than 0600.  See
+		 * comments below.
 		 */
 		fd = open(filename, O_RDWR | O_CREAT | O_EXCL, 0600);
 		if (fd >= 0)
@ -564,6 +567,21 @@ CreateLockFile(const char *filename, bool amPostmaster,
 		 * then all but the immediate parent shell will be root-owned processes
 		 * and so the kill test will fail with EPERM.
 		 *
+		 * We can treat the EPERM-error case as okay because that error implies
+		 * that the existing process has a different userid than we do, which
+		 * means it cannot be a competing postmaster.  A postmaster cannot
+		 * successfully attach to a data directory owned by a userid other
+		 * than its own.  (This is now checked directly in checkDataDir(),
+		 * but has been true for a long time because of the restriction that
+		 * the data directory isn't group- or world-accessible.)  Also,
+		 * since we create the lockfiles mode 600, we'd have failed above
+		 * if the lockfile belonged to another userid --- which means that
+		 * whatever process kill() is reporting about isn't the one that
+		 * made the lockfile.  (NOTE: this last consideration is the only
+		 * one that keeps us from blowing away a Unix socket file belonging
+		 * to an instance of Postgres being run by someone else, at least
+		 * on machines where /tmp hasn't got a stickybit.)
+		 *
 		 * Windows hasn't got getppid(), but doesn't need it since it's not
 		 * using real kill() either...
 		 *
@ -577,11 +595,11 @@ CreateLockFile(const char *filename, bool amPostmaster,
 			)
 		{
 			if (kill(other_pid, 0) == 0 ||
-				(errno != ESRCH
+				(errno != ESRCH &&
 #ifdef __BEOS__
-				 && errno != EINVAL
+				 errno != EINVAL &&
 #endif
-				 ))
+				 errno != EPERM))
 			{
 				/* lockfile belongs to a live process */
 				ereport(FATAL,