Remove the use of the pg_auth flat file for client authentication.

(That flat file is now completely useless, but removal will come later.) To do this, postpone client authentication into the startup transaction that's run by InitPostgres. We still collect the startup packet and do SSL initialization (if needed) at the same time we did before. The AuthenticationTimeout is applied separately to startup packet collection and the actual authentication cycle. (This is a bit annoying, since it means a couple extra syscalls; but the signal handling requirements inside and outside a transaction are sufficiently different that it seems best to treat the timeouts as completely independent.) A small security disadvantage is that if the given database name is invalid, this will be reported to the client before any authentication happens. We could work around that by connecting to database "postgres" instead, but consensus seems to be that it's not worth introducing such surprising behavior. Processing of all command-line switches and GUC options received from the client is now postponed until after authentication. This means that PostAuthDelay is much less useful than it used to be --- if you need to investigate problems during InitPostgres you'll have to set PreAuthDelay instead. However, allowing an unauthenticated user to set any GUC options whatever seems a bit too risky, so we'll live with that.

Remove the use of the pg_auth flat file for client authentication.
(That flat file is now completely useless, but removal will come later.) To do this, postpone client authentication into the startup transaction that's run by InitPostgres. We still collect the startup packet and do SSL initialization (if needed) at the same time we did before. The AuthenticationTimeout is applied separately to startup packet collection and the actual authentication cycle. (This is a bit annoying, since it means a couple extra syscalls; but the signal handling requirements inside and outside a transaction are sufficiently different that it seems best to treat the timeouts as completely independent.) A small security disadvantage is that if the given database name is invalid, this will be reported to the client before any authentication happens. We could work around that by connecting to database "postgres" instead, but consensus seems to be that it's not worth introducing such surprising behavior. Processing of all command-line switches and GUC options received from the client is now postponed until after authentication. This means that PostAuthDelay is much less useful than it used to be --- if you need to investigate problems during InitPostgres you'll have to set PreAuthDelay instead. However, allowing an unauthenticated user to set any GUC options whatever seems a bit too risky, so we'll live with that.
e710b65c · Tom Lane · 585806cb · e710b65c · e710b65c · e710b65c
Commit e710b65c authored Aug 29, 2009 by Tom Lane
15 changed files
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.183 2009/06/25 11:30:08 mha Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.184 2009/08/29 19:26:51 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -33,8 +33,10 @@
 #include "libpq/ip.h"
 #include "libpq/libpq.h"
 #include "libpq/pqformat.h"
+#include "miscadmin.h"
 #include "storage/ipc.h"
 /*----------------------------------------------------------------
 * Global authentication functions
 *----------------------------------------------------------------
@@ -281,6 +283,15 @@ ClientAuthentication(Port *port)
 				 errmsg("missing or erroneous pg_hba.conf file"),
 				 errhint("See server log for details.")));
+	/*
+	 * Enable immediate response to SIGTERM/SIGINT/timeout interrupts.
+	 * (We don't want this during hba_getauthmethod() because it might
+	 * have to do database access, eg for role membership checks.)
+	 */
+	ImmediateInterruptOK = true;
+	/* And don't forget to detect one that already arrived */
+	CHECK_FOR_INTERRUPTS();
 	/*
 	 * This is the first point where we have access to the hba record for the
 	 * current connection, so perform any verifications based on the hba
@@ -458,6 +469,9 @@ ClientAuthentication(Port *port)
 		sendAuthRequest(port, AUTH_REQ_OK);
 	else
 		auth_failed(port, status);
+	/* Done with authentication, so we should turn off immediate interrupts */
+	ImmediateInterruptOK = false;
 }
@@ -690,9 +704,6 @@ pg_krb5_recvauth(Port *port)
 	char	   *kusername;
 	char	   *cp;
-	if (get_role_line(port->user_name) == NULL)
-		return STATUS_ERROR;
 	ret = pg_krb5_init(port);
 	if (ret != STATUS_OK)
 		return ret;
@@ -1823,9 +1834,6 @@ authident(hbaPort *port)
 {
 	char		ident_user[IDENT_USERNAME_MAX + 1];
-	if (get_role_line(port->user_name) == NULL)
-		return STATUS_ERROR;
 	switch (port->raddr.addr.ss_family)
 	{
 		case AF_INET:

--- a/src/backend/libpq/crypt.c
+++ b/src/backend/libpq/crypt.c
@@ -9,7 +9,7 @@
 * Portions Copyright (c) 1996-2009, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
- * $PostgreSQL: pgsql/src/backend/libpq/crypt.c,v 1.77 2009/01/01 17:23:42 momjian Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/crypt.c,v 1.78 2009/08/29 19:26:51 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -20,38 +20,63 @@
 #include <crypt.h>
 #endif
+#include "catalog/pg_authid.h"
 #include "libpq/crypt.h"
 #include "libpq/md5.h"
+#include "miscadmin.h"
+#include "utils/builtins.h"
+#include "utils/syscache.h"
 int
 md5_crypt_verify(const Port *port, const char *role, char *client_pass)
 {
-	char	   *shadow_pass = NULL,
-			   *valuntil = NULL,
-			   *crypt_pwd;
 	int			retval = STATUS_ERROR;
-	List	  **line;
+	char	   *shadow_pass,
-	ListCell   *token;
+			   *crypt_pwd;
+	TimestampTz vuntil = 0;
 	char	   *crypt_client_pass = client_pass;
+	HeapTuple	roleTup;
+	Datum		datum;
+	bool		isnull;
-	if ((line = get_role_line(role)) == NULL)
+	/*
-		return STATUS_ERROR;
+	 * Disable immediate interrupts while doing database access.  (Note
+	 * we don't bother to turn this back on if we hit one of the failure
+	 * conditions, since we can expect we'll just exit right away anyway.)
+	 */
+	ImmediateInterruptOK = false;
+	/* Get role info from pg_authid */
+	roleTup = SearchSysCache(AUTHNAME,
+							 PointerGetDatum(role),
+							 0, 0, 0);
+	if (!HeapTupleIsValid(roleTup))
+		return STATUS_ERROR;					/* no such user */
-	/* Skip over rolename */
+	datum = SysCacheGetAttr(AUTHNAME, roleTup,
-	token = list_head(*line);
+							Anum_pg_authid_rolpassword, &isnull);
-	if (token)
+	if (isnull)
-		token = lnext(token);
-	if (token)
 	{
-		shadow_pass = (char *) lfirst(token);
+		ReleaseSysCache(roleTup);
-		token = lnext(token);
+		return STATUS_ERROR;					/* user has no password */
-		if (token)
-			valuntil = (char *) lfirst(token);
 	}
+	shadow_pass = TextDatumGetCString(datum);
-	if (shadow_pass == NULL || *shadow_pass == '\0')
+	datum = SysCacheGetAttr(AUTHNAME, roleTup,
-		return STATUS_ERROR;
+							Anum_pg_authid_rolvaliduntil, &isnull);
+	if (!isnull)
+		vuntil = DatumGetTimestampTz(datum);
+	ReleaseSysCache(roleTup);
+	if (*shadow_pass == '\0')
+		return STATUS_ERROR;					/* empty password */
+	/* Re-enable immediate response to SIGTERM/SIGINT/timeout interrupts */
+	ImmediateInterruptOK = true;
+	/* And don't forget to detect one that already arrived */
+	CHECK_FOR_INTERRUPTS();
 	/*
 	 * Compare with the encrypted or plain password depending on the
@@ -119,25 +144,15 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass)
 	if (strcmp(crypt_client_pass, crypt_pwd) == 0)
 	{
 		/*
-		 * Password OK, now check to be sure we are not past valuntil
+		 * Password OK, now check to be sure we are not past rolvaliduntil
 		 */
-		if (valuntil == NULL || *valuntil == '\0')
+		if (isnull)
 			retval = STATUS_OK;
-		else
+		else if (vuntil < GetCurrentTimestamp())
-		{
-			TimestampTz vuntil;
-			vuntil = DatumGetTimestampTz(DirectFunctionCall3(timestamptz_in,
-												   CStringGetDatum(valuntil),
-												ObjectIdGetDatum(InvalidOid),
-														 Int32GetDatum(-1)));
-			if (vuntil < GetCurrentTimestamp())
 			retval = STATUS_ERROR;
 		else
 			retval = STATUS_OK;
 	}
-	}
 	if (port->hba->auth_method == uaMD5)
 		pfree(crypt_pwd);

--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -10,7 +10,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.188 2009/06/24 13:39:42 mha Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.189 2009/08/29 19:26:51 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -29,9 +29,9 @@
 #include "libpq/libpq.h"
 #include "regex/regex.h"
 #include "storage/fd.h"
-#include "utils/flatfiles.h"
+#include "utils/acl.h"
 #include "utils/guc.h"
+#include "utils/lsyscache.h"
 #define atooid(x)  ((Oid) strtoul((x), NULL, 10))
@@ -42,31 +42,21 @@
 #define MAX_TOKEN	256
-/* pre-parsed content of HBA config file */
+/* pre-parsed content of HBA config file: list of HbaLine structs */
 static List *parsed_hba_lines = NIL;
 /*
- * These variables hold the pre-parsed contents of the ident
+ * These variables hold the pre-parsed contents of the ident usermap
- * configuration files, as well as the flat auth file.
+ * configuration file.  ident_lines is a list of sublists, one sublist for
- * Each is a list of sublists, one sublist for
+ * each (non-empty, non-comment) line of the file.  The sublist items are
- * each (non-empty, non-comment) line of the file.	Each sublist's
+ * palloc'd strings, one string per token on the line.  Note there will always
- * first item is an integer line number (so we can give somewhat-useful
+ * be at least one token, since blank lines are not entered in the data
- * location info in error messages).  Remaining items are palloc'd strings,
+ * structure.  ident_line_nums is an integer list containing the actual line
- * one string per token on the line.  Note there will always be at least
+ * number for each line represented in ident_lines.
- * one token, since blank lines are not entered in the data structure.
 */
-/* pre-parsed content of ident usermap file and corresponding line #s */
 static List *ident_lines = NIL;
 static List *ident_line_nums = NIL;
-/* pre-parsed content of flat auth file and corresponding line #s */
-static List *role_lines = NIL;
-static List *role_line_nums = NIL;
-/* sorted entries so we can do binary search lookups */
-static List **role_sorted = NULL;		/* sorted role list, for bsearch() */
-static int	role_length;
 static void tokenize_file(const char *filename, FILE *file,
 			  List **lines, List **line_nums);
@@ -434,70 +424,28 @@ tokenize_file(const char *filename, FILE *file,
 	}
 }
-/*
- * Compare two lines based on their role/member names.
- *
- * Used for bsearch() lookup.
- */
-static int
-role_bsearch_cmp(const void *role, const void *list)
-{
-	char	   *role2 = linitial(*(List **) list);
-	return strcmp(role, role2);
-}
-/*
- * Lookup a role name in the pg_auth file
- */
-List	  **
-get_role_line(const char *role)
-{
-	/* On some versions of Solaris, bsearch of zero items dumps core */
-	if (role_length == 0)
-		return NULL;
-	return (List **) bsearch((void *) role,
-							 (void *) role_sorted,
-							 role_length,
-							 sizeof(List *),
-							 role_bsearch_cmp);
-}
 /*
 * Does user belong to role?
 *
- * user is always the name given as the attempted login identifier.
+ * userid is the OID of the role given as the attempted login identifier.
 * We check to see if it is a member of the specified role name.
 */
 static bool
-is_member(const char *user, const char *role)
+is_member(Oid userid, const char *role)
 {
-	List	  **line;
+	Oid			roleid;
-	ListCell   *line_item;
-	if ((line = get_role_line(user)) == NULL)
+	if (!OidIsValid(userid))
 		return false;			/* if user not exist, say "no" */
-	/* A user always belongs to its own role */
+	roleid = get_roleid(role);
-	if (strcmp(user, role) == 0)
-		return true;
-	/*
+	if (!OidIsValid(roleid))
-	 * skip over the role name, password, valuntil, examine all the membership
+		return false;			/* if target role not exist, say "no" */
-	 * entries
-	 */
-	if (list_length(*line) < 4)
-		return false;
-	for_each_cell(line_item, lnext(lnext(lnext(list_head(*line)))))
-	{
-		if (strcmp((char *) lfirst(line_item), role) == 0)
-			return true;
-	}
-	return false;
+	/* See if user is directly or indirectly a member of role */
+	return is_member_of_role(userid, roleid);
 }
 /*
@@ -508,7 +456,7 @@ is_member(const char *user, const char *role)
 * and so it doesn't matter that we clobber the stored hba info.
 */
 static bool
-check_role(const char *role, char *param_str)
+check_role(const char *role, Oid roleid, char *param_str)
 {
 	char	   *tok;
@@ -518,7 +466,7 @@ check_role(const char *role, char *param_str)
 	{
 		if (tok[0] == '+')
 		{
-			if (is_member(role, tok + 1))
+			if (is_member(roleid, tok + 1))
 				return true;
 		}
 		else if (strcmp(tok, role) == 0 ||
@@ -537,7 +485,7 @@ check_role(const char *role, char *param_str)
 * and so it doesn't matter that we clobber the stored hba info.
 */
 static bool
-check_db(const char *dbname, const char *role, char *param_str)
+check_db(const char *dbname, const char *role, Oid roleid, char *param_str)
 {
 	char	   *tok;
@@ -555,7 +503,7 @@ check_db(const char *dbname, const char *role, char *param_str)
 		else if (strcmp(tok, "samegroup\n") == 0 ||
 				 strcmp(tok, "samerole\n") == 0)
 		{
-			if (is_member(role, dbname))
+			if (is_member(roleid, dbname))
 				return true;
 		}
 		else if (strcmp(tok, dbname) == 0)
@@ -1106,9 +1054,13 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
 static bool
 check_hba(hbaPort *port)
 {
+	Oid			roleid;
 	ListCell   *line;
 	HbaLine    *hba;
+	/* Get the target role's OID.  Note we do not error out for bad role. */
+	roleid = get_roleid(port->user_name);
 	foreach(line, parsed_hba_lines)
 	{
 		hba = (HbaLine *) lfirst(line);
@@ -1177,10 +1129,11 @@ check_hba(hbaPort *port)
 		}						/* != ctLocal */
 		/* Check database and role */
-		if (!check_db(port->database_name, port->user_name, hba->database))
+		if (!check_db(port->database_name, port->user_name, roleid,
+					  hba->database))
 			continue;
-		if (!check_role(port->user_name, hba->role))
+		if (!check_role(port->user_name, roleid, hba->role))
 			continue;
 		/* Found a record that matched! */
@@ -1200,58 +1153,6 @@ check_hba(hbaPort *port)
 	 */
 }
-/*
- *	 Load role/password mapping file
- */
-void
-load_role(void)
-{
-	char	   *filename;
-	FILE	   *role_file;
-	/* Discard any old data */
-	if (role_lines || role_line_nums)
-		free_lines(&role_lines, &role_line_nums);
-	if (role_sorted)
-		pfree(role_sorted);
-	role_sorted = NULL;
-	role_length = 0;
-	/* Read in the file contents */
-	filename = auth_getflatfilename();
-	role_file = AllocateFile(filename, "r");
-	if (role_file == NULL)
-	{
-		/* no complaint if not there */
-		if (errno != ENOENT)
-			ereport(LOG,
-					(errcode_for_file_access(),
-					 errmsg("could not open file \"%s\": %m", filename)));
-		pfree(filename);
-		return;
-	}
-	tokenize_file(filename, role_file, &role_lines, &role_line_nums);
-	FreeFile(role_file);
-	pfree(filename);
-	/* create array for binary searching */
-	role_length = list_length(role_lines);
-	if (role_length)
-	{
-		int			i = 0;
-		ListCell   *line;
-		/* We assume the flat file was written already-sorted */
-		role_sorted = palloc(role_length * sizeof(List *));
-		foreach(line, role_lines)
-			role_sorted[i++] = lfirst(line);
-	}
-}
 /*
 * Free the contents of a hba record
 */
@@ -1613,7 +1514,7 @@ ident_syntax:
 *	as Postgres user "pgrole" according to usermap "usermap_name".
 *
 *	Special case: Usermap NULL, equivalent to what was previously called
- *	"sameuser" or "samerole", don't look in the usermap
+ *	"sameuser" or "samerole", means don't look in the usermap
 *	file.  That's an implied map where "pgrole" must be identical to
 *	"ident_user" in order to be authorized.
 *

--- a/src/backend/libpq/pqsignal.c
+++ b/src/backend/libpq/pqsignal.c
@@ -9,7 +9,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/pqsignal.c,v 1.45 2009/01/01 17:23:42 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/pqsignal.c,v 1.46 2009/08/29 19:26:51 tgl Exp $
 *
 * NOTES
 *		This shouldn't be in libpq, but the monitor and some other
@@ -49,23 +49,23 @@
 #ifdef HAVE_SIGPROCMASK
 sigset_t	UnBlockSig,
 			BlockSig,
-			AuthBlockSig;
+			StartupBlockSig;
 #else
 int			UnBlockSig,
 			BlockSig,
-			AuthBlockSig;
+			StartupBlockSig;
 #endif
 /*
- * Initialize BlockSig, UnBlockSig, and AuthBlockSig.
+ * Initialize BlockSig, UnBlockSig, and StartupBlockSig.
 *
 * BlockSig is the set of signals to block when we are trying to block
 * signals.  This includes all signals we normally expect to get, but NOT
 * signals that should never be turned off.
 *
- * AuthBlockSig is the set of signals to block during authentication;
+ * StartupBlockSig is the set of signals to block during startup packet
- * it's essentially BlockSig minus SIGTERM, SIGQUIT, SIGALRM.
+ * collection; it's essentially BlockSig minus SIGTERM, SIGQUIT, SIGALRM.
 *
 * UnBlockSig is the set of signals to block when we don't want to block
 * signals (is this ever nonzero??)
@@ -79,7 +79,7 @@ pqinitmask(void)
 	/* First set all signals, then clear some. */
 	sigfillset(&BlockSig);
-	sigfillset(&AuthBlockSig);
+	sigfillset(&StartupBlockSig);
 	/*
 	 * Unmark those signals that should never be blocked. Some of these signal
@@ -88,46 +88,46 @@ pqinitmask(void)
 	 */
 #ifdef SIGTRAP
 	sigdelset(&BlockSig, SIGTRAP);
-	sigdelset(&AuthBlockSig, SIGTRAP);
+	sigdelset(&StartupBlockSig, SIGTRAP);
 #endif
 #ifdef SIGABRT
 	sigdelset(&BlockSig, SIGABRT);
-	sigdelset(&AuthBlockSig, SIGABRT);
+	sigdelset(&StartupBlockSig, SIGABRT);
 #endif
 #ifdef SIGILL
 	sigdelset(&BlockSig, SIGILL);
-	sigdelset(&AuthBlockSig, SIGILL);
+	sigdelset(&StartupBlockSig, SIGILL);
 #endif
 #ifdef SIGFPE
 	sigdelset(&BlockSig, SIGFPE);
-	sigdelset(&AuthBlockSig, SIGFPE);
+	sigdelset(&StartupBlockSig, SIGFPE);
 #endif
 #ifdef SIGSEGV
 	sigdelset(&BlockSig, SIGSEGV);
-	sigdelset(&AuthBlockSig, SIGSEGV);
+	sigdelset(&StartupBlockSig, SIGSEGV);
 #endif
 #ifdef SIGBUS
 	sigdelset(&BlockSig, SIGBUS);
-	sigdelset(&AuthBlockSig, SIGBUS);
+	sigdelset(&StartupBlockSig, SIGBUS);
 #endif
 #ifdef SIGSYS
 	sigdelset(&BlockSig, SIGSYS);
-	sigdelset(&AuthBlockSig, SIGSYS);
+	sigdelset(&StartupBlockSig, SIGSYS);
 #endif
 #ifdef SIGCONT
 	sigdelset(&BlockSig, SIGCONT);
-	sigdelset(&AuthBlockSig, SIGCONT);
+	sigdelset(&StartupBlockSig, SIGCONT);
 #endif
-/* Signals unique to Auth */
+/* Signals unique to startup */
 #ifdef SIGQUIT
-	sigdelset(&AuthBlockSig, SIGQUIT);
+	sigdelset(&StartupBlockSig, SIGQUIT);
 #endif
 #ifdef SIGTERM
-	sigdelset(&AuthBlockSig, SIGTERM);
+	sigdelset(&StartupBlockSig, SIGTERM);
 #endif
 #ifdef SIGALRM
-	sigdelset(&AuthBlockSig, SIGALRM);
+	sigdelset(&StartupBlockSig, SIGALRM);
 #endif
 #else
 	/* Set the signals we want. */
@@ -139,7 +139,7 @@ pqinitmask(void)
 		sigmask(SIGINT) | sigmask(SIGUSR1) |
 		sigmask(SIGUSR2) | sigmask(SIGCHLD) |
 		sigmask(SIGWINCH) | sigmask(SIGFPE);
-	AuthBlockSig = sigmask(SIGHUP) |
+	StartupBlockSig = sigmask(SIGHUP) |
 		sigmask(SIGINT) | sigmask(SIGUSR1) |
 		sigmask(SIGUSR2) | sigmask(SIGCHLD) |
 		sigmask(SIGWINCH) | sigmask(SIGFPE);

--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
--- a/src/backend/tcop/postgres.c
+++ b/src/backend/tcop/postgres.c
--- a/src/backend/utils/init/flatfiles.c
+++ b/src/backend/utils/init/flatfiles.c
@@ -23,7 +23,7 @@
 * Portions Copyright (c) 1996-2009, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
- * $PostgreSQL: pgsql/src/backend/utils/init/flatfiles.c,v 1.37 2009/08/12 20:53:30 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/init/flatfiles.c,v 1.38 2009/08/29 19:26:51 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -824,11 +824,6 @@ AtEOXact_UpdateFlatFiles(bool isCommit)
 		heap_close(mrel, NoLock);
 	}
-	/*
-	 * Signal the postmaster to reload its caches.
-	 */
-	SendPostmasterSignal(PMSIGNAL_PASSWORD_CHANGE);
 	/*
 	 * Force synchronous commit, to minimize the window between changing the
 	 * flat files on-disk and marking the transaction committed.  It's not

--- a/src/backend/utils/init/postinit.c
+++ b/src/backend/utils/init/postinit.c
@@ -8,13 +8,14 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/init/postinit.c,v 1.194 2009/08/12 20:53:30 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/init/postinit.c,v 1.195 2009/08/29 19:26:51 tgl Exp $
 *
 *
 *-------------------------------------------------------------------------
 */
 #include "postgres.h"
+#include <ctype.h>
 #include <fcntl.h>
 #include <unistd.h>
@@ -27,6 +28,7 @@
 #include "catalog/pg_authid.h"
 #include "catalog/pg_database.h"
 #include "catalog/pg_tablespace.h"
+#include "libpq/auth.h"
 #include "libpq/libpq-be.h"
 #include "mb/pg_wchar.h"
 #include "miscadmin.h"
@@ -54,6 +56,7 @@
 static HeapTuple GetDatabaseTuple(const char *dbname);
 static HeapTuple GetDatabaseTupleByOid(Oid dboid);
+static void PerformAuthentication(Port *port);
 static void CheckMyDatabase(const char *name, bool am_superuser);
 static void InitCommunication(void);
 static void ShutdownPostgres(int code, Datum arg);
@@ -158,6 +161,66 @@ GetDatabaseTupleByOid(Oid dboid)
 }
+/*
+ * PerformAuthentication -- authenticate a remote client
+ *
+ * returns: nothing.  Will not return at all if there's any failure.
+ */
+static void
+PerformAuthentication(Port *port)
+{
+	/* This should be set already, but let's make sure */
+	ClientAuthInProgress = true;	/* limit visibility of log messages */
+	/*
+	 * In EXEC_BACKEND case, we didn't inherit the contents of pg_hba.conf
+	 * etcetera from the postmaster, and have to load them ourselves.  Note
+	 * we are loading them into the startup transaction's memory context,
+	 * not PostmasterContext, but that shouldn't matter.
+	 *
+	 * FIXME: [fork/exec] Ugh.	Is there a way around this overhead?
+	 */
+#ifdef EXEC_BACKEND
+	if (!load_hba())
+	{
+		/*
+		 * It makes no sense to continue if we fail to load the HBA file,
+		 * since there is no way to connect to the database in this case.
+		 */
+		ereport(FATAL,
+				(errmsg("could not load pg_hba.conf")));
+	}
+	load_ident();
+#endif
+	/*
+	 * Set up a timeout in case a buggy or malicious client fails to respond
+	 * during authentication.  Since we're inside a transaction and might do
+	 * database access, we have to use the statement_timeout infrastructure.
+	 */
+	if (!enable_sig_alarm(AuthenticationTimeout * 1000, true))
+		elog(FATAL, "could not set timer for authorization timeout");
+	/*
+	 * Now perform authentication exchange.
+	 */
+	ClientAuthentication(port); /* might not return, if failure */
+	/*
+	 * Done with authentication.  Disable the timeout, and log if needed.
+	 */
+	if (!disable_sig_alarm(true))
+		elog(FATAL, "could not disable timer for authorization timeout");
+	if (Log_connections)
+		ereport(LOG,
+				(errmsg("connection authorized: user=%s database=%s",
+						port->user_name, port->database_name)));
+	ClientAuthInProgress = false;		/* client_min_messages is active now */
+}
 /*
 * CheckMyDatabase -- fetch information from the pg_database entry for our DB
 */
@@ -329,6 +392,38 @@ InitCommunication(void)
 }
+/*
+ * pg_split_opts -- split a string of options and append it to an argv array
+ *
+ * NB: the input string is destructively modified!  Also, caller is responsible
+ * for ensuring the argv array is large enough.  The maximum possible number
+ * of arguments added by this routine is (strlen(optstr) + 1) / 2.
+ *
+ * Since no current POSTGRES arguments require any quoting characters,
+ * we can use the simple-minded tactic of assuming each set of space-
+ * delimited characters is a separate argv element.
+ *
+ * If you don't like that, well, we *used* to pass the whole option string
+ * as ONE argument to execl(), which was even less intelligent...
+ */
+void
+pg_split_opts(char **argv, int *argcp, char *optstr)
+{
+	while (*optstr)
+	{
+		while (isspace((unsigned char) *optstr))
+			optstr++;
+		if (*optstr == '\0')
+			break;
+		argv[(*argcp)++] = optstr;
+		while (*optstr && !isspace((unsigned char) *optstr))
+			optstr++;
+		if (*optstr)
+			*optstr++ = '\0';
+	}
+}
 /*
 * Early initialization of a backend (either standalone or under postmaster).
 * This happens even before InitPostgres.
@@ -388,6 +483,8 @@ InitPostgres(const char *in_dbname, Oid dboid, const char *username,
 	char	   *fullpath;
 	char		dbname[NAMEDATALEN];
+	elog(DEBUG3, "InitPostgres");
 	/*
 	 * Add my PGPROC struct to the ProcArray.
 	 *
@@ -599,7 +696,8 @@ InitPostgres(const char *in_dbname, Oid dboid, const char *username,
 	RelationCacheInitializePhase3();
 	/*
-	 * Figure out our postgres user id, and see if we are a superuser.
+	 * Perform client authentication if necessary, then figure out our
+	 * postgres user id, and see if we are a superuser.
 	 *
 	 * In standalone mode and in the autovacuum process, we use a fixed id,
 	 * otherwise we figure it out from the authenticated user name.
@@ -623,6 +721,8 @@ InitPostgres(const char *in_dbname, Oid dboid, const char *username,
 	else
 	{
 		/* normal multiuser case */
+		Assert(MyProcPort != NULL);
+		PerformAuthentication(MyProcPort);
 		InitializeSessionUserId(username);
 		am_superuser = superuser();
 	}

--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -10,7 +10,7 @@
 * Written by Peter Eisentraut <peter_e@gmx.net>.
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.511 2009/08/24 20:08:32 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.512 2009/08/29 19:26:51 tgl Exp $
 *
 *--------------------------------------------------------------------
 */
@@ -4635,7 +4635,8 @@ set_config_option(const char *name, const char *value,
 				if (IsUnderPostmaster)
 					return true;
 			}
-			else if (context != PGC_BACKEND && context != PGC_POSTMASTER)
+			else if (context != PGC_POSTMASTER && context != PGC_BACKEND &&
+					 source != PGC_S_CLIENT)
 			{
 				ereport(elevel,
 						(errcode(ERRCODE_CANT_CHANGE_RUNTIME_PARAM),
@@ -5243,22 +5244,6 @@ GetConfigOptionResetString(const char *name)
 	return NULL;
 }
-/*
- * Detect whether the given configuration option can only be set by
- * a superuser.
- */
-bool
-IsSuperuserConfigOption(const char *name)
-{
-	struct config_generic *record;
-	record = find_option(name, false, ERROR);
-	/* On an unrecognized name, don't error, just return false. */
-	if (record == NULL)
-		return false;
-	return (record->context == PGC_SUSET);
-}
 /*
 * GUC_complaint_elevel

--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -4,7 +4,7 @@
 *	  Interface to hba.c
 *
 *
- * $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.56 2009/06/11 14:49:11 momjian Exp $
+ * $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.57 2009/08/29 19:26:51 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -61,12 +61,11 @@ typedef struct
 	bool		include_realm;
 } HbaLine;
+/* kluge to avoid including libpq/libpq-be.h here */
 typedef struct Port hbaPort;
-extern List **get_role_line(const char *role);
 extern bool load_hba(void);
 extern void load_ident(void);
-extern void load_role(void);
 extern int	hba_getauthmethod(hbaPort *port);
 extern bool read_pg_database_line(FILE *fp, char *dbname, Oid *dboid,
 					  Oid *dbtablespace, TransactionId *dbfrozenxid);

--- a/src/include/libpq/pqsignal.h
+++ b/src/include/libpq/pqsignal.h
@@ -7,7 +7,7 @@
 * Portions Copyright (c) 1996-2009, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
- * $PostgreSQL: pgsql/src/include/libpq/pqsignal.h,v 1.33 2009/01/01 17:23:59 momjian Exp $
+ * $PostgreSQL: pgsql/src/include/libpq/pqsignal.h,v 1.34 2009/08/29 19:26:51 tgl Exp $
 *
 * NOTES
 *	  This shouldn't be in libpq, but the monitor and some other
@@ -23,13 +23,13 @@
 #ifdef HAVE_SIGPROCMASK
 extern sigset_t UnBlockSig,
 			BlockSig,
-			AuthBlockSig;
+			StartupBlockSig;
 #define PG_SETMASK(mask)	sigprocmask(SIG_SETMASK, mask, NULL)
 #else
 extern int	UnBlockSig,
 			BlockSig,
-			AuthBlockSig;
+			StartupBlockSig;
 #ifndef WIN32
 #define PG_SETMASK(mask)	sigsetmask(*((int*)(mask)))

--- a/src/include/miscadmin.h
+++ b/src/include/miscadmin.h
@@ -13,7 +13,7 @@
 * Portions Copyright (c) 1996-2009, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
- * $PostgreSQL: pgsql/src/include/miscadmin.h,v 1.212 2009/08/12 20:53:30 tgl Exp $
+ * $PostgreSQL: pgsql/src/include/miscadmin.h,v 1.213 2009/08/29 19:26:51 tgl Exp $
 *
 * NOTES
 *	  some of the information in this file should be moved to other files.
@@ -323,6 +323,7 @@ extern ProcessingMode Mode;
 *****************************************************************************/
 /* in utils/init/postinit.c */
+extern void pg_split_opts(char **argv, int *argcp, char *optstr);
 extern bool InitPostgres(const char *in_dbname, Oid dboid, const char *username,
 			 char *out_dbname);
 extern void BaseInit(void);

--- a/src/include/storage/pmsignal.h
+++ b/src/include/storage/pmsignal.h
@@ -7,7 +7,7 @@
 * Portions Copyright (c) 1996-2009, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
- * $PostgreSQL: pgsql/src/include/storage/pmsignal.h,v 1.25 2009/06/11 14:49:12 momjian Exp $
+ * $PostgreSQL: pgsql/src/include/storage/pmsignal.h,v 1.26 2009/08/29 19:26:52 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -25,7 +25,6 @@ typedef enum
 	PMSIGNAL_RECOVERY_STARTED,	/* recovery has started */
 	PMSIGNAL_RECOVERY_CONSISTENT,		/* recovery has reached consistent
 										 * state */
-	PMSIGNAL_PASSWORD_CHANGE,	/* pg_auth file has changed */
 	PMSIGNAL_WAKEN_ARCHIVER,	/* send a NOTIFY signal to xlog archiver */
 	PMSIGNAL_ROTATE_LOGFILE,	/* send SIGUSR1 to syslogger to rotate logfile */
 	PMSIGNAL_START_AUTOVAC_LAUNCHER,	/* start an autovacuum launcher */

--- a/src/include/tcop/tcopprot.h
+++ b/src/include/tcop/tcopprot.h
@@ -7,7 +7,7 @@
 * Portions Copyright (c) 1996-2009, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
- * $PostgreSQL: pgsql/src/include/tcop/tcopprot.h,v 1.98 2009/06/11 14:49:12 momjian Exp $
+ * $PostgreSQL: pgsql/src/include/tcop/tcopprot.h,v 1.99 2009/08/29 19:26:52 tgl Exp $
 *
 * OLD COMMENTS
 *	  This file was created so that other c files could get the two
@@ -58,7 +58,6 @@ extern bool assign_max_stack_depth(int newval, bool doit, GucSource source);
 extern void die(SIGNAL_ARGS);
 extern void quickdie(SIGNAL_ARGS);
-extern void authdie(SIGNAL_ARGS);
 extern void StatementCancelHandler(SIGNAL_ARGS);
 extern void FloatExceptionHandler(SIGNAL_ARGS);
 extern void prepare_for_client_read(void);

--- a/src/include/utils/guc.h
+++ b/src/include/utils/guc.h
@@ -7,7 +7,7 @@
 * Copyright (c) 2000-2009, PostgreSQL Global Development Group
 * Written by Peter Eisentraut <peter_e@gmx.net>.
 *
- * $PostgreSQL: pgsql/src/include/utils/guc.h,v 1.102 2009/06/11 14:49:13 momjian Exp $
+ * $PostgreSQL: pgsql/src/include/utils/guc.h,v 1.103 2009/08/29 19:26:52 tgl Exp $
 *--------------------------------------------------------------------
 */
 #ifndef GUC_H
@@ -247,7 +247,6 @@ extern void EmitWarningsOnPlaceholders(const char *className);
 extern const char *GetConfigOption(const char *name);
 extern const char *GetConfigOptionResetString(const char *name);
-extern bool IsSuperuserConfigOption(const char *name);
 extern void ProcessConfigFile(GucContext context);
 extern void InitializeGUCOptions(void);
 extern bool SelectConfigFiles(const char *userDoption, const char *progname);