1 /*-------------------------------------------------------------------------
4 * Functions for direct access to files
7 * Copyright (c) 2004-2019, PostgreSQL Global Development Group
9 * Author: Andreas Pflug <pgadmin@pse-consulting.de>
12 * src/backend/utils/adt/genfile.c
14 *-------------------------------------------------------------------------
23 #include "access/htup_details.h"
24 #include "access/xlog_internal.h"
25 #include "catalog/pg_authid.h"
26 #include "catalog/pg_tablespace_d.h"
27 #include "catalog/pg_type.h"
29 #include "mb/pg_wchar.h"
30 #include "miscadmin.h"
31 #include "postmaster/syslogger.h"
32 #include "storage/fd.h"
33 #include "utils/builtins.h"
34 #include "utils/memutils.h"
35 #include "utils/syscache.h"
36 #include "utils/timestamp.h"
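/*
 * Per-query state for the directory-listing set-returning functions.  It is
 * allocated on the first call and read back from funcctx->user_fctx on every
 * later call.  The listing had dropped every line of this typedef except the
 * last member; the other members and the type name are the ones the functions
 * below use.
 */
typedef struct
{
    char       *location;           /* path handed to AllocateDir()/ReadDir() */
    DIR        *dirdesc;            /* handle returned by AllocateDir() */
    bool        include_dot_dirs;   /* pg_ls_dir: also return "." and ".." */
} directory_fctx;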
/*
 * Convert a "text" filename argument to a C string and check that the
 * calling role is allowed to read it.
 *
 * The name may be absolute or relative to DataDir.  Members of the
 * 'pg_read_server_files' role may name any path.  For every other role an
 * absolute path must not contain ".." and must lie under DataDir or under
 * Log_directory (when Log_directory is itself absolute); a relative path must
 * stay in or below the current directory.
 *
 * Only 'read' access is checked.  Do not use this function for 'write' or
 * 'program' access without first extending it to take the kind of access as
 * an argument and to test the matching role membership.
 *
 * NOTE(review): the checks run on the canonicalized string.  Nothing visible
 * here resolves symbolic links, so a link placed under an allowed directory
 * is presumably followed by the caller's later stat()/open() -- confirm that
 * this is accepted for roles outside 'pg_read_server_files'.
 *
 * Returns the canonicalized path; raises ERRCODE_INSUFFICIENT_PRIVILEGE when
 * the path is not allowed.
 */
static char *
convert_and_check_filename(text *arg)
{
    char       *path = text_to_cstring(arg);
    bool        in_allowed_dir;

    canonicalize_path(path);    /* path can change length here */

    /*
     * Members of 'pg_read_server_files' may read any file the server's OS
     * user can read, so no path restriction applies to them.
     */
    if (is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_SERVER_FILES))
        return path;

    /* Everyone else: relative paths must stay inside the working directory */
    if (!is_absolute_path(path))
    {
        if (!path_is_relative_and_below_cwd(path))
            ereport(ERROR,
                    (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                     (errmsg("path must be in or below the current directory"))));
        return path;
    }

    /* Disallow '/a/b/data/..' */
    if (path_contains_parent_reference(path))
        ereport(ERROR,
                (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                 (errmsg("reference to parent directory (\"..\") not allowed"))));

    /*
     * Absolute paths are allowed only within DataDir or Log_directory; the
     * latter is listed separately because it may be outside DataDir.
     */
    in_allowed_dir = path_is_prefix_of_path(DataDir, path) ||
        (is_absolute_path(Log_directory) &&
         path_is_prefix_of_path(Log_directory, path));
    if (!in_allowed_dir)
        ereport(ERROR,
                (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                 (errmsg("absolute path not allowed"))));

    return path;
}
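/*
 * Read a section of a file, returning it as bytea
 *
 * Caller is responsible for all permissions checking.
 *
 * We read the whole of the file when bytes_to_read is negative.  A negative
 * seek_offset is measured from the end of the file.
 *
 * Returns NULL when the file does not exist and missing_ok is set; any other
 * failure to stat, open, seek or read raises an error.
 *
 * The "whole file" length comes from stat() by name, before the file is
 * opened, so it can be stale by the time of the read.  The length stored in
 * the result is the count fread() returned, never st_size, so a file that
 * shrank in between yields a shorter value and one that grew is cut off at
 * the size seen by stat().
 *
 * NOTE(review): the listing does not show this function's storage class; it
 * is written without "static" here -- confirm against its declaration.
 */
bytea *
read_binary_file(const char *filename, int64 seek_offset, int64 bytes_to_read,
                 bool missing_ok)
{
    bytea      *buf;
    size_t      nbytes;
    FILE       *file;

    if (bytes_to_read < 0)
    {
        if (seek_offset < 0)
            bytes_to_read = -seek_offset;
        else
        {
            struct stat fst;

            if (stat(filename, &fst) < 0)
            {
                if (missing_ok && errno == ENOENT)
                    return NULL;
                else
                    ereport(ERROR,
                            (errcode_for_file_access(),
                             errmsg("could not stat file \"%s\": %m", filename)));
            }

            bytes_to_read = fst.st_size - seek_offset;

            /*
             * An offset beyond the end of the file leaves nothing to read.
             * Without this clamp the negative difference passes the upper
             * bound check below and is cast to an enormous Size for palloc.
             */
            if (bytes_to_read < 0)
                bytes_to_read = 0;
        }
    }

    /* not sure why anyone thought that int64 length was a good idea */
    if (bytes_to_read > (MaxAllocSize - VARHDRSZ))
        ereport(ERROR,
                (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
                 errmsg("requested length too large")));

    if ((file = AllocateFile(filename, PG_BINARY_R)) == NULL)
    {
        if (missing_ok && errno == ENOENT)
            return NULL;
        else
            ereport(ERROR,
                    (errcode_for_file_access(),
                     errmsg("could not open file \"%s\" for reading: %m",
                            filename)));
    }

    if (fseeko(file, (off_t) seek_offset,
               (seek_offset >= 0) ? SEEK_SET : SEEK_END) != 0)
        ereport(ERROR,
                (errcode_for_file_access(),
                 errmsg("could not seek in file \"%s\": %m", filename)));

    buf = (bytea *) palloc((Size) bytes_to_read + VARHDRSZ);

    nbytes = fread(VARDATA(buf), 1, (size_t) bytes_to_read, file);

    if (ferror(file))
        ereport(ERROR,
                (errcode_for_file_access(),
                 errmsg("could not read file \"%s\": %m", filename)));

    /* size the value by what was actually read, which may be a short count */
    SET_VARSIZE(buf, nbytes + VARHDRSZ);

    FreeFile(file);

    return buf;
}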
/*
 * Similar to read_binary_file, but we verify that the contents are valid
 * in the database encoding.
 *
 * Returns NULL when read_binary_file does (missing file with missing_ok).
 * Permission checking is left to the caller, as in read_binary_file.
 */
static text *
read_text_file(const char *filename, int64 seek_offset, int64 bytes_to_read,
               bool missing_ok)
{
    bytea      *raw = read_binary_file(filename, seek_offset, bytes_to_read,
                                       missing_ok);

    if (raw == NULL)
        return NULL;

    /*
     * Make sure the input is valid.  File contents are untrusted bytes; with
     * noError = false an invalid sequence raises an error instead of being
     * returned as text.
     */
    pg_verifymbstr(VARDATA(raw), VARSIZE(raw) - VARHDRSZ, false);

    /* OK, we can cast it to text safely */
    return (text *) raw;
}
/*
 * Read a section of a file, returning it as text
 *
 * This function is kept to support adminpack 1.0.
 *
 * Unlike pg_read_file_v2 it requires superuser, and that test runs before
 * any argument is parsed or any path is touched.  Returns SQL NULL when the
 * file is missing and the fourth argument (missing_ok) is true.
 */
Datum
pg_read_file(PG_FUNCTION_ARGS)
{
    text       *name_arg = PG_GETARG_TEXT_PP(0);
    int64       seek_offset = 0;
    int64       bytes_to_read = -1;     /* negative: read the whole file */
    bool        missing_ok = false;
    char       *path;
    text       *contents;

    if (!superuser())
        ereport(ERROR,
                (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                 (errmsg("must be superuser to read files with adminpack 1.0"),
        /* translator: %s is a SQL function name */
                  errhint("Consider using %s, which is part of core, instead.",
                          "pg_file_read()"))));

    /* handle optional arguments */
    if (PG_NARGS() >= 3)
    {
        seek_offset = PG_GETARG_INT64(1);
        bytes_to_read = PG_GETARG_INT64(2);

        /* an explicit length must not select the "whole file" mode */
        if (bytes_to_read < 0)
            ereport(ERROR,
                    (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
                     errmsg("requested length cannot be negative")));
    }
    if (PG_NARGS() >= 4)
        missing_ok = PG_GETARG_BOOL(3);

    path = convert_and_check_filename(name_arg);

    contents = read_text_file(path, seek_offset, bytes_to_read, missing_ok);
    if (contents == NULL)
        PG_RETURN_NULL();

    PG_RETURN_TEXT_P(contents);
}
/*
 * Read a section of a file, returning it as text
 *
 * No superuser check done here- instead privileges are handled by the
 * GRANT system.  The only restriction applied in C is the path check in
 * convert_and_check_filename, which members of 'pg_read_server_files'
 * bypass.  Returns SQL NULL when the file is missing and missing_ok is true.
 */
Datum
pg_read_file_v2(PG_FUNCTION_ARGS)
{
    text       *name_arg = PG_GETARG_TEXT_PP(0);
    int64       seek_offset = 0;
    int64       bytes_to_read = -1;     /* negative: read the whole file */
    bool        missing_ok = false;
    char       *path;
    text       *contents;

    /* handle optional arguments */
    if (PG_NARGS() >= 3)
    {
        seek_offset = PG_GETARG_INT64(1);
        bytes_to_read = PG_GETARG_INT64(2);

        /* an explicit length must not select the "whole file" mode */
        if (bytes_to_read < 0)
            ereport(ERROR,
                    (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
                     errmsg("requested length cannot be negative")));
    }
    if (PG_NARGS() >= 4)
        missing_ok = PG_GETARG_BOOL(3);

    path = convert_and_check_filename(name_arg);

    contents = read_text_file(path, seek_offset, bytes_to_read, missing_ok);
    if (contents == NULL)
        PG_RETURN_NULL();

    PG_RETURN_TEXT_P(contents);
}
/*
 * Read a section of a file, returning it as bytea
 *
 * The path is vetted by convert_and_check_filename; no other privilege test
 * is made in this function.  Unlike the text variants the bytes are returned
 * without encoding verification.  Returns SQL NULL when the file is missing
 * and missing_ok is true.
 */
Datum
pg_read_binary_file(PG_FUNCTION_ARGS)
{
    text       *name_arg = PG_GETARG_TEXT_PP(0);
    int64       seek_offset = 0;
    int64       bytes_to_read = -1;     /* negative: read the whole file */
    bool        missing_ok = false;
    char       *path;
    bytea      *contents;

    /* handle optional arguments */
    if (PG_NARGS() >= 3)
    {
        seek_offset = PG_GETARG_INT64(1);
        bytes_to_read = PG_GETARG_INT64(2);

        /* an explicit length must not select the "whole file" mode */
        if (bytes_to_read < 0)
            ereport(ERROR,
                    (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
                     errmsg("requested length cannot be negative")));
    }
    if (PG_NARGS() >= 4)
        missing_ok = PG_GETARG_BOOL(3);

    path = convert_and_check_filename(name_arg);

    contents = read_binary_file(path, seek_offset, bytes_to_read, missing_ok);
    if (contents == NULL)
        PG_RETURN_NULL();

    PG_RETURN_BYTEA_P(contents);
}
/*
 * Wrapper functions for the 1 and 3 argument variants of pg_read_file_v2()
 * and pg_read_binary_file().
 *
 * These are necessary to pass the sanity check in opr_sanity, which checks
 * that all built-in functions that share the implementing C function take
 * the same number of arguments.
 */
Datum
pg_read_file_off_len(PG_FUNCTION_ARGS)
{
    /*
     * fcinfo is handed on untouched, so the callee's PG_NARGS() tests and its
     * path check see exactly what the SQL caller passed.
     */
    Datum       result = pg_read_file_v2(fcinfo);

    return result;
}
/*
 * Forwarder to pg_read_file_v2(); presumably the filename-only SQL form,
 * going by the name -- confirm against the catalog entry.
 */
Datum
pg_read_file_all(PG_FUNCTION_ARGS)
{
    /* fcinfo is handed on untouched; all checks happen in the callee */
    Datum       result = pg_read_file_v2(fcinfo);

    return result;
}
/*
 * Forwarder to pg_read_binary_file(); presumably the (filename, offset,
 * length) SQL form, going by the name -- confirm against the catalog entry.
 */
Datum
pg_read_binary_file_off_len(PG_FUNCTION_ARGS)
{
    /* fcinfo is handed on untouched; all checks happen in the callee */
    Datum       result = pg_read_binary_file(fcinfo);

    return result;
}
/*
 * Forwarder to pg_read_binary_file(); presumably the filename-only SQL form,
 * going by the name -- confirm against the catalog entry.
 */
Datum
pg_read_binary_file_all(PG_FUNCTION_ARGS)
{
    /* fcinfo is handed on untouched; all checks happen in the callee */
    Datum       result = pg_read_binary_file(fcinfo);

    return result;
}
/*
 * stat a file
 *
 * Returns one row (size, access, modification, change, creation, isdir) for
 * the named path, or SQL NULL when the path is missing and the optional
 * second argument (missing_ok) is true.  The path goes through
 * convert_and_check_filename first, so the same rules that govern reading a
 * file govern learning its metadata.
 */
Datum
pg_stat_file(PG_FUNCTION_ARGS)
{
    text       *name_arg = PG_GETARG_TEXT_PP(0);
    bool        missing_ok = false;
    char       *path;
    struct stat st;
    TupleDesc   rowtype;
    Datum       values[6];
    bool        isnull[6];
    HeapTuple   row;

    /* check the optional argument */
    if (PG_NARGS() == 2)
        missing_ok = PG_GETARG_BOOL(1);

    path = convert_and_check_filename(name_arg);

    if (stat(path, &st) < 0)
    {
        if (missing_ok && errno == ENOENT)
            PG_RETURN_NULL();

        ereport(ERROR,
                (errcode_for_file_access(),
                 errmsg("could not stat file \"%s\": %m", path)));
    }

    /*
     * This record type had better match the output parameters declared for me
     * in the catalog.
     */
    rowtype = CreateTemplateTupleDesc(6);
    TupleDescInitEntry(rowtype, (AttrNumber) 1,
                       "size", INT8OID, -1, 0);
    TupleDescInitEntry(rowtype, (AttrNumber) 2,
                       "access", TIMESTAMPTZOID, -1, 0);
    TupleDescInitEntry(rowtype, (AttrNumber) 3,
                       "modification", TIMESTAMPTZOID, -1, 0);
    TupleDescInitEntry(rowtype, (AttrNumber) 4,
                       "change", TIMESTAMPTZOID, -1, 0);
    TupleDescInitEntry(rowtype, (AttrNumber) 5,
                       "creation", TIMESTAMPTZOID, -1, 0);
    TupleDescInitEntry(rowtype, (AttrNumber) 6,
                       "isdir", BOOLOID, -1, 0);
    BlessTupleDesc(rowtype);

    memset(isnull, false, sizeof(isnull));

    values[0] = Int64GetDatum((int64) st.st_size);
    values[1] = TimestampTzGetDatum(time_t_to_timestamptz(st.st_atime));
    values[2] = TimestampTzGetDatum(time_t_to_timestamptz(st.st_mtime));
    /* Unix has file status change time, while Win32 has creation time */
#if !defined(WIN32) && !defined(__CYGWIN__)
    values[3] = TimestampTzGetDatum(time_t_to_timestamptz(st.st_ctime));
    isnull[4] = true;
#else
    isnull[3] = true;
    values[4] = TimestampTzGetDatum(time_t_to_timestamptz(st.st_ctime));
#endif
    values[5] = BoolGetDatum(S_ISDIR(st.st_mode));

    row = heap_form_tuple(rowtype, values, isnull);

    pfree(path);

    PG_RETURN_DATUM(HeapTupleGetDatum(row));
}
/*
 * stat a file (1 argument version)
 *
 * note: this wrapper is necessary to pass the sanity check in opr_sanity,
 * which checks that all built-in functions that share the implementing C
 * function take the same number of arguments
 */
Datum
pg_stat_file_1arg(PG_FUNCTION_ARGS)
{
    /* fcinfo is handed on untouched; the path check happens in the callee */
    Datum       result = pg_stat_file(fcinfo);

    return result;
}
/*
 * List a directory (returns the filenames only)
 *
 * Set-returning function: the first call vets the path with
 * convert_and_check_filename and opens the directory; each call after that
 * returns one entry name.  With three arguments, missing_ok makes a missing
 * directory yield an empty set, and include_dot_dirs keeps "." and ".." in
 * the output.
 */
Datum
pg_ls_dir(PG_FUNCTION_ARGS)
{
    FuncCallContext *funcctx;
    struct dirent *entry;
    directory_fctx *fctx;
    MemoryContext oldcontext;

    if (SRF_IS_FIRSTCALL())
    {
        bool        missing_ok = false;
        bool        include_dot_dirs = false;

        /* check the optional arguments */
        if (PG_NARGS() == 3)
        {
            if (!PG_ARGISNULL(1))
                missing_ok = PG_GETARG_BOOL(1);
            if (!PG_ARGISNULL(2))
                include_dot_dirs = PG_GETARG_BOOL(2);
        }

        /* state that must outlive this call lives in the multi-call context */
        funcctx = SRF_FIRSTCALL_INIT();
        oldcontext = MemoryContextSwitchTo(funcctx->multi_call_memory_ctx);

        fctx = palloc(sizeof(directory_fctx));
        fctx->include_dot_dirs = include_dot_dirs;

        /* the privilege/path check happens once, before the directory opens */
        fctx->location = convert_and_check_filename(PG_GETARG_TEXT_PP(0));
        fctx->dirdesc = AllocateDir(fctx->location);

        if (fctx->dirdesc == NULL)
        {
            if (missing_ok && errno == ENOENT)
            {
                MemoryContextSwitchTo(oldcontext);
                SRF_RETURN_DONE(funcctx);
            }

            ereport(ERROR,
                    (errcode_for_file_access(),
                     errmsg("could not open directory \"%s\": %m",
                            fctx->location)));
        }
        funcctx->user_fctx = fctx;
        MemoryContextSwitchTo(oldcontext);
    }

    funcctx = SRF_PERCALL_SETUP();
    fctx = (directory_fctx *) funcctx->user_fctx;

    while ((entry = ReadDir(fctx->dirdesc, fctx->location)) != NULL)
    {
        bool        is_dot_entry = (strcmp(entry->d_name, ".") == 0 ||
                                    strcmp(entry->d_name, "..") == 0);

        if (is_dot_entry && !fctx->include_dot_dirs)
            continue;

        SRF_RETURN_NEXT(funcctx, CStringGetTextDatum(entry->d_name));
    }

    FreeDir(fctx->dirdesc);

    SRF_RETURN_DONE(funcctx);
}
/*
 * List a directory (1 argument version)
 *
 * note: this wrapper is necessary to pass the sanity check in opr_sanity,
 * which checks that all built-in functions that share the implementing C
 * function take the same number of arguments.
 */
Datum
pg_ls_dir_1arg(PG_FUNCTION_ARGS)
{
    /* fcinfo is handed on untouched; the path check happens in the callee */
    Datum       result = pg_ls_dir(fcinfo);

    return result;
}
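/*
 * Generic function to return a directory listing of files
 *
 * Set-returning function producing (name, size, modification) for each
 * regular, non-hidden file directly inside dir.  A missing directory yields
 * an empty set when missing_ok is true and an error otherwise.
 *
 * dir is used as given: this function makes no privilege or path check, so
 * each caller must pass a fixed, trusted location and rely on its own access
 * control.
 *
 * Changes from the listed code: a file that disappears between ReadDir() and
 * stat() is skipped rather than failing the whole listing, and the stat
 * error names the file that could not be examined (the message used to say
 * "directory" and print dir).
 */
static Datum
pg_ls_dir_files(FunctionCallInfo fcinfo, const char *dir, bool missing_ok)
{
    FuncCallContext *funcctx;
    struct dirent *de;
    directory_fctx *fctx;

    if (SRF_IS_FIRSTCALL())
    {
        MemoryContext oldcontext;
        TupleDesc   tupdesc;

        /* state that must outlive this call lives in the multi-call context */
        funcctx = SRF_FIRSTCALL_INIT();
        oldcontext = MemoryContextSwitchTo(funcctx->multi_call_memory_ctx);

        fctx = palloc(sizeof(directory_fctx));

        tupdesc = CreateTemplateTupleDesc(3);
        TupleDescInitEntry(tupdesc, (AttrNumber) 1, "name",
                           TEXTOID, -1, 0);
        TupleDescInitEntry(tupdesc, (AttrNumber) 2, "size",
                           INT8OID, -1, 0);
        TupleDescInitEntry(tupdesc, (AttrNumber) 3, "modification",
                           TIMESTAMPTZOID, -1, 0);
        funcctx->tuple_desc = BlessTupleDesc(tupdesc);

        /* copy dir: the caller's buffer may not survive until the next call */
        fctx->location = pstrdup(dir);
        fctx->dirdesc = AllocateDir(fctx->location);

        if (!fctx->dirdesc)
        {
            if (missing_ok && errno == ENOENT)
            {
                MemoryContextSwitchTo(oldcontext);
                SRF_RETURN_DONE(funcctx);
            }
            else
                ereport(ERROR,
                        (errcode_for_file_access(),
                         errmsg("could not open directory \"%s\": %m",
                                fctx->location)));
        }

        funcctx->user_fctx = fctx;
        MemoryContextSwitchTo(oldcontext);
    }

    funcctx = SRF_PERCALL_SETUP();
    fctx = (directory_fctx *) funcctx->user_fctx;

    while ((de = ReadDir(fctx->dirdesc, fctx->location)) != NULL)
    {
        Datum       values[3];
        bool        nulls[3];
        char        path[MAXPGPATH * 2];
        struct stat attrib;
        HeapTuple   tuple;

        /* Skip hidden files */
        if (de->d_name[0] == '.')
            continue;

        /* Get the file info */
        snprintf(path, sizeof(path), "%s/%s", fctx->location, de->d_name);
        if (stat(path, &attrib) < 0)
        {
            /* Ignore files removed since ReadDir() saw them, else complain */
            if (errno == ENOENT)
                continue;
            ereport(ERROR,
                    (errcode_for_file_access(),
                     errmsg("could not stat file \"%s\": %m", path)));
        }

        /* Ignore anything but regular files */
        if (!S_ISREG(attrib.st_mode))
            continue;

        values[0] = CStringGetTextDatum(de->d_name);
        values[1] = Int64GetDatum((int64) attrib.st_size);
        values[2] = TimestampTzGetDatum(time_t_to_timestamptz(attrib.st_mtime));
        memset(nulls, 0, sizeof(nulls));

        tuple = heap_form_tuple(funcctx->tuple_desc, values, nulls);
        SRF_RETURN_NEXT(funcctx, HeapTupleGetDatum(tuple));
    }

    FreeDir(fctx->dirdesc);
    SRF_RETURN_DONE(funcctx);
}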
/*
 * Function to return the list of files in the log directory
 *
 * No role or path check is made here or in pg_ls_dir_files; access
 * presumably rests on EXECUTE privilege for the SQL function -- confirm.
 */
Datum
pg_ls_logdir(PG_FUNCTION_ARGS)
{
    const bool  missing_ok = false;     /* a missing log directory is an error */

    return pg_ls_dir_files(fcinfo, Log_directory, missing_ok);
}
/*
 * Function to return the list of files in the WAL directory
 *
 * No role or path check is made here or in pg_ls_dir_files; access
 * presumably rests on EXECUTE privilege for the SQL function -- confirm.
 */
Datum
pg_ls_waldir(PG_FUNCTION_ARGS)
{
    const bool  missing_ok = false;     /* a missing WAL directory is an error */

    return pg_ls_dir_files(fcinfo, XLOGDIR, missing_ok);
}
/*
 * Generic function to return the list of files in pgsql_tmp
 *
 * The tablespace OID is looked up in the syscache before any path is built
 * from it, so an OID that names no tablespace is rejected up front.  A
 * missing temporary directory yields an empty set.
 */
static Datum
pg_ls_tmpdir(FunctionCallInfo fcinfo, Oid tblspc)
{
    char        tmpdir[MAXPGPATH];
    bool        known = SearchSysCacheExists1(TABLESPACEOID,
                                              ObjectIdGetDatum(tblspc));

    if (!known)
        ereport(ERROR,
                (errcode(ERRCODE_UNDEFINED_OBJECT),
                 errmsg("tablespace with OID %u does not exist",
                        tblspc)));

    TempTablespacePath(tmpdir, tblspc);
    return pg_ls_dir_files(fcinfo, tmpdir, true);
}
/*
 * Function to return the list of temporary files in the pg_default tablespace's
 * pgsql_tmp directory
 */
Datum
pg_ls_tmpdir_noargs(PG_FUNCTION_ARGS)
{
    Oid         tblspc = DEFAULTTABLESPACE_OID;

    return pg_ls_tmpdir(fcinfo, tblspc);
}
/*
 * Function to return the list of temporary files in the specified tablespace's
 * pgsql_tmp directory
 *
 * The OID comes straight from the SQL caller; pg_ls_tmpdir checks that it
 * names an existing tablespace before using it.
 */
Datum
pg_ls_tmpdir_1arg(PG_FUNCTION_ARGS)
{
    Oid         tblspc = PG_GETARG_OID(0);

    return pg_ls_tmpdir(fcinfo, tblspc);
}
/*
 * Function to return the list of files in the WAL archive status directory.
 *
 * The directory is a compile-time constant path; a missing directory yields
 * an empty set rather than an error.
 */
Datum
pg_ls_archive_statusdir(PG_FUNCTION_ARGS)
{
    const bool  missing_ok = true;

    return pg_ls_dir_files(fcinfo, XLOGDIR "/archive_status", missing_ok);
}