1/*-------------------------------------------------------------------------
4 * Functions for signaling backends
6 * Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group
7 * Portions Copyright (c) 1994, Regents of the University of California
11 * src/backend/storage/ipc/signalfuncs.c
13 *-------------------------------------------------------------------------
27#include "utils/fmgrprotos.h"
31 * Send a signal to another backend.
33 * The signal is delivered if the user is either a superuser or the same
34 * role as the backend being signaled. For "dangerous" signals, an explicit
35 * check for superuser needs to be done prior to calling this function.
37 * Returns 0 on success, 1 on general failure, 2 on normal permission error,
38 * 3 if the caller needs to be a superuser, and 4 if the caller needs to have
39 * privileges of pg_signal_autovacuum_worker.
41 * In the event of a general failure (return code 1), a warning message will
42 * be emitted. For permission errors, doing that is the responsibility of
45 #define SIGNAL_BACKEND_SUCCESS 0
46 #define SIGNAL_BACKEND_ERROR 1
47 #define SIGNAL_BACKEND_NOPERMISSION 2
48 #define SIGNAL_BACKEND_NOSUPERUSER 3
49 #define SIGNAL_BACKEND_NOAUTOVAC 4
56 * BackendPidGetProc returns NULL if the pid isn't valid; but by the time
57 * we reach kill(), a process for which we get a valid proc here might
58 * have terminated on its own. There's no way to acquire a lock on an
59 * arbitrary process to prevent that. But since so far all the callers of
60 * this mechanism involve some request for ending the process anyway, that
61 * it might end on its own first is not a problem.
63 * Note that proc will also be NULL if the pid refers to an auxiliary
64 * process or the postmaster (neither of which can be signaled via
65 * pg_signal_backend()).
70 * This is just a warning so a loop-through-resultset will not abort
71 * if one backend terminated on its own during the run.
74 (
errmsg(
"PID %d is not a PostgreSQL backend process", pid)));
80 * Only allow superusers to signal superuser-owned backends. Any process
81 * not advertising a role might have the importance of a superuser-owned
82 * backend, so treat it that way. As an exception, we allow roles with
83 * privileges of pg_signal_autovacuum_worker to signal autovacuum workers
84 * (which do not advertise a role).
86 * Otherwise, users can signal backends for roles they have privileges of.
106 * Can the process we just validated above end, followed by the pid being
107 * recycled for a new process, before reaching here? Then we'd be trying
108 * to kill the wrong thing. Seems near impossible when sequential pid
109 * assignment and wraparound is used. Perhaps it could happen on a system
110 * where pid re-use is randomized. That race condition possibility seems
111 * too unlikely to worry about.
114 /* If we have setsid(), signal the backend's whole process group */
121 /* Again, just a warning to allow loops */
123 (
errmsg(
"could not send signal to process %d: %m", pid)));
130 * Signal to cancel a backend process. This is allowed if you are a member of
131 * the role whose process is being canceled.
133 * Note that only superusers can signal superuser-owned processes.
142 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
143 errmsg(
"permission denied to cancel query"),
144 errdetail(
"Only roles with the %s attribute may cancel queries of roles with the %s attribute.",
145 "SUPERUSER",
"SUPERUSER")));
149 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
150 errmsg(
"permission denied to cancel query"),
151 errdetail(
"Only roles with privileges of the \"%s\" role may cancel autovacuum workers.",
152 "pg_signal_autovacuum_worker")));
156 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
157 errmsg(
"permission denied to cancel query"),
158 errdetail(
"Only roles with privileges of the role whose query is being canceled or with privileges of the \"%s\" role may cancel this query.",
159 "pg_signal_backend")));
165 * Wait until there is no backend process with the given PID and return true.
166 * On timeout, a warning is emitted and false is returned.
172 * Wait in steps of waittime milliseconds until this function exits or
175 int64 waittime = 100;
178 * Initially remaining time is the entire timeout specified by the user.
180 int64 remainingtime = timeout;
183 * Check existence of the backend. If the backend still exists, then wait
184 * for waittime milliseconds, again check for the existence. Repeat this
185 * until timeout or an error occurs or a pending interrupt such as query
186 * cancel gets processed.
190 if (remainingtime < waittime)
191 waittime = remainingtime;
193 if (
kill(pid, 0) == -1)
199 (
errcode(ERRCODE_INTERNAL_ERROR),
200 errmsg(
"could not check the existence of the backend with PID %d: %m",
204 /* Process interrupts, if any, before waiting */
210 WAIT_EVENT_BACKEND_TERMINATION);
214 remainingtime -= waittime;
215 }
while (remainingtime > 0);
218 (
errmsg_plural(
"backend with PID %d did not terminate within %" PRId64
" millisecond",
219 "backend with PID %d did not terminate within %" PRId64
" milliseconds",
227 * Send a signal to terminate a backend process. This is allowed if you are a
228 * member of the role whose process is being terminated. If the timeout input
229 * argument is 0, then this function just signals the backend and returns
230 * true. If timeout is nonzero, then it waits until no process has the given
231 * PID; if the process ends within the timeout, true is returned, and if the
232 * timeout is exceeded, a warning is emitted and false is returned.
234 * Note that only superusers can signal superuser-owned processes.
241 int timeout;
/* milliseconds */
248 (
errcode(ERRCODE_NUMERIC_VALUE_OUT_OF_RANGE),
249 errmsg(
"\"timeout\" must not be negative")));
255 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
256 errmsg(
"permission denied to terminate process"),
257 errdetail(
"Only roles with the %s attribute may terminate processes of roles with the %s attribute.",
258 "SUPERUSER",
"SUPERUSER")));
262 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
263 errmsg(
"permission denied to terminate process"),
264 errdetail(
"Only roles with privileges of the \"%s\" role may terminate autovacuum workers.",
265 "pg_signal_autovacuum_worker")));
269 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
270 errmsg(
"permission denied to terminate process"),
271 errdetail(
"Only roles with privileges of the role whose process is being terminated or with privileges of the \"%s\" role may terminate this process.",
272 "pg_signal_backend")));
274 /* Wait only on success and if actually requested */
282 * Signal to reload the database configuration
284 * Permission checking for this function is managed through the normal
293 (
errmsg(
"failed to send signal to postmaster: %m")));
304 * Permission checking for this function is managed through the normal
313 (
errmsg(
"rotation not possible because log collection not active")));
bool has_privs_of_role(Oid member, Oid role)
BackendType pgstat_get_backend_type_by_proc_number(ProcNumber procNumber)
#define OidIsValid(objectId)
int errmsg_plural(const char *fmt_singular, const char *fmt_plural, unsigned long n,...)
int errdetail(const char *fmt,...)
int errcode(int sqlerrcode)
int errmsg(const char *fmt,...)
#define ereport(elevel,...)
#define PG_GETARG_INT64(n)
#define PG_GETARG_INT32(n)
#define PG_RETURN_BOOL(x)
void ResetLatch(Latch *latch)
int WaitLatch(Latch *latch, int wakeEvents, long timeout, uint32 wait_event_info)
#define CHECK_FOR_INTERRUPTS()
void SendPostmasterSignal(PMSignalReason reason)
@ PMSIGNAL_ROTATE_LOGFILE
#define GetNumberFromPGProc(proc)
PGPROC * BackendPidGetProc(int pid)
static int pg_signal_backend(int pid, int sig)
Datum pg_cancel_backend(PG_FUNCTION_ARGS)
#define SIGNAL_BACKEND_SUCCESS
#define SIGNAL_BACKEND_NOPERMISSION
Datum pg_rotate_logfile(PG_FUNCTION_ARGS)
#define SIGNAL_BACKEND_NOSUPERUSER
#define SIGNAL_BACKEND_NOAUTOVAC
Datum pg_reload_conf(PG_FUNCTION_ARGS)
Datum pg_terminate_backend(PG_FUNCTION_ARGS)
#define SIGNAL_BACKEND_ERROR
static bool pg_wait_until_termination(int pid, int64 timeout)
bool superuser_arg(Oid roleid)
#define WL_EXIT_ON_PM_DEATH