2 * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 #include <sys/queue.h>
20 #include <sys/types.h>
22 #include <sys/socket.h>
43 #include "got_error.h"
44 #include "got_opentemp.h"
46 #include "got_repository.h"
47 #include "got_object.h"
48 #include "got_reference.h"
50 #include "got_lib_delta.h"
51 #include "got_lib_object.h"
52 #include "got_lib_object_cache.h"
53 #include "got_lib_sha1.h"
54 #include "got_lib_gitproto.h"
55 #include "got_lib_pack.h"
56 #include "got_lib_repository.h"
63 #include "repo_read.h"
64 #include "repo_write.h"
67 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
71 STAILQ_ENTRY(gotd_client) entry;
72 enum gotd_client_state state;
73 struct gotd_client_capability *capabilities;
79 struct gotd_imsgev iev;
83 struct gotd_child_proc *repo_read;
84 struct gotd_child_proc *repo_write;
85 struct gotd_child_proc *auth;
86 struct gotd_child_proc *session;
91 STAILQ_HEAD(gotd_clients, gotd_client);
93 static struct gotd_clients gotd_clients[GOTD_CLIENT_TABLE_SIZE];
94 static SIPHASH_KEY clients_hash_key;
95 volatile int client_cnt;
96 static struct timeval auth_timeout = { 5, 0 };
97 static struct gotd gotd;
99 void gotd_sighdlr(int sig, short event, void *arg);
100 static void gotd_shutdown(void);
101 static const struct got_error *start_session_child(struct gotd_client *,
102 struct gotd_repo *, char *, const char *, int, int);
103 static const struct got_error *start_repo_child(struct gotd_client *,
104 enum gotd_procid, struct gotd_repo *, char *, const char *, int, int);
105 static const struct got_error *start_auth_child(struct gotd_client *, int,
106 struct gotd_repo *, char *, const char *, int, int);
107 static void kill_proc(struct gotd_child_proc *, int);
112 fprintf(stderr, "usage: %s [-dv] [-f config-file]\n", getprogname());
117 unix_socket_listen(const char *unix_socket_path, uid_t uid, gid_t gid)
119 struct sockaddr_un sun;
121 mode_t old_umask, mode;
123 fd = socket(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK| SOCK_CLOEXEC, 0);
129 sun.sun_family = AF_UNIX;
130 if (strlcpy(sun.sun_path, unix_socket_path,
131 sizeof(sun.sun_path)) >= sizeof(sun.sun_path)) {
132 log_warnx("%s: name too long", unix_socket_path);
137 if (unlink(unix_socket_path) == -1) {
138 if (errno != ENOENT) {
139 log_warn("unlink %s", unix_socket_path);
145 old_umask = umask(S_IXUSR|S_IXGRP|S_IWOTH|S_IROTH|S_IXOTH);
146 mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
148 if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) == -1) {
149 log_warn("bind: %s", unix_socket_path);
157 if (chmod(unix_socket_path, mode) == -1) {
158 log_warn("chmod %o %s", mode, unix_socket_path);
160 unlink(unix_socket_path);
164 if (chown(unix_socket_path, uid, gid) == -1) {
165 log_warn("chown %s uid=%d gid=%d", unix_socket_path, uid, gid);
167 unlink(unix_socket_path);
171 if (listen(fd, GOTD_UNIX_SOCKET_BACKLOG) == -1) {
174 unlink(unix_socket_path);
182 client_hash(uint32_t client_id)
184 return SipHash24(&clients_hash_key, &client_id, sizeof(client_id));
188 add_client(struct gotd_client *client)
190 uint64_t slot = client_hash(client->id) % nitems(gotd_clients);
191 STAILQ_INSERT_HEAD(&gotd_clients[slot], client, entry);
195 static struct gotd_client *
196 find_client(uint32_t client_id)
199 struct gotd_client *c;
201 slot = client_hash(client_id) % nitems(gotd_clients);
202 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
203 if (c->id == client_id)
210 static struct gotd_child_proc *
211 get_client_repo_proc(struct gotd_client *client)
213 if (client->repo_read && client->repo_write) {
214 fatalx("uid %d is reading and writing in the same session",
219 if (client->repo_read)
220 return client->repo_read;
221 else if (client->repo_write)
222 return client->repo_write;
227 static struct gotd_client *
228 find_client_by_proc_fd(int fd)
232 for (slot = 0; slot < nitems(gotd_clients); slot++) {
233 struct gotd_client *c;
235 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
236 struct gotd_child_proc *proc = get_client_repo_proc(c);
237 if (proc && proc->iev.ibuf.fd == fd)
239 if (c->auth && c->auth->iev.ibuf.fd == fd)
241 if (c->session && c->session->iev.ibuf.fd == fd)
250 client_is_reading(struct gotd_client *client)
252 return client->repo_read != NULL;
256 client_is_writing(struct gotd_client *client)
258 return client->repo_write != NULL;
261 static const struct got_error *
262 ensure_client_is_not_writing(struct gotd_client *client)
264 if (client_is_writing(client)) {
265 return got_error_fmt(GOT_ERR_BAD_PACKET,
266 "uid %d made a read-request but is writing to "
267 "a repository", client->euid);
273 static const struct got_error *
274 ensure_client_is_not_reading(struct gotd_client *client)
276 if (client_is_reading(client)) {
277 return got_error_fmt(GOT_ERR_BAD_PACKET,
278 "uid %d made a write-request but is reading from "
279 "a repository", client->euid);
286 wait_for_child(pid_t child_pid)
291 log_debug("waiting for child PID %ld to terminate",
295 pid = waitpid(child_pid, &status, WNOHANG);
297 if (errno != EINTR && errno != ECHILD)
299 } else if (WIFSIGNALED(status)) {
300 log_warnx("child PID %ld terminated; signal %d",
301 (long)pid, WTERMSIG(status));
303 } while (pid != -1 || (pid == -1 && errno == EINTR));
307 proc_done(struct gotd_child_proc *proc)
309 event_del(&proc->iev.ev);
310 msgbuf_clear(&proc->iev.ibuf.w);
311 close(proc->iev.ibuf.fd);
313 wait_for_child(proc->pid);
318 kill_auth_proc(struct gotd_client *client)
320 struct gotd_child_proc *proc;
322 if (client->auth == NULL)
332 kill_session_proc(struct gotd_client *client)
334 struct gotd_child_proc *proc;
336 if (client->session == NULL)
339 proc = client->session;
340 client->session = NULL;
346 disconnect(struct gotd_client *client)
348 struct gotd_imsg_disconnect idisconnect;
349 struct gotd_child_proc *proc = get_client_repo_proc(client);
350 struct gotd_child_proc *listen_proc = &gotd.listen_proc;
353 log_debug("uid %d: disconnecting", client->euid);
355 kill_auth_proc(client);
356 kill_session_proc(client);
358 idisconnect.client_id = client->id;
360 if (gotd_imsg_compose_event(&proc->iev,
361 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
362 &idisconnect, sizeof(idisconnect)) == -1)
363 log_warn("imsg compose DISCONNECT");
365 msgbuf_clear(&proc->iev.ibuf.w);
366 close(proc->iev.ibuf.fd);
368 wait_for_child(proc->pid);
373 if (gotd_imsg_compose_event(&listen_proc->iev,
374 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
375 &idisconnect, sizeof(idisconnect)) == -1)
376 log_warn("imsg compose DISCONNECT");
378 slot = client_hash(client->id) % nitems(gotd_clients);
379 STAILQ_REMOVE(&gotd_clients[slot], client, gotd_client, entry);
380 imsg_clear(&client->iev.ibuf);
381 event_del(&client->iev.ev);
382 evtimer_del(&client->tmo);
383 if (client->fd != -1)
385 else if (client->iev.ibuf.fd != -1)
386 close(client->iev.ibuf.fd);
387 if (client->delta_cache_fd != -1)
388 close(client->delta_cache_fd);
389 if (client->packfile_path) {
390 if (unlink(client->packfile_path) == -1 && errno != ENOENT)
391 log_warn("unlink %s: ", client->packfile_path);
392 free(client->packfile_path);
394 if (client->packidx_path) {
395 if (unlink(client->packidx_path) == -1 && errno != ENOENT)
396 log_warn("unlink %s: ", client->packidx_path);
397 free(client->packidx_path);
399 free(client->capabilities);
405 disconnect_on_error(struct gotd_client *client, const struct got_error *err)
409 log_warnx("uid %d: %s", client->euid, err->msg);
410 if (err->code != GOT_ERR_EOF && client->fd != -1) {
411 imsg_init(&ibuf, client->fd);
412 gotd_imsg_send_error(&ibuf, 0, PROC_GOTD, err);
418 static const struct got_error *
419 send_repo_info(struct gotd_imsgev *iev, struct gotd_repo *repo)
421 const struct got_error *err = NULL;
422 struct gotd_imsg_info_repo irepo;
424 memset(&irepo, 0, sizeof(irepo));
426 if (strlcpy(irepo.repo_name, repo->name, sizeof(irepo.repo_name))
427 >= sizeof(irepo.repo_name))
428 return got_error_msg(GOT_ERR_NO_SPACE, "repo name too long");
429 if (strlcpy(irepo.repo_path, repo->path, sizeof(irepo.repo_path))
430 >= sizeof(irepo.repo_path))
431 return got_error_msg(GOT_ERR_NO_SPACE, "repo path too long");
433 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_REPO, PROC_GOTD, -1,
434 &irepo, sizeof(irepo)) == -1) {
435 err = got_error_from_errno("imsg compose INFO_REPO");
443 static const struct got_error *
444 send_capability(struct gotd_client_capability *capa, struct gotd_imsgev* iev)
446 const struct got_error *err = NULL;
447 struct gotd_imsg_capability icapa;
451 memset(&icapa, 0, sizeof(icapa));
453 icapa.key_len = strlen(capa->key);
454 len = sizeof(icapa) + icapa.key_len;
456 icapa.value_len = strlen(capa->value);
457 len += icapa.value_len;
460 wbuf = imsg_create(&iev->ibuf, GOTD_IMSG_CAPABILITY, 0, 0, len);
462 err = got_error_from_errno("imsg_create CAPABILITY");
466 if (imsg_add(wbuf, &icapa, sizeof(icapa)) == -1)
467 return got_error_from_errno("imsg_add CAPABILITY");
468 if (imsg_add(wbuf, capa->key, icapa.key_len) == -1)
469 return got_error_from_errno("imsg_add CAPABILITY");
471 if (imsg_add(wbuf, capa->value, icapa.value_len) == -1)
472 return got_error_from_errno("imsg_add CAPABILITY");
476 imsg_close(&iev->ibuf, wbuf);
478 gotd_imsg_event_add(iev);
483 static const struct got_error *
484 send_client_info(struct gotd_imsgev *iev, struct gotd_client *client)
486 const struct got_error *err = NULL;
487 struct gotd_imsg_info_client iclient;
488 struct gotd_child_proc *proc;
491 memset(&iclient, 0, sizeof(iclient));
492 iclient.euid = client->euid;
493 iclient.egid = client->egid;
495 proc = get_client_repo_proc(client);
497 if (strlcpy(iclient.repo_name, proc->repo_path,
498 sizeof(iclient.repo_name)) >= sizeof(iclient.repo_name)) {
499 return got_error_msg(GOT_ERR_NO_SPACE,
500 "repo name too long");
502 if (client_is_writing(client))
503 iclient.is_writing = 1;
505 iclient.repo_child_pid = proc->pid;
508 iclient.state = client->state;
510 iclient.session_child_pid = client->session->pid;
511 iclient.ncapabilities = client->ncapabilities;
513 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_CLIENT, PROC_GOTD, -1,
514 &iclient, sizeof(iclient)) == -1) {
515 err = got_error_from_errno("imsg compose INFO_CLIENT");
520 for (i = 0; i < client->ncapabilities; i++) {
521 struct gotd_client_capability *capa;
522 capa = &client->capabilities[i];
523 err = send_capability(capa, iev);
531 static const struct got_error *
532 send_info(struct gotd_client *client)
534 const struct got_error *err = NULL;
535 struct gotd_imsg_info info;
537 struct gotd_repo *repo;
539 if (client->euid != 0)
540 return got_error_set_errno(EPERM, "info");
543 info.verbosity = gotd.verbosity;
544 info.nrepos = gotd.nrepos;
545 info.nclients = client_cnt - 1;
547 if (gotd_imsg_compose_event(&client->iev, GOTD_IMSG_INFO, PROC_GOTD, -1,
548 &info, sizeof(info)) == -1) {
549 err = got_error_from_errno("imsg compose INFO");
554 TAILQ_FOREACH(repo, &gotd.repos, entry) {
555 err = send_repo_info(&client->iev, repo);
560 for (slot = 0; slot < nitems(gotd_clients); slot++) {
561 struct gotd_client *c;
562 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
563 if (c->id == client->id)
565 err = send_client_info(&client->iev, c);
574 static const struct got_error *
575 stop_gotd(struct gotd_client *client)
578 if (client->euid != 0)
579 return got_error_set_errno(EPERM, "stop");
586 static struct gotd_repo *
587 find_repo_by_name(const char *repo_name)
589 struct gotd_repo *repo;
592 TAILQ_FOREACH(repo, &gotd.repos, entry) {
593 namelen = strlen(repo->name);
594 if (strncmp(repo->name, repo_name, namelen) != 0)
596 if (repo_name[namelen] == '\0' ||
597 strcmp(&repo_name[namelen], ".git") == 0)
604 static const struct got_error *
605 start_client_authentication(struct gotd_client *client, struct imsg *imsg)
607 const struct got_error *err;
608 struct gotd_imsg_list_refs ireq;
609 struct gotd_repo *repo = NULL;
612 log_debug("list-refs request from uid %d", client->euid);
614 if (client->state != GOTD_STATE_EXPECT_LIST_REFS)
615 return got_error_msg(GOT_ERR_BAD_REQUEST,
616 "unexpected list-refs request received");
618 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
619 if (datalen != sizeof(ireq))
620 return got_error(GOT_ERR_PRIVSEP_LEN);
622 memcpy(&ireq, imsg->data, datalen);
624 if (ireq.client_is_reading) {
625 err = ensure_client_is_not_writing(client);
628 repo = find_repo_by_name(ireq.repo_name);
630 return got_error(GOT_ERR_NOT_GIT_REPO);
631 err = start_auth_child(client, GOTD_AUTH_READ, repo,
632 gotd.argv0, gotd.confpath, gotd.daemonize,
637 err = ensure_client_is_not_reading(client);
640 repo = find_repo_by_name(ireq.repo_name);
642 return got_error(GOT_ERR_NOT_GIT_REPO);
643 err = start_auth_child(client,
644 GOTD_AUTH_READ | GOTD_AUTH_WRITE,
645 repo, gotd.argv0, gotd.confpath, gotd.daemonize,
651 evtimer_add(&client->tmo, &auth_timeout);
653 /* Flow continues upon authentication successs/failure or timeout. */
658 gotd_request(int fd, short events, void *arg)
660 struct gotd_imsgev *iev = arg;
661 struct imsgbuf *ibuf = &iev->ibuf;
662 struct gotd_client *client = iev->handler_arg;
663 const struct got_error *err = NULL;
667 if (events & EV_WRITE) {
668 while (ibuf->w.queued) {
669 n = msgbuf_write(&ibuf->w);
670 if (n == -1 && errno == EPIPE) {
672 * The client has closed its socket.
673 * This can happen when Git clients are
674 * done sending pack file data.
676 msgbuf_clear(&ibuf->w);
678 } else if (n == -1 && errno != EAGAIN) {
679 err = got_error_from_errno("imsg_flush");
680 disconnect_on_error(client, err);
684 /* Connection closed. */
685 err = got_error(GOT_ERR_EOF);
686 disconnect_on_error(client, err);
691 /* Disconnect gotctl(8) now that messages have been sent. */
692 if (!client_is_reading(client) && !client_is_writing(client)) {
698 if ((events & EV_READ) == 0)
701 memset(&imsg, 0, sizeof(imsg));
703 while (err == NULL) {
704 err = gotd_imsg_recv(&imsg, ibuf, 0);
706 if (err->code == GOT_ERR_PRIVSEP_READ)
711 evtimer_del(&client->tmo);
713 switch (imsg.hdr.type) {
715 err = send_info(client);
718 err = stop_gotd(client);
720 case GOTD_IMSG_LIST_REFS:
721 err = start_client_authentication(client, &imsg);
724 log_debug("unexpected imsg %d", imsg.hdr.type);
725 err = got_error(GOT_ERR_PRIVSEP_MSG);
733 if (err->code != GOT_ERR_EOF ||
734 client->state != GOTD_STATE_EXPECT_PACKFILE)
735 disconnect_on_error(client, err);
737 gotd_imsg_event_add(&client->iev);
742 gotd_auth_timeout(int fd, short events, void *arg)
744 struct gotd_client *client = arg;
746 log_debug("disconnecting uid %d due to authentication timeout",
751 static const struct got_error *
752 recv_connect(uint32_t *client_id, struct imsg *imsg)
754 const struct got_error *err = NULL;
755 struct gotd_imsg_connect iconnect;
758 struct gotd_client *client = NULL;
762 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
763 if (datalen != sizeof(iconnect))
764 return got_error(GOT_ERR_PRIVSEP_LEN);
765 memcpy(&iconnect, imsg->data, sizeof(iconnect));
769 err = got_error(GOT_ERR_PRIVSEP_NO_FD);
773 if (find_client(iconnect.client_id)) {
774 err = got_error_msg(GOT_ERR_CLIENT_ID, "duplicate client ID");
778 client = calloc(1, sizeof(*client));
779 if (client == NULL) {
780 err = got_error_from_errno("calloc");
784 *client_id = iconnect.client_id;
786 client->state = GOTD_STATE_EXPECT_LIST_REFS;
787 client->id = iconnect.client_id;
790 client->delta_cache_fd = -1;
791 /* The auth process will verify UID/GID for us. */
792 client->euid = iconnect.euid;
793 client->egid = iconnect.egid;
795 imsg_init(&client->iev.ibuf, client->fd);
796 client->iev.handler = gotd_request;
797 client->iev.events = EV_READ;
798 client->iev.handler_arg = client;
800 event_set(&client->iev.ev, client->fd, EV_READ, gotd_request,
802 gotd_imsg_event_add(&client->iev);
804 evtimer_set(&client->tmo, gotd_auth_timeout, client);
807 log_debug("%s: new client uid %d connected on fd %d", __func__,
808 client->euid, client->fd);
811 struct gotd_child_proc *listen_proc = &gotd.listen_proc;
812 struct gotd_imsg_disconnect idisconnect;
814 idisconnect.client_id = client->id;
815 if (gotd_imsg_compose_event(&listen_proc->iev,
816 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
817 &idisconnect, sizeof(idisconnect)) == -1)
818 log_warn("imsg compose DISCONNECT");
827 static const char *gotd_proc_names[PROC_MAX] = {
837 kill_proc(struct gotd_child_proc *proc, int fatal)
840 log_warnx("sending SIGKILL to PID %d", proc->pid);
841 kill(proc->pid, SIGKILL);
843 kill(proc->pid, SIGTERM);
849 struct gotd_child_proc *proc;
852 log_debug("shutting down");
853 for (slot = 0; slot < nitems(gotd_clients); slot++) {
854 struct gotd_client *c, *tmp;
856 STAILQ_FOREACH_SAFE(c, &gotd_clients[slot], entry, tmp)
860 proc = &gotd.listen_proc;
861 msgbuf_clear(&proc->iev.ibuf.w);
862 close(proc->iev.ibuf.fd);
864 wait_for_child(proc->pid);
866 log_info("terminating");
871 gotd_sighdlr(int sig, short event, void *arg)
874 * Normal signal handler rules don't apply because libevent
880 log_info("%s: ignoring SIGHUP", __func__);
883 log_info("%s: ignoring SIGUSR1", __func__);
890 fatalx("unexpected signal");
894 static const struct got_error *
895 ensure_proc_is_reading(struct gotd_client *client,
896 struct gotd_child_proc *proc)
898 if (!client_is_reading(client)) {
900 return got_error_fmt(GOT_ERR_BAD_PACKET,
901 "PID %d handled a read-request for uid %d but this "
902 "user is not reading from a repository", proc->pid,
909 static const struct got_error *
910 ensure_proc_is_writing(struct gotd_client *client,
911 struct gotd_child_proc *proc)
913 if (!client_is_writing(client)) {
915 return got_error_fmt(GOT_ERR_BAD_PACKET,
916 "PID %d handled a write-request for uid %d but this "
917 "user is not writing to a repository", proc->pid,
925 verify_imsg_src(struct gotd_client *client, struct gotd_child_proc *proc,
928 const struct got_error *err;
929 struct gotd_child_proc *client_proc;
932 if (proc->type == PROC_REPO_READ || proc->type == PROC_REPO_WRITE) {
933 client_proc = get_client_repo_proc(client);
934 if (client_proc == NULL)
935 fatalx("no process found for uid %d", client->euid);
936 if (proc->pid != client_proc->pid) {
938 log_warnx("received message from PID %d for uid %d, "
939 "while PID %d is the process serving this user",
940 proc->pid, client->euid, client_proc->pid);
944 if (proc->type == PROC_SESSION) {
945 if (client->session == NULL) {
946 log_warnx("no session found for uid %d", client->euid);
949 if (proc->pid != client->session->pid) {
951 log_warnx("received message from PID %d for uid %d, "
952 "while PID %d is the process serving this user",
953 proc->pid, client->euid, client->session->pid);
958 switch (imsg->hdr.type) {
959 case GOTD_IMSG_ERROR:
962 case GOTD_IMSG_CONNECT:
963 if (proc->type != PROC_LISTEN) {
964 err = got_error_fmt(GOT_ERR_BAD_PACKET,
965 "new connection for uid %d from PID %d "
966 "which is not the listen process",
967 proc->pid, client->euid);
971 case GOTD_IMSG_ACCESS_GRANTED:
972 if (proc->type != PROC_AUTH) {
973 err = got_error_fmt(GOT_ERR_BAD_PACKET,
974 "authentication of uid %d from PID %d "
975 "which is not the auth process",
976 proc->pid, client->euid);
980 case GOTD_IMSG_CLIENT_SESSION_READY:
981 if (proc->type != PROC_SESSION) {
982 err = got_error_fmt(GOT_ERR_BAD_PACKET,
983 "unexpected \"ready\" signal from PID %d",
988 case GOTD_IMSG_REPO_CHILD_READY:
989 if (proc->type != PROC_REPO_READ &&
990 proc->type != PROC_REPO_WRITE) {
991 err = got_error_fmt(GOT_ERR_BAD_PACKET,
992 "unexpected \"ready\" signal from PID %d",
997 case GOTD_IMSG_PACKFILE_DONE:
998 err = ensure_proc_is_reading(client, proc);
1000 log_warnx("uid %d: %s", client->euid, err->msg);
1004 case GOTD_IMSG_PACKFILE_INSTALL:
1005 case GOTD_IMSG_REF_UPDATES_START:
1006 case GOTD_IMSG_REF_UPDATE:
1007 err = ensure_proc_is_writing(client, proc);
1009 log_warnx("uid %d: %s", client->euid, err->msg);
1014 log_debug("%s: unexpected imsg %d", __func__, imsg->hdr.type);
1021 static const struct got_error *
1022 connect_repo_child(struct gotd_client *client,
1023 struct gotd_child_proc *repo_proc)
1025 static const struct got_error *err;
1026 struct gotd_imsgev *session_iev = &client->session->iev;
1027 struct gotd_imsg_connect_repo_child ireq;
1030 if (client->state != GOTD_STATE_EXPECT_LIST_REFS)
1031 return got_error_msg(GOT_ERR_BAD_REQUEST,
1032 "unexpected repo child ready signal received");
1034 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1035 PF_UNSPEC, pipe) == -1)
1036 fatal("socketpair");
1038 memset(&ireq, 0, sizeof(ireq));
1039 ireq.client_id = client->id;
1040 ireq.proc_id = repo_proc->type;
1042 /* Pass repo child pipe to session child process. */
1043 if (gotd_imsg_compose_event(session_iev, GOTD_IMSG_CONNECT_REPO_CHILD,
1044 PROC_GOTD, pipe[0], &ireq, sizeof(ireq)) == -1) {
1045 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
1051 /* Pass session child pipe to repo child process. */
1052 if (gotd_imsg_compose_event(&repo_proc->iev,
1053 GOTD_IMSG_CONNECT_REPO_CHILD, PROC_GOTD, pipe[1], NULL, 0) == -1) {
1054 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
1063 gotd_dispatch_listener(int fd, short event, void *arg)
1065 struct gotd_imsgev *iev = arg;
1066 struct imsgbuf *ibuf = &iev->ibuf;
1067 struct gotd_child_proc *proc = &gotd.listen_proc;
1072 if (proc->iev.ibuf.fd != fd)
1073 fatalx("%s: unexpected fd %d", __func__, fd);
1075 if (event & EV_READ) {
1076 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1077 fatal("imsg_read error");
1079 /* Connection closed. */
1085 if (event & EV_WRITE) {
1086 n = msgbuf_write(&ibuf->w);
1087 if (n == -1 && errno != EAGAIN)
1088 fatal("msgbuf_write");
1090 /* Connection closed. */
1097 const struct got_error *err = NULL;
1098 struct gotd_client *client = NULL;
1099 uint32_t client_id = 0;
1100 int do_disconnect = 0;
1102 if ((n = imsg_get(ibuf, &imsg)) == -1)
1103 fatal("%s: imsg_get error", __func__);
1104 if (n == 0) /* No more messages. */
1107 switch (imsg.hdr.type) {
1108 case GOTD_IMSG_ERROR:
1110 err = gotd_imsg_recv_error(&client_id, &imsg);
1112 case GOTD_IMSG_CONNECT:
1113 err = recv_connect(&client_id, &imsg);
1116 log_debug("unexpected imsg %d", imsg.hdr.type);
1120 client = find_client(client_id);
1121 if (client == NULL) {
1122 log_warnx("%s: client not found", __func__);
1128 log_warnx("uid %d: %s", client->euid, err->msg);
1130 if (do_disconnect) {
1132 disconnect_on_error(client, err);
1141 gotd_imsg_event_add(iev);
1143 /* This pipe is dead. Remove its event handler */
1144 event_del(&iev->ev);
1145 event_loopexit(NULL);
1150 gotd_dispatch_auth_child(int fd, short event, void *arg)
1152 const struct got_error *err = NULL;
1153 struct gotd_imsgev *iev = arg;
1154 struct imsgbuf *ibuf = &iev->ibuf;
1155 struct gotd_client *client;
1156 struct gotd_repo *repo = NULL;
1160 uint32_t client_id = 0;
1161 int do_disconnect = 0;
1163 client = find_client_by_proc_fd(fd);
1165 fatalx("cannot find client for fd %d", fd);
1167 if (client->auth == NULL)
1168 fatalx("cannot find auth child process for fd %d", fd);
1170 if (event & EV_READ) {
1171 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1172 fatal("imsg_read error");
1174 /* Connection closed. */
1180 if (event & EV_WRITE) {
1181 n = msgbuf_write(&ibuf->w);
1182 if (n == -1 && errno != EAGAIN)
1183 fatal("msgbuf_write");
1185 /* Connection closed. */
1191 if (client->auth->iev.ibuf.fd != fd)
1192 fatalx("%s: unexpected fd %d", __func__, fd);
1194 if ((n = imsg_get(ibuf, &imsg)) == -1)
1195 fatal("%s: imsg_get error", __func__);
1196 if (n == 0) /* No more messages. */
1199 evtimer_del(&client->tmo);
1201 switch (imsg.hdr.type) {
1202 case GOTD_IMSG_ERROR:
1204 err = gotd_imsg_recv_error(&client_id, &imsg);
1206 case GOTD_IMSG_ACCESS_GRANTED:
1210 log_debug("unexpected imsg %d", imsg.hdr.type);
1214 if (!verify_imsg_src(client, client->auth, &imsg)) {
1216 log_debug("dropping imsg type %d from PID %d",
1217 imsg.hdr.type, client->auth->pid);
1221 if (do_disconnect) {
1223 disconnect_on_error(client, err);
1229 repo = find_repo_by_name(client->auth->repo_name);
1231 err = got_error(GOT_ERR_NOT_GIT_REPO);
1234 kill_auth_proc(client);
1236 log_info("authenticated uid %d for repository %s\n",
1237 client->euid, repo->name);
1239 err = start_session_child(client, repo, gotd.argv0,
1240 gotd.confpath, gotd.daemonize, gotd.verbosity);
1245 log_warnx("uid %d: %s", client->euid, err->msg);
1247 /* We might have killed the auth process by now. */
1248 if (client->auth != NULL) {
1250 gotd_imsg_event_add(iev);
1252 /* This pipe is dead. Remove its event handler */
1253 event_del(&iev->ev);
1258 static const struct got_error *
1259 connect_session(struct gotd_client *client)
1261 const struct got_error *err = NULL;
1262 struct gotd_imsg_connect iconnect;
1265 memset(&iconnect, 0, sizeof(iconnect));
1267 s = dup(client->fd);
1269 return got_error_from_errno("dup");
1271 iconnect.client_id = client->id;
1272 iconnect.euid = client->euid;
1273 iconnect.egid = client->egid;
1275 if (gotd_imsg_compose_event(&client->session->iev, GOTD_IMSG_CONNECT,
1276 PROC_GOTD, s, &iconnect, sizeof(iconnect)) == -1) {
1277 err = got_error_from_errno("imsg compose CONNECT");
1283 * We are no longer interested in messages from this client.
1284 * Further client requests will be handled by the session process.
1286 msgbuf_clear(&client->iev.ibuf.w);
1287 imsg_clear(&client->iev.ibuf);
1288 event_del(&client->iev.ev);
1289 client->fd = -1; /* will be closed via copy in client->iev.ibuf.fd */
1295 gotd_dispatch_client_session(int fd, short event, void *arg)
1297 struct gotd_imsgev *iev = arg;
1298 struct imsgbuf *ibuf = &iev->ibuf;
1299 struct gotd_child_proc *proc = NULL;
1300 struct gotd_client *client = NULL;
1305 client = find_client_by_proc_fd(fd);
1307 fatalx("cannot find client for fd %d", fd);
1309 if (event & EV_READ) {
1310 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1311 fatal("imsg_read error");
1313 /* Connection closed. */
1319 if (event & EV_WRITE) {
1320 n = msgbuf_write(&ibuf->w);
1321 if (n == -1 && errno != EAGAIN)
1322 fatal("msgbuf_write");
1324 /* Connection closed. */
1330 proc = client->session;
1332 fatalx("cannot find session child process for fd %d", fd);
1335 const struct got_error *err = NULL;
1336 uint32_t client_id = 0;
1337 int do_disconnect = 0, do_start_repo_child = 0;
1339 if ((n = imsg_get(ibuf, &imsg)) == -1)
1340 fatal("%s: imsg_get error", __func__);
1341 if (n == 0) /* No more messages. */
1344 switch (imsg.hdr.type) {
1345 case GOTD_IMSG_ERROR:
1347 err = gotd_imsg_recv_error(&client_id, &imsg);
1349 case GOTD_IMSG_CLIENT_SESSION_READY:
1350 if (client->state != GOTD_STATE_EXPECT_LIST_REFS) {
1351 err = got_error(GOT_ERR_PRIVSEP_MSG);
1354 do_start_repo_child = 1;
1356 case GOTD_IMSG_DISCONNECT:
1360 log_debug("unexpected imsg %d", imsg.hdr.type);
1364 if (!verify_imsg_src(client, proc, &imsg)) {
1365 log_debug("dropping imsg type %d from PID %d",
1366 imsg.hdr.type, proc->pid);
1371 log_warnx("uid %d: %s", client->euid, err->msg);
1373 if (do_start_repo_child) {
1374 struct gotd_repo *repo;
1376 repo = find_repo_by_name(client->session->repo_name);
1378 enum gotd_procid proc_type;
1380 if (client->required_auth & GOTD_AUTH_WRITE)
1381 proc_type = PROC_REPO_WRITE;
1383 proc_type = PROC_REPO_READ;
1385 err = start_repo_child(client, proc_type, repo,
1386 gotd.argv0, gotd.confpath, gotd.daemonize,
1389 err = got_error(GOT_ERR_NOT_GIT_REPO);
1392 log_warnx("uid %d: %s", client->euid, err->msg);
1397 if (do_disconnect) {
1399 disconnect_on_error(client, err);
1408 gotd_imsg_event_add(iev);
1410 /* This pipe is dead. Remove its event handler */
1411 event_del(&iev->ev);
1417 gotd_dispatch_repo_child(int fd, short event, void *arg)
1419 struct gotd_imsgev *iev = arg;
1420 struct imsgbuf *ibuf = &iev->ibuf;
1421 struct gotd_child_proc *proc = NULL;
1422 struct gotd_client *client;
1427 client = find_client_by_proc_fd(fd);
1429 fatalx("cannot find client for fd %d", fd);
1431 if (event & EV_READ) {
1432 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1433 fatal("imsg_read error");
1435 /* Connection closed. */
1441 if (event & EV_WRITE) {
1442 n = msgbuf_write(&ibuf->w);
1443 if (n == -1 && errno != EAGAIN)
1444 fatal("msgbuf_write");
1446 /* Connection closed. */
1452 proc = get_client_repo_proc(client);
1454 fatalx("cannot find child process for fd %d", fd);
1457 const struct got_error *err = NULL;
1458 uint32_t client_id = 0;
1459 int do_disconnect = 0;
1461 if ((n = imsg_get(ibuf, &imsg)) == -1)
1462 fatal("%s: imsg_get error", __func__);
1463 if (n == 0) /* No more messages. */
1466 switch (imsg.hdr.type) {
1467 case GOTD_IMSG_ERROR:
1469 err = gotd_imsg_recv_error(&client_id, &imsg);
1471 case GOTD_IMSG_REPO_CHILD_READY:
1472 err = connect_session(client);
1475 err = connect_repo_child(client, proc);
1478 log_debug("unexpected imsg %d", imsg.hdr.type);
1482 if (!verify_imsg_src(client, proc, &imsg)) {
1483 log_debug("dropping imsg type %d from PID %d",
1484 imsg.hdr.type, proc->pid);
1489 log_warnx("uid %d: %s", client->euid, err->msg);
1491 if (do_disconnect) {
1493 disconnect_on_error(client, err);
1502 gotd_imsg_event_add(iev);
1504 /* This pipe is dead. Remove its event handler */
1505 event_del(&iev->ev);
1511 start_child(enum gotd_procid proc_id, const char *repo_path,
1512 char *argv0, const char *confpath, int fd, int daemonize, int verbosity)
1518 switch (pid = fork()) {
1520 fatal("cannot fork");
1528 if (fd != GOTD_FILENO_MSG_PIPE) {
1529 if (dup2(fd, GOTD_FILENO_MSG_PIPE) == -1)
1530 fatal("cannot setup imsg fd");
1531 } else if (fcntl(fd, F_SETFD, 0) == -1)
1532 fatal("cannot setup imsg fd");
1534 argv[argc++] = argv0;
1537 argv[argc++] = (char *)"-L";
1540 argv[argc++] = (char *)"-A";
1543 argv[argc++] = (char *)"-S";
1545 case PROC_REPO_READ:
1546 argv[argc++] = (char *)"-R";
1548 case PROC_REPO_WRITE:
1549 argv[argc++] = (char *)"-W";
1552 fatalx("invalid process id %d", proc_id);
1555 argv[argc++] = (char *)"-f";
1556 argv[argc++] = (char *)confpath;
1559 argv[argc++] = (char *)"-P";
1560 argv[argc++] = (char *)repo_path;
1564 argv[argc++] = (char *)"-d";
1566 argv[argc++] = (char *)"-v";
1568 argv[argc++] = (char *)"-v";
1569 argv[argc++] = NULL;
1571 execvp(argv0, argv);
1576 start_listener(char *argv0, const char *confpath, int daemonize, int verbosity)
1578 struct gotd_child_proc *proc = &gotd.listen_proc;
1580 proc->type = PROC_LISTEN;
1582 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1583 PF_UNSPEC, proc->pipe) == -1)
1584 fatal("socketpair");
1586 proc->pid = start_child(proc->type, NULL, argv0, confpath,
1587 proc->pipe[1], daemonize, verbosity);
1588 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1589 proc->iev.handler = gotd_dispatch_listener;
1590 proc->iev.events = EV_READ;
1591 proc->iev.handler_arg = NULL;
1594 static const struct got_error *
1595 start_session_child(struct gotd_client *client, struct gotd_repo *repo,
1596 char *argv0, const char *confpath, int daemonize, int verbosity)
1598 struct gotd_child_proc *proc;
1600 proc = calloc(1, sizeof(*proc));
1602 return got_error_from_errno("calloc");
1604 proc->type = PROC_SESSION;
1605 if (strlcpy(proc->repo_name, repo->name,
1606 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1607 fatalx("repository name too long: %s", repo->name);
1608 log_debug("starting client uid %d session for repository %s",
1609 client->euid, repo->name);
1610 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1611 sizeof(proc->repo_path))
1612 fatalx("repository path too long: %s", repo->path);
1613 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1614 PF_UNSPEC, proc->pipe) == -1)
1615 fatal("socketpair");
1616 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1617 confpath, proc->pipe[1], daemonize, verbosity);
1618 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1619 log_debug("proc %s %s is on fd %d",
1620 gotd_proc_names[proc->type], proc->repo_path,
1622 proc->iev.handler = gotd_dispatch_client_session;
1623 proc->iev.events = EV_READ;
1624 proc->iev.handler_arg = NULL;
1625 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1626 gotd_dispatch_client_session, &proc->iev);
1627 gotd_imsg_event_add(&proc->iev);
1629 client->session = proc;
1633 static const struct got_error *
1634 start_repo_child(struct gotd_client *client, enum gotd_procid proc_type,
1635 struct gotd_repo *repo, char *argv0, const char *confpath,
1636 int daemonize, int verbosity)
1638 struct gotd_child_proc *proc;
1640 if (proc_type != PROC_REPO_READ && proc_type != PROC_REPO_WRITE)
1641 return got_error_msg(GOT_ERR_NOT_IMPL, "bad process type");
1643 proc = calloc(1, sizeof(*proc));
1645 return got_error_from_errno("calloc");
1647 proc->type = proc_type;
1648 if (strlcpy(proc->repo_name, repo->name,
1649 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1650 fatalx("repository name too long: %s", repo->name);
1651 log_debug("starting %s for repository %s",
1652 proc->type == PROC_REPO_READ ? "reader" : "writer", repo->name);
1653 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1654 sizeof(proc->repo_path))
1655 fatalx("repository path too long: %s", repo->path);
1656 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1657 PF_UNSPEC, proc->pipe) == -1)
1658 fatal("socketpair");
1659 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1660 confpath, proc->pipe[1], daemonize, verbosity);
1661 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1662 log_debug("proc %s %s is on fd %d",
1663 gotd_proc_names[proc->type], proc->repo_path,
1665 proc->iev.handler = gotd_dispatch_repo_child;
1666 proc->iev.events = EV_READ;
1667 proc->iev.handler_arg = NULL;
1668 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1669 gotd_dispatch_repo_child, &proc->iev);
1670 gotd_imsg_event_add(&proc->iev);
1672 if (proc->type == PROC_REPO_READ)
1673 client->repo_read = proc;
1675 client->repo_write = proc;
1680 static const struct got_error *
1681 start_auth_child(struct gotd_client *client, int required_auth,
1682 struct gotd_repo *repo, char *argv0, const char *confpath,
1683 int daemonize, int verbosity)
1685 const struct got_error *err = NULL;
1686 struct gotd_child_proc *proc;
1687 struct gotd_imsg_auth iauth;
1690 memset(&iauth, 0, sizeof(iauth));
1692 fd = dup(client->fd);
1694 return got_error_from_errno("dup");
1696 proc = calloc(1, sizeof(*proc));
1698 err = got_error_from_errno("calloc");
1703 proc->type = PROC_AUTH;
1704 if (strlcpy(proc->repo_name, repo->name,
1705 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1706 fatalx("repository name too long: %s", repo->name);
1707 log_debug("starting auth for uid %d repository %s",
1708 client->euid, repo->name);
1709 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1710 sizeof(proc->repo_path))
1711 fatalx("repository path too long: %s", repo->path);
1712 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1713 PF_UNSPEC, proc->pipe) == -1)
1714 fatal("socketpair");
1715 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1716 confpath, proc->pipe[1], daemonize, verbosity);
1717 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1718 log_debug("proc %s %s is on fd %d",
1719 gotd_proc_names[proc->type], proc->repo_path,
1721 proc->iev.handler = gotd_dispatch_auth_child;
1722 proc->iev.events = EV_READ;
1723 proc->iev.handler_arg = NULL;
1724 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1725 gotd_dispatch_auth_child, &proc->iev);
1726 gotd_imsg_event_add(&proc->iev);
1728 iauth.euid = client->euid;
1729 iauth.egid = client->egid;
1730 iauth.required_auth = required_auth;
1731 iauth.client_id = client->id;
1732 if (gotd_imsg_compose_event(&proc->iev, GOTD_IMSG_AUTHENTICATE,
1733 PROC_GOTD, fd, &iauth, sizeof(iauth)) == -1) {
1734 log_warn("imsg compose AUTHENTICATE");
1736 /* Let the auth_timeout handler tidy up. */
1739 client->auth = proc;
1740 client->required_auth = required_auth;
1745 apply_unveil_repo_readonly(const char *repo_path)
1747 if (unveil(repo_path, "r") == -1)
1748 fatal("unveil %s", repo_path);
1750 if (unveil(NULL, NULL) == -1)
1755 apply_unveil_repo_readwrite(const char *repo_path)
1757 if (unveil(repo_path, "rwc") == -1)
1758 fatal("unveil %s", repo_path);
1760 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1761 fatal("unveil %s", GOT_TMPDIR_STR);
1763 if (unveil(NULL, NULL) == -1)
1768 apply_unveil_none(void)
1770 if (unveil("/", "") == -1)
1773 if (unveil(NULL, NULL) == -1)
1778 apply_unveil_selfexec(void)
1780 if (unveil(gotd.argv0, "x") == -1)
1781 fatal("unveil %s", gotd.argv0);
1783 if (unveil(NULL, NULL) == -1)
1788 main(int argc, char **argv)
1790 const struct got_error *error = NULL;
1791 int ch, fd = -1, daemonize = 1, verbosity = 0, noaction = 0;
1792 const char *confpath = GOTD_CONF_PATH;
1793 char *argv0 = argv[0];
1795 struct passwd *pw = NULL;
1796 char *repo_path = NULL;
1797 enum gotd_procid proc_id = PROC_GOTD;
1798 struct event evsigint, evsigterm, evsighup, evsigusr1;
1799 int *pack_fds = NULL, *temp_fds = NULL;
1801 log_init(1, LOG_DAEMON); /* Log to stderr until daemonized. */
1803 while ((ch = getopt(argc, argv, "Adf:LnP:RSvW")) != -1) {
1806 proc_id = PROC_AUTH;
1815 proc_id = PROC_LISTEN;
1821 repo_path = realpath(optarg, NULL);
1822 if (repo_path == NULL)
1823 fatal("realpath '%s'", optarg);
1826 proc_id = PROC_REPO_READ;
1829 proc_id = PROC_SESSION;
1836 proc_id = PROC_REPO_WRITE;
1849 /* Require an absolute path in argv[0] for reliable re-exec. */
1850 if (!got_path_is_absolute(argv0))
1851 fatalx("bad path \"%s\": must be an absolute path", argv0);
1853 if (geteuid() && (proc_id == PROC_GOTD || proc_id == PROC_LISTEN))
1854 fatalx("need root privileges");
1856 log_init(daemonize ? 0 : 1, LOG_DAEMON);
1857 log_setverbose(verbosity);
1859 if (parse_config(confpath, proc_id, &gotd) != 0)
1863 gotd.daemonize = daemonize;
1864 gotd.verbosity = verbosity;
1865 gotd.confpath = confpath;
1867 if (proc_id == PROC_GOTD &&
1868 (gotd.nrepos == 0 || TAILQ_EMPTY(&gotd.repos)))
1869 fatalx("no repository defined in configuration file");
1871 pw = getpwnam(gotd.user_name);
1873 fatalx("user %s not found", gotd.user_name);
1875 if (pw->pw_uid == 0) {
1876 fatalx("cannot run %s as %s: the user running %s "
1877 "must not be the superuser",
1878 getprogname(), pw->pw_name, getprogname());
1881 if (proc_id == PROC_LISTEN &&
1882 !got_path_is_absolute(gotd.unix_socket_path))
1883 fatalx("bad unix socket path \"%s\": must be an absolute path",
1884 gotd.unix_socket_path);
1889 if (proc_id == PROC_GOTD) {
1890 gotd.pid = getpid();
1891 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1892 start_listener(argv0, confpath, daemonize, verbosity);
1893 arc4random_buf(&clients_hash_key, sizeof(clients_hash_key));
1894 if (daemonize && daemon(1, 0) == -1)
1896 } else if (proc_id == PROC_LISTEN) {
1897 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1899 log_info("socket: %s", gotd.unix_socket_path);
1900 log_info("user: %s", pw->pw_name);
1903 fd = unix_socket_listen(gotd.unix_socket_path, pw->pw_uid,
1906 fatal("cannot listen on unix socket %s",
1907 gotd.unix_socket_path);
1909 if (daemonize && daemon(0, 0) == -1)
1911 } else if (proc_id == PROC_AUTH) {
1912 snprintf(title, sizeof(title), "%s %s",
1913 gotd_proc_names[proc_id], repo_path);
1914 if (daemonize && daemon(0, 0) == -1)
1916 } else if (proc_id == PROC_REPO_READ || proc_id == PROC_REPO_WRITE ||
1917 proc_id == PROC_SESSION) {
1918 error = got_repo_pack_fds_open(&pack_fds);
1920 fatalx("cannot open pack tempfiles: %s", error->msg);
1921 error = got_repo_temp_fds_open(&temp_fds);
1923 fatalx("cannot open pack tempfiles: %s", error->msg);
1924 if (repo_path == NULL)
1925 fatalx("repository path not specified");
1926 snprintf(title, sizeof(title), "%s %s",
1927 gotd_proc_names[proc_id], repo_path);
1928 if (daemonize && daemon(0, 0) == -1)
1931 fatal("invalid process id %d", proc_id);
1933 setproctitle("%s", title);
1934 log_procinit(title);
1936 /* Drop root privileges. */
1937 if (setgid(pw->pw_gid) == -1)
1938 fatal("setgid %d failed", pw->pw_gid);
1939 if (setuid(pw->pw_uid) == -1)
1940 fatal("setuid %d failed", pw->pw_uid);
1947 /* "exec" promise will be limited to argv[0] via unveil(2). */
1948 if (pledge("stdio proc exec sendfd recvfd unveil", NULL) == -1)
1954 if (pledge("stdio sendfd unix unveil", NULL) == -1)
1958 * Ensure that AF_UNIX bind(2) cannot be used with any other
1959 * sockets by revoking all filesystem access via unveil(2).
1961 apply_unveil_none();
1963 listen_main(title, fd, gotd.connection_limits,
1964 gotd.nconnection_limits);
1969 if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
1973 * We need the "unix" pledge promise for getpeername(2) only.
1974 * Ensure that AF_UNIX bind(2) cannot be used by revoking all
1975 * filesystem access via unveil(2). Access to password database
1976 * files will still work since "getpw" bypasses unveil(2).
1978 apply_unveil_none();
1980 auth_main(title, &gotd.repos, repo_path);
1986 * The "recvfd" promise is only needed during setup and
1987 * will be removed in a later pledge(2) call.
1989 if (pledge("stdio rpath wpath cpath recvfd sendfd fattr flock "
1990 "unveil", NULL) == -1)
1993 apply_unveil_repo_readwrite(repo_path);
1994 session_main(title, repo_path, pack_fds, temp_fds,
1995 &gotd.request_timeout);
1998 case PROC_REPO_READ:
2000 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
2003 apply_unveil_repo_readonly(repo_path);
2004 repo_read_main(title, repo_path, pack_fds, temp_fds);
2007 case PROC_REPO_WRITE:
2009 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
2012 apply_unveil_repo_readonly(repo_path);
2013 repo_write_main(title, repo_path, pack_fds, temp_fds);
2017 fatal("invalid process id %d", proc_id);
2020 if (proc_id != PROC_GOTD)
2021 fatal("invalid process id %d", proc_id);
2023 apply_unveil_selfexec();
2025 signal_set(&evsigint, SIGINT, gotd_sighdlr, NULL);
2026 signal_set(&evsigterm, SIGTERM, gotd_sighdlr, NULL);
2027 signal_set(&evsighup, SIGHUP, gotd_sighdlr, NULL);
2028 signal_set(&evsigusr1, SIGUSR1, gotd_sighdlr, NULL);
2029 signal(SIGPIPE, SIG_IGN);
2031 signal_add(&evsigint, NULL);
2032 signal_add(&evsigterm, NULL);
2033 signal_add(&evsighup, NULL);
2034 signal_add(&evsigusr1, NULL);
2036 gotd_imsg_event_add(&gotd.listen_proc.iev);