2 * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 #include <sys/queue.h>
20 #include <sys/types.h>
22 #include <sys/socket.h>
44 #include "got_error.h"
45 #include "got_opentemp.h"
47 #include "got_repository.h"
48 #include "got_object.h"
49 #include "got_reference.h"
51 #include "got_lib_delta.h"
52 #include "got_lib_object.h"
53 #include "got_lib_object_cache.h"
54 #include "got_lib_hash.h"
55 #include "got_lib_gitproto.h"
56 #include "got_lib_pack.h"
57 #include "got_lib_repository.h"
64 #include "repo_read.h"
65 #include "repo_write.h"
68 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
71 enum gotd_client_state {
72 GOTD_CLIENT_STATE_NEW,
73 GOTD_CLIENT_STATE_ACCESS_GRANTED,
76 struct gotd_child_proc {
78 enum gotd_procid type;
79 char repo_name[NAME_MAX];
80 char repo_path[PATH_MAX];
82 struct gotd_imsgev iev;
85 TAILQ_ENTRY(gotd_child_proc) entry;
87 TAILQ_HEAD(gotd_procs, gotd_child_proc) procs;
90 STAILQ_ENTRY(gotd_client) entry;
91 enum gotd_client_state state;
94 struct gotd_imsgev iev;
98 struct gotd_child_proc *repo;
99 struct gotd_child_proc *auth;
100 struct gotd_child_proc *session;
103 STAILQ_HEAD(gotd_clients, gotd_client);
105 static struct gotd_clients gotd_clients[GOTD_CLIENT_TABLE_SIZE];
106 static SIPHASH_KEY clients_hash_key;
107 volatile int client_cnt;
108 static struct timeval auth_timeout = { 5, 0 };
109 static struct gotd gotd;
111 void gotd_sighdlr(int sig, short event, void *arg);
112 static void gotd_shutdown(void);
113 static const struct got_error *start_session_child(struct gotd_client *,
114 struct gotd_repo *, char *, const char *, int, int);
115 static const struct got_error *start_repo_child(struct gotd_client *,
116 enum gotd_procid, struct gotd_repo *, char *, const char *, int, int);
117 static const struct got_error *start_auth_child(struct gotd_client *, int,
118 struct gotd_repo *, char *, const char *, int, int);
119 static void kill_proc(struct gotd_child_proc *, int);
120 static void disconnect(struct gotd_client *);
125 fprintf(stderr, "usage: %s [-dnv] [-f config-file]\n", getprogname());
130 unix_socket_listen(const char *unix_socket_path, uid_t uid, gid_t gid)
132 struct sockaddr_un sun;
134 mode_t old_umask, mode;
136 fd = socket(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK| SOCK_CLOEXEC, 0);
142 sun.sun_family = AF_UNIX;
143 if (strlcpy(sun.sun_path, unix_socket_path,
144 sizeof(sun.sun_path)) >= sizeof(sun.sun_path)) {
145 log_warnx("%s: name too long", unix_socket_path);
150 if (unlink(unix_socket_path) == -1) {
151 if (errno != ENOENT) {
152 log_warn("unlink %s", unix_socket_path);
158 old_umask = umask(S_IXUSR|S_IXGRP|S_IWOTH|S_IROTH|S_IXOTH);
159 mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
161 if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) == -1) {
162 log_warn("bind: %s", unix_socket_path);
170 if (chmod(unix_socket_path, mode) == -1) {
171 log_warn("chmod %o %s", mode, unix_socket_path);
173 unlink(unix_socket_path);
177 if (chown(unix_socket_path, uid, gid) == -1) {
178 log_warn("chown %s uid=%d gid=%d", unix_socket_path, uid, gid);
180 unlink(unix_socket_path);
184 if (listen(fd, GOTD_UNIX_SOCKET_BACKLOG) == -1) {
187 unlink(unix_socket_path);
195 client_hash(uint32_t client_id)
197 return SipHash24(&clients_hash_key, &client_id, sizeof(client_id));
201 add_client(struct gotd_client *client)
203 uint64_t slot = client_hash(client->id) % nitems(gotd_clients);
204 STAILQ_INSERT_HEAD(&gotd_clients[slot], client, entry);
208 static struct gotd_client *
209 find_client(uint32_t client_id)
212 struct gotd_client *c;
214 slot = client_hash(client_id) % nitems(gotd_clients);
215 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
216 if (c->id == client_id)
223 static struct gotd_client *
224 find_client_by_proc_fd(int fd)
228 for (slot = 0; slot < nitems(gotd_clients); slot++) {
229 struct gotd_client *c;
231 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
232 if (c->repo && c->repo->iev.ibuf.fd == fd)
234 if (c->auth && c->auth->iev.ibuf.fd == fd)
236 if (c->session && c->session->iev.ibuf.fd == fd)
245 client_is_reading(struct gotd_client *client)
247 return (client->required_auth &
248 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) == GOTD_AUTH_READ;
252 client_is_writing(struct gotd_client *client)
254 return (client->required_auth &
255 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) ==
256 (GOTD_AUTH_READ | GOTD_AUTH_WRITE);
259 static const struct got_error *
260 ensure_client_is_not_writing(struct gotd_client *client)
262 if (client_is_writing(client)) {
263 return got_error_fmt(GOT_ERR_BAD_PACKET,
264 "uid %d made a read-request but is writing to "
265 "a repository", client->euid);
271 static const struct got_error *
272 ensure_client_is_not_reading(struct gotd_client *client)
274 if (client_is_reading(client)) {
275 return got_error_fmt(GOT_ERR_BAD_PACKET,
276 "uid %d made a write-request but is reading from "
277 "a repository", client->euid);
284 proc_done(struct gotd_child_proc *proc)
286 struct gotd_client *client;
288 TAILQ_REMOVE(&procs, proc, entry);
290 client = find_client_by_proc_fd(proc->iev.ibuf.fd);
291 if (client != NULL) {
292 if (proc == client->repo)
294 if (proc == client->auth)
296 if (proc == client->session)
297 client->session = NULL;
301 evtimer_del(&proc->tmo);
303 if (proc->iev.ibuf.fd != -1) {
304 event_del(&proc->iev.ev);
305 msgbuf_clear(&proc->iev.ibuf.w);
306 close(proc->iev.ibuf.fd);
313 kill_repo_proc(struct gotd_client *client)
315 if (client->repo == NULL)
318 kill_proc(client->repo, 0);
323 kill_auth_proc(struct gotd_client *client)
325 if (client->auth == NULL)
328 kill_proc(client->auth, 0);
333 kill_session_proc(struct gotd_client *client)
335 if (client->session == NULL)
338 kill_proc(client->session, 0);
339 client->session = NULL;
343 disconnect(struct gotd_client *client)
345 struct gotd_imsg_disconnect idisconnect;
346 struct gotd_child_proc *listen_proc = gotd.listen_proc;
349 log_debug("uid %d: disconnecting", client->euid);
351 kill_auth_proc(client);
352 kill_session_proc(client);
353 kill_repo_proc(client);
355 idisconnect.client_id = client->id;
356 if (gotd_imsg_compose_event(&listen_proc->iev,
357 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
358 &idisconnect, sizeof(idisconnect)) == -1)
359 log_warn("imsg compose DISCONNECT");
361 slot = client_hash(client->id) % nitems(gotd_clients);
362 STAILQ_REMOVE(&gotd_clients[slot], client, gotd_client, entry);
363 imsg_clear(&client->iev.ibuf);
364 event_del(&client->iev.ev);
365 evtimer_del(&client->tmo);
366 if (client->fd != -1)
368 else if (client->iev.ibuf.fd != -1)
369 close(client->iev.ibuf.fd);
375 disconnect_on_error(struct gotd_client *client, const struct got_error *err)
379 if (err->code != GOT_ERR_EOF) {
380 log_warnx("uid %d: %s", client->euid, err->msg);
381 if (client->fd != -1) {
382 imsg_init(&ibuf, client->fd);
383 gotd_imsg_send_error(&ibuf, 0, PROC_GOTD, err);
390 static const struct got_error *
391 send_repo_info(struct gotd_imsgev *iev, struct gotd_repo *repo)
393 const struct got_error *err = NULL;
394 struct gotd_imsg_info_repo irepo;
396 memset(&irepo, 0, sizeof(irepo));
398 if (strlcpy(irepo.repo_name, repo->name, sizeof(irepo.repo_name))
399 >= sizeof(irepo.repo_name))
400 return got_error_msg(GOT_ERR_NO_SPACE, "repo name too long");
401 if (strlcpy(irepo.repo_path, repo->path, sizeof(irepo.repo_path))
402 >= sizeof(irepo.repo_path))
403 return got_error_msg(GOT_ERR_NO_SPACE, "repo path too long");
405 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_REPO, PROC_GOTD, -1,
406 &irepo, sizeof(irepo)) == -1) {
407 err = got_error_from_errno("imsg compose INFO_REPO");
415 static const struct got_error *
416 send_client_info(struct gotd_imsgev *iev, struct gotd_client *client)
418 const struct got_error *err = NULL;
419 struct gotd_imsg_info_client iclient;
420 struct gotd_child_proc *proc;
422 memset(&iclient, 0, sizeof(iclient));
423 iclient.euid = client->euid;
424 iclient.egid = client->egid;
428 if (strlcpy(iclient.repo_name, proc->repo_path,
429 sizeof(iclient.repo_name)) >= sizeof(iclient.repo_name)) {
430 return got_error_msg(GOT_ERR_NO_SPACE,
431 "repo name too long");
433 if (client_is_writing(client))
434 iclient.is_writing = 1;
436 iclient.repo_child_pid = proc->pid;
440 iclient.session_child_pid = client->session->pid;
442 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_CLIENT, PROC_GOTD, -1,
443 &iclient, sizeof(iclient)) == -1) {
444 err = got_error_from_errno("imsg compose INFO_CLIENT");
452 static const struct got_error *
453 send_info(struct gotd_client *client)
455 const struct got_error *err = NULL;
456 struct gotd_imsg_info info;
458 struct gotd_repo *repo;
460 if (client->euid != 0)
461 return got_error_set_errno(EPERM, "info");
464 info.verbosity = gotd.verbosity;
465 info.nrepos = gotd.nrepos;
466 info.nclients = client_cnt - 1;
468 if (gotd_imsg_compose_event(&client->iev, GOTD_IMSG_INFO, PROC_GOTD, -1,
469 &info, sizeof(info)) == -1) {
470 err = got_error_from_errno("imsg compose INFO");
475 TAILQ_FOREACH(repo, &gotd.repos, entry) {
476 err = send_repo_info(&client->iev, repo);
481 for (slot = 0; slot < nitems(gotd_clients); slot++) {
482 struct gotd_client *c;
483 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
484 if (c->id == client->id)
486 err = send_client_info(&client->iev, c);
495 static const struct got_error *
496 stop_gotd(struct gotd_client *client)
499 if (client->euid != 0)
500 return got_error_set_errno(EPERM, "stop");
507 static const struct got_error *
508 start_client_authentication(struct gotd_client *client, struct imsg *imsg)
510 const struct got_error *err;
511 struct gotd_imsg_list_refs ireq;
512 struct gotd_repo *repo = NULL;
515 log_debug("list-refs request from uid %d", client->euid);
517 if (client->state != GOTD_CLIENT_STATE_NEW)
518 return got_error_msg(GOT_ERR_BAD_REQUEST,
519 "unexpected list-refs request received");
521 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
522 if (datalen != sizeof(ireq))
523 return got_error(GOT_ERR_PRIVSEP_LEN);
525 memcpy(&ireq, imsg->data, datalen);
527 if (ireq.client_is_reading) {
528 err = ensure_client_is_not_writing(client);
531 repo = gotd_find_repo_by_name(ireq.repo_name, &gotd);
533 return got_error(GOT_ERR_NOT_GIT_REPO);
534 err = start_auth_child(client, GOTD_AUTH_READ, repo,
535 gotd.argv0, gotd.confpath, gotd.daemonize,
540 err = ensure_client_is_not_reading(client);
543 repo = gotd_find_repo_by_name(ireq.repo_name, &gotd);
545 return got_error(GOT_ERR_NOT_GIT_REPO);
546 err = start_auth_child(client,
547 GOTD_AUTH_READ | GOTD_AUTH_WRITE,
548 repo, gotd.argv0, gotd.confpath, gotd.daemonize,
554 evtimer_add(&client->tmo, &auth_timeout);
556 /* Flow continues upon authentication success/failure or timeout. */
561 gotd_request(int fd, short events, void *arg)
563 struct gotd_imsgev *iev = arg;
564 struct imsgbuf *ibuf = &iev->ibuf;
565 struct gotd_client *client = iev->handler_arg;
566 const struct got_error *err = NULL;
570 if (events & EV_WRITE) {
571 while (ibuf->w.queued) {
572 n = msgbuf_write(&ibuf->w);
573 if (n == -1 && errno == EPIPE) {
575 * The client has closed its socket.
576 * This can happen when Git clients are
577 * done sending pack file data.
579 msgbuf_clear(&ibuf->w);
581 } else if (n == -1 && errno != EAGAIN) {
582 err = got_error_from_errno("imsg_flush");
583 disconnect_on_error(client, err);
587 /* Connection closed. */
588 err = got_error(GOT_ERR_EOF);
589 disconnect_on_error(client, err);
594 /* Disconnect gotctl(8) now that messages have been sent. */
595 if (!client_is_reading(client) && !client_is_writing(client)) {
601 if ((events & EV_READ) == 0)
604 memset(&imsg, 0, sizeof(imsg));
606 while (err == NULL) {
607 err = gotd_imsg_recv(&imsg, ibuf, 0);
609 if (err->code == GOT_ERR_PRIVSEP_READ)
614 evtimer_del(&client->tmo);
616 switch (imsg.hdr.type) {
618 err = send_info(client);
621 err = stop_gotd(client);
623 case GOTD_IMSG_LIST_REFS:
624 err = start_client_authentication(client, &imsg);
627 log_debug("unexpected imsg %d", imsg.hdr.type);
628 err = got_error(GOT_ERR_PRIVSEP_MSG);
636 disconnect_on_error(client, err);
638 gotd_imsg_event_add(&client->iev);
643 gotd_auth_timeout(int fd, short events, void *arg)
645 struct gotd_client *client = arg;
647 log_debug("disconnecting uid %d due to authentication timeout",
652 static const struct got_error *
653 recv_connect(uint32_t *client_id, struct imsg *imsg)
655 const struct got_error *err = NULL;
656 struct gotd_imsg_connect iconnect;
659 struct gotd_client *client = NULL;
663 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
664 if (datalen != sizeof(iconnect))
665 return got_error(GOT_ERR_PRIVSEP_LEN);
666 memcpy(&iconnect, imsg->data, sizeof(iconnect));
670 err = got_error(GOT_ERR_PRIVSEP_NO_FD);
674 if (find_client(iconnect.client_id)) {
675 err = got_error_msg(GOT_ERR_CLIENT_ID, "duplicate client ID");
679 client = calloc(1, sizeof(*client));
680 if (client == NULL) {
681 err = got_error_from_errno("calloc");
685 *client_id = iconnect.client_id;
687 client->state = GOTD_CLIENT_STATE_NEW;
688 client->id = iconnect.client_id;
691 /* The auth process will verify UID/GID for us. */
692 client->euid = iconnect.euid;
693 client->egid = iconnect.egid;
695 imsg_init(&client->iev.ibuf, client->fd);
696 client->iev.handler = gotd_request;
697 client->iev.events = EV_READ;
698 client->iev.handler_arg = client;
700 event_set(&client->iev.ev, client->fd, EV_READ, gotd_request,
702 gotd_imsg_event_add(&client->iev);
704 evtimer_set(&client->tmo, gotd_auth_timeout, client);
707 log_debug("%s: new client uid %d connected on fd %d", __func__,
708 client->euid, client->fd);
711 struct gotd_child_proc *listen_proc = gotd.listen_proc;
712 struct gotd_imsg_disconnect idisconnect;
714 idisconnect.client_id = client->id;
715 if (gotd_imsg_compose_event(&listen_proc->iev,
716 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
717 &idisconnect, sizeof(idisconnect)) == -1)
718 log_warn("imsg compose DISCONNECT");
727 static const char *gotd_proc_names[PROC_MAX] = {
739 kill_proc(struct gotd_child_proc *proc, int fatal)
741 struct timeval tv = { 5, 0 };
743 log_debug("kill -%d %d", fatal ? SIGKILL : SIGTERM, proc->pid);
745 if (proc->iev.ibuf.fd != -1) {
746 event_del(&proc->iev.ev);
747 msgbuf_clear(&proc->iev.ibuf.w);
748 close(proc->iev.ibuf.fd);
749 proc->iev.ibuf.fd = -1;
752 if (!evtimer_pending(&proc->tmo, NULL) && !fatal)
753 evtimer_add(&proc->tmo, &tv);
756 log_warnx("sending SIGKILL to PID %d", proc->pid);
757 kill(proc->pid, SIGKILL);
759 kill(proc->pid, SIGTERM);
763 kill_proc_timeout(int fd, short ev, void *d)
765 struct gotd_child_proc *proc = d;
767 log_warnx("timeout waiting for PID %d to terminate;"
768 " retrying with force", proc->pid);
777 log_debug("shutting down");
778 for (slot = 0; slot < nitems(gotd_clients); slot++) {
779 struct gotd_client *c, *tmp;
781 STAILQ_FOREACH_SAFE(c, &gotd_clients[slot], entry, tmp)
785 kill_proc(gotd.listen_proc, 0);
787 log_info("terminating");
791 static struct gotd_child_proc *
792 find_proc_by_pid(pid_t pid)
794 struct gotd_child_proc *proc = NULL;
796 TAILQ_FOREACH(proc, &procs, entry)
797 if (proc->pid == pid)
804 gotd_sighdlr(int sig, short event, void *arg)
806 struct gotd_child_proc *proc;
811 * Normal signal handler rules don't apply because libevent
817 log_info("%s: ignoring SIGHUP", __func__);
820 log_info("%s: ignoring SIGUSR1", __func__);
828 pid = waitpid(WAIT_ANY, &status, WNOHANG);
839 log_debug("reaped pid %d", pid);
840 proc = find_proc_by_pid(pid);
842 log_info("caught exit of unknown child %d",
847 if (WIFSIGNALED(status)) {
848 log_warnx("child PID %d terminated with"
849 " signal %d", pid, WTERMSIG(status));
856 fatalx("unexpected signal");
860 static const struct got_error *
861 ensure_proc_is_reading(struct gotd_client *client,
862 struct gotd_child_proc *proc)
864 if (!client_is_reading(client)) {
866 return got_error_fmt(GOT_ERR_BAD_PACKET,
867 "PID %d handled a read-request for uid %d but this "
868 "user is not reading from a repository", proc->pid,
875 static const struct got_error *
876 ensure_proc_is_writing(struct gotd_client *client,
877 struct gotd_child_proc *proc)
879 if (!client_is_writing(client)) {
881 return got_error_fmt(GOT_ERR_BAD_PACKET,
882 "PID %d handled a write-request for uid %d but this "
883 "user is not writing to a repository", proc->pid,
891 verify_imsg_src(struct gotd_client *client, struct gotd_child_proc *proc,
894 const struct got_error *err;
897 if (proc->type == PROC_REPO_READ || proc->type == PROC_REPO_WRITE) {
898 if (client->repo == NULL)
899 fatalx("no process found for uid %d", client->euid);
900 if (proc->pid != client->repo->pid) {
902 log_warnx("received message from PID %d for uid %d, "
903 "while PID %d is the process serving this user",
904 proc->pid, client->euid, client->repo->pid);
908 if (proc->type == PROC_SESSION_READ ||
909 proc->type == PROC_SESSION_WRITE) {
910 if (client->session == NULL) {
911 log_warnx("no session found for uid %d", client->euid);
914 if (proc->pid != client->session->pid) {
916 log_warnx("received message from PID %d for uid %d, "
917 "while PID %d is the process serving this user",
918 proc->pid, client->euid, client->session->pid);
923 switch (imsg->hdr.type) {
924 case GOTD_IMSG_ERROR:
927 case GOTD_IMSG_CONNECT:
928 if (proc->type != PROC_LISTEN) {
929 err = got_error_fmt(GOT_ERR_BAD_PACKET,
930 "new connection for uid %d from PID %d "
931 "which is not the listen process",
932 proc->pid, client->euid);
936 case GOTD_IMSG_ACCESS_GRANTED:
937 if (proc->type != PROC_AUTH) {
938 err = got_error_fmt(GOT_ERR_BAD_PACKET,
939 "authentication of uid %d from PID %d "
940 "which is not the auth process",
941 proc->pid, client->euid);
945 case GOTD_IMSG_CLIENT_SESSION_READY:
946 if (proc->type != PROC_SESSION_READ &&
947 proc->type != PROC_SESSION_WRITE) {
948 err = got_error_fmt(GOT_ERR_BAD_PACKET,
949 "unexpected \"ready\" signal from PID %d",
954 case GOTD_IMSG_REPO_CHILD_READY:
955 if (proc->type != PROC_REPO_READ &&
956 proc->type != PROC_REPO_WRITE) {
957 err = got_error_fmt(GOT_ERR_BAD_PACKET,
958 "unexpected \"ready\" signal from PID %d",
963 case GOTD_IMSG_PACKFILE_DONE:
964 err = ensure_proc_is_reading(client, proc);
966 log_warnx("uid %d: %s", client->euid, err->msg);
970 case GOTD_IMSG_PACKFILE_INSTALL:
971 case GOTD_IMSG_REF_UPDATES_START:
972 case GOTD_IMSG_REF_UPDATE:
973 err = ensure_proc_is_writing(client, proc);
975 log_warnx("uid %d: %s", client->euid, err->msg);
980 log_debug("%s: unexpected imsg %d", __func__, imsg->hdr.type);
987 static const struct got_error *
988 connect_repo_child(struct gotd_client *client,
989 struct gotd_child_proc *repo_proc)
991 static const struct got_error *err;
992 struct gotd_imsgev *session_iev = &client->session->iev;
993 struct gotd_imsg_connect_repo_child ireq;
996 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED)
997 return got_error_msg(GOT_ERR_BAD_REQUEST,
998 "unexpected repo child ready signal received");
1000 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1001 PF_UNSPEC, pipe) == -1)
1002 fatal("socketpair");
1004 memset(&ireq, 0, sizeof(ireq));
1005 ireq.client_id = client->id;
1006 ireq.proc_id = repo_proc->type;
1008 /* Pass repo child pipe to session child process. */
1009 if (gotd_imsg_compose_event(session_iev, GOTD_IMSG_CONNECT_REPO_CHILD,
1010 PROC_GOTD, pipe[0], &ireq, sizeof(ireq)) == -1) {
1011 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
1017 /* Pass session child pipe to repo child process. */
1018 if (gotd_imsg_compose_event(&repo_proc->iev,
1019 GOTD_IMSG_CONNECT_REPO_CHILD, PROC_GOTD, pipe[1], NULL, 0) == -1) {
1020 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
1029 gotd_dispatch_listener(int fd, short event, void *arg)
1031 struct gotd_imsgev *iev = arg;
1032 struct imsgbuf *ibuf = &iev->ibuf;
1033 struct gotd_child_proc *proc = gotd.listen_proc;
1038 if (proc->iev.ibuf.fd != fd)
1039 fatalx("%s: unexpected fd %d", __func__, fd);
1041 if (event & EV_READ) {
1042 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1043 fatal("imsg_read error");
1045 /* Connection closed. */
1051 if (event & EV_WRITE) {
1052 n = msgbuf_write(&ibuf->w);
1053 if (n == -1 && errno != EAGAIN)
1054 fatal("msgbuf_write");
1056 /* Connection closed. */
1063 const struct got_error *err = NULL;
1064 struct gotd_client *client = NULL;
1065 uint32_t client_id = 0;
1066 int do_disconnect = 0;
1068 if ((n = imsg_get(ibuf, &imsg)) == -1)
1069 fatal("%s: imsg_get error", __func__);
1070 if (n == 0) /* No more messages. */
1073 switch (imsg.hdr.type) {
1074 case GOTD_IMSG_ERROR:
1076 err = gotd_imsg_recv_error(&client_id, &imsg);
1078 case GOTD_IMSG_CONNECT:
1079 err = recv_connect(&client_id, &imsg);
1082 log_debug("unexpected imsg %d", imsg.hdr.type);
1086 client = find_client(client_id);
1087 if (client == NULL) {
1088 log_warnx("%s: client not found", __func__);
1094 log_warnx("uid %d: %s", client->euid, err->msg);
1096 if (do_disconnect) {
1098 disconnect_on_error(client, err);
1107 gotd_imsg_event_add(iev);
1109 /* This pipe is dead. Remove its event handler */
1110 event_del(&iev->ev);
1111 event_loopexit(NULL);
1116 gotd_dispatch_auth_child(int fd, short event, void *arg)
1118 const struct got_error *err = NULL;
1119 struct gotd_imsgev *iev = arg;
1120 struct imsgbuf *ibuf = &iev->ibuf;
1121 struct gotd_client *client;
1122 struct gotd_repo *repo = NULL;
1126 uint32_t client_id = 0;
1127 int do_disconnect = 0;
1129 client = find_client_by_proc_fd(fd);
1130 if (client == NULL) {
1131 /* Can happen during process teardown. */
1132 warnx("cannot find client for fd %d", fd);
1137 if (client->auth == NULL)
1138 fatalx("cannot find auth child process for fd %d", fd);
1140 if (event & EV_READ) {
1141 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1142 fatal("imsg_read error");
1144 /* Connection closed. */
1150 if (event & EV_WRITE) {
1151 n = msgbuf_write(&ibuf->w);
1152 if (n == -1 && errno != EAGAIN)
1153 fatal("msgbuf_write");
1155 /* Connection closed. */
1161 if (client->auth->iev.ibuf.fd != fd)
1162 fatalx("%s: unexpected fd %d", __func__, fd);
1164 if ((n = imsg_get(ibuf, &imsg)) == -1)
1165 fatal("%s: imsg_get error", __func__);
1166 if (n == 0) /* No more messages. */
1169 evtimer_del(&client->tmo);
1171 switch (imsg.hdr.type) {
1172 case GOTD_IMSG_ERROR:
1174 err = gotd_imsg_recv_error(&client_id, &imsg);
1176 case GOTD_IMSG_ACCESS_GRANTED:
1177 client->state = GOTD_CLIENT_STATE_ACCESS_GRANTED;
1181 log_debug("unexpected imsg %d", imsg.hdr.type);
1185 if (!verify_imsg_src(client, client->auth, &imsg)) {
1187 log_debug("dropping imsg type %d from PID %d",
1188 imsg.hdr.type, client->auth->pid);
1192 if (do_disconnect) {
1194 disconnect_on_error(client, err);
1200 repo = gotd_find_repo_by_name(client->auth->repo_name, &gotd);
1202 err = got_error(GOT_ERR_NOT_GIT_REPO);
1205 kill_auth_proc(client);
1207 log_info("authenticated uid %d for repository %s",
1208 client->euid, repo->name);
1210 err = start_session_child(client, repo, gotd.argv0,
1211 gotd.confpath, gotd.daemonize, gotd.verbosity);
1216 log_warnx("uid %d: %s", client->euid, err->msg);
1218 /* We might have killed the auth process by now. */
1219 if (client->auth != NULL) {
1221 gotd_imsg_event_add(iev);
1223 /* This pipe is dead. Remove its event handler */
1224 event_del(&iev->ev);
1229 static const struct got_error *
1230 connect_session(struct gotd_client *client)
1232 const struct got_error *err = NULL;
1233 struct gotd_imsg_connect iconnect;
1236 memset(&iconnect, 0, sizeof(iconnect));
1238 s = dup(client->fd);
1240 return got_error_from_errno("dup");
1242 iconnect.client_id = client->id;
1243 iconnect.euid = client->euid;
1244 iconnect.egid = client->egid;
1246 if (gotd_imsg_compose_event(&client->session->iev, GOTD_IMSG_CONNECT,
1247 PROC_GOTD, s, &iconnect, sizeof(iconnect)) == -1) {
1248 err = got_error_from_errno("imsg compose CONNECT");
1254 * We are no longer interested in messages from this client.
1255 * Further client requests will be handled by the session process.
1257 msgbuf_clear(&client->iev.ibuf.w);
1258 imsg_clear(&client->iev.ibuf);
1259 event_del(&client->iev.ev);
1260 client->fd = -1; /* will be closed via copy in client->iev.ibuf.fd */
1266 gotd_dispatch_client_session(int fd, short event, void *arg)
1268 struct gotd_imsgev *iev = arg;
1269 struct imsgbuf *ibuf = &iev->ibuf;
1270 struct gotd_child_proc *proc = NULL;
1271 struct gotd_client *client = NULL;
1276 client = find_client_by_proc_fd(fd);
1277 if (client == NULL) {
1278 /* Can happen during process teardown. */
1279 warnx("cannot find client for fd %d", fd);
1284 if (event & EV_READ) {
1285 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1286 fatal("imsg_read error");
1288 /* Connection closed. */
1294 if (event & EV_WRITE) {
1295 n = msgbuf_write(&ibuf->w);
1296 if (n == -1 && errno != EAGAIN)
1297 fatal("msgbuf_write");
1299 /* Connection closed. */
1305 proc = client->session;
1307 fatalx("cannot find session child process for fd %d", fd);
1310 const struct got_error *err = NULL;
1311 uint32_t client_id = 0;
1312 int do_disconnect = 0, do_start_repo_child = 0;
1314 if ((n = imsg_get(ibuf, &imsg)) == -1)
1315 fatal("%s: imsg_get error", __func__);
1316 if (n == 0) /* No more messages. */
1319 switch (imsg.hdr.type) {
1320 case GOTD_IMSG_ERROR:
1322 err = gotd_imsg_recv_error(&client_id, &imsg);
1324 case GOTD_IMSG_CLIENT_SESSION_READY:
1325 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED) {
1326 err = got_error(GOT_ERR_PRIVSEP_MSG);
1329 do_start_repo_child = 1;
1331 case GOTD_IMSG_DISCONNECT:
1335 log_debug("unexpected imsg %d", imsg.hdr.type);
1339 if (!verify_imsg_src(client, proc, &imsg)) {
1340 log_debug("dropping imsg type %d from PID %d",
1341 imsg.hdr.type, proc->pid);
1346 log_warnx("uid %d: %s", client->euid, err->msg);
1348 if (do_start_repo_child) {
1349 struct gotd_repo *repo;
1350 const char *name = client->session->repo_name;
1352 repo = gotd_find_repo_by_name(name, &gotd);
1354 enum gotd_procid proc_type;
1356 if (client->required_auth & GOTD_AUTH_WRITE)
1357 proc_type = PROC_REPO_WRITE;
1359 proc_type = PROC_REPO_READ;
1361 err = start_repo_child(client, proc_type, repo,
1362 gotd.argv0, gotd.confpath, gotd.daemonize,
1365 err = got_error(GOT_ERR_NOT_GIT_REPO);
1368 log_warnx("uid %d: %s", client->euid, err->msg);
1373 if (do_disconnect) {
1375 disconnect_on_error(client, err);
1384 gotd_imsg_event_add(iev);
1386 /* This pipe is dead. Remove its event handler */
1387 event_del(&iev->ev);
1393 gotd_dispatch_repo_child(int fd, short event, void *arg)
1395 struct gotd_imsgev *iev = arg;
1396 struct imsgbuf *ibuf = &iev->ibuf;
1397 struct gotd_child_proc *proc = NULL;
1398 struct gotd_client *client;
1403 client = find_client_by_proc_fd(fd);
1404 if (client == NULL) {
1405 /* Can happen during process teardown. */
1406 warnx("cannot find client for fd %d", fd);
1411 if (event & EV_READ) {
1412 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1413 fatal("imsg_read error");
1415 /* Connection closed. */
1421 if (event & EV_WRITE) {
1422 n = msgbuf_write(&ibuf->w);
1423 if (n == -1 && errno != EAGAIN)
1424 fatal("msgbuf_write");
1426 /* Connection closed. */
1432 proc = client->repo;
1434 fatalx("cannot find child process for fd %d", fd);
1437 const struct got_error *err = NULL;
1438 uint32_t client_id = 0;
1439 int do_disconnect = 0;
1441 if ((n = imsg_get(ibuf, &imsg)) == -1)
1442 fatal("%s: imsg_get error", __func__);
1443 if (n == 0) /* No more messages. */
1446 switch (imsg.hdr.type) {
1447 case GOTD_IMSG_ERROR:
1449 err = gotd_imsg_recv_error(&client_id, &imsg);
1451 case GOTD_IMSG_REPO_CHILD_READY:
1452 err = connect_session(client);
1455 err = connect_repo_child(client, proc);
1458 log_debug("unexpected imsg %d", imsg.hdr.type);
1462 if (!verify_imsg_src(client, proc, &imsg)) {
1463 log_debug("dropping imsg type %d from PID %d",
1464 imsg.hdr.type, proc->pid);
1469 log_warnx("uid %d: %s", client->euid, err->msg);
1471 if (do_disconnect) {
1473 disconnect_on_error(client, err);
1482 gotd_imsg_event_add(iev);
1484 /* This pipe is dead. Remove its event handler */
1485 event_del(&iev->ev);
1491 start_child(enum gotd_procid proc_id, const char *repo_path,
1492 char *argv0, const char *confpath, int fd, int daemonize, int verbosity)
1498 switch (pid = fork()) {
1500 fatal("cannot fork");
1508 if (fd != GOTD_FILENO_MSG_PIPE) {
1509 if (dup2(fd, GOTD_FILENO_MSG_PIPE) == -1)
1510 fatal("cannot setup imsg fd");
1511 } else if (fcntl(fd, F_SETFD, 0) == -1)
1512 fatal("cannot setup imsg fd");
1514 argv[argc++] = argv0;
1517 argv[argc++] = (char *)"-L";
1520 argv[argc++] = (char *)"-A";
1522 case PROC_SESSION_READ:
1523 argv[argc++] = (char *)"-s";
1525 case PROC_SESSION_WRITE:
1526 argv[argc++] = (char *)"-S";
1528 case PROC_REPO_READ:
1529 argv[argc++] = (char *)"-R";
1531 case PROC_REPO_WRITE:
1532 argv[argc++] = (char *)"-W";
1535 fatalx("invalid process id %d", proc_id);
1538 argv[argc++] = (char *)"-f";
1539 argv[argc++] = (char *)confpath;
1542 argv[argc++] = (char *)"-P";
1543 argv[argc++] = (char *)repo_path;
1547 argv[argc++] = (char *)"-d";
1549 argv[argc++] = (char *)"-v";
1551 argv[argc++] = (char *)"-v";
1552 argv[argc++] = NULL;
1554 execvp(argv0, argv);
1559 start_listener(char *argv0, const char *confpath, int daemonize, int verbosity)
1561 struct gotd_child_proc *proc;
1563 proc = calloc(1, sizeof(*proc));
1567 TAILQ_INSERT_HEAD(&procs, proc, entry);
1569 /* proc->tmo is initialized in main() after event_init() */
1571 proc->type = PROC_LISTEN;
1573 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1574 PF_UNSPEC, proc->pipe) == -1)
1575 fatal("socketpair");
1577 proc->pid = start_child(proc->type, NULL, argv0, confpath,
1578 proc->pipe[1], daemonize, verbosity);
1579 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1580 proc->iev.handler = gotd_dispatch_listener;
1581 proc->iev.events = EV_READ;
1582 proc->iev.handler_arg = NULL;
1584 gotd.listen_proc = proc;
1587 static const struct got_error *
1588 start_session_child(struct gotd_client *client, struct gotd_repo *repo,
1589 char *argv0, const char *confpath, int daemonize, int verbosity)
1591 struct gotd_child_proc *proc;
1593 proc = calloc(1, sizeof(*proc));
1595 return got_error_from_errno("calloc");
1597 TAILQ_INSERT_HEAD(&procs, proc, entry);
1598 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1600 if (client_is_reading(client))
1601 proc->type = PROC_SESSION_READ;
1603 proc->type = PROC_SESSION_WRITE;
1604 if (strlcpy(proc->repo_name, repo->name,
1605 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1606 fatalx("repository name too long: %s", repo->name);
1607 log_debug("starting client uid %d session for repository %s",
1608 client->euid, repo->name);
1609 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1610 sizeof(proc->repo_path))
1611 fatalx("repository path too long: %s", repo->path);
1612 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1613 PF_UNSPEC, proc->pipe) == -1)
1614 fatal("socketpair");
1615 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1616 confpath, proc->pipe[1], daemonize, verbosity);
1617 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1618 log_debug("proc %s %s is on fd %d",
1619 gotd_proc_names[proc->type], proc->repo_path,
1621 proc->iev.handler = gotd_dispatch_client_session;
1622 proc->iev.events = EV_READ;
1623 proc->iev.handler_arg = NULL;
1624 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1625 gotd_dispatch_client_session, &proc->iev);
1626 gotd_imsg_event_add(&proc->iev);
1628 client->session = proc;
1632 static const struct got_error *
1633 start_repo_child(struct gotd_client *client, enum gotd_procid proc_type,
1634 struct gotd_repo *repo, char *argv0, const char *confpath,
1635 int daemonize, int verbosity)
1637 struct gotd_child_proc *proc;
1639 if (proc_type != PROC_REPO_READ && proc_type != PROC_REPO_WRITE)
1640 return got_error_msg(GOT_ERR_NOT_IMPL, "bad process type");
1642 proc = calloc(1, sizeof(*proc));
1644 return got_error_from_errno("calloc");
1646 TAILQ_INSERT_HEAD(&procs, proc, entry);
1647 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1649 proc->type = proc_type;
1650 if (strlcpy(proc->repo_name, repo->name,
1651 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1652 fatalx("repository name too long: %s", repo->name);
1653 log_debug("starting %s for repository %s",
1654 proc->type == PROC_REPO_READ ? "reader" : "writer", repo->name);
1655 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1656 sizeof(proc->repo_path))
1657 fatalx("repository path too long: %s", repo->path);
1658 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1659 PF_UNSPEC, proc->pipe) == -1)
1660 fatal("socketpair");
1661 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1662 confpath, proc->pipe[1], daemonize, verbosity);
1663 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1664 log_debug("proc %s %s is on fd %d",
1665 gotd_proc_names[proc->type], proc->repo_path,
1667 proc->iev.handler = gotd_dispatch_repo_child;
1668 proc->iev.events = EV_READ;
1669 proc->iev.handler_arg = NULL;
1670 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1671 gotd_dispatch_repo_child, &proc->iev);
1672 gotd_imsg_event_add(&proc->iev);
1674 client->repo = proc;
1678 static const struct got_error *
1679 start_auth_child(struct gotd_client *client, int required_auth,
1680 struct gotd_repo *repo, char *argv0, const char *confpath,
1681 int daemonize, int verbosity)
1683 const struct got_error *err = NULL;
1684 struct gotd_child_proc *proc;
1685 struct gotd_imsg_auth iauth;
1688 memset(&iauth, 0, sizeof(iauth));
1690 fd = dup(client->fd);
1692 return got_error_from_errno("dup");
1694 proc = calloc(1, sizeof(*proc));
1696 err = got_error_from_errno("calloc");
1701 TAILQ_INSERT_HEAD(&procs, proc, entry);
1702 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1704 proc->type = PROC_AUTH;
1705 if (strlcpy(proc->repo_name, repo->name,
1706 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1707 fatalx("repository name too long: %s", repo->name);
1708 log_debug("starting auth for uid %d repository %s",
1709 client->euid, repo->name);
1710 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1711 sizeof(proc->repo_path))
1712 fatalx("repository path too long: %s", repo->path);
1713 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1714 PF_UNSPEC, proc->pipe) == -1)
1715 fatal("socketpair");
1716 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1717 confpath, proc->pipe[1], daemonize, verbosity);
1718 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1719 log_debug("proc %s %s is on fd %d",
1720 gotd_proc_names[proc->type], proc->repo_path,
1722 proc->iev.handler = gotd_dispatch_auth_child;
1723 proc->iev.events = EV_READ;
1724 proc->iev.handler_arg = NULL;
1725 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1726 gotd_dispatch_auth_child, &proc->iev);
1727 gotd_imsg_event_add(&proc->iev);
1729 iauth.euid = client->euid;
1730 iauth.egid = client->egid;
1731 iauth.required_auth = required_auth;
1732 iauth.client_id = client->id;
1733 if (gotd_imsg_compose_event(&proc->iev, GOTD_IMSG_AUTHENTICATE,
1734 PROC_GOTD, fd, &iauth, sizeof(iauth)) == -1) {
1735 log_warn("imsg compose AUTHENTICATE");
1737 /* Let the auth_timeout handler tidy up. */
1740 client->auth = proc;
1741 client->required_auth = required_auth;
1746 apply_unveil_repo_readonly(const char *repo_path, int need_tmpdir)
1749 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1750 fatal("unveil %s", GOT_TMPDIR_STR);
1753 if (unveil(repo_path, "r") == -1)
1754 fatal("unveil %s", repo_path);
1756 if (unveil(NULL, NULL) == -1)
1761 apply_unveil_repo_readwrite(const char *repo_path)
1763 if (unveil(repo_path, "rwc") == -1)
1764 fatal("unveil %s", repo_path);
1766 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1767 fatal("unveil %s", GOT_TMPDIR_STR);
1769 if (unveil(NULL, NULL) == -1)
1774 apply_unveil_none(void)
1776 if (unveil("/", "") == -1)
1779 if (unveil(NULL, NULL) == -1)
1784 apply_unveil_selfexec(void)
1786 if (unveil(gotd.argv0, "x") == -1)
1787 fatal("unveil %s", gotd.argv0);
1789 if (unveil(NULL, NULL) == -1)
1794 main(int argc, char **argv)
1796 const struct got_error *error = NULL;
1797 int ch, fd = -1, daemonize = 1, verbosity = 0, noaction = 0;
1798 const char *confpath = GOTD_CONF_PATH;
1799 char *argv0 = argv[0];
1801 struct passwd *pw = NULL;
1802 char *repo_path = NULL;
1803 enum gotd_procid proc_id = PROC_GOTD;
1804 struct event evsigint, evsigterm, evsighup, evsigusr1, evsigchld;
1805 int *pack_fds = NULL, *temp_fds = NULL;
1806 struct gotd_repo *repo = NULL;
1810 log_init(1, LOG_DAEMON); /* Log to stderr until daemonized. */
1812 while ((ch = getopt(argc, argv, "Adf:LnP:RsSvW")) != -1) {
1815 proc_id = PROC_AUTH;
1824 proc_id = PROC_LISTEN;
1830 repo_path = realpath(optarg, NULL);
1831 if (repo_path == NULL)
1832 fatal("realpath '%s'", optarg);
1835 proc_id = PROC_REPO_READ;
1838 proc_id = PROC_SESSION_READ;
1841 proc_id = PROC_SESSION_WRITE;
1848 proc_id = PROC_REPO_WRITE;
1861 if (geteuid() && (proc_id == PROC_GOTD || proc_id == PROC_LISTEN))
1862 fatalx("need root privileges");
1864 if (parse_config(confpath, proc_id, &gotd) != 0)
1867 pw = getpwnam(gotd.user_name);
1869 fatalx("user %s not found", gotd.user_name);
1871 if (pw->pw_uid == 0)
1872 fatalx("cannot run %s as the superuser", getprogname());
1875 fprintf(stderr, "configuration OK\n");
1880 gotd.daemonize = daemonize;
1881 gotd.verbosity = verbosity;
1882 gotd.confpath = confpath;
1884 /* Require an absolute path in argv[0] for reliable re-exec. */
1885 if (!got_path_is_absolute(argv0))
1886 fatalx("bad path \"%s\": must be an absolute path", argv0);
1888 log_init(daemonize ? 0 : 1, LOG_DAEMON);
1889 log_setverbose(verbosity);
1891 if (proc_id == PROC_GOTD) {
1892 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1893 arc4random_buf(&clients_hash_key, sizeof(clients_hash_key));
1894 if (daemonize && daemon(1, 0) == -1)
1896 gotd.pid = getpid();
1897 start_listener(argv0, confpath, daemonize, verbosity);
1898 } else if (proc_id == PROC_LISTEN) {
1899 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1901 log_info("socket: %s", gotd.unix_socket_path);
1902 log_info("user: %s", pw->pw_name);
1905 fd = unix_socket_listen(gotd.unix_socket_path, pw->pw_uid,
1908 fatal("cannot listen on unix socket %s",
1909 gotd.unix_socket_path);
1911 } else if (proc_id == PROC_AUTH) {
1912 snprintf(title, sizeof(title), "%s %s",
1913 gotd_proc_names[proc_id], repo_path);
1914 } else if (proc_id == PROC_REPO_READ || proc_id == PROC_REPO_WRITE ||
1915 proc_id == PROC_SESSION_READ || proc_id == PROC_SESSION_WRITE) {
1916 error = got_repo_pack_fds_open(&pack_fds);
1918 fatalx("cannot open pack tempfiles: %s", error->msg);
1919 error = got_repo_temp_fds_open(&temp_fds);
1921 fatalx("cannot open pack tempfiles: %s", error->msg);
1922 if (repo_path == NULL)
1923 fatalx("repository path not specified");
1924 snprintf(title, sizeof(title), "%s %s",
1925 gotd_proc_names[proc_id], repo_path);
1927 fatal("invalid process id %d", proc_id);
1929 setproctitle("%s", title);
1930 log_procinit(title);
1932 /* Drop root privileges. */
1933 if (setgid(pw->pw_gid) == -1)
1934 fatal("setgid %d failed", pw->pw_gid);
1935 if (setuid(pw->pw_uid) == -1)
1936 fatal("setuid %d failed", pw->pw_uid);
1943 /* "exec" promise will be limited to argv[0] via unveil(2). */
1944 if (pledge("stdio proc exec sendfd recvfd unveil", NULL) == -1)
1950 if (pledge("stdio sendfd unix unveil", NULL) == -1)
1954 * Ensure that AF_UNIX bind(2) cannot be used with any other
1955 * sockets by revoking all filesystem access via unveil(2).
1957 apply_unveil_none();
1959 listen_main(title, fd, gotd.connection_limits,
1960 gotd.nconnection_limits);
1965 if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
1969 * We need the "unix" pledge promise for getpeername(2) only.
1970 * Ensure that AF_UNIX bind(2) cannot be used by revoking all
1971 * filesystem access via unveil(2). Access to password database
1972 * files will still work since "getpw" bypasses unveil(2).
1974 apply_unveil_none();
1976 auth_main(title, &gotd.repos, repo_path);
1979 case PROC_SESSION_READ:
1980 case PROC_SESSION_WRITE:
1983 * The "recvfd" promise is only needed during setup and
1984 * will be removed in a later pledge(2) call.
1986 if (pledge("stdio rpath wpath cpath recvfd sendfd fattr flock "
1987 "unveil", NULL) == -1)
1990 if (proc_id == PROC_SESSION_READ)
1991 apply_unveil_repo_readonly(repo_path, 1);
1993 apply_unveil_repo_readwrite(repo_path);
1994 session_main(title, repo_path, pack_fds, temp_fds,
1995 &gotd.request_timeout, proc_id);
1998 case PROC_REPO_READ:
2000 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
2003 apply_unveil_repo_readonly(repo_path, 0);
2004 repo_read_main(title, repo_path, pack_fds, temp_fds);
2007 case PROC_REPO_WRITE:
2009 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
2012 apply_unveil_repo_readonly(repo_path, 0);
2013 repo = gotd_find_repo_by_path(repo_path, &gotd);
2015 fatalx("no repository for path %s", repo_path);
2016 repo_write_main(title, repo_path, pack_fds, temp_fds,
2017 &repo->protected_tag_namespaces,
2018 &repo->protected_branch_namespaces,
2019 &repo->protected_branches);
2023 fatal("invalid process id %d", proc_id);
2026 if (proc_id != PROC_GOTD)
2027 fatal("invalid process id %d", proc_id);
2029 evtimer_set(&gotd.listen_proc->tmo, kill_proc_timeout,
2032 apply_unveil_selfexec();
2034 signal_set(&evsigint, SIGINT, gotd_sighdlr, NULL);
2035 signal_set(&evsigterm, SIGTERM, gotd_sighdlr, NULL);
2036 signal_set(&evsighup, SIGHUP, gotd_sighdlr, NULL);
2037 signal_set(&evsigusr1, SIGUSR1, gotd_sighdlr, NULL);
2038 signal_set(&evsigchld, SIGCHLD, gotd_sighdlr, NULL);
2039 signal(SIGPIPE, SIG_IGN);
2041 signal_add(&evsigint, NULL);
2042 signal_add(&evsigterm, NULL);
2043 signal_add(&evsighup, NULL);
2044 signal_add(&evsigusr1, NULL);
2045 signal_add(&evsigchld, NULL);
2047 gotd_imsg_event_add(&gotd.listen_proc->iev);