On 2017-04-17 18:55, Tom Lane wrote:
> Magnus Hagander <magnus@xxxxxxxxxxxx> writes:
>> But all our files are opened with (FILE_SHARE_READ | FILE_SHARE_WRITE |
>> FILE_SHARE_DELETE). So shouldn't this allow 7zip (or whatever) to open up
>> the file, regardless of us holding it open? (Looking at
>> https://msdn.microsoft.com/en-us/library/windows/desktop/aa363874(v=vs.85).aspx
>> at least that's how I read it?)
No, I'm afraid not. The share modes have to be compatible across all
CreateFile() calls (that result in concurrently open handles). After
Postgres has opened the file with all three share modes, any later calls
must use all three as well.
The share mode you use on your CreateFile() call expresses your
requirement for what others can do to the file while you have it open.
If you successfully open with FILE_SHARE_READ, you are assured that no
one else has the file open for write or delete, and no one _can_ open it
that way, until you close it.
From that MSDN page:

    When a process uses CreateFile to attempt to open a file that
    has already been opened in a sharing mode (dwShareMode set to a
    valid nonzero value), the system compares the requested access
    and sharing modes to those specified when the file was opened.
    If you specify an access or sharing mode that conflicts with the
    modes specified in the previous call, CreateFile fails.

"[T]hat conflicts with" means "does not allow at least all modes that
have already been requested on existing calls".
> My understanding of what Christian wrote is that 7zip is using flags
> that specifically disallow "sharing". The flags we use will allow other
> programs to open the file(s) with default options, but a program that
> is deliberately trying to be the sole user of the file can still notice
> our opens.
Not quite; there are no "default options" for that argument of
CreateFile(). The only way for another program to open the
otherwise-open segment file is to specify compatible share modes, in
this case, all of them.
Otherwise, yes, that is correct. There is essentially no way for a
process to keep the fact that it has a file open completely hidden from
others.
At least the potential issue of someone deleting active segment files
(open with FILE_SHARE_DELETE as per above) is one of being on the other
side of this airtight hatchway, to quote Raymond Chen. In a properly set
up cluster, you have to have admin rights to get at the data directory
at all, and then you can also just kill the database server if you want
to delete something.
--
Christian
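As an added illustration, not part of the thread, here is a small C model of the sharing check quoted from MSDN above, applied to the Postgres and archiver opens discussed. It does not call CreateFile; it implements the two-way compatibility rule with constructed flag values, so it runs on any platform.

```c
#include <stdio.h>

/* One bit stands for both an access right and the matching share flag:
 * READ <-> FILE_SHARE_READ, WRITE <-> FILE_SHARE_WRITE, DEL <-> FILE_SHARE_DELETE. */
enum { READ = 1u, WRITE = 2u, DEL = 4u, ALL = READ | WRITE | DEL };

/* Model of the documented CreateFile sharing check for a file that is
 * already open with (have_access, have_share). A new call asking for
 * (want_access, want_share) succeeds only if BOTH hold:
 *   1. every right it asks for was shared by the existing handle, and
 *   2. every right the existing handle holds is shared by the new call.
 * Returns 1 for success, 0 for a sharing violation. */
int share_compatible(unsigned have_access, unsigned have_share,
                     unsigned want_access, unsigned want_share)
{
    if (want_access & ~have_share) return 0;   /* rule 1 */
    if (have_access & ~want_share) return 0;   /* rule 2 */
    return 1;
}

/* Constructed assumption: Postgres holds a segment open for read+write
 * and shares everything, as stated in the thread. */
#define PG_ACCESS (READ | WRITE)
#define PG_SHARE  ALL

/* A backup tool that also shares everything can read the live segment. */
int archiver_sharing_all(void)    { return share_compatible(PG_ACCESS, PG_SHARE, READ, ALL); }
/* A tool asking for exclusive access (dwShareMode = 0) is refused. */
int archiver_exclusive(void)      { return share_compatible(PG_ACCESS, PG_SHARE, READ, 0); }
/* Sharing only READ is still refused: Postgres holds WRITE, which must be shared too. */
int archiver_share_read_only(void){ return share_compatible(PG_ACCESS, PG_SHARE, READ, READ); }
/* If the exclusive opener got there first, it is Postgres's own open that fails. */
int postgres_after_exclusive(void){ return share_compatible(READ, 0, PG_ACCESS, PG_SHARE); }

static const char *verdict(int ok) { return ok ? "opens" : "sharing violation"; }

int main(void)
{
    printf("archiver sharing all:      %s\n", verdict(archiver_sharing_all()));
    printf("archiver exclusive:        %s\n", verdict(archiver_exclusive()));
    printf("archiver sharing READ only:%s\n", verdict(archiver_share_read_only()));
    printf("postgres after exclusive:  %s\n", verdict(postgres_after_exclusive()));
    return 0;
}
```

The third case is the one the thread turns on: sharing "more than nothing" is not enough, the later call has to share every access right the already-open handle holds.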
--
Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin