Thread: Signals blocked during auth

Signals blocked during auth

From
Jan Wieck
Date:
Hi,
   fortunately  the problems with a malfunctioning client during   the authentication don't cause the v7.2  postmaster
to hang   any more (thanks to Peter and Tom). The client authentication   is moved into the forked off process.
 
   Now one little problem remains. If a bogus  client  causes  a   child  to  hang before becoming a real backend, this
childis   in the backend list of the postmaster, but  has  all  signals   blocked.  Thus, preventing the postmaster
frombeeing able to   shutdown.
 
   I think the correct behaviour should be to enable SIGTERM and   SIGQUIT  during  client  authentication and simply
exit(0)if   they occur. If so, what would be the best way  to  get  these   two signals out of the block mask?
 


Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#================================================== JanWieck@Yahoo.com #



_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com



Re: Signals blocked during auth

From
Tom Lane
Date:
Jan Wieck <JanWieck@Yahoo.com> writes:
>     Now one little problem remains. If a bogus  client  causes  a
>     child  to  hang before becoming a real backend, this child is
>     in the backend list of the postmaster, but  has  all  signals
>     blocked.  Thus, preventing the postmaster from beeing able to
>     shutdown.

I think this is fairly irrelevant, because a not-yet-backend should
have a fairly short timeout (a few seconds) before just shutting
down anyway, so that malfunctioning clients can't cause denial of
service; the particular case you mention is just one scenario.

I have been intending to implement this soon if Peter didn't.

OTOH, it'd be easy enough to turn on SIGTERM/SIGQUIT too, if you
think there's really any value in it.
        regards, tom lane


Re: Signals blocked during auth

From
Peter Eisentraut
Date:
Tom Lane writes:

> I think this is fairly irrelevant, because a not-yet-backend should
> have a fairly short timeout (a few seconds) before just shutting
> down anyway, so that malfunctioning clients can't cause denial of
> service; the particular case you mention is just one scenario.

I have a note here about an authentication timeout on the order of a few
minutes.  You never know what sort of things PAM or Kerberos can go
through behind the scenes.

> OTOH, it'd be easy enough to turn on SIGTERM/SIGQUIT too, if you
> think there's really any value in it.

I think that would be reasonable.

-- 
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter



Re: Signals blocked during auth

From
Jan Wieck
Date:
Peter Eisentraut wrote:
> Tom Lane writes:
>
> > I think this is fairly irrelevant, because a not-yet-backend should
> > have a fairly short timeout (a few seconds) before just shutting
> > down anyway, so that malfunctioning clients can't cause denial of
> > service; the particular case you mention is just one scenario.
>
> I have a note here about an authentication timeout on the order of a few
> minutes.  You never know what sort of things PAM or Kerberos can go
> through behind the scenes.
>
> > OTOH, it'd be easy enough to turn on SIGTERM/SIGQUIT too, if you
> > think there's really any value in it.
>
> I think that would be reasonable.
   OK,  I'll go ahead and enable these two during authentication   with a special signal handler that simply does
exit(0).  The   postmaster  expects all it's children to suicide anytime soon   more or less bloody depending on if he
send'sTERM  or  QUIT.   But  at least, they have to terminate without waiting for the   client or otherwise
infinitely.


Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#================================================== JanWieck@Yahoo.com #



_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com