- 29 Dec, 2010 1 commit
  - Committed by Magnus Hagander
This privilege is required to do Streaming Replication, instead of superuser, making it possible to set up a SR slave that doesn't have write permissions on the master. Superuser privileges do NOT override this check, so in order to use the default superuser account for replication it must be explicitly granted the REPLICATION permissions. This is a backwards incompatible change, in the interest of higher default security.
- 28 Dec, 2010 2 commits
  - Committed by Bruce Momjian
  - Committed by Bruce Momjian
postmaster.pid file is larger than in previous major versions. This is a bug introduced when I added lines to the file recently.
- 24 Dec, 2010 1 commit
  - Committed by Bruce Momjian
port and socket directory into postmaster.pid, and have pg_ctl read from that file, for use by PQping().
- 21 Sep, 2010 1 commit
  - Committed by Magnus Hagander
- 17 Aug, 2010 1 commit
  - Committed by Tom Lane
socket lockfile) when writing them. The lack of an fsync here may well explain two different reports we've seen of corrupted lockfile contents, which doesn't particularly bother the running server but can prevent a new server from starting if the old one crashes. Per suggestion from Alvaro. Back-patch to all supported versions.
- 21 Apr, 2010 1 commit
  - Committed by Tom Lane
database to connect to. This is necessary for the walsender code to work properly (it was previously using an untenable assumption that template1 would always be available to connect to). This also gets rid of a small security shortcoming that was introduced in the original patch to eliminate the flat authentication files: before, you could find out whether or not the requested database existed even if you couldn't pass the authentication checks. The changes needed to support this are mainly just to treat pg_authid and pg_auth_members as nailed relations, so that we can read them without having to be able to locate real pg_class entries for them. This mechanism was already debugged for pg_database, but we hadn't recognized the value of applying it to those catalogs too. Since the current code doesn't have support for accessing toast tables before we've brought up all of the relcache, remove pg_authid's toast table to ensure that no one can store an out-of-line toasted value of rolpassword. The case seems quite unlikely to occur in practice, and was effectively unsupported anyway in the old "flatfiles" implementation. Update genbki.pl to actually implement the same rules as bootstrap.c does for not-nullability of catalog columns. The previous coding was a bit cheesy but worked all right for the previous set of bootstrap catalogs. It does not work for pg_authid, where rolvaliduntil needs to be nullable. Initdb forced due to minor catalog changes (mainly the toast table removal).
- 26 Feb, 2010 1 commit
  - Committed by Bruce Momjian
- 15 Feb, 2010 1 commit
  - Committed by Robert Haas
The purpose of this change is to eliminate the need for every caller of SearchSysCache, SearchSysCacheCopy, SearchSysCacheExists, GetSysCacheOid, and SearchSysCacheList to know the maximum number of allowable keys for a syscache entry (currently 4). This will make it far easier to increase the maximum number of keys in a future release should we choose to do so, and it makes the code shorter, too. Design and review by Tom Lane.
- 08 Feb, 2010 1 commit
  - Committed by Tom Lane
of shared or nailed system catalogs. This has two key benefits: * The new CLUSTER-based VACUUM FULL can be applied safely to all catalogs. * We no longer have to use an unsafe reindex-in-place approach for reindexing shared catalogs. CLUSTER on nailed catalogs now works too, although I left it disabled on shared catalogs because the resulting pg_index.indisclustered update would only be visible in one database. Since reindexing shared system catalogs is now fully transactional and crash-safe, the former special cases in REINDEX behavior have been removed; shared catalogs are treated the same as non-shared. This commit does not do anything about the recently-discussed problem of deadlocks between VACUUM FULL/CLUSTER on a system catalog and other concurrent queries; will address that in a separate patch. As a stopgap, parallel_schedule has been tweaked to run vacuum.sql by itself, to avoid such failures during the regression tests.
- 03 Jan, 2010 1 commit
  - Committed by Bruce Momjian
- 10 Dec, 2009 1 commit
  - Committed by Tom Lane
an allegedly immutable index function. It was previously recognized that we had to prevent such a function from executing SET/RESET ROLE/SESSION AUTHORIZATION, or it could trivially obtain the privileges of the session user. However, since there is in general no privilege checking for changes of session-local state, it is also possible for such a function to change settings in a way that might subvert later operations in the same session. Examples include changing search_path to cause an unexpected function to be called, or replacing an existing prepared statement with another one that will execute a function of the attacker's choosing. The present patch secures VACUUM, ANALYZE, and CREATE INDEX/REINDEX against these threats, which are the same places previously deemed to need protection against the SET ROLE issue. GUC changes are still allowed, since there are many useful cases for that, but we prevent security problems by forcing a rollback of any GUC change after completing the operation. Other cases are handled by throwing an error if any change is attempted; these include temp table creation, closing a cursor, and creating or deleting a prepared statement. (In 7.4, the infrastructure to roll back GUC changes doesn't exist, so we settle for rejecting changes of "search_path" in these contexts.) Original report and patch by Gurjeet Singh, additional analysis by Tom Lane. Security: CVE-2009-4136
- 08 Oct, 2009 1 commit
  - Committed by Alvaro Herrera
Create a new catalog pg_db_role_setting where they are now stored, and better encapsulate the code that deals with settings into its realm. The old datconfig and rolconfig columns are removed. psql has gained a \drds command to display the settings. Backwards compatibility warning: while the backwards-compatible system views still have the config columns, they no longer completely represent the configuration for a user or database. Catalog version bumped.
- 28 Aug, 2009 1 commit
  - Committed by Tom Lane
script. To do this, have pg_ctl pass down its parent shell's PID in an environment variable PG_GRANDPARENT_PID, and teach CreateLockFile() to disregard that PID as a false match if it finds it in postmaster.pid. This allows us to cope with one level of postgres-owned shell process even with pg_ctl in the way, so it's just as safe as starting the postmaster directly. You still have to be careful about how you write the initscript though. Adjust the comments in contrib/start-scripts/ to not deprecate use of pg_ctl. Also, fix the ROTATELOGS option in the OSX script, which was indulging in exactly the sort of unsafe coding that renders this fix pointless :-(. A pipe inside the "sudo" will probably result in more than one postgres-owned process hanging around.
- 13 Aug, 2009 1 commit
  - Committed by Tom Lane
To make this work in the base case, pg_database now has a nailed-in-cache relation descriptor that is initialized using hardwired knowledge in relcache.c. This means pg_database is added to the set of relations that need to have a Schema_pg_xxx macro maintained in pg_attribute.h. When this path is taken, we'll have to do a seqscan of pg_database to find the row we need. In the normal case, we are able to do an indexscan to find the database's row by name. This is made possible by storing a global relcache init file that describes only the shared catalogs and their indexes (and therefore is usable by all backends in any database). A new backend loads this cache file, finds its database OID after an indexscan on pg_database, and then loads the local relcache init file for that database. This change should effectively eliminate number of databases as a factor in backend startup time, even with large numbers of databases. However, the real reason for doing it is as a first step towards getting rid of the flat files altogether. There are still several other sub-projects to be tackled before that can happen.
- 11 Jun, 2009 1 commit
  - Committed by Bruce Momjian
provided by Andrew.
- 08 Apr, 2009 1 commit
  - Committed by Heikki Linnakangas
already did that on Windows, but it's needed on other platforms too when LC_CTYPE=C. With other locales, we enforce (or trust) that the codeset of the locale matches the server encoding so we don't need to bind it explicitly. It should do no harm in that case either, but I don't have full faith in the PG encoding -> OS codeset mapping table yet. Per recent discussion on pgsql-hackers.
- 09 Mar, 2009 1 commit
  - Committed by Alvaro Herrera
too, so that the codeset is properly mapped on the newly added PL domains.
- 05 Jan, 2009 1 commit
  - Committed by Tom Lane
re-loading a library already loaded into the postmaster. ITAGAKI Takahiro
- 04 Jan, 2009 1 commit
  - Committed by Tom Lane
when loaded via shared_preload_libraries. Needed for support of pg_stat_statements, or pretty much anything else that wants a GUC to control size of a shared memory allocation.
- 02 Jan, 2009 1 commit
  - Committed by Bruce Momjian
- 11 Dec, 2008 1 commit
  - Committed by Peter Eisentraut
to the gettext domain name, to simplify parallel installations. Also, rename set_text_domain() to pg_bindtextdomain(), because that is what it does.
- 10 Oct, 2008 1 commit
  - Committed by Alvaro Herrera
the ereport macro. Included in this commit are enough files for starting plpgsql, plpython, plperl and pltcl translations.
- 28 Mar, 2008 1 commit
  - Committed by Bruce Momjian
Windows. Users should use their operating system tools instead.
- 04 Jan, 2008 1 commit
  - Committed by Tom Lane
and CLUSTER) execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used for SECURITY DEFINER functions. The purpose of this change is to ensure that user-defined functions used in index definitions cannot acquire the privileges of a superuser account that is performing routine maintenance. While a function used in an index is supposed to be IMMUTABLE and thus not able to do anything very interesting, there are several easy ways around that restriction; and even if we could plug them all, there would remain a risk of reading sensitive information and broadcasting it through a covert channel such as CPU usage. To prevent bypassing this security measure, execution of SET SESSION AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context. Thanks to Itagaki Takahiro for reporting this vulnerability. Security: CVE-2007-6600
- 02 Jan, 2008 1 commit
  - Committed by Bruce Momjian
- 11 Sep, 2007 1 commit
  - Committed by Tom Lane
transaction, unless rolled back or overridden by a SET clause for the same variable attached to a surrounding function call. Per discussion, these seem the best semantics. Note that this is an INCOMPATIBLE CHANGE: in 8.0 through 8.2, SET LOCAL's effects disappeared at subtransaction commit (leading to behavior that made little sense at the SQL level). I took advantage of the opportunity to rewrite and simplify the GUC variable save/restore logic a little bit. The old idea of a "tentative" value is gone; it was a hangover from before we had a stack. Also, we no longer need a stack entry for every nesting level, but only for those in which a variable's value actually changed.
- 03 Sep, 2007 1 commit
  - Committed by Tom Lane
There are still some loose ends: I didn't do anything about the SET FROM CURRENT idea yet, and it's not real clear whether we are happy with the interaction of SET LOCAL with function-local settings. The documentation is a bit spartan, too.
- 16 Feb, 2007 1 commit
  - Committed by Alvaro Herrera
continuously, and requests vacuum runs of "autovacuum workers" to postmaster. The workers do the actual vacuum work. This allows for future improvements, like allowing multiple autovacuum jobs running in parallel. For now, the code keeps the original behavior of having a single autovac process at any time by sleeping until the previous worker has finished.
- 02 Feb, 2007 1 commit
  - Committed by Bruce Momjian
Standard English uses "may", "can", and "might" in different ways: may - permission, "You may borrow my rake." can - ability, "I can lift that log." might - possibility, "It might rain today." Unfortunately, in conversational English, their use is often mixed, as in, "You may use this variable to do X", when in fact, "can" is a better choice. Similarly, "It may crash" is better stated, "It might crash".
- 06 Jan, 2007 1 commit
  - Committed by Bruce Momjian
back-stamped for this.
- 04 Oct, 2006 1 commit
  - Committed by Bruce Momjian
- 16 Aug, 2006 2 commits
  - Committed by Tom Lane
Per buildfarm results from warthog.
  - Committed by Tom Lane
such as debugging and performance measurement. This consists of two features: a table of "rendezvous variables" that allows separately-loaded shared libraries to communicate, and a new GUC setting "local_preload_libraries" that allows libraries to be loaded into specific sessions without explicit cooperation from the client application. To make local_preload_libraries as flexible as possible, we do not restrict its use to superusers; instead, it is restricted to load only libraries stored in $libdir/plugins/. The existing LOAD command has also been modified to allow non-superusers to LOAD libraries stored in this directory. This patch also renames the existing GUC variable preload_libraries to shared_preload_libraries (after a suggestion by Simon Riggs) and does some code refactoring in dfmgr.c to improve clarity. Korry Douglas, with a little help from Tom Lane.
- 09 Aug, 2006 1 commit
  - Committed by Tom Lane
loaded libraries: call functions _PG_init() and _PG_fini() if the library defines such symbols. Hence we no longer need to specify an initialization function in preload_libraries: we can assume that the library used the _PG_init() convention, instead. This removes one source of pilot error in use of preloaded libraries. Original patch by Ralf Engelschall, preload_libraries changes by me.
- 14 Jul, 2006 1 commit
  - Committed by Bruce Momjian
- 05 Mar, 2006 1 commit
  - Committed by Bruce Momjian
- 05 Jan, 2006 2 commits
  - Committed by Peter Eisentraut
http://archives.postgresql.org/pgsql-hackers/2006-01/msg00151.php for the complete plan.
  - Committed by Bruce Momjian
- 23 Nov, 2005 1 commit
  - Committed by Bruce Momjian
comment line where output as too long, and update typedefs for /lib directory. Also fix case where identifiers were used as variable names in the backend, but as typedefs in ecpg (favor the backend for indenting). Backpatch to 8.1.X.