2 * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 #include "got_compat.h"
19 #include <sys/queue.h>
21 #include <sys/types.h>
23 #include <sys/socket.h>
26 #include <sys/resource.h>
43 #include "got_error.h"
44 #include "got_opentemp.h"
46 #include "got_repository.h"
47 #include "got_object.h"
48 #include "got_reference.h"
50 #include "got_lib_delta.h"
51 #include "got_lib_object.h"
52 #include "got_lib_object_cache.h"
53 #include "got_lib_hash.h"
54 #include "got_lib_gitproto.h"
55 #include "got_lib_pack.h"
56 #include "got_lib_repository.h"
63 #include "repo_read.h"
64 #include "repo_write.h"
67 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
70 enum gotd_client_state {
71 GOTD_CLIENT_STATE_NEW,
72 GOTD_CLIENT_STATE_ACCESS_GRANTED,
75 struct gotd_child_proc {
77 enum gotd_procid type;
78 char repo_name[NAME_MAX];
79 char repo_path[PATH_MAX];
81 struct gotd_imsgev iev;
84 TAILQ_ENTRY(gotd_child_proc) entry;
86 TAILQ_HEAD(gotd_procs, gotd_child_proc) procs;
89 STAILQ_ENTRY(gotd_client) entry;
90 enum gotd_client_state state;
93 struct gotd_imsgev iev;
97 struct gotd_child_proc *repo;
98 struct gotd_child_proc *auth;
99 struct gotd_child_proc *session;
102 STAILQ_HEAD(gotd_clients, gotd_client);
104 static struct gotd_clients gotd_clients[GOTD_CLIENT_TABLE_SIZE];
105 static SIPHASH_KEY clients_hash_key;
106 volatile int client_cnt;
107 static struct timeval auth_timeout = { 5, 0 };
108 static struct gotd gotd;
110 void gotd_sighdlr(int sig, short event, void *arg);
111 static void gotd_shutdown(void);
112 static const struct got_error *start_session_child(struct gotd_client *,
113 struct gotd_repo *, char *, const char *, int, int);
114 static const struct got_error *start_repo_child(struct gotd_client *,
115 enum gotd_procid, struct gotd_repo *, char *, const char *, int, int);
116 static const struct got_error *start_auth_child(struct gotd_client *, int,
117 struct gotd_repo *, char *, const char *, int, int);
118 static void kill_proc(struct gotd_child_proc *, int);
119 static void disconnect(struct gotd_client *);
120 static void drop_privs(struct passwd *);
125 fprintf(stderr, "usage: %s [-dnv] [-f config-file]\n", getprogname());
130 drop_privs(struct passwd *pw)
132 /* Drop root privileges. */
133 if (setgid(pw->pw_gid) == -1)
134 fatal("setgid %d failed", pw->pw_gid);
135 if (setuid(pw->pw_uid) == -1)
136 fatal("setuid %d failed", pw->pw_uid);
140 unix_socket_listen(const char *unix_socket_path, uid_t uid, gid_t gid)
142 struct sockaddr_un sun;
144 mode_t old_umask, mode;
145 int sock_flags = SOCK_STREAM | SOCK_NONBLOCK;
148 sock_flags |= SOCK_CLOEXEC;
151 fd = socket(AF_UNIX, sock_flags, 0);
157 sun.sun_family = AF_UNIX;
158 if (strlcpy(sun.sun_path, unix_socket_path,
159 sizeof(sun.sun_path)) >= sizeof(sun.sun_path)) {
160 log_warnx("%s: name too long", unix_socket_path);
165 if (unlink(unix_socket_path) == -1) {
166 if (errno != ENOENT) {
167 log_warn("unlink %s", unix_socket_path);
173 old_umask = umask(S_IXUSR|S_IXGRP|S_IWOTH|S_IROTH|S_IXOTH);
174 mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
176 if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) == -1) {
177 log_warn("bind: %s", unix_socket_path);
185 if (chmod(unix_socket_path, mode) == -1) {
186 log_warn("chmod %o %s", mode, unix_socket_path);
188 unlink(unix_socket_path);
192 if (chown(unix_socket_path, uid, gid) == -1) {
193 log_warn("chown %s uid=%d gid=%d", unix_socket_path, uid, gid);
195 unlink(unix_socket_path);
199 if (listen(fd, GOTD_UNIX_SOCKET_BACKLOG) == -1) {
202 unlink(unix_socket_path);
210 client_hash(uint32_t client_id)
212 return SipHash24(&clients_hash_key, &client_id, sizeof(client_id));
216 add_client(struct gotd_client *client)
218 uint64_t slot = client_hash(client->id) % nitems(gotd_clients);
219 STAILQ_INSERT_HEAD(&gotd_clients[slot], client, entry);
223 static struct gotd_client *
224 find_client(uint32_t client_id)
227 struct gotd_client *c;
229 slot = client_hash(client_id) % nitems(gotd_clients);
230 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
231 if (c->id == client_id)
238 static struct gotd_client *
239 find_client_by_proc_fd(int fd)
243 for (slot = 0; slot < nitems(gotd_clients); slot++) {
244 struct gotd_client *c;
246 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
247 if (c->repo && c->repo->iev.ibuf.fd == fd)
249 if (c->auth && c->auth->iev.ibuf.fd == fd)
251 if (c->session && c->session->iev.ibuf.fd == fd)
260 client_is_reading(struct gotd_client *client)
262 return (client->required_auth &
263 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) == GOTD_AUTH_READ;
267 client_is_writing(struct gotd_client *client)
269 return (client->required_auth &
270 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) ==
271 (GOTD_AUTH_READ | GOTD_AUTH_WRITE);
274 static const struct got_error *
275 ensure_client_is_not_writing(struct gotd_client *client)
277 if (client_is_writing(client)) {
278 return got_error_fmt(GOT_ERR_BAD_PACKET,
279 "uid %d made a read-request but is writing to "
280 "a repository", client->euid);
286 static const struct got_error *
287 ensure_client_is_not_reading(struct gotd_client *client)
289 if (client_is_reading(client)) {
290 return got_error_fmt(GOT_ERR_BAD_PACKET,
291 "uid %d made a write-request but is reading from "
292 "a repository", client->euid);
299 proc_done(struct gotd_child_proc *proc)
301 struct gotd_client *client;
303 TAILQ_REMOVE(&procs, proc, entry);
305 client = find_client_by_proc_fd(proc->iev.ibuf.fd);
306 if (client != NULL) {
307 if (proc == client->repo)
309 if (proc == client->auth)
311 if (proc == client->session)
312 client->session = NULL;
316 evtimer_del(&proc->tmo);
318 if (proc->iev.ibuf.fd != -1) {
319 event_del(&proc->iev.ev);
320 msgbuf_clear(&proc->iev.ibuf.w);
321 close(proc->iev.ibuf.fd);
328 kill_repo_proc(struct gotd_client *client)
330 if (client->repo == NULL)
333 kill_proc(client->repo, 0);
338 kill_auth_proc(struct gotd_client *client)
340 if (client->auth == NULL)
343 kill_proc(client->auth, 0);
348 kill_session_proc(struct gotd_client *client)
350 if (client->session == NULL)
353 kill_proc(client->session, 0);
354 client->session = NULL;
358 disconnect(struct gotd_client *client)
360 struct gotd_imsg_disconnect idisconnect;
361 struct gotd_child_proc *listen_proc = gotd.listen_proc;
364 log_debug("uid %d: disconnecting", client->euid);
366 kill_auth_proc(client);
367 kill_session_proc(client);
368 kill_repo_proc(client);
370 idisconnect.client_id = client->id;
371 if (gotd_imsg_compose_event(&listen_proc->iev,
372 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
373 &idisconnect, sizeof(idisconnect)) == -1)
374 log_warn("imsg compose DISCONNECT");
376 slot = client_hash(client->id) % nitems(gotd_clients);
377 STAILQ_REMOVE(&gotd_clients[slot], client, gotd_client, entry);
378 imsg_clear(&client->iev.ibuf);
379 event_del(&client->iev.ev);
380 evtimer_del(&client->tmo);
381 if (client->fd != -1)
383 else if (client->iev.ibuf.fd != -1)
384 close(client->iev.ibuf.fd);
390 disconnect_on_error(struct gotd_client *client, const struct got_error *err)
394 if (err->code != GOT_ERR_EOF) {
395 log_warnx("uid %d: %s", client->euid, err->msg);
396 if (client->fd != -1) {
397 imsg_init(&ibuf, client->fd);
398 gotd_imsg_send_error(&ibuf, 0, PROC_GOTD, err);
405 static const struct got_error *
406 send_repo_info(struct gotd_imsgev *iev, struct gotd_repo *repo)
408 const struct got_error *err = NULL;
409 struct gotd_imsg_info_repo irepo;
411 memset(&irepo, 0, sizeof(irepo));
413 if (strlcpy(irepo.repo_name, repo->name, sizeof(irepo.repo_name))
414 >= sizeof(irepo.repo_name))
415 return got_error_msg(GOT_ERR_NO_SPACE, "repo name too long");
416 if (strlcpy(irepo.repo_path, repo->path, sizeof(irepo.repo_path))
417 >= sizeof(irepo.repo_path))
418 return got_error_msg(GOT_ERR_NO_SPACE, "repo path too long");
420 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_REPO, PROC_GOTD, -1,
421 &irepo, sizeof(irepo)) == -1) {
422 err = got_error_from_errno("imsg compose INFO_REPO");
430 static const struct got_error *
431 send_client_info(struct gotd_imsgev *iev, struct gotd_client *client)
433 const struct got_error *err = NULL;
434 struct gotd_imsg_info_client iclient;
435 struct gotd_child_proc *proc;
437 memset(&iclient, 0, sizeof(iclient));
438 iclient.euid = client->euid;
439 iclient.egid = client->egid;
443 if (strlcpy(iclient.repo_name, proc->repo_path,
444 sizeof(iclient.repo_name)) >= sizeof(iclient.repo_name)) {
445 return got_error_msg(GOT_ERR_NO_SPACE,
446 "repo name too long");
448 if (client_is_writing(client))
449 iclient.is_writing = 1;
451 iclient.repo_child_pid = proc->pid;
455 iclient.session_child_pid = client->session->pid;
457 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_CLIENT, PROC_GOTD, -1,
458 &iclient, sizeof(iclient)) == -1) {
459 err = got_error_from_errno("imsg compose INFO_CLIENT");
467 static const struct got_error *
468 send_info(struct gotd_client *client)
470 const struct got_error *err = NULL;
471 struct gotd_imsg_info info;
473 struct gotd_repo *repo;
475 if (client->euid != 0)
476 return got_error_set_errno(EPERM, "info");
479 info.verbosity = gotd.verbosity;
480 info.nrepos = gotd.nrepos;
481 info.nclients = client_cnt - 1;
483 if (gotd_imsg_compose_event(&client->iev, GOTD_IMSG_INFO, PROC_GOTD, -1,
484 &info, sizeof(info)) == -1) {
485 err = got_error_from_errno("imsg compose INFO");
490 TAILQ_FOREACH(repo, &gotd.repos, entry) {
491 err = send_repo_info(&client->iev, repo);
496 for (slot = 0; slot < nitems(gotd_clients); slot++) {
497 struct gotd_client *c;
498 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
499 if (c->id == client->id)
501 err = send_client_info(&client->iev, c);
510 static const struct got_error *
511 stop_gotd(struct gotd_client *client)
514 if (client->euid != 0)
515 return got_error_set_errno(EPERM, "stop");
522 static const struct got_error *
523 start_client_authentication(struct gotd_client *client, struct imsg *imsg)
525 const struct got_error *err;
526 struct gotd_imsg_list_refs ireq;
527 struct gotd_repo *repo = NULL;
530 log_debug("list-refs request from uid %d", client->euid);
532 if (client->state != GOTD_CLIENT_STATE_NEW)
533 return got_error_msg(GOT_ERR_BAD_REQUEST,
534 "unexpected list-refs request received");
536 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
537 if (datalen != sizeof(ireq))
538 return got_error(GOT_ERR_PRIVSEP_LEN);
540 memcpy(&ireq, imsg->data, datalen);
542 if (ireq.client_is_reading) {
543 err = ensure_client_is_not_writing(client);
546 repo = gotd_find_repo_by_name(ireq.repo_name, &gotd);
548 return got_error(GOT_ERR_NOT_GIT_REPO);
549 err = start_auth_child(client, GOTD_AUTH_READ, repo,
550 gotd.argv0, gotd.confpath, gotd.daemonize,
555 err = ensure_client_is_not_reading(client);
558 repo = gotd_find_repo_by_name(ireq.repo_name, &gotd);
560 return got_error(GOT_ERR_NOT_GIT_REPO);
561 err = start_auth_child(client,
562 GOTD_AUTH_READ | GOTD_AUTH_WRITE,
563 repo, gotd.argv0, gotd.confpath, gotd.daemonize,
569 evtimer_add(&client->tmo, &auth_timeout);
571 /* Flow continues upon authentication success/failure or timeout. */
576 gotd_request(int fd, short events, void *arg)
578 struct gotd_imsgev *iev = arg;
579 struct imsgbuf *ibuf = &iev->ibuf;
580 struct gotd_client *client = iev->handler_arg;
581 const struct got_error *err = NULL;
585 if (events & EV_WRITE) {
586 while (ibuf->w.queued) {
587 n = msgbuf_write(&ibuf->w);
588 if (n == -1 && errno == EPIPE) {
590 * The client has closed its socket.
591 * This can happen when Git clients are
592 * done sending pack file data.
594 msgbuf_clear(&ibuf->w);
596 } else if (n == -1 && errno != EAGAIN) {
597 err = got_error_from_errno("imsg_flush");
598 disconnect_on_error(client, err);
602 /* Connection closed. */
603 err = got_error(GOT_ERR_EOF);
604 disconnect_on_error(client, err);
609 /* Disconnect gotctl(8) now that messages have been sent. */
610 if (!client_is_reading(client) && !client_is_writing(client)) {
616 if ((events & EV_READ) == 0)
619 memset(&imsg, 0, sizeof(imsg));
621 while (err == NULL) {
622 err = gotd_imsg_recv(&imsg, ibuf, 0);
624 if (err->code == GOT_ERR_PRIVSEP_READ)
629 evtimer_del(&client->tmo);
631 switch (imsg.hdr.type) {
633 err = send_info(client);
636 err = stop_gotd(client);
638 case GOTD_IMSG_LIST_REFS:
639 err = start_client_authentication(client, &imsg);
642 log_debug("unexpected imsg %d", imsg.hdr.type);
643 err = got_error(GOT_ERR_PRIVSEP_MSG);
651 disconnect_on_error(client, err);
653 gotd_imsg_event_add(&client->iev);
658 gotd_auth_timeout(int fd, short events, void *arg)
660 struct gotd_client *client = arg;
662 log_debug("disconnecting uid %d due to authentication timeout",
667 static const struct got_error *
668 recv_connect(uint32_t *client_id, struct imsg *imsg)
670 const struct got_error *err = NULL;
671 struct gotd_imsg_connect iconnect;
674 struct gotd_client *client = NULL;
678 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
679 if (datalen != sizeof(iconnect))
680 return got_error(GOT_ERR_PRIVSEP_LEN);
681 memcpy(&iconnect, imsg->data, sizeof(iconnect));
685 err = got_error(GOT_ERR_PRIVSEP_NO_FD);
689 if (find_client(iconnect.client_id)) {
690 err = got_error_msg(GOT_ERR_CLIENT_ID, "duplicate client ID");
694 client = calloc(1, sizeof(*client));
695 if (client == NULL) {
696 err = got_error_from_errno("calloc");
700 *client_id = iconnect.client_id;
702 client->state = GOTD_CLIENT_STATE_NEW;
703 client->id = iconnect.client_id;
706 /* The auth process will verify UID/GID for us. */
707 client->euid = iconnect.euid;
708 client->egid = iconnect.egid;
710 imsg_init(&client->iev.ibuf, client->fd);
711 client->iev.handler = gotd_request;
712 client->iev.events = EV_READ;
713 client->iev.handler_arg = client;
715 event_set(&client->iev.ev, client->fd, EV_READ, gotd_request,
717 gotd_imsg_event_add(&client->iev);
719 evtimer_set(&client->tmo, gotd_auth_timeout, client);
722 log_debug("%s: new client uid %d connected on fd %d", __func__,
723 client->euid, client->fd);
726 struct gotd_child_proc *listen_proc = gotd.listen_proc;
727 struct gotd_imsg_disconnect idisconnect;
729 idisconnect.client_id = client->id;
730 if (gotd_imsg_compose_event(&listen_proc->iev,
731 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
732 &idisconnect, sizeof(idisconnect)) == -1)
733 log_warn("imsg compose DISCONNECT");
742 static const char *gotd_proc_names[PROC_MAX] = {
754 kill_proc(struct gotd_child_proc *proc, int fatal)
756 struct timeval tv = { 5, 0 };
758 log_debug("kill -%d %d", fatal ? SIGKILL : SIGTERM, proc->pid);
760 if (proc->iev.ibuf.fd != -1) {
761 event_del(&proc->iev.ev);
762 msgbuf_clear(&proc->iev.ibuf.w);
763 close(proc->iev.ibuf.fd);
764 proc->iev.ibuf.fd = -1;
767 if (!evtimer_pending(&proc->tmo, NULL) && !fatal)
768 evtimer_add(&proc->tmo, &tv);
771 log_warnx("sending SIGKILL to PID %d", proc->pid);
772 kill(proc->pid, SIGKILL);
774 kill(proc->pid, SIGTERM);
778 kill_proc_timeout(int fd, short ev, void *d)
780 struct gotd_child_proc *proc = d;
782 log_warnx("timeout waiting for PID %d to terminate;"
783 " retrying with force", proc->pid);
792 log_debug("shutting down");
793 for (slot = 0; slot < nitems(gotd_clients); slot++) {
794 struct gotd_client *c, *tmp;
796 STAILQ_FOREACH_SAFE(c, &gotd_clients[slot], entry, tmp)
800 kill_proc(gotd.listen_proc, 0);
802 log_info("terminating");
806 static struct gotd_child_proc *
807 find_proc_by_pid(pid_t pid)
809 struct gotd_child_proc *proc = NULL;
811 TAILQ_FOREACH(proc, &procs, entry)
812 if (proc->pid == pid)
819 gotd_sighdlr(int sig, short event, void *arg)
821 struct gotd_child_proc *proc;
826 * Normal signal handler rules don't apply because libevent
832 log_info("%s: ignoring SIGHUP", __func__);
835 log_info("%s: ignoring SIGUSR1", __func__);
843 pid = waitpid(WAIT_ANY, &status, WNOHANG);
854 log_debug("reaped pid %d", pid);
855 proc = find_proc_by_pid(pid);
857 log_info("caught exit of unknown child %d",
862 if (WIFSIGNALED(status)) {
863 log_warnx("child PID %d terminated with"
864 " signal %d", pid, WTERMSIG(status));
871 fatalx("unexpected signal");
875 static const struct got_error *
876 ensure_proc_is_reading(struct gotd_client *client,
877 struct gotd_child_proc *proc)
879 if (!client_is_reading(client)) {
881 return got_error_fmt(GOT_ERR_BAD_PACKET,
882 "PID %d handled a read-request for uid %d but this "
883 "user is not reading from a repository", proc->pid,
890 static const struct got_error *
891 ensure_proc_is_writing(struct gotd_client *client,
892 struct gotd_child_proc *proc)
894 if (!client_is_writing(client)) {
896 return got_error_fmt(GOT_ERR_BAD_PACKET,
897 "PID %d handled a write-request for uid %d but this "
898 "user is not writing to a repository", proc->pid,
906 verify_imsg_src(struct gotd_client *client, struct gotd_child_proc *proc,
909 const struct got_error *err;
912 if (proc->type == PROC_REPO_READ || proc->type == PROC_REPO_WRITE) {
913 if (client->repo == NULL)
914 fatalx("no process found for uid %d", client->euid);
915 if (proc->pid != client->repo->pid) {
917 log_warnx("received message from PID %d for uid %d, "
918 "while PID %d is the process serving this user",
919 proc->pid, client->euid, client->repo->pid);
923 if (proc->type == PROC_SESSION_READ ||
924 proc->type == PROC_SESSION_WRITE) {
925 if (client->session == NULL) {
926 log_warnx("no session found for uid %d", client->euid);
929 if (proc->pid != client->session->pid) {
931 log_warnx("received message from PID %d for uid %d, "
932 "while PID %d is the process serving this user",
933 proc->pid, client->euid, client->session->pid);
938 switch (imsg->hdr.type) {
939 case GOTD_IMSG_ERROR:
942 case GOTD_IMSG_CONNECT:
943 if (proc->type != PROC_LISTEN) {
944 err = got_error_fmt(GOT_ERR_BAD_PACKET,
945 "new connection for uid %d from PID %d "
946 "which is not the listen process",
947 proc->pid, client->euid);
951 case GOTD_IMSG_ACCESS_GRANTED:
952 if (proc->type != PROC_AUTH) {
953 err = got_error_fmt(GOT_ERR_BAD_PACKET,
954 "authentication of uid %d from PID %d "
955 "which is not the auth process",
956 proc->pid, client->euid);
960 case GOTD_IMSG_CLIENT_SESSION_READY:
961 if (proc->type != PROC_SESSION_READ &&
962 proc->type != PROC_SESSION_WRITE) {
963 err = got_error_fmt(GOT_ERR_BAD_PACKET,
964 "unexpected \"ready\" signal from PID %d",
969 case GOTD_IMSG_REPO_CHILD_READY:
970 if (proc->type != PROC_REPO_READ &&
971 proc->type != PROC_REPO_WRITE) {
972 err = got_error_fmt(GOT_ERR_BAD_PACKET,
973 "unexpected \"ready\" signal from PID %d",
978 case GOTD_IMSG_PACKFILE_DONE:
979 err = ensure_proc_is_reading(client, proc);
981 log_warnx("uid %d: %s", client->euid, err->msg);
985 case GOTD_IMSG_PACKFILE_INSTALL:
986 case GOTD_IMSG_REF_UPDATES_START:
987 case GOTD_IMSG_REF_UPDATE:
988 err = ensure_proc_is_writing(client, proc);
990 log_warnx("uid %d: %s", client->euid, err->msg);
995 log_debug("%s: unexpected imsg %d", __func__, imsg->hdr.type);
1002 static const struct got_error *
1003 connect_repo_child(struct gotd_client *client,
1004 struct gotd_child_proc *repo_proc)
1006 static const struct got_error *err;
1007 struct gotd_imsgev *session_iev = &client->session->iev;
1008 struct gotd_imsg_connect_repo_child ireq;
1010 int sock_flags = SOCK_STREAM | SOCK_NONBLOCK;
1013 sock_flags |= SOCK_CLOEXEC;
1016 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED)
1017 return got_error_msg(GOT_ERR_BAD_REQUEST,
1018 "unexpected repo child ready signal received");
1020 if (socketpair(AF_UNIX, sock_flags, PF_UNSPEC, pipe) == -1)
1021 fatal("socketpair");
1023 memset(&ireq, 0, sizeof(ireq));
1024 ireq.client_id = client->id;
1025 ireq.proc_id = repo_proc->type;
1027 /* Pass repo child pipe to session child process. */
1028 if (gotd_imsg_compose_event(session_iev, GOTD_IMSG_CONNECT_REPO_CHILD,
1029 PROC_GOTD, pipe[0], &ireq, sizeof(ireq)) == -1) {
1030 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
1036 /* Pass session child pipe to repo child process. */
1037 if (gotd_imsg_compose_event(&repo_proc->iev,
1038 GOTD_IMSG_CONNECT_REPO_CHILD, PROC_GOTD, pipe[1], NULL, 0) == -1) {
1039 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
1048 gotd_dispatch_listener(int fd, short event, void *arg)
1050 struct gotd_imsgev *iev = arg;
1051 struct imsgbuf *ibuf = &iev->ibuf;
1052 struct gotd_child_proc *proc = gotd.listen_proc;
1057 if (proc->iev.ibuf.fd != fd)
1058 fatalx("%s: unexpected fd %d", __func__, fd);
1060 if (event & EV_READ) {
1061 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1062 fatal("imsg_read error");
1064 /* Connection closed. */
1070 if (event & EV_WRITE) {
1071 n = msgbuf_write(&ibuf->w);
1072 if (n == -1 && errno != EAGAIN)
1073 fatal("msgbuf_write");
1075 /* Connection closed. */
1082 const struct got_error *err = NULL;
1083 struct gotd_client *client = NULL;
1084 uint32_t client_id = 0;
1085 int do_disconnect = 0;
1087 if ((n = imsg_get(ibuf, &imsg)) == -1)
1088 fatal("%s: imsg_get error", __func__);
1089 if (n == 0) /* No more messages. */
1092 switch (imsg.hdr.type) {
1093 case GOTD_IMSG_ERROR:
1095 err = gotd_imsg_recv_error(&client_id, &imsg);
1097 case GOTD_IMSG_CONNECT:
1098 err = recv_connect(&client_id, &imsg);
1101 log_debug("unexpected imsg %d", imsg.hdr.type);
1105 client = find_client(client_id);
1106 if (client == NULL) {
1107 log_warnx("%s: client not found", __func__);
1113 log_warnx("uid %d: %s", client->euid, err->msg);
1115 if (do_disconnect) {
1117 disconnect_on_error(client, err);
1126 gotd_imsg_event_add(iev);
1128 /* This pipe is dead. Remove its event handler */
1129 event_del(&iev->ev);
1130 event_loopexit(NULL);
1135 gotd_dispatch_auth_child(int fd, short event, void *arg)
1137 const struct got_error *err = NULL;
1138 struct gotd_imsgev *iev = arg;
1139 struct imsgbuf *ibuf = &iev->ibuf;
1140 struct gotd_client *client;
1141 struct gotd_repo *repo = NULL;
1145 uint32_t client_id = 0;
1146 int do_disconnect = 0;
1148 client = find_client_by_proc_fd(fd);
1149 if (client == NULL) {
1150 /* Can happen during process teardown. */
1151 warnx("cannot find client for fd %d", fd);
1156 if (client->auth == NULL)
1157 fatalx("cannot find auth child process for fd %d", fd);
1159 if (event & EV_READ) {
1160 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1161 fatal("imsg_read error");
1163 /* Connection closed. */
1169 if (event & EV_WRITE) {
1170 n = msgbuf_write(&ibuf->w);
1171 if (n == -1 && errno != EAGAIN)
1172 fatal("msgbuf_write");
1174 /* Connection closed. */
1180 if (client->auth->iev.ibuf.fd != fd)
1181 fatalx("%s: unexpected fd %d", __func__, fd);
1183 if ((n = imsg_get(ibuf, &imsg)) == -1)
1184 fatal("%s: imsg_get error", __func__);
1185 if (n == 0) /* No more messages. */
1188 evtimer_del(&client->tmo);
1190 switch (imsg.hdr.type) {
1191 case GOTD_IMSG_ERROR:
1193 err = gotd_imsg_recv_error(&client_id, &imsg);
1195 case GOTD_IMSG_ACCESS_GRANTED:
1196 client->state = GOTD_CLIENT_STATE_ACCESS_GRANTED;
1200 log_debug("unexpected imsg %d", imsg.hdr.type);
1204 if (!verify_imsg_src(client, client->auth, &imsg)) {
1206 log_debug("dropping imsg type %d from PID %d",
1207 imsg.hdr.type, client->auth->pid);
1211 if (do_disconnect) {
1213 disconnect_on_error(client, err);
1219 repo = gotd_find_repo_by_name(client->auth->repo_name, &gotd);
1221 err = got_error(GOT_ERR_NOT_GIT_REPO);
1224 kill_auth_proc(client);
1226 log_info("authenticated uid %d for repository %s",
1227 client->euid, repo->name);
1229 err = start_session_child(client, repo, gotd.argv0,
1230 gotd.confpath, gotd.daemonize, gotd.verbosity);
1235 log_warnx("uid %d: %s", client->euid, err->msg);
1237 /* We might have killed the auth process by now. */
1238 if (client->auth != NULL) {
1240 gotd_imsg_event_add(iev);
1242 /* This pipe is dead. Remove its event handler */
1243 event_del(&iev->ev);
1248 static const struct got_error *
1249 connect_session(struct gotd_client *client)
1251 const struct got_error *err = NULL;
1252 struct gotd_imsg_connect iconnect;
1255 memset(&iconnect, 0, sizeof(iconnect));
1257 s = dup(client->fd);
1259 return got_error_from_errno("dup");
1261 iconnect.client_id = client->id;
1262 iconnect.euid = client->euid;
1263 iconnect.egid = client->egid;
1265 if (gotd_imsg_compose_event(&client->session->iev, GOTD_IMSG_CONNECT,
1266 PROC_GOTD, s, &iconnect, sizeof(iconnect)) == -1) {
1267 err = got_error_from_errno("imsg compose CONNECT");
1273 * We are no longer interested in messages from this client.
1274 * Further client requests will be handled by the session process.
1276 msgbuf_clear(&client->iev.ibuf.w);
1277 imsg_clear(&client->iev.ibuf);
1278 event_del(&client->iev.ev);
1279 client->fd = -1; /* will be closed via copy in client->iev.ibuf.fd */
1285 gotd_dispatch_client_session(int fd, short event, void *arg)
1287 struct gotd_imsgev *iev = arg;
1288 struct imsgbuf *ibuf = &iev->ibuf;
1289 struct gotd_child_proc *proc = NULL;
1290 struct gotd_client *client = NULL;
1295 client = find_client_by_proc_fd(fd);
1296 if (client == NULL) {
1297 /* Can happen during process teardown. */
1298 warnx("cannot find client for fd %d", fd);
1303 if (event & EV_READ) {
1304 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1305 fatal("imsg_read error");
1307 /* Connection closed. */
1313 if (event & EV_WRITE) {
1314 n = msgbuf_write(&ibuf->w);
1315 if (n == -1 && errno != EAGAIN)
1316 fatal("msgbuf_write");
1318 /* Connection closed. */
1324 proc = client->session;
1326 fatalx("cannot find session child process for fd %d", fd);
1329 const struct got_error *err = NULL;
1330 uint32_t client_id = 0;
1331 int do_disconnect = 0, do_start_repo_child = 0;
1333 if ((n = imsg_get(ibuf, &imsg)) == -1)
1334 fatal("%s: imsg_get error", __func__);
1335 if (n == 0) /* No more messages. */
1338 switch (imsg.hdr.type) {
1339 case GOTD_IMSG_ERROR:
1341 err = gotd_imsg_recv_error(&client_id, &imsg);
1343 case GOTD_IMSG_CLIENT_SESSION_READY:
1344 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED) {
1345 err = got_error(GOT_ERR_PRIVSEP_MSG);
1348 do_start_repo_child = 1;
1350 case GOTD_IMSG_DISCONNECT:
1354 log_debug("unexpected imsg %d", imsg.hdr.type);
1358 if (!verify_imsg_src(client, proc, &imsg)) {
1359 log_debug("dropping imsg type %d from PID %d",
1360 imsg.hdr.type, proc->pid);
1365 log_warnx("uid %d: %s", client->euid, err->msg);
1367 if (do_start_repo_child) {
1368 struct gotd_repo *repo;
1369 const char *name = client->session->repo_name;
1371 repo = gotd_find_repo_by_name(name, &gotd);
1373 enum gotd_procid proc_type;
1375 if (client->required_auth & GOTD_AUTH_WRITE)
1376 proc_type = PROC_REPO_WRITE;
1378 proc_type = PROC_REPO_READ;
1380 err = start_repo_child(client, proc_type, repo,
1381 gotd.argv0, gotd.confpath, gotd.daemonize,
1384 err = got_error(GOT_ERR_NOT_GIT_REPO);
1387 log_warnx("uid %d: %s", client->euid, err->msg);
1392 if (do_disconnect) {
1394 disconnect_on_error(client, err);
1403 gotd_imsg_event_add(iev);
1405 /* This pipe is dead. Remove its event handler */
1406 event_del(&iev->ev);
1412 gotd_dispatch_repo_child(int fd, short event, void *arg)
1414 struct gotd_imsgev *iev = arg;
1415 struct imsgbuf *ibuf = &iev->ibuf;
1416 struct gotd_child_proc *proc = NULL;
1417 struct gotd_client *client;
1422 client = find_client_by_proc_fd(fd);
1423 if (client == NULL) {
1424 /* Can happen during process teardown. */
1425 warnx("cannot find client for fd %d", fd);
1430 if (event & EV_READ) {
1431 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1432 fatal("imsg_read error");
1434 /* Connection closed. */
1440 if (event & EV_WRITE) {
1441 n = msgbuf_write(&ibuf->w);
1442 if (n == -1 && errno != EAGAIN)
1443 fatal("msgbuf_write");
1445 /* Connection closed. */
1451 proc = client->repo;
1453 fatalx("cannot find child process for fd %d", fd);
1456 const struct got_error *err = NULL;
1457 uint32_t client_id = 0;
1458 int do_disconnect = 0;
1460 if ((n = imsg_get(ibuf, &imsg)) == -1)
1461 fatal("%s: imsg_get error", __func__);
1462 if (n == 0) /* No more messages. */
1465 switch (imsg.hdr.type) {
1466 case GOTD_IMSG_ERROR:
1468 err = gotd_imsg_recv_error(&client_id, &imsg);
1470 case GOTD_IMSG_REPO_CHILD_READY:
1471 err = connect_session(client);
1474 err = connect_repo_child(client, proc);
1477 log_debug("unexpected imsg %d", imsg.hdr.type);
1481 if (!verify_imsg_src(client, proc, &imsg)) {
1482 log_debug("dropping imsg type %d from PID %d",
1483 imsg.hdr.type, proc->pid);
1488 log_warnx("uid %d: %s", client->euid, err->msg);
1490 if (do_disconnect) {
1492 disconnect_on_error(client, err);
1501 gotd_imsg_event_add(iev);
1503 /* This pipe is dead. Remove its event handler */
1504 event_del(&iev->ev);
1510 start_child(enum gotd_procid proc_id, const char *repo_path,
1511 char *argv0, const char *confpath, int fd, int daemonize, int verbosity)
1517 switch (pid = fork()) {
1519 fatal("cannot fork");
1527 if (fd != GOTD_FILENO_MSG_PIPE) {
1528 if (dup2(fd, GOTD_FILENO_MSG_PIPE) == -1)
1529 fatal("cannot setup imsg fd");
1530 } else if (fcntl(fd, F_SETFD, 0) == -1)
1531 fatal("cannot setup imsg fd");
1533 argv[argc++] = argv0;
1536 argv[argc++] = (char *)"-L";
1539 argv[argc++] = (char *)"-A";
1541 case PROC_SESSION_READ:
1542 argv[argc++] = (char *)"-s";
1544 case PROC_SESSION_WRITE:
1545 argv[argc++] = (char *)"-S";
1547 case PROC_REPO_READ:
1548 argv[argc++] = (char *)"-R";
1550 case PROC_REPO_WRITE:
1551 argv[argc++] = (char *)"-W";
1554 fatalx("invalid process id %d", proc_id);
1557 argv[argc++] = (char *)"-f";
1558 argv[argc++] = (char *)confpath;
1561 argv[argc++] = (char *)"-P";
1562 argv[argc++] = (char *)repo_path;
1566 argv[argc++] = (char *)"-d";
1568 argv[argc++] = (char *)"-v";
1570 argv[argc++] = (char *)"-v";
1571 argv[argc++] = NULL;
1573 execvp(argv0, argv);
1578 start_listener(char *argv0, const char *confpath, int daemonize, int verbosity)
1580 struct gotd_child_proc *proc;
1581 int sock_flags = SOCK_STREAM|SOCK_NONBLOCK;
1584 sock_flags |= SOCK_CLOEXEC;
1587 proc = calloc(1, sizeof(*proc));
1591 TAILQ_INSERT_HEAD(&procs, proc, entry);
1593 /* proc->tmo is initialized in main() after event_init() */
1595 proc->type = PROC_LISTEN;
1597 if (socketpair(AF_UNIX, sock_flags,
1598 PF_UNSPEC, proc->pipe) == -1)
1599 fatal("socketpair");
1601 proc->pid = start_child(proc->type, NULL, argv0, confpath,
1602 proc->pipe[1], daemonize, verbosity);
1603 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1604 proc->iev.handler = gotd_dispatch_listener;
1605 proc->iev.events = EV_READ;
1606 proc->iev.handler_arg = NULL;
1608 gotd.listen_proc = proc;
1611 static const struct got_error *
1612 start_session_child(struct gotd_client *client, struct gotd_repo *repo,
1613 char *argv0, const char *confpath, int daemonize, int verbosity)
1615 struct gotd_child_proc *proc;
1616 int sock_flags = SOCK_STREAM | SOCK_NONBLOCK;
1619 sock_flags |= SOCK_CLOEXEC;
1622 proc = calloc(1, sizeof(*proc));
1624 return got_error_from_errno("calloc");
1626 TAILQ_INSERT_HEAD(&procs, proc, entry);
1627 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1629 if (client_is_reading(client))
1630 proc->type = PROC_SESSION_READ;
1632 proc->type = PROC_SESSION_WRITE;
1633 if (strlcpy(proc->repo_name, repo->name,
1634 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1635 fatalx("repository name too long: %s", repo->name);
1636 log_debug("starting client uid %d session for repository %s",
1637 client->euid, repo->name);
1638 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1639 sizeof(proc->repo_path))
1640 fatalx("repository path too long: %s", repo->path);
1641 if (socketpair(AF_UNIX, sock_flags, PF_UNSPEC, proc->pipe) == -1)
1642 fatal("socketpair");
1643 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1644 confpath, proc->pipe[1], daemonize, verbosity);
1645 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1646 log_debug("proc %s %s is on fd %d",
1647 gotd_proc_names[proc->type], proc->repo_path,
1649 proc->iev.handler = gotd_dispatch_client_session;
1650 proc->iev.events = EV_READ;
1651 proc->iev.handler_arg = NULL;
1652 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1653 gotd_dispatch_client_session, &proc->iev);
1654 gotd_imsg_event_add(&proc->iev);
1656 client->session = proc;
1660 static const struct got_error *
1661 start_repo_child(struct gotd_client *client, enum gotd_procid proc_type,
1662 struct gotd_repo *repo, char *argv0, const char *confpath,
1663 int daemonize, int verbosity)
1665 struct gotd_child_proc *proc;
1666 int sock_flags = SOCK_STREAM|SOCK_NONBLOCK;
1669 sock_flags |= SOCK_CLOEXEC;
1672 if (proc_type != PROC_REPO_READ && proc_type != PROC_REPO_WRITE)
1673 return got_error_msg(GOT_ERR_NOT_IMPL, "bad process type");
1675 proc = calloc(1, sizeof(*proc));
1677 return got_error_from_errno("calloc");
1679 TAILQ_INSERT_HEAD(&procs, proc, entry);
1680 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1682 proc->type = proc_type;
1683 if (strlcpy(proc->repo_name, repo->name,
1684 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1685 fatalx("repository name too long: %s", repo->name);
1686 log_debug("starting %s for repository %s",
1687 proc->type == PROC_REPO_READ ? "reader" : "writer", repo->name);
1689 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1690 sizeof(proc->repo_path))
1691 fatalx("repository path too long: %s", repo->path);
1692 if (realpath(repo->path, proc->repo_path) == NULL)
1693 fatal("%s", repo->path);
1694 if (socketpair(AF_UNIX, sock_flags,
1695 PF_UNSPEC, proc->pipe) == -1)
1696 fatal("socketpair");
1697 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1698 confpath, proc->pipe[1], daemonize, verbosity);
1699 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1700 log_debug("proc %s %s is on fd %d",
1701 gotd_proc_names[proc->type], proc->repo_path,
1703 proc->iev.handler = gotd_dispatch_repo_child;
1704 proc->iev.events = EV_READ;
1705 proc->iev.handler_arg = NULL;
1706 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1707 gotd_dispatch_repo_child, &proc->iev);
1708 gotd_imsg_event_add(&proc->iev);
1710 client->repo = proc;
1714 static const struct got_error *
1715 start_auth_child(struct gotd_client *client, int required_auth,
1716 struct gotd_repo *repo, char *argv0, const char *confpath,
1717 int daemonize, int verbosity)
1719 const struct got_error *err = NULL;
1720 struct gotd_child_proc *proc;
1721 struct gotd_imsg_auth iauth;
1723 int sock_flags = SOCK_STREAM|SOCK_NONBLOCK;
1726 sock_flags |= SOCK_CLOEXEC;
1729 memset(&iauth, 0, sizeof(iauth));
1731 fd = dup(client->fd);
1733 return got_error_from_errno("dup");
1735 proc = calloc(1, sizeof(*proc));
1737 err = got_error_from_errno("calloc");
1742 TAILQ_INSERT_HEAD(&procs, proc, entry);
1743 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1745 proc->type = PROC_AUTH;
1746 if (strlcpy(proc->repo_name, repo->name,
1747 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1748 fatalx("repository name too long: %s", repo->name);
1749 log_debug("starting auth for uid %d repository %s",
1750 client->euid, repo->name);
1751 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1752 sizeof(proc->repo_path))
1753 fatalx("repository path too long: %s", repo->path);
1754 if (realpath(repo->path, proc->repo_path) == NULL)
1755 fatal("%s", repo->path);
1756 if (socketpair(AF_UNIX, sock_flags,
1757 PF_UNSPEC, proc->pipe) == -1)
1758 fatal("socketpair");
1759 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1760 confpath, proc->pipe[1], daemonize, verbosity);
1761 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1762 log_debug("proc %s %s is on fd %d",
1763 gotd_proc_names[proc->type], proc->repo_path,
1765 proc->iev.handler = gotd_dispatch_auth_child;
1766 proc->iev.events = EV_READ;
1767 proc->iev.handler_arg = NULL;
1768 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1769 gotd_dispatch_auth_child, &proc->iev);
1770 gotd_imsg_event_add(&proc->iev);
1772 iauth.euid = client->euid;
1773 iauth.egid = client->egid;
1774 iauth.required_auth = required_auth;
1775 iauth.client_id = client->id;
1776 if (gotd_imsg_compose_event(&proc->iev, GOTD_IMSG_AUTHENTICATE,
1777 PROC_GOTD, fd, &iauth, sizeof(iauth)) == -1) {
1778 log_warn("imsg compose AUTHENTICATE");
1780 /* Let the auth_timeout handler tidy up. */
1783 client->auth = proc;
1784 client->required_auth = required_auth;
1789 apply_unveil_repo_readonly(const char *repo_path, int need_tmpdir)
1792 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1793 fatal("unveil %s", GOT_TMPDIR_STR);
1796 if (unveil(repo_path, "r") == -1)
1797 fatal("unveil %s", repo_path);
1799 if (unveil(NULL, NULL) == -1)
1804 apply_unveil_repo_readwrite(const char *repo_path)
1806 if (unveil(repo_path, "rwc") == -1)
1807 fatal("unveil %s", repo_path);
1809 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1810 fatal("unveil %s", GOT_TMPDIR_STR);
1812 if (unveil(NULL, NULL) == -1)
1817 apply_unveil_none(void)
1819 if (unveil("/", "") == -1)
1822 if (unveil(NULL, NULL) == -1)
1827 apply_unveil_selfexec(void)
1829 if (unveil(gotd.argv0, "x") == -1)
1830 fatal("unveil %s", gotd.argv0);
1832 if (unveil(NULL, NULL) == -1)
1837 set_max_datasize(void)
1841 if (getrlimit(RLIMIT_DATA, &rl) != 0)
1844 rl.rlim_cur = rl.rlim_max;
1845 setrlimit(RLIMIT_DATA, &rl);
1849 main(int argc, char **argv)
1851 const struct got_error *error = NULL;
1852 int ch, fd = -1, daemonize = 1, verbosity = 0, noaction = 0;
1853 const char *confpath = GOTD_CONF_PATH;
1854 char *argv0 = argv[0];
1856 struct passwd *pw = NULL;
1857 char *repo_path = NULL;
1858 enum gotd_procid proc_id = PROC_GOTD;
1859 struct event evsigint, evsigterm, evsighup, evsigusr1, evsigchld;
1860 int *pack_fds = NULL, *temp_fds = NULL;
1861 struct gotd_repo *repo = NULL;
1865 log_init(1, LOG_DAEMON); /* Log to stderr until daemonized. */
1867 while ((ch = getopt(argc, argv, "Adf:LnP:RsSvW")) != -1) {
1870 proc_id = PROC_AUTH;
1879 proc_id = PROC_LISTEN;
1885 repo_path = realpath(optarg, NULL);
1886 if (repo_path == NULL)
1887 fatal("realpath '%s'", optarg);
1890 proc_id = PROC_REPO_READ;
1893 proc_id = PROC_SESSION_READ;
1896 proc_id = PROC_SESSION_WRITE;
1903 proc_id = PROC_REPO_WRITE;
1916 if (geteuid() && (proc_id == PROC_GOTD || proc_id == PROC_LISTEN))
1917 fatalx("need root privileges");
1919 if (parse_config(confpath, proc_id, &gotd) != 0)
1922 pw = getpwnam(gotd.user_name);
1924 fatalx("user %s not found", gotd.user_name);
1926 if (pw->pw_uid == 0)
1927 fatalx("cannot run %s as the superuser", getprogname());
1930 fprintf(stderr, "configuration OK\n");
1935 gotd.daemonize = daemonize;
1936 gotd.verbosity = verbosity;
1937 gotd.confpath = confpath;
1939 /* Require an absolute path in argv[0] for reliable re-exec. */
1940 if (!got_path_is_absolute(argv0))
1941 fatalx("bad path \"%s\": must be an absolute path", argv0);
1943 log_init(daemonize ? 0 : 1, LOG_DAEMON);
1944 log_setverbose(verbosity);
1946 if (proc_id == PROC_GOTD) {
1947 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1948 arc4random_buf(&clients_hash_key, sizeof(clients_hash_key));
1949 if (daemonize && daemon(1, 0) == -1)
1951 gotd.pid = getpid();
1952 start_listener(argv0, confpath, daemonize, verbosity);
1953 } else if (proc_id == PROC_LISTEN) {
1954 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1956 log_info("socket: %s", gotd.unix_socket_path);
1957 log_info("user: %s", pw->pw_name);
1960 fd = unix_socket_listen(gotd.unix_socket_path, pw->pw_uid,
1963 fatal("cannot listen on unix socket %s",
1964 gotd.unix_socket_path);
1966 } else if (proc_id == PROC_AUTH) {
1967 snprintf(title, sizeof(title), "%s %s",
1968 gotd_proc_names[proc_id], repo_path);
1969 } else if (proc_id == PROC_REPO_READ || proc_id == PROC_REPO_WRITE ||
1970 proc_id == PROC_SESSION_READ || proc_id == PROC_SESSION_WRITE) {
1971 error = got_repo_pack_fds_open(&pack_fds);
1973 fatalx("cannot open pack tempfiles: %s", error->msg);
1974 error = got_repo_temp_fds_open(&temp_fds);
1976 fatalx("cannot open pack tempfiles: %s", error->msg);
1977 if (repo_path == NULL)
1978 fatalx("repository path not specified");
1979 snprintf(title, sizeof(title), "%s %s",
1980 gotd_proc_names[proc_id], repo_path);
1982 fatal("invalid process id %d", proc_id);
1984 setproctitle("%s", title);
1985 log_procinit(title);
1987 if (proc_id != PROC_GOTD && proc_id != PROC_LISTEN &&
1988 proc_id != PROC_REPO_READ && proc_id != PROC_REPO_WRITE) {
1989 /* Drop root privileges. */
1990 if (setgid(pw->pw_gid) == -1)
1991 fatal("setgid %d failed", pw->pw_gid);
1992 if (setuid(pw->pw_uid) == -1)
1993 fatal("setuid %d failed", pw->pw_uid);
2001 /* "exec" promise will be limited to argv[0] via unveil(2). */
2002 if (pledge("stdio proc exec sendfd recvfd unveil", NULL) == -1)
2008 if (pledge("stdio sendfd unix unveil", NULL) == -1)
2012 * Ensure that AF_UNIX bind(2) cannot be used with any other
2013 * sockets by revoking all filesystem access via unveil(2).
2015 apply_unveil_none();
2017 enter_chroot(GOTD_EMPTY_PATH);
2020 listen_main(title, fd, gotd.connection_limits,
2021 gotd.nconnection_limits);
2026 if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
2030 * We need the "unix" pledge promise for getpeername(2) only.
2031 * Ensure that AF_UNIX bind(2) cannot be used by revoking all
2032 * filesystem access via unveil(2). Access to password database
2033 * files will still work since "getpw" bypasses unveil(2).
2035 apply_unveil_none();
2037 auth_main(title, &gotd.repos, repo_path);
2040 case PROC_SESSION_READ:
2041 case PROC_SESSION_WRITE:
2044 * The "recvfd" promise is only needed during setup and
2045 * will be removed in a later pledge(2) call.
2047 if (pledge("stdio rpath wpath cpath recvfd sendfd fattr flock "
2048 "unveil", NULL) == -1)
2051 if (proc_id == PROC_SESSION_READ)
2052 apply_unveil_repo_readonly(repo_path, 1);
2054 apply_unveil_repo_readwrite(repo_path);
2056 session_main(title, repo_path, pack_fds, temp_fds,
2057 &gotd.request_timeout, proc_id);
2060 case PROC_REPO_READ:
2063 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
2066 apply_unveil_repo_readonly(repo_path, 0);
2068 if (enter_chroot(repo_path)) {
2069 log_info("change repo path %s", repo_path);
2071 repo_path = strdup("/");
2072 if (repo_path == NULL)
2074 log_info("repo path is now %s", repo_path);
2078 repo_read_main(title, repo_path, pack_fds, temp_fds);
2081 case PROC_REPO_WRITE:
2084 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
2087 apply_unveil_repo_readonly(repo_path, 0);
2088 repo = gotd_find_repo_by_path(repo_path, &gotd);
2090 fatalx("no repository for path %s", repo_path);
2092 if (enter_chroot(repo_path)) {
2094 repo_path = strdup("/");
2095 if (repo_path == NULL)
2100 repo_write_main(title, repo_path, pack_fds, temp_fds,
2101 &repo->protected_tag_namespaces,
2102 &repo->protected_branch_namespaces,
2103 &repo->protected_branches);
2107 fatal("invalid process id %d", proc_id);
2110 if (proc_id != PROC_GOTD)
2111 fatal("invalid process id %d", proc_id);
2113 evtimer_set(&gotd.listen_proc->tmo, kill_proc_timeout,
2116 apply_unveil_selfexec();
2118 signal_set(&evsigint, SIGINT, gotd_sighdlr, NULL);
2119 signal_set(&evsigterm, SIGTERM, gotd_sighdlr, NULL);
2120 signal_set(&evsighup, SIGHUP, gotd_sighdlr, NULL);
2121 signal_set(&evsigusr1, SIGUSR1, gotd_sighdlr, NULL);
2122 signal_set(&evsigchld, SIGCHLD, gotd_sighdlr, NULL);
2123 signal(SIGPIPE, SIG_IGN);
2125 signal_add(&evsigint, NULL);
2126 signal_add(&evsigterm, NULL);
2127 signal_add(&evsighup, NULL);
2128 signal_add(&evsigusr1, NULL);
2129 signal_add(&evsigchld, NULL);
2131 gotd_imsg_event_add(&gotd.listen_proc->iev);