2 * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 #include "got_compat.h"
19 #include <sys/queue.h>
21 #include <sys/types.h>
23 #include <sys/socket.h>
26 #include <sys/resource.h>
43 #include "got_error.h"
44 #include "got_opentemp.h"
46 #include "got_repository.h"
47 #include "got_object.h"
48 #include "got_reference.h"
50 #include "got_lib_delta.h"
51 #include "got_lib_object.h"
52 #include "got_lib_object_cache.h"
53 #include "got_lib_hash.h"
54 #include "got_lib_gitproto.h"
55 #include "got_lib_pack.h"
56 #include "got_lib_repository.h"
63 #include "repo_read.h"
64 #include "repo_write.h"
67 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
70 enum gotd_client_state {
71 GOTD_CLIENT_STATE_NEW,
72 GOTD_CLIENT_STATE_ACCESS_GRANTED,
75 struct gotd_child_proc {
77 enum gotd_procid type;
78 char repo_name[NAME_MAX];
79 char repo_path[PATH_MAX];
81 struct gotd_imsgev iev;
84 TAILQ_ENTRY(gotd_child_proc) entry;
86 TAILQ_HEAD(gotd_procs, gotd_child_proc) procs;
89 STAILQ_ENTRY(gotd_client) entry;
90 enum gotd_client_state state;
93 struct gotd_imsgev iev;
98 struct gotd_child_proc *repo;
99 struct gotd_child_proc *auth;
100 struct gotd_child_proc *session;
103 STAILQ_HEAD(gotd_clients, gotd_client);
105 static struct gotd_clients gotd_clients[GOTD_CLIENT_TABLE_SIZE];
106 static SIPHASH_KEY clients_hash_key;
107 volatile int client_cnt;
108 static struct timeval auth_timeout = { 5, 0 };
109 static struct gotd gotd;
111 void gotd_sighdlr(int sig, short event, void *arg);
112 static void gotd_shutdown(void);
113 static const struct got_error *start_session_child(struct gotd_client *,
114 struct gotd_repo *, char *, const char *, int, int);
115 static const struct got_error *start_repo_child(struct gotd_client *,
116 enum gotd_procid, struct gotd_repo *, char *, const char *, int, int);
117 static const struct got_error *start_auth_child(struct gotd_client *, int,
118 struct gotd_repo *, char *, const char *, int, int);
119 static void kill_proc(struct gotd_child_proc *, int);
120 static void disconnect(struct gotd_client *);
121 static void drop_privs(struct passwd *);
126 fprintf(stderr, "usage: %s [-dnv] [-f config-file]\n", getprogname());
131 drop_privs(struct passwd *pw)
133 /* Drop root privileges. */
134 if (setgid(pw->pw_gid) == -1)
135 fatal("setgid %d failed", pw->pw_gid);
136 if (setuid(pw->pw_uid) == -1)
137 fatal("setuid %d failed", pw->pw_uid);
141 unix_socket_listen(const char *unix_socket_path, uid_t uid, gid_t gid)
143 struct sockaddr_un sun;
145 mode_t old_umask, mode;
146 int sock_flags = SOCK_STREAM | SOCK_NONBLOCK;
149 sock_flags |= SOCK_CLOEXEC;
152 fd = socket(AF_UNIX, sock_flags, 0);
158 sun.sun_family = AF_UNIX;
159 if (strlcpy(sun.sun_path, unix_socket_path,
160 sizeof(sun.sun_path)) >= sizeof(sun.sun_path)) {
161 log_warnx("%s: name too long", unix_socket_path);
166 if (unlink(unix_socket_path) == -1) {
167 if (errno != ENOENT) {
168 log_warn("unlink %s", unix_socket_path);
174 old_umask = umask(S_IXUSR|S_IXGRP|S_IWOTH|S_IROTH|S_IXOTH);
175 mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
177 if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) == -1) {
178 log_warn("bind: %s", unix_socket_path);
186 if (chmod(unix_socket_path, mode) == -1) {
187 log_warn("chmod %o %s", mode, unix_socket_path);
189 unlink(unix_socket_path);
193 if (chown(unix_socket_path, uid, gid) == -1) {
194 log_warn("chown %s uid=%d gid=%d", unix_socket_path, uid, gid);
196 unlink(unix_socket_path);
200 if (listen(fd, GOTD_UNIX_SOCKET_BACKLOG) == -1) {
203 unlink(unix_socket_path);
211 client_hash(uint32_t client_id)
213 return SipHash24(&clients_hash_key, &client_id, sizeof(client_id));
217 add_client(struct gotd_client *client)
219 uint64_t slot = client_hash(client->id) % nitems(gotd_clients);
220 STAILQ_INSERT_HEAD(&gotd_clients[slot], client, entry);
224 static struct gotd_client *
225 find_client(uint32_t client_id)
228 struct gotd_client *c;
230 slot = client_hash(client_id) % nitems(gotd_clients);
231 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
232 if (c->id == client_id)
239 static struct gotd_client *
240 find_client_by_proc_fd(int fd)
244 for (slot = 0; slot < nitems(gotd_clients); slot++) {
245 struct gotd_client *c;
247 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
248 if (c->repo && c->repo->iev.ibuf.fd == fd)
250 if (c->auth && c->auth->iev.ibuf.fd == fd)
252 if (c->session && c->session->iev.ibuf.fd == fd)
261 client_is_reading(struct gotd_client *client)
263 return (client->required_auth &
264 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) == GOTD_AUTH_READ;
268 client_is_writing(struct gotd_client *client)
270 return (client->required_auth &
271 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) ==
272 (GOTD_AUTH_READ | GOTD_AUTH_WRITE);
275 static const struct got_error *
276 ensure_client_is_not_writing(struct gotd_client *client)
278 if (client_is_writing(client)) {
279 return got_error_fmt(GOT_ERR_BAD_PACKET,
280 "uid %d made a read-request but is writing to "
281 "a repository", client->euid);
287 static const struct got_error *
288 ensure_client_is_not_reading(struct gotd_client *client)
290 if (client_is_reading(client)) {
291 return got_error_fmt(GOT_ERR_BAD_PACKET,
292 "uid %d made a write-request but is reading from "
293 "a repository", client->euid);
300 proc_done(struct gotd_child_proc *proc)
302 struct gotd_client *client;
304 TAILQ_REMOVE(&procs, proc, entry);
306 client = find_client_by_proc_fd(proc->iev.ibuf.fd);
307 if (client != NULL) {
308 if (proc == client->repo)
310 if (proc == client->auth)
312 if (proc == client->session)
313 client->session = NULL;
317 evtimer_del(&proc->tmo);
319 if (proc->iev.ibuf.fd != -1) {
320 event_del(&proc->iev.ev);
321 msgbuf_clear(&proc->iev.ibuf.w);
322 close(proc->iev.ibuf.fd);
329 kill_repo_proc(struct gotd_client *client)
331 if (client->repo == NULL)
334 kill_proc(client->repo, 0);
339 kill_auth_proc(struct gotd_client *client)
341 if (client->auth == NULL)
344 kill_proc(client->auth, 0);
349 kill_session_proc(struct gotd_client *client)
351 if (client->session == NULL)
354 kill_proc(client->session, 0);
355 client->session = NULL;
359 disconnect(struct gotd_client *client)
361 struct gotd_imsg_disconnect idisconnect;
362 struct gotd_child_proc *listen_proc = gotd.listen_proc;
365 log_debug("uid %d: disconnecting", client->euid);
367 kill_auth_proc(client);
368 kill_session_proc(client);
369 kill_repo_proc(client);
371 idisconnect.client_id = client->id;
372 if (gotd_imsg_compose_event(&listen_proc->iev,
373 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
374 &idisconnect, sizeof(idisconnect)) == -1)
375 log_warn("imsg compose DISCONNECT");
377 slot = client_hash(client->id) % nitems(gotd_clients);
378 STAILQ_REMOVE(&gotd_clients[slot], client, gotd_client, entry);
379 imsg_clear(&client->iev.ibuf);
380 event_del(&client->iev.ev);
381 evtimer_del(&client->tmo);
382 if (client->fd != -1)
384 else if (client->iev.ibuf.fd != -1)
385 close(client->iev.ibuf.fd);
386 free(client->username);
392 disconnect_on_error(struct gotd_client *client, const struct got_error *err)
396 if (err->code != GOT_ERR_EOF) {
397 log_warnx("uid %d: %s", client->euid, err->msg);
398 if (client->fd != -1) {
399 imsg_init(&ibuf, client->fd);
400 gotd_imsg_send_error(&ibuf, 0, PROC_GOTD, err);
407 static const struct got_error *
408 send_repo_info(struct gotd_imsgev *iev, struct gotd_repo *repo)
410 const struct got_error *err = NULL;
411 struct gotd_imsg_info_repo irepo;
413 memset(&irepo, 0, sizeof(irepo));
415 if (strlcpy(irepo.repo_name, repo->name, sizeof(irepo.repo_name))
416 >= sizeof(irepo.repo_name))
417 return got_error_msg(GOT_ERR_NO_SPACE, "repo name too long");
418 if (strlcpy(irepo.repo_path, repo->path, sizeof(irepo.repo_path))
419 >= sizeof(irepo.repo_path))
420 return got_error_msg(GOT_ERR_NO_SPACE, "repo path too long");
422 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_REPO, PROC_GOTD, -1,
423 &irepo, sizeof(irepo)) == -1) {
424 err = got_error_from_errno("imsg compose INFO_REPO");
432 static const struct got_error *
433 send_client_info(struct gotd_imsgev *iev, struct gotd_client *client)
435 const struct got_error *err = NULL;
436 struct gotd_imsg_info_client iclient;
437 struct gotd_child_proc *proc;
439 memset(&iclient, 0, sizeof(iclient));
440 iclient.euid = client->euid;
441 iclient.egid = client->egid;
445 if (strlcpy(iclient.repo_name, proc->repo_path,
446 sizeof(iclient.repo_name)) >= sizeof(iclient.repo_name)) {
447 return got_error_msg(GOT_ERR_NO_SPACE,
448 "repo name too long");
450 if (client_is_writing(client))
451 iclient.is_writing = 1;
453 iclient.repo_child_pid = proc->pid;
457 iclient.session_child_pid = client->session->pid;
459 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_CLIENT, PROC_GOTD, -1,
460 &iclient, sizeof(iclient)) == -1) {
461 err = got_error_from_errno("imsg compose INFO_CLIENT");
469 static const struct got_error *
470 send_info(struct gotd_client *client)
472 const struct got_error *err = NULL;
473 struct gotd_imsg_info info;
475 struct gotd_repo *repo;
477 if (client->euid != 0)
478 return got_error_set_errno(EPERM, "info");
481 info.verbosity = gotd.verbosity;
482 info.nrepos = gotd.nrepos;
483 info.nclients = client_cnt - 1;
485 if (gotd_imsg_compose_event(&client->iev, GOTD_IMSG_INFO, PROC_GOTD, -1,
486 &info, sizeof(info)) == -1) {
487 err = got_error_from_errno("imsg compose INFO");
492 TAILQ_FOREACH(repo, &gotd.repos, entry) {
493 err = send_repo_info(&client->iev, repo);
498 for (slot = 0; slot < nitems(gotd_clients); slot++) {
499 struct gotd_client *c;
500 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
501 if (c->id == client->id)
503 err = send_client_info(&client->iev, c);
512 static const struct got_error *
513 stop_gotd(struct gotd_client *client)
516 if (client->euid != 0)
517 return got_error_set_errno(EPERM, "stop");
524 static const struct got_error *
525 start_client_authentication(struct gotd_client *client, struct imsg *imsg)
527 const struct got_error *err;
528 struct gotd_imsg_list_refs ireq;
529 struct gotd_repo *repo = NULL;
532 log_debug("list-refs request from uid %d", client->euid);
534 if (client->state != GOTD_CLIENT_STATE_NEW)
535 return got_error_msg(GOT_ERR_BAD_REQUEST,
536 "unexpected list-refs request received");
538 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
539 if (datalen != sizeof(ireq))
540 return got_error(GOT_ERR_PRIVSEP_LEN);
542 memcpy(&ireq, imsg->data, datalen);
544 if (ireq.client_is_reading) {
545 err = ensure_client_is_not_writing(client);
548 repo = gotd_find_repo_by_name(ireq.repo_name, &gotd);
550 return got_error(GOT_ERR_NOT_GIT_REPO);
551 err = start_auth_child(client, GOTD_AUTH_READ, repo,
552 gotd.argv0, gotd.confpath, gotd.daemonize,
557 err = ensure_client_is_not_reading(client);
560 repo = gotd_find_repo_by_name(ireq.repo_name, &gotd);
562 return got_error(GOT_ERR_NOT_GIT_REPO);
563 err = start_auth_child(client,
564 GOTD_AUTH_READ | GOTD_AUTH_WRITE,
565 repo, gotd.argv0, gotd.confpath, gotd.daemonize,
571 evtimer_add(&client->tmo, &auth_timeout);
573 /* Flow continues upon authentication success/failure or timeout. */
578 gotd_request(int fd, short events, void *arg)
580 struct gotd_imsgev *iev = arg;
581 struct imsgbuf *ibuf = &iev->ibuf;
582 struct gotd_client *client = iev->handler_arg;
583 const struct got_error *err = NULL;
587 if (events & EV_WRITE) {
588 while (ibuf->w.queued) {
589 n = msgbuf_write(&ibuf->w);
590 if (n == -1 && errno == EPIPE) {
592 * The client has closed its socket.
593 * This can happen when Git clients are
594 * done sending pack file data.
596 msgbuf_clear(&ibuf->w);
598 } else if (n == -1 && errno != EAGAIN) {
599 err = got_error_from_errno("imsg_flush");
600 disconnect_on_error(client, err);
604 /* Connection closed. */
605 err = got_error(GOT_ERR_EOF);
606 disconnect_on_error(client, err);
611 /* Disconnect gotctl(8) now that messages have been sent. */
612 if (!client_is_reading(client) && !client_is_writing(client)) {
618 if ((events & EV_READ) == 0)
621 memset(&imsg, 0, sizeof(imsg));
623 while (err == NULL) {
624 err = gotd_imsg_recv(&imsg, ibuf, 0);
626 if (err->code == GOT_ERR_PRIVSEP_READ)
631 evtimer_del(&client->tmo);
633 switch (imsg.hdr.type) {
635 err = send_info(client);
638 err = stop_gotd(client);
640 case GOTD_IMSG_LIST_REFS:
641 err = start_client_authentication(client, &imsg);
644 log_debug("unexpected imsg %d", imsg.hdr.type);
645 err = got_error(GOT_ERR_PRIVSEP_MSG);
653 disconnect_on_error(client, err);
655 gotd_imsg_event_add(&client->iev);
660 gotd_auth_timeout(int fd, short events, void *arg)
662 struct gotd_client *client = arg;
664 log_debug("disconnecting uid %d due to authentication timeout",
669 static const struct got_error *
670 recv_connect(uint32_t *client_id, struct imsg *imsg)
672 const struct got_error *err = NULL;
673 struct gotd_imsg_connect iconnect;
676 struct gotd_client *client = NULL;
680 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
681 if (datalen != sizeof(iconnect))
682 return got_error(GOT_ERR_PRIVSEP_LEN);
683 memcpy(&iconnect, imsg->data, sizeof(iconnect));
685 s = imsg_get_fd(imsg);
687 err = got_error(GOT_ERR_PRIVSEP_NO_FD);
691 if (find_client(iconnect.client_id)) {
692 err = got_error_msg(GOT_ERR_CLIENT_ID, "duplicate client ID");
696 client = calloc(1, sizeof(*client));
697 if (client == NULL) {
698 err = got_error_from_errno("calloc");
702 *client_id = iconnect.client_id;
704 client->state = GOTD_CLIENT_STATE_NEW;
705 client->id = iconnect.client_id;
708 /* The auth process will verify UID/GID for us. */
709 client->euid = iconnect.euid;
710 client->egid = iconnect.egid;
712 imsg_init(&client->iev.ibuf, client->fd);
713 client->iev.handler = gotd_request;
714 client->iev.events = EV_READ;
715 client->iev.handler_arg = client;
717 event_set(&client->iev.ev, client->fd, EV_READ, gotd_request,
719 gotd_imsg_event_add(&client->iev);
721 evtimer_set(&client->tmo, gotd_auth_timeout, client);
724 log_debug("%s: new client uid %d connected on fd %d", __func__,
725 client->euid, client->fd);
728 struct gotd_child_proc *listen_proc = gotd.listen_proc;
729 struct gotd_imsg_disconnect idisconnect;
731 idisconnect.client_id = client->id;
732 if (gotd_imsg_compose_event(&listen_proc->iev,
733 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
734 &idisconnect, sizeof(idisconnect)) == -1)
735 log_warn("imsg compose DISCONNECT");
744 static const char *gotd_proc_names[PROC_MAX] = {
756 kill_proc(struct gotd_child_proc *proc, int fatal)
758 struct timeval tv = { 5, 0 };
760 log_debug("kill -%d %d", fatal ? SIGKILL : SIGTERM, proc->pid);
762 if (proc->iev.ibuf.fd != -1) {
763 event_del(&proc->iev.ev);
764 msgbuf_clear(&proc->iev.ibuf.w);
765 close(proc->iev.ibuf.fd);
766 proc->iev.ibuf.fd = -1;
769 if (!evtimer_pending(&proc->tmo, NULL) && !fatal)
770 evtimer_add(&proc->tmo, &tv);
773 log_warnx("sending SIGKILL to PID %d", proc->pid);
774 kill(proc->pid, SIGKILL);
776 kill(proc->pid, SIGTERM);
780 kill_proc_timeout(int fd, short ev, void *d)
782 struct gotd_child_proc *proc = d;
784 log_warnx("timeout waiting for PID %d to terminate;"
785 " retrying with force", proc->pid);
794 log_debug("shutting down");
795 for (slot = 0; slot < nitems(gotd_clients); slot++) {
796 struct gotd_client *c, *tmp;
798 STAILQ_FOREACH_SAFE(c, &gotd_clients[slot], entry, tmp)
802 kill_proc(gotd.listen_proc, 0);
804 log_info("terminating");
808 static struct gotd_child_proc *
809 find_proc_by_pid(pid_t pid)
811 struct gotd_child_proc *proc = NULL;
813 TAILQ_FOREACH(proc, &procs, entry)
814 if (proc->pid == pid)
821 gotd_sighdlr(int sig, short event, void *arg)
823 struct gotd_child_proc *proc;
828 * Normal signal handler rules don't apply because libevent
834 log_info("%s: ignoring SIGHUP", __func__);
837 log_info("%s: ignoring SIGUSR1", __func__);
845 pid = waitpid(WAIT_ANY, &status, WNOHANG);
856 log_debug("reaped pid %d", pid);
857 proc = find_proc_by_pid(pid);
859 log_info("caught exit of unknown child %d",
864 if (WIFSIGNALED(status)) {
865 log_warnx("child PID %d terminated with"
866 " signal %d", pid, WTERMSIG(status));
873 fatalx("unexpected signal");
877 static const struct got_error *
878 ensure_proc_is_reading(struct gotd_client *client,
879 struct gotd_child_proc *proc)
881 if (!client_is_reading(client)) {
883 return got_error_fmt(GOT_ERR_BAD_PACKET,
884 "PID %d handled a read-request for uid %d but this "
885 "user is not reading from a repository", proc->pid,
892 static const struct got_error *
893 ensure_proc_is_writing(struct gotd_client *client,
894 struct gotd_child_proc *proc)
896 if (!client_is_writing(client)) {
898 return got_error_fmt(GOT_ERR_BAD_PACKET,
899 "PID %d handled a write-request for uid %d but this "
900 "user is not writing to a repository", proc->pid,
908 verify_imsg_src(struct gotd_client *client, struct gotd_child_proc *proc,
911 const struct got_error *err;
914 if (proc->type == PROC_REPO_READ || proc->type == PROC_REPO_WRITE) {
915 if (client->repo == NULL)
916 fatalx("no process found for uid %d", client->euid);
917 if (proc->pid != client->repo->pid) {
919 log_warnx("received message from PID %d for uid %d, "
920 "while PID %d is the process serving this user",
921 proc->pid, client->euid, client->repo->pid);
925 if (proc->type == PROC_SESSION_READ ||
926 proc->type == PROC_SESSION_WRITE) {
927 if (client->session == NULL) {
928 log_warnx("no session found for uid %d", client->euid);
931 if (proc->pid != client->session->pid) {
933 log_warnx("received message from PID %d for uid %d, "
934 "while PID %d is the process serving this user",
935 proc->pid, client->euid, client->session->pid);
940 switch (imsg->hdr.type) {
941 case GOTD_IMSG_ERROR:
944 case GOTD_IMSG_CONNECT:
945 if (proc->type != PROC_LISTEN) {
946 err = got_error_fmt(GOT_ERR_BAD_PACKET,
947 "new connection for uid %d from PID %d "
948 "which is not the listen process",
949 client->euid, proc->pid);
953 case GOTD_IMSG_ACCESS_GRANTED:
954 if (proc->type != PROC_AUTH) {
955 err = got_error_fmt(GOT_ERR_BAD_PACKET,
956 "authentication of uid %d from PID %d "
957 "which is not the auth process",
958 client->euid, proc->pid);
962 case GOTD_IMSG_CLIENT_SESSION_READY:
963 if (proc->type != PROC_SESSION_READ &&
964 proc->type != PROC_SESSION_WRITE) {
965 err = got_error_fmt(GOT_ERR_BAD_PACKET,
966 "unexpected \"ready\" signal from PID %d",
971 case GOTD_IMSG_REPO_CHILD_READY:
972 if (proc->type != PROC_REPO_READ &&
973 proc->type != PROC_REPO_WRITE) {
974 err = got_error_fmt(GOT_ERR_BAD_PACKET,
975 "unexpected \"ready\" signal from PID %d",
980 case GOTD_IMSG_PACKFILE_DONE:
981 err = ensure_proc_is_reading(client, proc);
983 log_warnx("uid %d: %s", client->euid, err->msg);
987 case GOTD_IMSG_PACKFILE_INSTALL:
988 case GOTD_IMSG_REF_UPDATES_START:
989 case GOTD_IMSG_REF_UPDATE:
990 err = ensure_proc_is_writing(client, proc);
992 log_warnx("uid %d: %s", client->euid, err->msg);
997 log_debug("%s: unexpected imsg %d", __func__, imsg->hdr.type);
1004 static const struct got_error *
1005 connect_repo_child(struct gotd_client *client,
1006 struct gotd_child_proc *repo_proc)
1008 static const struct got_error *err;
1009 struct gotd_imsgev *session_iev = &client->session->iev;
1010 struct gotd_imsg_connect_repo_child ireq;
1012 int sock_flags = SOCK_STREAM | SOCK_NONBLOCK;
1015 sock_flags |= SOCK_CLOEXEC;
1018 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED)
1019 return got_error_msg(GOT_ERR_BAD_REQUEST,
1020 "unexpected repo child ready signal received");
1022 if (socketpair(AF_UNIX, sock_flags, PF_UNSPEC, pipe) == -1)
1023 fatal("socketpair");
1025 memset(&ireq, 0, sizeof(ireq));
1026 ireq.client_id = client->id;
1027 ireq.proc_id = repo_proc->type;
1029 /* Pass repo child pipe to session child process. */
1030 if (gotd_imsg_compose_event(session_iev, GOTD_IMSG_CONNECT_REPO_CHILD,
1031 PROC_GOTD, pipe[0], &ireq, sizeof(ireq)) == -1) {
1032 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
1038 /* Pass session child pipe to repo child process. */
1039 if (gotd_imsg_compose_event(&repo_proc->iev,
1040 GOTD_IMSG_CONNECT_REPO_CHILD, PROC_GOTD, pipe[1], NULL, 0) == -1) {
1041 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
1050 gotd_dispatch_listener(int fd, short event, void *arg)
1052 struct gotd_imsgev *iev = arg;
1053 struct imsgbuf *ibuf = &iev->ibuf;
1054 struct gotd_child_proc *proc = gotd.listen_proc;
1059 if (proc->iev.ibuf.fd != fd)
1060 fatalx("%s: unexpected fd %d", __func__, fd);
1062 if (event & EV_READ) {
1063 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1064 fatal("imsg_read error");
1066 /* Connection closed. */
1072 if (event & EV_WRITE) {
1073 n = msgbuf_write(&ibuf->w);
1074 if (n == -1 && errno != EAGAIN)
1075 fatal("msgbuf_write");
1077 /* Connection closed. */
1084 const struct got_error *err = NULL;
1085 struct gotd_client *client = NULL;
1086 uint32_t client_id = 0;
1087 int do_disconnect = 0;
1089 if ((n = imsg_get(ibuf, &imsg)) == -1)
1090 fatal("%s: imsg_get error", __func__);
1091 if (n == 0) /* No more messages. */
1094 switch (imsg.hdr.type) {
1095 case GOTD_IMSG_ERROR:
1097 err = gotd_imsg_recv_error(&client_id, &imsg);
1099 case GOTD_IMSG_CONNECT:
1100 err = recv_connect(&client_id, &imsg);
1103 log_debug("unexpected imsg %d", imsg.hdr.type);
1107 client = find_client(client_id);
1108 if (client == NULL) {
1109 log_warnx("%s: client not found", __func__);
1115 log_warnx("uid %d: %s", client->euid, err->msg);
1117 if (do_disconnect) {
1119 disconnect_on_error(client, err);
1128 gotd_imsg_event_add(iev);
1130 /* This pipe is dead. Remove its event handler */
1131 event_del(&iev->ev);
1132 event_loopexit(NULL);
1137 gotd_dispatch_auth_child(int fd, short event, void *arg)
1139 const struct got_error *err = NULL;
1140 struct gotd_imsgev *iev = arg;
1141 struct imsgbuf *ibuf = &iev->ibuf;
1142 struct gotd_client *client;
1143 struct gotd_repo *repo = NULL;
1147 uint32_t client_id = 0;
1148 int do_disconnect = 0;
1151 client = find_client_by_proc_fd(fd);
1152 if (client == NULL) {
1153 /* Can happen during process teardown. */
1154 warnx("cannot find client for fd %d", fd);
1159 if (client->auth == NULL)
1160 fatalx("cannot find auth child process for fd %d", fd);
1162 if (event & EV_READ) {
1163 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1164 fatal("imsg_read error");
1166 /* Connection closed. */
1172 if (event & EV_WRITE) {
1173 n = msgbuf_write(&ibuf->w);
1174 if (n == -1 && errno != EAGAIN)
1175 fatal("msgbuf_write");
1177 /* Connection closed. */
1183 if (client->auth->iev.ibuf.fd != fd)
1184 fatalx("%s: unexpected fd %d", __func__, fd);
1186 if ((n = imsg_get(ibuf, &imsg)) == -1)
1187 fatal("%s: imsg_get error", __func__);
1188 if (n == 0) /* No more messages. */
1191 evtimer_del(&client->tmo);
1193 datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
1195 switch (imsg.hdr.type) {
1196 case GOTD_IMSG_ERROR:
1198 err = gotd_imsg_recv_error(&client_id, &imsg);
1200 case GOTD_IMSG_ACCESS_GRANTED:
1201 if (client->state != GOTD_CLIENT_STATE_NEW) {
1203 err = got_error(GOT_ERR_PRIVSEP_MSG);
1208 log_debug("unexpected imsg %d", imsg.hdr.type);
1212 if (!verify_imsg_src(client, client->auth, &imsg)) {
1214 log_debug("dropping imsg type %d from PID %d",
1215 imsg.hdr.type, client->auth->pid);
1218 if (do_disconnect) {
1220 disconnect_on_error(client, err);
1227 client->state = GOTD_CLIENT_STATE_ACCESS_GRANTED;
1229 client->username = strndup(imsg.data, datalen);
1231 if (client->username == NULL &&
1232 asprintf(&client->username, "uid %d", client->euid) == -1) {
1233 err = got_error_from_errno("asprintf");
1237 repo = gotd_find_repo_by_name(client->auth->repo_name, &gotd);
1239 err = got_error(GOT_ERR_NOT_GIT_REPO);
1242 kill_auth_proc(client);
1244 log_info("authenticated %s for repository %s",
1245 client->username, repo->name);
1247 err = start_session_child(client, repo, gotd.argv0,
1248 gotd.confpath, gotd.daemonize, gotd.verbosity);
1253 log_warnx("uid %d: %s", client->euid, err->msg);
1255 /* We might have killed the auth process by now. */
1256 if (client->auth != NULL) {
1258 gotd_imsg_event_add(iev);
1260 /* This pipe is dead. Remove its event handler */
1261 event_del(&iev->ev);
1266 static const struct got_error *
1267 connect_session(struct gotd_client *client)
1269 const struct got_error *err = NULL;
1270 struct gotd_imsg_connect iconnect;
1273 memset(&iconnect, 0, sizeof(iconnect));
1275 s = dup(client->fd);
1277 return got_error_from_errno("dup");
1279 iconnect.client_id = client->id;
1280 iconnect.euid = client->euid;
1281 iconnect.egid = client->egid;
1283 if (gotd_imsg_compose_event(&client->session->iev, GOTD_IMSG_CONNECT,
1284 PROC_GOTD, s, &iconnect, sizeof(iconnect)) == -1) {
1285 err = got_error_from_errno("imsg compose CONNECT");
1291 * We are no longer interested in messages from this client.
1292 * Further client requests will be handled by the session process.
1294 msgbuf_clear(&client->iev.ibuf.w);
1295 imsg_clear(&client->iev.ibuf);
1296 event_del(&client->iev.ev);
1297 client->fd = -1; /* will be closed via copy in client->iev.ibuf.fd */
1303 gotd_dispatch_client_session(int fd, short event, void *arg)
1305 struct gotd_imsgev *iev = arg;
1306 struct imsgbuf *ibuf = &iev->ibuf;
1307 struct gotd_child_proc *proc = NULL;
1308 struct gotd_client *client = NULL;
1313 client = find_client_by_proc_fd(fd);
1314 if (client == NULL) {
1315 /* Can happen during process teardown. */
1316 warnx("cannot find client for fd %d", fd);
1321 if (event & EV_READ) {
1322 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1323 fatal("imsg_read error");
1325 /* Connection closed. */
1331 if (event & EV_WRITE) {
1332 n = msgbuf_write(&ibuf->w);
1333 if (n == -1 && errno != EAGAIN)
1334 fatal("msgbuf_write");
1336 /* Connection closed. */
1342 proc = client->session;
1344 fatalx("cannot find session child process for fd %d", fd);
1347 const struct got_error *err = NULL;
1348 uint32_t client_id = 0;
1349 int do_disconnect = 0, do_start_repo_child = 0;
1351 if ((n = imsg_get(ibuf, &imsg)) == -1)
1352 fatal("%s: imsg_get error", __func__);
1353 if (n == 0) /* No more messages. */
1356 switch (imsg.hdr.type) {
1357 case GOTD_IMSG_ERROR:
1359 err = gotd_imsg_recv_error(&client_id, &imsg);
1361 case GOTD_IMSG_CLIENT_SESSION_READY:
1362 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED) {
1363 err = got_error(GOT_ERR_PRIVSEP_MSG);
1366 do_start_repo_child = 1;
1368 case GOTD_IMSG_DISCONNECT:
1372 log_debug("unexpected imsg %d", imsg.hdr.type);
1376 if (!verify_imsg_src(client, proc, &imsg)) {
1377 log_debug("dropping imsg type %d from PID %d",
1378 imsg.hdr.type, proc->pid);
1383 log_warnx("uid %d: %s", client->euid, err->msg);
1385 if (do_start_repo_child) {
1386 struct gotd_repo *repo;
1387 const char *name = client->session->repo_name;
1389 repo = gotd_find_repo_by_name(name, &gotd);
1391 enum gotd_procid proc_type;
1393 if (client->required_auth & GOTD_AUTH_WRITE)
1394 proc_type = PROC_REPO_WRITE;
1396 proc_type = PROC_REPO_READ;
1398 err = start_repo_child(client, proc_type, repo,
1399 gotd.argv0, gotd.confpath, gotd.daemonize,
1402 err = got_error(GOT_ERR_NOT_GIT_REPO);
1405 log_warnx("uid %d: %s", client->euid, err->msg);
1410 if (do_disconnect) {
1412 disconnect_on_error(client, err);
1421 gotd_imsg_event_add(iev);
1423 /* This pipe is dead. Remove its event handler */
1424 event_del(&iev->ev);
1430 gotd_dispatch_repo_child(int fd, short event, void *arg)
1432 struct gotd_imsgev *iev = arg;
1433 struct imsgbuf *ibuf = &iev->ibuf;
1434 struct gotd_child_proc *proc = NULL;
1435 struct gotd_client *client;
1440 client = find_client_by_proc_fd(fd);
1441 if (client == NULL) {
1442 /* Can happen during process teardown. */
1443 warnx("cannot find client for fd %d", fd);
1448 if (event & EV_READ) {
1449 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1450 fatal("imsg_read error");
1452 /* Connection closed. */
1458 if (event & EV_WRITE) {
1459 n = msgbuf_write(&ibuf->w);
1460 if (n == -1 && errno != EAGAIN)
1461 fatal("msgbuf_write");
1463 /* Connection closed. */
1469 proc = client->repo;
1471 fatalx("cannot find child process for fd %d", fd);
1474 const struct got_error *err = NULL;
1475 uint32_t client_id = 0;
1476 int do_disconnect = 0;
1478 if ((n = imsg_get(ibuf, &imsg)) == -1)
1479 fatal("%s: imsg_get error", __func__);
1480 if (n == 0) /* No more messages. */
1483 switch (imsg.hdr.type) {
1484 case GOTD_IMSG_ERROR:
1486 err = gotd_imsg_recv_error(&client_id, &imsg);
1488 case GOTD_IMSG_REPO_CHILD_READY:
1489 err = connect_session(client);
1492 err = connect_repo_child(client, proc);
1495 log_debug("unexpected imsg %d", imsg.hdr.type);
1499 if (!verify_imsg_src(client, proc, &imsg)) {
1500 log_debug("dropping imsg type %d from PID %d",
1501 imsg.hdr.type, proc->pid);
1506 log_warnx("uid %d: %s", client->euid, err->msg);
1508 if (do_disconnect) {
1510 disconnect_on_error(client, err);
1519 gotd_imsg_event_add(iev);
1521 /* This pipe is dead. Remove its event handler */
1522 event_del(&iev->ev);
1528 start_child(enum gotd_procid proc_id, const char *repo_path,
1529 char *argv0, const char *confpath, int fd, int daemonize, int verbosity)
1535 switch (pid = fork()) {
1537 fatal("cannot fork");
1545 if (fd != GOTD_FILENO_MSG_PIPE) {
1546 if (dup2(fd, GOTD_FILENO_MSG_PIPE) == -1)
1547 fatal("cannot setup imsg fd");
1548 } else if (fcntl(fd, F_SETFD, 0) == -1)
1549 fatal("cannot setup imsg fd");
1551 argv[argc++] = argv0;
1554 argv[argc++] = (char *)"-L";
1557 argv[argc++] = (char *)"-A";
1559 case PROC_SESSION_READ:
1560 argv[argc++] = (char *)"-s";
1562 case PROC_SESSION_WRITE:
1563 argv[argc++] = (char *)"-S";
1565 case PROC_REPO_READ:
1566 argv[argc++] = (char *)"-R";
1568 case PROC_REPO_WRITE:
1569 argv[argc++] = (char *)"-W";
1572 fatalx("invalid process id %d", proc_id);
1575 argv[argc++] = (char *)"-f";
1576 argv[argc++] = (char *)confpath;
1579 argv[argc++] = (char *)"-P";
1580 argv[argc++] = (char *)repo_path;
1584 argv[argc++] = (char *)"-d";
1586 argv[argc++] = (char *)"-v";
1588 argv[argc++] = (char *)"-v";
1589 argv[argc++] = NULL;
1591 execvp(argv0, argv);
1596 start_listener(char *argv0, const char *confpath, int daemonize, int verbosity)
1598 struct gotd_child_proc *proc;
1599 int sock_flags = SOCK_STREAM|SOCK_NONBLOCK;
1602 sock_flags |= SOCK_CLOEXEC;
1605 proc = calloc(1, sizeof(*proc));
1609 TAILQ_INSERT_HEAD(&procs, proc, entry);
1611 /* proc->tmo is initialized in main() after event_init() */
1613 proc->type = PROC_LISTEN;
1615 if (socketpair(AF_UNIX, sock_flags,
1616 PF_UNSPEC, proc->pipe) == -1)
1617 fatal("socketpair");
1619 proc->pid = start_child(proc->type, NULL, argv0, confpath,
1620 proc->pipe[1], daemonize, verbosity);
1621 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1622 proc->iev.handler = gotd_dispatch_listener;
1623 proc->iev.events = EV_READ;
1624 proc->iev.handler_arg = NULL;
1626 gotd.listen_proc = proc;
1629 static const struct got_error *
1630 start_session_child(struct gotd_client *client, struct gotd_repo *repo,
1631 char *argv0, const char *confpath, int daemonize, int verbosity)
1633 struct gotd_child_proc *proc;
1634 int sock_flags = SOCK_STREAM | SOCK_NONBLOCK;
1637 sock_flags |= SOCK_CLOEXEC;
1640 proc = calloc(1, sizeof(*proc));
1642 return got_error_from_errno("calloc");
1644 TAILQ_INSERT_HEAD(&procs, proc, entry);
1645 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1647 if (client_is_reading(client))
1648 proc->type = PROC_SESSION_READ;
1650 proc->type = PROC_SESSION_WRITE;
1651 if (strlcpy(proc->repo_name, repo->name,
1652 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1653 fatalx("repository name too long: %s", repo->name);
1654 log_debug("starting client uid %d session for repository %s",
1655 client->euid, repo->name);
1656 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1657 sizeof(proc->repo_path))
1658 fatalx("repository path too long: %s", repo->path);
1659 if (socketpair(AF_UNIX, sock_flags, PF_UNSPEC, proc->pipe) == -1)
1660 fatal("socketpair");
1661 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1662 confpath, proc->pipe[1], daemonize, verbosity);
1663 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1664 log_debug("proc %s %s is on fd %d",
1665 gotd_proc_names[proc->type], proc->repo_path,
1667 proc->iev.handler = gotd_dispatch_client_session;
1668 proc->iev.events = EV_READ;
1669 proc->iev.handler_arg = NULL;
1670 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1671 gotd_dispatch_client_session, &proc->iev);
1672 gotd_imsg_event_add(&proc->iev);
1674 client->session = proc;
1678 static const struct got_error *
1679 start_repo_child(struct gotd_client *client, enum gotd_procid proc_type,
1680 struct gotd_repo *repo, char *argv0, const char *confpath,
1681 int daemonize, int verbosity)
1683 struct gotd_child_proc *proc;
1684 int sock_flags = SOCK_STREAM|SOCK_NONBLOCK;
1687 sock_flags |= SOCK_CLOEXEC;
1690 if (proc_type != PROC_REPO_READ && proc_type != PROC_REPO_WRITE)
1691 return got_error_msg(GOT_ERR_NOT_IMPL, "bad process type");
1693 proc = calloc(1, sizeof(*proc));
1695 return got_error_from_errno("calloc");
1697 TAILQ_INSERT_HEAD(&procs, proc, entry);
1698 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1700 proc->type = proc_type;
1701 if (strlcpy(proc->repo_name, repo->name,
1702 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1703 fatalx("repository name too long: %s", repo->name);
1704 log_debug("starting %s for repository %s",
1705 proc->type == PROC_REPO_READ ? "reader" : "writer", repo->name);
1707 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1708 sizeof(proc->repo_path))
1709 fatalx("repository path too long: %s", repo->path);
1710 if (realpath(repo->path, proc->repo_path) == NULL)
1711 fatal("%s", repo->path);
1712 if (socketpair(AF_UNIX, sock_flags,
1713 PF_UNSPEC, proc->pipe) == -1)
1714 fatal("socketpair");
1715 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1716 confpath, proc->pipe[1], daemonize, verbosity);
1717 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1718 log_debug("proc %s %s is on fd %d",
1719 gotd_proc_names[proc->type], proc->repo_path,
1721 proc->iev.handler = gotd_dispatch_repo_child;
1722 proc->iev.events = EV_READ;
1723 proc->iev.handler_arg = NULL;
1724 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1725 gotd_dispatch_repo_child, &proc->iev);
1726 gotd_imsg_event_add(&proc->iev);
1728 client->repo = proc;
1732 static const struct got_error *
1733 start_auth_child(struct gotd_client *client, int required_auth,
1734 struct gotd_repo *repo, char *argv0, const char *confpath,
1735 int daemonize, int verbosity)
1737 const struct got_error *err = NULL;
1738 struct gotd_child_proc *proc;
1739 struct gotd_imsg_auth iauth;
1741 int sock_flags = SOCK_STREAM|SOCK_NONBLOCK;
1744 sock_flags |= SOCK_CLOEXEC;
1747 memset(&iauth, 0, sizeof(iauth));
1749 fd = dup(client->fd);
1751 return got_error_from_errno("dup");
1753 proc = calloc(1, sizeof(*proc));
1755 err = got_error_from_errno("calloc");
1760 TAILQ_INSERT_HEAD(&procs, proc, entry);
1761 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1763 proc->type = PROC_AUTH;
1764 if (strlcpy(proc->repo_name, repo->name,
1765 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1766 fatalx("repository name too long: %s", repo->name);
1767 log_debug("starting auth for uid %d repository %s",
1768 client->euid, repo->name);
1769 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1770 sizeof(proc->repo_path))
1771 fatalx("repository path too long: %s", repo->path);
1772 if (realpath(repo->path, proc->repo_path) == NULL)
1773 fatal("%s", repo->path);
1774 if (socketpair(AF_UNIX, sock_flags,
1775 PF_UNSPEC, proc->pipe) == -1)
1776 fatal("socketpair");
1777 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1778 confpath, proc->pipe[1], daemonize, verbosity);
1779 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1780 log_debug("proc %s %s is on fd %d",
1781 gotd_proc_names[proc->type], proc->repo_path,
1783 proc->iev.handler = gotd_dispatch_auth_child;
1784 proc->iev.events = EV_READ;
1785 proc->iev.handler_arg = NULL;
1786 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1787 gotd_dispatch_auth_child, &proc->iev);
1788 gotd_imsg_event_add(&proc->iev);
1790 iauth.euid = client->euid;
1791 iauth.egid = client->egid;
1792 iauth.required_auth = required_auth;
1793 iauth.client_id = client->id;
1794 if (gotd_imsg_compose_event(&proc->iev, GOTD_IMSG_AUTHENTICATE,
1795 PROC_GOTD, fd, &iauth, sizeof(iauth)) == -1) {
1796 log_warn("imsg compose AUTHENTICATE");
1798 /* Let the auth_timeout handler tidy up. */
1801 client->auth = proc;
1802 client->required_auth = required_auth;
1807 apply_unveil_repo_readonly(const char *repo_path, int need_tmpdir)
1810 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1811 fatal("unveil %s", GOT_TMPDIR_STR);
1814 if (unveil(repo_path, "r") == -1)
1815 fatal("unveil %s", repo_path);
1817 if (unveil(NULL, NULL) == -1)
1822 apply_unveil_repo_readwrite(const char *repo_path)
1824 if (unveil(repo_path, "rwc") == -1)
1825 fatal("unveil %s", repo_path);
1827 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1828 fatal("unveil %s", GOT_TMPDIR_STR);
1830 if (unveil(NULL, NULL) == -1)
1835 apply_unveil_none(void)
1837 if (unveil("/", "") == -1)
1840 if (unveil(NULL, NULL) == -1)
1845 apply_unveil_selfexec(void)
1847 if (unveil(gotd.argv0, "x") == -1)
1848 fatal("unveil %s", gotd.argv0);
1850 if (unveil(NULL, NULL) == -1)
1855 set_max_datasize(void)
1859 if (getrlimit(RLIMIT_DATA, &rl) != 0)
1862 rl.rlim_cur = rl.rlim_max;
1863 setrlimit(RLIMIT_DATA, &rl);
1867 main(int argc, char **argv)
1869 const struct got_error *error = NULL;
1870 int ch, fd = -1, daemonize = 1, verbosity = 0, noaction = 0;
1871 const char *confpath = GOTD_CONF_PATH;
1872 char *argv0 = argv[0];
1874 struct passwd *pw = NULL;
1875 char *repo_path = NULL;
1876 enum gotd_procid proc_id = PROC_GOTD;
1877 struct event evsigint, evsigterm, evsighup, evsigusr1, evsigchld;
1878 int *pack_fds = NULL, *temp_fds = NULL;
1879 struct gotd_repo *repo = NULL;
1883 log_init(1, LOG_DAEMON); /* Log to stderr until daemonized. */
1885 while ((ch = getopt(argc, argv, "Adf:LnP:RsSvW")) != -1) {
1888 proc_id = PROC_AUTH;
1897 proc_id = PROC_LISTEN;
1903 repo_path = realpath(optarg, NULL);
1904 if (repo_path == NULL)
1905 fatal("realpath '%s'", optarg);
1908 proc_id = PROC_REPO_READ;
1911 proc_id = PROC_SESSION_READ;
1914 proc_id = PROC_SESSION_WRITE;
1921 proc_id = PROC_REPO_WRITE;
1934 if (geteuid() && (proc_id == PROC_GOTD || proc_id == PROC_LISTEN))
1935 fatalx("need root privileges");
1937 if (parse_config(confpath, proc_id, &gotd) != 0)
1940 pw = getpwnam(gotd.user_name);
1942 fatalx("user %s not found", gotd.user_name);
1944 if (pw->pw_uid == 0)
1945 fatalx("cannot run %s as the superuser", getprogname());
1948 fprintf(stderr, "configuration OK\n");
1953 gotd.daemonize = daemonize;
1954 gotd.verbosity = verbosity;
1955 gotd.confpath = confpath;
1957 /* Require an absolute path in argv[0] for reliable re-exec. */
1958 if (!got_path_is_absolute(argv0))
1959 fatalx("bad path \"%s\": must be an absolute path", argv0);
1961 log_init(daemonize ? 0 : 1, LOG_DAEMON);
1962 log_setverbose(verbosity);
1964 if (proc_id == PROC_GOTD) {
1965 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1966 arc4random_buf(&clients_hash_key, sizeof(clients_hash_key));
1967 if (daemonize && daemon(1, 0) == -1)
1969 gotd.pid = getpid();
1970 start_listener(argv0, confpath, daemonize, verbosity);
1971 } else if (proc_id == PROC_LISTEN) {
1972 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1974 log_info("socket: %s", gotd.unix_socket_path);
1975 log_info("user: %s", pw->pw_name);
1978 fd = unix_socket_listen(gotd.unix_socket_path, pw->pw_uid,
1981 fatal("cannot listen on unix socket %s",
1982 gotd.unix_socket_path);
1984 } else if (proc_id == PROC_AUTH) {
1985 snprintf(title, sizeof(title), "%s %s",
1986 gotd_proc_names[proc_id], repo_path);
1987 } else if (proc_id == PROC_REPO_READ || proc_id == PROC_REPO_WRITE ||
1988 proc_id == PROC_SESSION_READ || proc_id == PROC_SESSION_WRITE) {
1989 error = got_repo_pack_fds_open(&pack_fds);
1991 fatalx("cannot open pack tempfiles: %s", error->msg);
1992 error = got_repo_temp_fds_open(&temp_fds);
1994 fatalx("cannot open pack tempfiles: %s", error->msg);
1995 if (repo_path == NULL)
1996 fatalx("repository path not specified");
1997 snprintf(title, sizeof(title), "%s %s",
1998 gotd_proc_names[proc_id], repo_path);
2000 fatal("invalid process id %d", proc_id);
2002 setproctitle("%s", title);
2003 log_procinit(title);
2005 if (proc_id != PROC_GOTD && proc_id != PROC_LISTEN &&
2006 proc_id != PROC_REPO_READ && proc_id != PROC_REPO_WRITE) {
2007 /* Drop root privileges. */
2008 if (setgid(pw->pw_gid) == -1)
2009 fatal("setgid %d failed", pw->pw_gid);
2010 if (setuid(pw->pw_uid) == -1)
2011 fatal("setuid %d failed", pw->pw_uid);
2019 /* "exec" promise will be limited to argv[0] via unveil(2). */
2020 if (pledge("stdio proc exec sendfd recvfd unveil", NULL) == -1)
2026 if (pledge("stdio sendfd unix unveil", NULL) == -1)
2030 * Ensure that AF_UNIX bind(2) cannot be used with any other
2031 * sockets by revoking all filesystem access via unveil(2).
2033 apply_unveil_none();
2035 enter_chroot(GOTD_EMPTY_PATH);
2038 listen_main(title, fd, gotd.connection_limits,
2039 gotd.nconnection_limits);
2044 if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
2048 * We need the "unix" pledge promise for getpeername(2) only.
2049 * Ensure that AF_UNIX bind(2) cannot be used by revoking all
2050 * filesystem access via unveil(2). Access to password database
2051 * files will still work since "getpw" bypasses unveil(2).
2053 apply_unveil_none();
2055 auth_main(title, &gotd.repos, repo_path);
2058 case PROC_SESSION_READ:
2059 case PROC_SESSION_WRITE:
2062 * The "recvfd" promise is only needed during setup and
2063 * will be removed in a later pledge(2) call.
2065 if (pledge("stdio rpath wpath cpath recvfd sendfd fattr flock "
2066 "unveil", NULL) == -1)
2069 if (proc_id == PROC_SESSION_READ)
2070 apply_unveil_repo_readonly(repo_path, 1);
2072 apply_unveil_repo_readwrite(repo_path);
2074 session_main(title, repo_path, pack_fds, temp_fds,
2075 &gotd.request_timeout, proc_id);
2078 case PROC_REPO_READ:
2081 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
2084 apply_unveil_repo_readonly(repo_path, 0);
2086 if (enter_chroot(repo_path)) {
2087 log_info("change repo path %s", repo_path);
2089 repo_path = strdup("/");
2090 if (repo_path == NULL)
2092 log_info("repo path is now %s", repo_path);
2096 repo_read_main(title, repo_path, pack_fds, temp_fds);
2099 case PROC_REPO_WRITE:
2102 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
2105 apply_unveil_repo_readonly(repo_path, 0);
2106 repo = gotd_find_repo_by_path(repo_path, &gotd);
2108 fatalx("no repository for path %s", repo_path);
2110 if (enter_chroot(repo_path)) {
2112 repo_path = strdup("/");
2113 if (repo_path == NULL)
2118 repo_write_main(title, repo_path, pack_fds, temp_fds,
2119 &repo->protected_tag_namespaces,
2120 &repo->protected_branch_namespaces,
2121 &repo->protected_branches);
2125 fatal("invalid process id %d", proc_id);
2128 if (proc_id != PROC_GOTD)
2129 fatal("invalid process id %d", proc_id);
2131 evtimer_set(&gotd.listen_proc->tmo, kill_proc_timeout,
2134 apply_unveil_selfexec();
2136 signal_set(&evsigint, SIGINT, gotd_sighdlr, NULL);
2137 signal_set(&evsigterm, SIGTERM, gotd_sighdlr, NULL);
2138 signal_set(&evsighup, SIGHUP, gotd_sighdlr, NULL);
2139 signal_set(&evsigusr1, SIGUSR1, gotd_sighdlr, NULL);
2140 signal_set(&evsigchld, SIGCHLD, gotd_sighdlr, NULL);
2141 signal(SIGPIPE, SIG_IGN);
2143 signal_add(&evsigint, NULL);
2144 signal_add(&evsigterm, NULL);
2145 signal_add(&evsighup, NULL);
2146 signal_add(&evsigusr1, NULL);
2147 signal_add(&evsigchld, NULL);
2149 gotd_imsg_event_add(&gotd.listen_proc->iev);
