From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, Jan Wieck <JanWieck(at)Yahoo(dot)com>, Philip Warner <pjw(at)rhyme(dot)com(dot)au>, PostgreSQL HACKERS <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: fcntl(SETLK) [was Re: 2nd update on TOAST]
Date: 2000-07-08 14:26:17
Message-ID: Pine.LNX.4.21.0007081516550.348-100000@localhost.localdomain
Lists: pgsql-hackers
Tom Lane writes:
> Bruce and I were just talking by phone about this, and we realized that
> there is a completely different approach to making that decision: if you
> want to know whether there's an old postmaster connected to a socket
> file, try to connect to the old postmaster!
It seems that that would completely reverse the assumption of risk.
Currently, the postmaster may fail to start because there's a stale socket
file lying around, out of respect to a running colleague. With this idea
it would be the running postmaster's job to "defend" his socket against
newly starting colleagues. That doesn't seem fair.
What are our problems?
There's a possible DoS attack when someone else comes first and creates a
file /tmp/.s.PGSQL.5432. But detecting whether there's another program
running on that socket (if it's a socket) isn't going to help because you
most likely won't be able to delete it anyway. The solution to this is to
make the path of the socket file configurable more easily so that the
administrator has the choice of putting it in a safer place that he prepared
appropriately.
A complementary solution is of course to add an option to run without Unix
socket, since we don't rely on the socket file for data directory locking
anymore. In fact, does anybody mind if I add such an option? We can have
tcpip_socket = yes|no
unix_socket = yes|no
(Security-conscious users may choose to turn off both. :-))
The other problem is a socket file left behind by a crashed postmaster. I
don't consider this such a big problem; a crashed postmaster is not the
normal mode of operation. The friendly message we have right now seems
alright to me. And it's a way of telling that the postmaster crashed at all.
One idea to get the pid in there somewhere is creating a socket file
"/tmp/.s.PGSQL.port.pid" and making /tmp/.s.PGSQL.port a symlink to it.
Then clients don't know the difference, but the server knows the pid and
can take appropriate action. Or make the symlink the other way around, not
sure.
--
Peter Eisentraut Sernanders väg 10:115
peter_e(at)gmx(dot)net 75262 Uppsala
http://yi.org/peter-e/ Sweden
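An added example, not Peter's code and not anything from the PostgreSQL tree, of the two ideas in the message above: the "safer place that he prepared appropriately" for the socket directory, and the `.s.PGSQL.port.pid` file published through a `.s.PGSQL.port` symlink so that a starting server can read the owner's pid back. The function names, the `free`/`foreign`/`busy`/`stale` classification, the use of `kill(pid, 0)` as the liveness probe, and the rule that only a link this scheme itself created is ever removed are assumptions made here for illustration. The directory check is the part a practitioner would want against the `/tmp` pre-creation DoS: a directory only the server's uid can write to leaves no one else able to squat on the name.

```python
import errno
import os
import socket
import stat


def socket_dir_is_safe(sockdir: str) -> bool:
    """The 'prepared' directory (assumed policy): a real directory, not a
    symlink, owned by the effective uid and writable by nobody else, so no
    other local user can pre-create .s.PGSQL.<port> in it."""
    st = os.lstat(sockdir)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    return (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)) == 0


def link_name(sockdir: str, port: int) -> str:
    return os.path.join(sockdir, f".s.PGSQL.{port}")


def pid_is_alive(pid: int) -> bool:
    """kill(pid, 0) sends nothing; it only reports whether pid exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user
    return True


def create_socket_link(sockdir: str, port: int, pid: int) -> socket.socket:
    """Bind the real socket as .s.PGSQL.<port>.<pid>, then publish it under the
    client-visible name via a relative symlink. symlink(2) is atomic and fails
    with EEXIST if the name is taken, so two starting servers cannot both win.
    A failed bind leaves the existing file alone: it is not ours to delete."""
    real = f"{link_name(sockdir, port)}.{pid}"
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(real)
    except OSError:
        srv.close()
        raise
    try:
        srv.listen(1)
        os.symlink(os.path.basename(real), link_name(sockdir, port))
    except OSError:
        srv.close()
        os.unlink(real)
        raise
    return srv


def probe_socket_link(sockdir: str, port: int, is_alive=pid_is_alive):
    """Classify the client-visible name without deleting anything:
    ('free', None)     nothing there
    ('foreign', None)  something there that this scheme did not create
    ('busy', pid)      link names a pid that is still running
    ('stale', pid)     link names a pid that is gone (crashed postmaster)"""
    link = link_name(sockdir, port)
    try:
        target = os.readlink(link)
    except FileNotFoundError:
        return "free", None
    except OSError as e:
        if e.errno == errno.EINVAL:  # exists but is not a symlink
            return "foreign", None
        raise
    prefix = f".s.PGSQL.{port}."
    base = os.path.basename(target)
    if not base.startswith(prefix) or not base[len(prefix):].isdigit():
        return "foreign", None
    pid = int(base[len(prefix):])
    return ("busy" if is_alive(pid) else "stale"), pid


def remove_stale_link(sockdir: str, port: int, is_alive=pid_is_alive) -> bool:
    """Remove only what probe_socket_link classified as stale. The pid-named
    file is reached through the link, so a foreign file is never unlinked."""
    state, _ = probe_socket_link(sockdir, port, is_alive)
    if state != "stale":
        return False
    link = link_name(sockdir, port)
    real = os.path.join(sockdir, os.readlink(link))
    os.unlink(link)
    try:
        os.unlink(real)
    except FileNotFoundError:
        pass
    return True


if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()  # constructed stand-in for the prepared directory
    os.chmod(d, 0o700)
    srv = create_socket_link(d, 5432, os.getpid())
    print(socket_dir_is_safe(d), probe_socket_link(d, 5432))
    print(probe_socket_link(d, 5432, is_alive=lambda p: False))
    srv.close()
```

The `is_alive` parameter exists so the stale path can be exercised without waiting for a real process to die; in production it stays at `pid_is_alive`. Note that `kill(pid, 0)` only proves some process with that pid exists, not that it is a postmaster, which is why a "busy" verdict here should still refuse to start rather than reuse the name.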