2 * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 #include <sys/queue.h>
19 #include <sys/types.h>
21 #include <sys/socket.h>
40 #include "got_error.h"
41 #include "got_opentemp.h"
43 #include "got_repository.h"
44 #include "got_object.h"
45 #include "got_reference.h"
47 #include "got_lib_delta.h"
48 #include "got_lib_object.h"
49 #include "got_lib_object_cache.h"
50 #include "got_lib_hash.h"
51 #include "got_lib_gitproto.h"
52 #include "got_lib_pack.h"
53 #include "got_lib_repository.h"
60 #include "repo_read.h"
61 #include "repo_write.h"
64 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
67 enum gotd_client_state {
68 GOTD_CLIENT_STATE_NEW,
69 GOTD_CLIENT_STATE_ACCESS_GRANTED,
72 struct gotd_child_proc {
74 enum gotd_procid type;
75 char repo_name[NAME_MAX];
76 char repo_path[PATH_MAX];
78 struct gotd_imsgev iev;
81 TAILQ_ENTRY(gotd_child_proc) entry;
83 TAILQ_HEAD(gotd_procs, gotd_child_proc) procs;
86 STAILQ_ENTRY(gotd_client) entry;
87 enum gotd_client_state state;
90 struct gotd_imsgev iev;
94 struct gotd_child_proc *repo;
95 struct gotd_child_proc *auth;
96 struct gotd_child_proc *session;
99 STAILQ_HEAD(gotd_clients, gotd_client);
101 static struct gotd_clients gotd_clients[GOTD_CLIENT_TABLE_SIZE];
102 static SIPHASH_KEY clients_hash_key;
103 volatile int client_cnt;
104 static struct timeval auth_timeout = { 5, 0 };
105 static struct gotd gotd;
107 void gotd_sighdlr(int sig, short event, void *arg);
108 static void gotd_shutdown(void);
109 static const struct got_error *start_session_child(struct gotd_client *,
110 struct gotd_repo *, char *, const char *, int, int);
111 static const struct got_error *start_repo_child(struct gotd_client *,
112 enum gotd_procid, struct gotd_repo *, char *, const char *, int, int);
113 static const struct got_error *start_auth_child(struct gotd_client *, int,
114 struct gotd_repo *, char *, const char *, int, int);
115 static void kill_proc(struct gotd_child_proc *, int);
116 static void disconnect(struct gotd_client *);
121 fprintf(stderr, "usage: %s [-dnv] [-f config-file]\n", getprogname());
126 unix_socket_listen(const char *unix_socket_path, uid_t uid, gid_t gid)
128 struct sockaddr_un sun;
130 mode_t old_umask, mode;
131 int sock_flags = SOCK_STREAM | SOCK_NONBLOCK;
134 sock_flags |= SOCK_CLOEXEC;
137 fd = socket(AF_UNIX, sock_flags, 0);
143 sun.sun_family = AF_UNIX;
144 if (strlcpy(sun.sun_path, unix_socket_path,
145 sizeof(sun.sun_path)) >= sizeof(sun.sun_path)) {
146 log_warnx("%s: name too long", unix_socket_path);
151 if (unlink(unix_socket_path) == -1) {
152 if (errno != ENOENT) {
153 log_warn("unlink %s", unix_socket_path);
159 old_umask = umask(S_IXUSR|S_IXGRP|S_IWOTH|S_IROTH|S_IXOTH);
160 mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
162 if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) == -1) {
163 log_warn("bind: %s", unix_socket_path);
171 if (chmod(unix_socket_path, mode) == -1) {
172 log_warn("chmod %o %s", mode, unix_socket_path);
174 unlink(unix_socket_path);
178 if (chown(unix_socket_path, uid, gid) == -1) {
179 log_warn("chown %s uid=%d gid=%d", unix_socket_path, uid, gid);
181 unlink(unix_socket_path);
185 if (listen(fd, GOTD_UNIX_SOCKET_BACKLOG) == -1) {
188 unlink(unix_socket_path);
196 client_hash(uint32_t client_id)
198 return SipHash24(&clients_hash_key, &client_id, sizeof(client_id));
202 add_client(struct gotd_client *client)
204 uint64_t slot = client_hash(client->id) % nitems(gotd_clients);
205 STAILQ_INSERT_HEAD(&gotd_clients[slot], client, entry);
209 static struct gotd_client *
210 find_client(uint32_t client_id)
213 struct gotd_client *c;
215 slot = client_hash(client_id) % nitems(gotd_clients);
216 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
217 if (c->id == client_id)
224 static struct gotd_client *
225 find_client_by_proc_fd(int fd)
229 for (slot = 0; slot < nitems(gotd_clients); slot++) {
230 struct gotd_client *c;
232 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
233 if (c->repo && c->repo->iev.ibuf.fd == fd)
235 if (c->auth && c->auth->iev.ibuf.fd == fd)
237 if (c->session && c->session->iev.ibuf.fd == fd)
246 client_is_reading(struct gotd_client *client)
248 return (client->required_auth &
249 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) == GOTD_AUTH_READ;
253 client_is_writing(struct gotd_client *client)
255 return (client->required_auth &
256 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) ==
257 (GOTD_AUTH_READ | GOTD_AUTH_WRITE);
260 static const struct got_error *
261 ensure_client_is_not_writing(struct gotd_client *client)
263 if (client_is_writing(client)) {
264 return got_error_fmt(GOT_ERR_BAD_PACKET,
265 "uid %d made a read-request but is writing to "
266 "a repository", client->euid);
272 static const struct got_error *
273 ensure_client_is_not_reading(struct gotd_client *client)
275 if (client_is_reading(client)) {
276 return got_error_fmt(GOT_ERR_BAD_PACKET,
277 "uid %d made a write-request but is reading from "
278 "a repository", client->euid);
285 proc_done(struct gotd_child_proc *proc)
287 struct gotd_client *client;
289 TAILQ_REMOVE(&procs, proc, entry);
291 client = find_client_by_proc_fd(proc->iev.ibuf.fd);
292 if (client != NULL) {
293 if (proc == client->repo)
295 if (proc == client->auth)
297 if (proc == client->session)
298 client->session = NULL;
302 evtimer_del(&proc->tmo);
304 if (proc->iev.ibuf.fd != -1) {
305 event_del(&proc->iev.ev);
306 msgbuf_clear(&proc->iev.ibuf.w);
307 close(proc->iev.ibuf.fd);
314 kill_repo_proc(struct gotd_client *client)
316 if (client->repo == NULL)
319 kill_proc(client->repo, 0);
324 kill_auth_proc(struct gotd_client *client)
326 if (client->auth == NULL)
329 kill_proc(client->auth, 0);
334 kill_session_proc(struct gotd_client *client)
336 if (client->session == NULL)
339 kill_proc(client->session, 0);
340 client->session = NULL;
344 disconnect(struct gotd_client *client)
346 struct gotd_imsg_disconnect idisconnect;
347 struct gotd_child_proc *listen_proc = gotd.listen_proc;
350 log_debug("uid %d: disconnecting", client->euid);
352 kill_auth_proc(client);
353 kill_session_proc(client);
354 kill_repo_proc(client);
356 idisconnect.client_id = client->id;
357 if (gotd_imsg_compose_event(&listen_proc->iev,
358 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
359 &idisconnect, sizeof(idisconnect)) == -1)
360 log_warn("imsg compose DISCONNECT");
362 slot = client_hash(client->id) % nitems(gotd_clients);
363 STAILQ_REMOVE(&gotd_clients[slot], client, gotd_client, entry);
364 imsg_clear(&client->iev.ibuf);
365 event_del(&client->iev.ev);
366 evtimer_del(&client->tmo);
367 if (client->fd != -1)
369 else if (client->iev.ibuf.fd != -1)
370 close(client->iev.ibuf.fd);
376 disconnect_on_error(struct gotd_client *client, const struct got_error *err)
380 if (err->code != GOT_ERR_EOF) {
381 log_warnx("uid %d: %s", client->euid, err->msg);
382 if (client->fd != -1) {
383 imsg_init(&ibuf, client->fd);
384 gotd_imsg_send_error(&ibuf, 0, PROC_GOTD, err);
391 static const struct got_error *
392 send_repo_info(struct gotd_imsgev *iev, struct gotd_repo *repo)
394 const struct got_error *err = NULL;
395 struct gotd_imsg_info_repo irepo;
397 memset(&irepo, 0, sizeof(irepo));
399 if (strlcpy(irepo.repo_name, repo->name, sizeof(irepo.repo_name))
400 >= sizeof(irepo.repo_name))
401 return got_error_msg(GOT_ERR_NO_SPACE, "repo name too long");
402 if (strlcpy(irepo.repo_path, repo->path, sizeof(irepo.repo_path))
403 >= sizeof(irepo.repo_path))
404 return got_error_msg(GOT_ERR_NO_SPACE, "repo path too long");
406 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_REPO, PROC_GOTD, -1,
407 &irepo, sizeof(irepo)) == -1) {
408 err = got_error_from_errno("imsg compose INFO_REPO");
416 static const struct got_error *
417 send_client_info(struct gotd_imsgev *iev, struct gotd_client *client)
419 const struct got_error *err = NULL;
420 struct gotd_imsg_info_client iclient;
421 struct gotd_child_proc *proc;
423 memset(&iclient, 0, sizeof(iclient));
424 iclient.euid = client->euid;
425 iclient.egid = client->egid;
429 if (strlcpy(iclient.repo_name, proc->repo_path,
430 sizeof(iclient.repo_name)) >= sizeof(iclient.repo_name)) {
431 return got_error_msg(GOT_ERR_NO_SPACE,
432 "repo name too long");
434 if (client_is_writing(client))
435 iclient.is_writing = 1;
437 iclient.repo_child_pid = proc->pid;
441 iclient.session_child_pid = client->session->pid;
443 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_CLIENT, PROC_GOTD, -1,
444 &iclient, sizeof(iclient)) == -1) {
445 err = got_error_from_errno("imsg compose INFO_CLIENT");
453 static const struct got_error *
454 send_info(struct gotd_client *client)
456 const struct got_error *err = NULL;
457 struct gotd_imsg_info info;
459 struct gotd_repo *repo;
461 if (client->euid != 0)
462 return got_error_set_errno(EPERM, "info");
465 info.verbosity = gotd.verbosity;
466 info.nrepos = gotd.nrepos;
467 info.nclients = client_cnt - 1;
469 if (gotd_imsg_compose_event(&client->iev, GOTD_IMSG_INFO, PROC_GOTD, -1,
470 &info, sizeof(info)) == -1) {
471 err = got_error_from_errno("imsg compose INFO");
476 TAILQ_FOREACH(repo, &gotd.repos, entry) {
477 err = send_repo_info(&client->iev, repo);
482 for (slot = 0; slot < nitems(gotd_clients); slot++) {
483 struct gotd_client *c;
484 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
485 if (c->id == client->id)
487 err = send_client_info(&client->iev, c);
496 static const struct got_error *
497 stop_gotd(struct gotd_client *client)
500 if (client->euid != 0)
501 return got_error_set_errno(EPERM, "stop");
508 static const struct got_error *
509 start_client_authentication(struct gotd_client *client, struct imsg *imsg)
511 const struct got_error *err;
512 struct gotd_imsg_list_refs ireq;
513 struct gotd_repo *repo = NULL;
516 log_debug("list-refs request from uid %d", client->euid);
518 if (client->state != GOTD_CLIENT_STATE_NEW)
519 return got_error_msg(GOT_ERR_BAD_REQUEST,
520 "unexpected list-refs request received");
522 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
523 if (datalen != sizeof(ireq))
524 return got_error(GOT_ERR_PRIVSEP_LEN);
526 memcpy(&ireq, imsg->data, datalen);
528 if (ireq.client_is_reading) {
529 err = ensure_client_is_not_writing(client);
532 repo = gotd_find_repo_by_name(ireq.repo_name, &gotd);
534 return got_error(GOT_ERR_NOT_GIT_REPO);
535 err = start_auth_child(client, GOTD_AUTH_READ, repo,
536 gotd.argv0, gotd.confpath, gotd.daemonize,
541 err = ensure_client_is_not_reading(client);
544 repo = gotd_find_repo_by_name(ireq.repo_name, &gotd);
546 return got_error(GOT_ERR_NOT_GIT_REPO);
547 err = start_auth_child(client,
548 GOTD_AUTH_READ | GOTD_AUTH_WRITE,
549 repo, gotd.argv0, gotd.confpath, gotd.daemonize,
555 evtimer_add(&client->tmo, &auth_timeout);
557 /* Flow continues upon authentication success/failure or timeout. */
562 gotd_request(int fd, short events, void *arg)
564 struct gotd_imsgev *iev = arg;
565 struct imsgbuf *ibuf = &iev->ibuf;
566 struct gotd_client *client = iev->handler_arg;
567 const struct got_error *err = NULL;
571 if (events & EV_WRITE) {
572 while (ibuf->w.queued) {
573 n = msgbuf_write(&ibuf->w);
574 if (n == -1 && errno == EPIPE) {
576 * The client has closed its socket.
577 * This can happen when Git clients are
578 * done sending pack file data.
580 msgbuf_clear(&ibuf->w);
582 } else if (n == -1 && errno != EAGAIN) {
583 err = got_error_from_errno("imsg_flush");
584 disconnect_on_error(client, err);
588 /* Connection closed. */
589 err = got_error(GOT_ERR_EOF);
590 disconnect_on_error(client, err);
595 /* Disconnect gotctl(8) now that messages have been sent. */
596 if (!client_is_reading(client) && !client_is_writing(client)) {
602 if ((events & EV_READ) == 0)
605 memset(&imsg, 0, sizeof(imsg));
607 while (err == NULL) {
608 err = gotd_imsg_recv(&imsg, ibuf, 0);
610 if (err->code == GOT_ERR_PRIVSEP_READ)
615 evtimer_del(&client->tmo);
617 switch (imsg.hdr.type) {
619 err = send_info(client);
622 err = stop_gotd(client);
624 case GOTD_IMSG_LIST_REFS:
625 err = start_client_authentication(client, &imsg);
628 log_debug("unexpected imsg %d", imsg.hdr.type);
629 err = got_error(GOT_ERR_PRIVSEP_MSG);
637 disconnect_on_error(client, err);
639 gotd_imsg_event_add(&client->iev);
644 gotd_auth_timeout(int fd, short events, void *arg)
646 struct gotd_client *client = arg;
648 log_debug("disconnecting uid %d due to authentication timeout",
653 static const struct got_error *
654 recv_connect(uint32_t *client_id, struct imsg *imsg)
656 const struct got_error *err = NULL;
657 struct gotd_imsg_connect iconnect;
660 struct gotd_client *client = NULL;
664 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
665 if (datalen != sizeof(iconnect))
666 return got_error(GOT_ERR_PRIVSEP_LEN);
667 memcpy(&iconnect, imsg->data, sizeof(iconnect));
671 err = got_error(GOT_ERR_PRIVSEP_NO_FD);
675 if (find_client(iconnect.client_id)) {
676 err = got_error_msg(GOT_ERR_CLIENT_ID, "duplicate client ID");
680 client = calloc(1, sizeof(*client));
681 if (client == NULL) {
682 err = got_error_from_errno("calloc");
686 *client_id = iconnect.client_id;
688 client->state = GOTD_CLIENT_STATE_NEW;
689 client->id = iconnect.client_id;
692 /* The auth process will verify UID/GID for us. */
693 client->euid = iconnect.euid;
694 client->egid = iconnect.egid;
696 imsg_init(&client->iev.ibuf, client->fd);
697 client->iev.handler = gotd_request;
698 client->iev.events = EV_READ;
699 client->iev.handler_arg = client;
701 event_set(&client->iev.ev, client->fd, EV_READ, gotd_request,
703 gotd_imsg_event_add(&client->iev);
705 evtimer_set(&client->tmo, gotd_auth_timeout, client);
708 log_debug("%s: new client uid %d connected on fd %d", __func__,
709 client->euid, client->fd);
712 struct gotd_child_proc *listen_proc = gotd.listen_proc;
713 struct gotd_imsg_disconnect idisconnect;
715 idisconnect.client_id = client->id;
716 if (gotd_imsg_compose_event(&listen_proc->iev,
717 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
718 &idisconnect, sizeof(idisconnect)) == -1)
719 log_warn("imsg compose DISCONNECT");
728 static const char *gotd_proc_names[PROC_MAX] = {
740 kill_proc(struct gotd_child_proc *proc, int fatal)
742 struct timeval tv = { 5, 0 };
744 log_debug("kill -%d %d", fatal ? SIGKILL : SIGTERM, proc->pid);
746 if (proc->iev.ibuf.fd != -1) {
747 event_del(&proc->iev.ev);
748 msgbuf_clear(&proc->iev.ibuf.w);
749 close(proc->iev.ibuf.fd);
750 proc->iev.ibuf.fd = -1;
753 if (!evtimer_pending(&proc->tmo, NULL) && !fatal)
754 evtimer_add(&proc->tmo, &tv);
757 log_warnx("sending SIGKILL to PID %d", proc->pid);
758 kill(proc->pid, SIGKILL);
760 kill(proc->pid, SIGTERM);
764 kill_proc_timeout(int fd, short ev, void *d)
766 struct gotd_child_proc *proc = d;
768 log_warnx("timeout waiting for PID %d to terminate;"
769 " retrying with force", proc->pid);
778 log_debug("shutting down");
779 for (slot = 0; slot < nitems(gotd_clients); slot++) {
780 struct gotd_client *c, *tmp;
782 STAILQ_FOREACH_SAFE(c, &gotd_clients[slot], entry, tmp)
786 kill_proc(gotd.listen_proc, 0);
788 log_info("terminating");
792 static struct gotd_child_proc *
793 find_proc_by_pid(pid_t pid)
795 struct gotd_child_proc *proc = NULL;
797 TAILQ_FOREACH(proc, &procs, entry)
798 if (proc->pid == pid)
805 gotd_sighdlr(int sig, short event, void *arg)
807 struct gotd_child_proc *proc;
812 * Normal signal handler rules don't apply because libevent
818 log_info("%s: ignoring SIGHUP", __func__);
821 log_info("%s: ignoring SIGUSR1", __func__);
829 pid = waitpid(WAIT_ANY, &status, WNOHANG);
840 log_debug("reaped pid %d", pid);
841 proc = find_proc_by_pid(pid);
843 log_info("caught exit of unknown child %d",
848 if (WIFSIGNALED(status)) {
849 log_warnx("child PID %d terminated with"
850 " signal %d", pid, WTERMSIG(status));
857 fatalx("unexpected signal");
861 static const struct got_error *
862 ensure_proc_is_reading(struct gotd_client *client,
863 struct gotd_child_proc *proc)
865 if (!client_is_reading(client)) {
867 return got_error_fmt(GOT_ERR_BAD_PACKET,
868 "PID %d handled a read-request for uid %d but this "
869 "user is not reading from a repository", proc->pid,
876 static const struct got_error *
877 ensure_proc_is_writing(struct gotd_client *client,
878 struct gotd_child_proc *proc)
880 if (!client_is_writing(client)) {
882 return got_error_fmt(GOT_ERR_BAD_PACKET,
883 "PID %d handled a write-request for uid %d but this "
884 "user is not writing to a repository", proc->pid,
892 verify_imsg_src(struct gotd_client *client, struct gotd_child_proc *proc,
895 const struct got_error *err;
898 if (proc->type == PROC_REPO_READ || proc->type == PROC_REPO_WRITE) {
899 if (client->repo == NULL)
900 fatalx("no process found for uid %d", client->euid);
901 if (proc->pid != client->repo->pid) {
903 log_warnx("received message from PID %d for uid %d, "
904 "while PID %d is the process serving this user",
905 proc->pid, client->euid, client->repo->pid);
909 if (proc->type == PROC_SESSION_READ ||
910 proc->type == PROC_SESSION_WRITE) {
911 if (client->session == NULL) {
912 log_warnx("no session found for uid %d", client->euid);
915 if (proc->pid != client->session->pid) {
917 log_warnx("received message from PID %d for uid %d, "
918 "while PID %d is the process serving this user",
919 proc->pid, client->euid, client->session->pid);
924 switch (imsg->hdr.type) {
925 case GOTD_IMSG_ERROR:
928 case GOTD_IMSG_CONNECT:
929 if (proc->type != PROC_LISTEN) {
930 err = got_error_fmt(GOT_ERR_BAD_PACKET,
931 "new connection for uid %d from PID %d "
932 "which is not the listen process",
933 proc->pid, client->euid);
937 case GOTD_IMSG_ACCESS_GRANTED:
938 if (proc->type != PROC_AUTH) {
939 err = got_error_fmt(GOT_ERR_BAD_PACKET,
940 "authentication of uid %d from PID %d "
941 "which is not the auth process",
942 proc->pid, client->euid);
946 case GOTD_IMSG_CLIENT_SESSION_READY:
947 if (proc->type != PROC_SESSION_READ &&
948 proc->type != PROC_SESSION_WRITE) {
949 err = got_error_fmt(GOT_ERR_BAD_PACKET,
950 "unexpected \"ready\" signal from PID %d",
955 case GOTD_IMSG_REPO_CHILD_READY:
956 if (proc->type != PROC_REPO_READ &&
957 proc->type != PROC_REPO_WRITE) {
958 err = got_error_fmt(GOT_ERR_BAD_PACKET,
959 "unexpected \"ready\" signal from PID %d",
964 case GOTD_IMSG_PACKFILE_DONE:
965 err = ensure_proc_is_reading(client, proc);
967 log_warnx("uid %d: %s", client->euid, err->msg);
971 case GOTD_IMSG_PACKFILE_INSTALL:
972 case GOTD_IMSG_REF_UPDATES_START:
973 case GOTD_IMSG_REF_UPDATE:
974 err = ensure_proc_is_writing(client, proc);
976 log_warnx("uid %d: %s", client->euid, err->msg);
981 log_debug("%s: unexpected imsg %d", __func__, imsg->hdr.type);
988 static const struct got_error *
989 connect_repo_child(struct gotd_client *client,
990 struct gotd_child_proc *repo_proc)
992 static const struct got_error *err;
993 struct gotd_imsgev *session_iev = &client->session->iev;
994 struct gotd_imsg_connect_repo_child ireq;
996 int sock_flags = SOCK_STREAM | SOCK_NONBLOCK;
999 sock_flags |= SOCK_CLOEXEC;
1002 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED)
1003 return got_error_msg(GOT_ERR_BAD_REQUEST,
1004 "unexpected repo child ready signal received");
1006 if (socketpair(AF_UNIX, sock_flags, PF_UNSPEC, pipe) == -1)
1007 fatal("socketpair");
1009 memset(&ireq, 0, sizeof(ireq));
1010 ireq.client_id = client->id;
1011 ireq.proc_id = repo_proc->type;
1013 /* Pass repo child pipe to session child process. */
1014 if (gotd_imsg_compose_event(session_iev, GOTD_IMSG_CONNECT_REPO_CHILD,
1015 PROC_GOTD, pipe[0], &ireq, sizeof(ireq)) == -1) {
1016 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
1022 /* Pass session child pipe to repo child process. */
1023 if (gotd_imsg_compose_event(&repo_proc->iev,
1024 GOTD_IMSG_CONNECT_REPO_CHILD, PROC_GOTD, pipe[1], NULL, 0) == -1) {
1025 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
1034 gotd_dispatch_listener(int fd, short event, void *arg)
1036 struct gotd_imsgev *iev = arg;
1037 struct imsgbuf *ibuf = &iev->ibuf;
1038 struct gotd_child_proc *proc = gotd.listen_proc;
1043 if (proc->iev.ibuf.fd != fd)
1044 fatalx("%s: unexpected fd %d", __func__, fd);
1046 if (event & EV_READ) {
1047 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1048 fatal("imsg_read error");
1050 /* Connection closed. */
1056 if (event & EV_WRITE) {
1057 n = msgbuf_write(&ibuf->w);
1058 if (n == -1 && errno != EAGAIN)
1059 fatal("msgbuf_write");
1061 /* Connection closed. */
1068 const struct got_error *err = NULL;
1069 struct gotd_client *client = NULL;
1070 uint32_t client_id = 0;
1071 int do_disconnect = 0;
1073 if ((n = imsg_get(ibuf, &imsg)) == -1)
1074 fatal("%s: imsg_get error", __func__);
1075 if (n == 0) /* No more messages. */
1078 switch (imsg.hdr.type) {
1079 case GOTD_IMSG_ERROR:
1081 err = gotd_imsg_recv_error(&client_id, &imsg);
1083 case GOTD_IMSG_CONNECT:
1084 err = recv_connect(&client_id, &imsg);
1087 log_debug("unexpected imsg %d", imsg.hdr.type);
1091 client = find_client(client_id);
1092 if (client == NULL) {
1093 log_warnx("%s: client not found", __func__);
1099 log_warnx("uid %d: %s", client->euid, err->msg);
1101 if (do_disconnect) {
1103 disconnect_on_error(client, err);
1112 gotd_imsg_event_add(iev);
1114 /* This pipe is dead. Remove its event handler */
1115 event_del(&iev->ev);
1116 event_loopexit(NULL);
1121 gotd_dispatch_auth_child(int fd, short event, void *arg)
1123 const struct got_error *err = NULL;
1124 struct gotd_imsgev *iev = arg;
1125 struct imsgbuf *ibuf = &iev->ibuf;
1126 struct gotd_client *client;
1127 struct gotd_repo *repo = NULL;
1131 uint32_t client_id = 0;
1132 int do_disconnect = 0;
1134 client = find_client_by_proc_fd(fd);
1135 if (client == NULL) {
1136 /* Can happen during process teardown. */
1137 warnx("cannot find client for fd %d", fd);
1142 if (client->auth == NULL)
1143 fatalx("cannot find auth child process for fd %d", fd);
1145 if (event & EV_READ) {
1146 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1147 fatal("imsg_read error");
1149 /* Connection closed. */
1155 if (event & EV_WRITE) {
1156 n = msgbuf_write(&ibuf->w);
1157 if (n == -1 && errno != EAGAIN)
1158 fatal("msgbuf_write");
1160 /* Connection closed. */
1166 if (client->auth->iev.ibuf.fd != fd)
1167 fatalx("%s: unexpected fd %d", __func__, fd);
1169 if ((n = imsg_get(ibuf, &imsg)) == -1)
1170 fatal("%s: imsg_get error", __func__);
1171 if (n == 0) /* No more messages. */
1174 evtimer_del(&client->tmo);
1176 switch (imsg.hdr.type) {
1177 case GOTD_IMSG_ERROR:
1179 err = gotd_imsg_recv_error(&client_id, &imsg);
1181 case GOTD_IMSG_ACCESS_GRANTED:
1182 client->state = GOTD_CLIENT_STATE_ACCESS_GRANTED;
1186 log_debug("unexpected imsg %d", imsg.hdr.type);
1190 if (!verify_imsg_src(client, client->auth, &imsg)) {
1192 log_debug("dropping imsg type %d from PID %d",
1193 imsg.hdr.type, client->auth->pid);
1197 if (do_disconnect) {
1199 disconnect_on_error(client, err);
1205 repo = gotd_find_repo_by_name(client->auth->repo_name, &gotd);
1207 err = got_error(GOT_ERR_NOT_GIT_REPO);
1210 kill_auth_proc(client);
1212 log_info("authenticated uid %d for repository %s",
1213 client->euid, repo->name);
1215 err = start_session_child(client, repo, gotd.argv0,
1216 gotd.confpath, gotd.daemonize, gotd.verbosity);
1221 log_warnx("uid %d: %s", client->euid, err->msg);
1223 /* We might have killed the auth process by now. */
1224 if (client->auth != NULL) {
1226 gotd_imsg_event_add(iev);
1228 /* This pipe is dead. Remove its event handler */
1229 event_del(&iev->ev);
1234 static const struct got_error *
1235 connect_session(struct gotd_client *client)
1237 const struct got_error *err = NULL;
1238 struct gotd_imsg_connect iconnect;
1241 memset(&iconnect, 0, sizeof(iconnect));
1243 s = dup(client->fd);
1245 return got_error_from_errno("dup");
1247 iconnect.client_id = client->id;
1248 iconnect.euid = client->euid;
1249 iconnect.egid = client->egid;
1251 if (gotd_imsg_compose_event(&client->session->iev, GOTD_IMSG_CONNECT,
1252 PROC_GOTD, s, &iconnect, sizeof(iconnect)) == -1) {
1253 err = got_error_from_errno("imsg compose CONNECT");
1259 * We are no longer interested in messages from this client.
1260 * Further client requests will be handled by the session process.
1262 msgbuf_clear(&client->iev.ibuf.w);
1263 imsg_clear(&client->iev.ibuf);
1264 event_del(&client->iev.ev);
1265 client->fd = -1; /* will be closed via copy in client->iev.ibuf.fd */
1271 gotd_dispatch_client_session(int fd, short event, void *arg)
1273 struct gotd_imsgev *iev = arg;
1274 struct imsgbuf *ibuf = &iev->ibuf;
1275 struct gotd_child_proc *proc = NULL;
1276 struct gotd_client *client = NULL;
1281 client = find_client_by_proc_fd(fd);
1282 if (client == NULL) {
1283 /* Can happen during process teardown. */
1284 warnx("cannot find client for fd %d", fd);
1289 if (event & EV_READ) {
1290 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1291 fatal("imsg_read error");
1293 /* Connection closed. */
1299 if (event & EV_WRITE) {
1300 n = msgbuf_write(&ibuf->w);
1301 if (n == -1 && errno != EAGAIN)
1302 fatal("msgbuf_write");
1304 /* Connection closed. */
1310 proc = client->session;
1312 fatalx("cannot find session child process for fd %d", fd);
1315 const struct got_error *err = NULL;
1316 uint32_t client_id = 0;
1317 int do_disconnect = 0, do_start_repo_child = 0;
1319 if ((n = imsg_get(ibuf, &imsg)) == -1)
1320 fatal("%s: imsg_get error", __func__);
1321 if (n == 0) /* No more messages. */
1324 switch (imsg.hdr.type) {
1325 case GOTD_IMSG_ERROR:
1327 err = gotd_imsg_recv_error(&client_id, &imsg);
1329 case GOTD_IMSG_CLIENT_SESSION_READY:
1330 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED) {
1331 err = got_error(GOT_ERR_PRIVSEP_MSG);
1334 do_start_repo_child = 1;
1336 case GOTD_IMSG_DISCONNECT:
1340 log_debug("unexpected imsg %d", imsg.hdr.type);
1344 if (!verify_imsg_src(client, proc, &imsg)) {
1345 log_debug("dropping imsg type %d from PID %d",
1346 imsg.hdr.type, proc->pid);
1351 log_warnx("uid %d: %s", client->euid, err->msg);
1353 if (do_start_repo_child) {
1354 struct gotd_repo *repo;
1355 const char *name = client->session->repo_name;
1357 repo = gotd_find_repo_by_name(name, &gotd);
1359 enum gotd_procid proc_type;
1361 if (client->required_auth & GOTD_AUTH_WRITE)
1362 proc_type = PROC_REPO_WRITE;
1364 proc_type = PROC_REPO_READ;
1366 err = start_repo_child(client, proc_type, repo,
1367 gotd.argv0, gotd.confpath, gotd.daemonize,
1370 err = got_error(GOT_ERR_NOT_GIT_REPO);
1373 log_warnx("uid %d: %s", client->euid, err->msg);
1378 if (do_disconnect) {
1380 disconnect_on_error(client, err);
1389 gotd_imsg_event_add(iev);
1391 /* This pipe is dead. Remove its event handler */
1392 event_del(&iev->ev);
1398 gotd_dispatch_repo_child(int fd, short event, void *arg)
1400 struct gotd_imsgev *iev = arg;
1401 struct imsgbuf *ibuf = &iev->ibuf;
1402 struct gotd_child_proc *proc = NULL;
1403 struct gotd_client *client;
1408 client = find_client_by_proc_fd(fd);
1409 if (client == NULL) {
1410 /* Can happen during process teardown. */
1411 warnx("cannot find client for fd %d", fd);
1416 if (event & EV_READ) {
1417 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1418 fatal("imsg_read error");
1420 /* Connection closed. */
1426 if (event & EV_WRITE) {
1427 n = msgbuf_write(&ibuf->w);
1428 if (n == -1 && errno != EAGAIN)
1429 fatal("msgbuf_write");
1431 /* Connection closed. */
1437 proc = client->repo;
1439 fatalx("cannot find child process for fd %d", fd);
1442 const struct got_error *err = NULL;
1443 uint32_t client_id = 0;
1444 int do_disconnect = 0;
1446 if ((n = imsg_get(ibuf, &imsg)) == -1)
1447 fatal("%s: imsg_get error", __func__);
1448 if (n == 0) /* No more messages. */
1451 switch (imsg.hdr.type) {
1452 case GOTD_IMSG_ERROR:
1454 err = gotd_imsg_recv_error(&client_id, &imsg);
1456 case GOTD_IMSG_REPO_CHILD_READY:
1457 err = connect_session(client);
1460 err = connect_repo_child(client, proc);
1463 log_debug("unexpected imsg %d", imsg.hdr.type);
1467 if (!verify_imsg_src(client, proc, &imsg)) {
1468 log_debug("dropping imsg type %d from PID %d",
1469 imsg.hdr.type, proc->pid);
1474 log_warnx("uid %d: %s", client->euid, err->msg);
1476 if (do_disconnect) {
1478 disconnect_on_error(client, err);
1487 gotd_imsg_event_add(iev);
1489 /* This pipe is dead. Remove its event handler */
1490 event_del(&iev->ev);
1496 start_child(enum gotd_procid proc_id, const char *repo_path,
1497 char *argv0, const char *confpath, int fd, int daemonize, int verbosity)
1503 switch (pid = fork()) {
1505 fatal("cannot fork");
1513 if (fd != GOTD_FILENO_MSG_PIPE) {
1514 if (dup2(fd, GOTD_FILENO_MSG_PIPE) == -1)
1515 fatal("cannot setup imsg fd");
1516 } else if (fcntl(fd, F_SETFD, 0) == -1)
1517 fatal("cannot setup imsg fd");
1519 argv[argc++] = argv0;
1522 argv[argc++] = (char *)"-L";
1525 argv[argc++] = (char *)"-A";
1527 case PROC_SESSION_READ:
1528 argv[argc++] = (char *)"-s";
1530 case PROC_SESSION_WRITE:
1531 argv[argc++] = (char *)"-S";
1533 case PROC_REPO_READ:
1534 argv[argc++] = (char *)"-R";
1536 case PROC_REPO_WRITE:
1537 argv[argc++] = (char *)"-W";
1540 fatalx("invalid process id %d", proc_id);
1543 argv[argc++] = (char *)"-f";
1544 argv[argc++] = (char *)confpath;
1547 argv[argc++] = (char *)"-P";
1548 argv[argc++] = (char *)repo_path;
1552 argv[argc++] = (char *)"-d";
1554 argv[argc++] = (char *)"-v";
1556 argv[argc++] = (char *)"-v";
1557 argv[argc++] = NULL;
1559 execvp(argv0, argv);
1564 start_listener(char *argv0, const char *confpath, int daemonize, int verbosity)
1566 struct gotd_child_proc *proc;
1568 proc = calloc(1, sizeof(*proc));
1572 TAILQ_INSERT_HEAD(&procs, proc, entry);
1574 /* proc->tmo is initialized in main() after event_init() */
1576 proc->type = PROC_LISTEN;
1578 if (socketpair(AF_UNIX, sock_flags,
1579 PF_UNSPEC, proc->pipe) == -1)
1580 fatal("socketpair");
1582 proc->pid = start_child(proc->type, NULL, argv0, confpath,
1583 proc->pipe[1], daemonize, verbosity);
1584 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1585 proc->iev.handler = gotd_dispatch_listener;
1586 proc->iev.events = EV_READ;
1587 proc->iev.handler_arg = NULL;
1589 gotd.listen_proc = proc;
1592 static const struct got_error *
1593 start_session_child(struct gotd_client *client, struct gotd_repo *repo,
1594 char *argv0, const char *confpath, int daemonize, int verbosity)
1596 struct gotd_child_proc *proc;
1597 int sock_flags = SOCK_STREAM | SOCK_NONBLOCK;
1600 sock_flags |= SOCK_CLOEXEC;
1603 proc = calloc(1, sizeof(*proc));
1605 return got_error_from_errno("calloc");
1607 TAILQ_INSERT_HEAD(&procs, proc, entry);
1608 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1610 if (client_is_reading(client))
1611 proc->type = PROC_SESSION_READ;
1613 proc->type = PROC_SESSION_WRITE;
1614 if (strlcpy(proc->repo_name, repo->name,
1615 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1616 fatalx("repository name too long: %s", repo->name);
1617 log_debug("starting client uid %d session for repository %s",
1618 client->euid, repo->name);
1619 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1620 sizeof(proc->repo_path))
1621 fatalx("repository path too long: %s", repo->path);
1622 if (socketpair(AF_UNIX, sock_flags, PF_UNSPEC, proc->pipe) == -1)
1623 fatal("socketpair");
1624 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1625 confpath, proc->pipe[1], daemonize, verbosity);
1626 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1627 log_debug("proc %s %s is on fd %d",
1628 gotd_proc_names[proc->type], proc->repo_path,
1630 proc->iev.handler = gotd_dispatch_client_session;
1631 proc->iev.events = EV_READ;
1632 proc->iev.handler_arg = NULL;
1633 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1634 gotd_dispatch_client_session, &proc->iev);
1635 gotd_imsg_event_add(&proc->iev);
1637 client->session = proc;
1641 static const struct got_error *
1642 start_repo_child(struct gotd_client *client, enum gotd_procid proc_type,
1643 struct gotd_repo *repo, char *argv0, const char *confpath,
1644 int daemonize, int verbosity)
1646 struct gotd_child_proc *proc;
1647 int sock_flags = SOCK_STREAM|SOCK_NONBLOCK;
1650 sock_flags |= SOCK_CLOEXEC;
1653 if (proc_type != PROC_REPO_READ && proc_type != PROC_REPO_WRITE)
1654 return got_error_msg(GOT_ERR_NOT_IMPL, "bad process type");
1656 proc = calloc(1, sizeof(*proc));
1658 return got_error_from_errno("calloc");
1660 TAILQ_INSERT_HEAD(&procs, proc, entry);
1661 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1663 proc->type = proc_type;
1664 if (strlcpy(proc->repo_name, repo->name,
1665 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1666 fatalx("repository name too long: %s", repo->name);
1667 log_debug("starting %s for repository %s",
1668 proc->type == PROC_REPO_READ ? "reader" : "writer", repo->name);
1670 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1671 sizeof(proc->repo_path))
1672 fatalx("repository path too long: %s", repo->path);
1673 if (realpath(repo->path, proc->repo_path) == NULL)
1674 fatal("%s", repo->path);
1675 if (socketpair(AF_UNIX, sock_flags,
1676 PF_UNSPEC, proc->pipe) == -1)
1677 fatal("socketpair");
1678 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1679 confpath, proc->pipe[1], daemonize, verbosity);
1680 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1681 log_debug("proc %s %s is on fd %d",
1682 gotd_proc_names[proc->type], proc->repo_path,
1684 proc->iev.handler = gotd_dispatch_repo_child;
1685 proc->iev.events = EV_READ;
1686 proc->iev.handler_arg = NULL;
1687 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1688 gotd_dispatch_repo_child, &proc->iev);
1689 gotd_imsg_event_add(&proc->iev);
1691 client->repo = proc;
1695 static const struct got_error *
1696 start_auth_child(struct gotd_client *client, int required_auth,
1697 struct gotd_repo *repo, char *argv0, const char *confpath,
1698 int daemonize, int verbosity)
1700 const struct got_error *err = NULL;
1701 struct gotd_child_proc *proc;
1702 struct gotd_imsg_auth iauth;
1704 int sock_flags = SOCK_STREAM|SOCK_NONBLOCK;
1707 sock_flags |= SOCK_CLOEXEC;
1710 memset(&iauth, 0, sizeof(iauth));
1712 fd = dup(client->fd);
1714 return got_error_from_errno("dup");
1716 proc = calloc(1, sizeof(*proc));
1718 err = got_error_from_errno("calloc");
1723 TAILQ_INSERT_HEAD(&procs, proc, entry);
1724 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1726 proc->type = PROC_AUTH;
1727 if (strlcpy(proc->repo_name, repo->name,
1728 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1729 fatalx("repository name too long: %s", repo->name);
1730 log_debug("starting auth for uid %d repository %s",
1731 client->euid, repo->name);
1732 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1733 sizeof(proc->repo_path))
1734 fatalx("repository path too long: %s", repo->path);
1735 if (realpath(repo->path, proc->repo_path) == NULL)
1736 fatal("%s", repo->path);
1737 if (socketpair(AF_UNIX, sock_flags,
1738 PF_UNSPEC, proc->pipe) == -1)
1739 fatal("socketpair");
1740 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1741 confpath, proc->pipe[1], daemonize, verbosity);
1742 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1743 log_debug("proc %s %s is on fd %d",
1744 gotd_proc_names[proc->type], proc->repo_path,
1746 proc->iev.handler = gotd_dispatch_auth_child;
1747 proc->iev.events = EV_READ;
1748 proc->iev.handler_arg = NULL;
1749 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1750 gotd_dispatch_auth_child, &proc->iev);
1751 gotd_imsg_event_add(&proc->iev);
1753 iauth.euid = client->euid;
1754 iauth.egid = client->egid;
1755 iauth.required_auth = required_auth;
1756 iauth.client_id = client->id;
1757 if (gotd_imsg_compose_event(&proc->iev, GOTD_IMSG_AUTHENTICATE,
1758 PROC_GOTD, fd, &iauth, sizeof(iauth)) == -1) {
1759 log_warn("imsg compose AUTHENTICATE");
1761 /* Let the auth_timeout handler tidy up. */
1764 client->auth = proc;
1765 client->required_auth = required_auth;
1770 apply_unveil_repo_readonly(const char *repo_path, int need_tmpdir)
1773 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1774 fatal("unveil %s", GOT_TMPDIR_STR);
1777 if (unveil(repo_path, "r") == -1)
1778 fatal("unveil %s", repo_path);
1780 if (unveil(NULL, NULL) == -1)
1785 apply_unveil_repo_readwrite(const char *repo_path)
1787 if (unveil(repo_path, "rwc") == -1)
1788 fatal("unveil %s", repo_path);
1790 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1791 fatal("unveil %s", GOT_TMPDIR_STR);
1793 if (unveil(NULL, NULL) == -1)
1798 apply_unveil_none(void)
1800 if (unveil("/", "") == -1)
1803 if (unveil(NULL, NULL) == -1)
1808 apply_unveil_selfexec(void)
1810 if (unveil(gotd.argv0, "x") == -1)
1811 fatal("unveil %s", gotd.argv0);
1813 if (unveil(NULL, NULL) == -1)
1818 main(int argc, char **argv)
1820 const struct got_error *error = NULL;
1821 int ch, fd = -1, daemonize = 1, verbosity = 0, noaction = 0;
1822 const char *confpath = GOTD_CONF_PATH;
1823 char *argv0 = argv[0];
1825 struct passwd *pw = NULL;
1826 char *repo_path = NULL;
1827 enum gotd_procid proc_id = PROC_GOTD;
1828 struct event evsigint, evsigterm, evsighup, evsigusr1, evsigchld;
1829 int *pack_fds = NULL, *temp_fds = NULL;
1830 struct gotd_repo *repo = NULL;
1834 log_init(1, LOG_DAEMON); /* Log to stderr until daemonized. */
1836 while ((ch = getopt(argc, argv, "Adf:LnP:RsSvW")) != -1) {
1839 proc_id = PROC_AUTH;
1848 proc_id = PROC_LISTEN;
1854 repo_path = realpath(optarg, NULL);
1855 if (repo_path == NULL)
1856 fatal("realpath '%s'", optarg);
1859 proc_id = PROC_REPO_READ;
1862 proc_id = PROC_SESSION_READ;
1865 proc_id = PROC_SESSION_WRITE;
1872 proc_id = PROC_REPO_WRITE;
1885 if (geteuid() && (proc_id == PROC_GOTD || proc_id == PROC_LISTEN))
1886 fatalx("need root privileges");
1888 if (parse_config(confpath, proc_id, &gotd) != 0)
1891 pw = getpwnam(gotd.user_name);
1893 fatalx("user %s not found", gotd.user_name);
1895 if (pw->pw_uid == 0)
1896 fatalx("cannot run %s as the superuser", getprogname());
1899 fprintf(stderr, "configuration OK\n");
1904 gotd.daemonize = daemonize;
1905 gotd.verbosity = verbosity;
1906 gotd.confpath = confpath;
1908 /* Require an absolute path in argv[0] for reliable re-exec. */
1909 if (!got_path_is_absolute(argv0))
1910 fatalx("bad path \"%s\": must be an absolute path", argv0);
1912 log_init(daemonize ? 0 : 1, LOG_DAEMON);
1913 log_setverbose(verbosity);
1915 if (proc_id == PROC_GOTD) {
1916 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1917 arc4random_buf(&clients_hash_key, sizeof(clients_hash_key));
1918 if (daemonize && daemon(1, 0) == -1)
1920 gotd.pid = getpid();
1921 start_listener(argv0, confpath, daemonize, verbosity);
1922 } else if (proc_id == PROC_LISTEN) {
1923 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1925 log_info("socket: %s", gotd.unix_socket_path);
1926 log_info("user: %s", pw->pw_name);
1929 fd = unix_socket_listen(gotd.unix_socket_path, pw->pw_uid,
1932 fatal("cannot listen on unix socket %s",
1933 gotd.unix_socket_path);
1935 } else if (proc_id == PROC_AUTH) {
1936 snprintf(title, sizeof(title), "%s %s",
1937 gotd_proc_names[proc_id], repo_path);
1938 } else if (proc_id == PROC_REPO_READ || proc_id == PROC_REPO_WRITE ||
1939 proc_id == PROC_SESSION_READ || proc_id == PROC_SESSION_WRITE) {
1940 error = got_repo_pack_fds_open(&pack_fds);
1942 fatalx("cannot open pack tempfiles: %s", error->msg);
1943 error = got_repo_temp_fds_open(&temp_fds);
1945 fatalx("cannot open pack tempfiles: %s", error->msg);
1946 if (repo_path == NULL)
1947 fatalx("repository path not specified");
1948 snprintf(title, sizeof(title), "%s %s",
1949 gotd_proc_names[proc_id], repo_path);
1951 fatal("invalid process id %d", proc_id);
1953 setproctitle("%s", title);
1954 log_procinit(title);
1956 /* Drop root privileges. */
1957 if (setgid(pw->pw_gid) == -1)
1958 fatal("setgid %d failed", pw->pw_gid);
1959 if (setuid(pw->pw_uid) == -1)
1960 fatal("setuid %d failed", pw->pw_uid);
1967 /* "exec" promise will be limited to argv[0] via unveil(2). */
1968 if (pledge("stdio proc exec sendfd recvfd unveil", NULL) == -1)
1974 if (pledge("stdio sendfd unix unveil", NULL) == -1)
1978 * Ensure that AF_UNIX bind(2) cannot be used with any other
1979 * sockets by revoking all filesystem access via unveil(2).
1981 apply_unveil_none();
1983 listen_main(title, fd, gotd.connection_limits,
1984 gotd.nconnection_limits);
1989 if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
1993 * We need the "unix" pledge promise for getpeername(2) only.
1994 * Ensure that AF_UNIX bind(2) cannot be used by revoking all
1995 * filesystem access via unveil(2). Access to password database
1996 * files will still work since "getpw" bypasses unveil(2).
1998 apply_unveil_none();
2000 auth_main(title, &gotd.repos, repo_path);
2003 case PROC_SESSION_READ:
2004 case PROC_SESSION_WRITE:
2007 * The "recvfd" promise is only needed during setup and
2008 * will be removed in a later pledge(2) call.
2010 if (pledge("stdio rpath wpath cpath recvfd sendfd fattr flock "
2011 "unveil", NULL) == -1)
2014 if (proc_id == PROC_SESSION_READ)
2015 apply_unveil_repo_readonly(repo_path, 1);
2017 apply_unveil_repo_readwrite(repo_path);
2018 session_main(title, repo_path, pack_fds, temp_fds,
2019 &gotd.request_timeout, proc_id);
2022 case PROC_REPO_READ:
2024 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
2027 apply_unveil_repo_readonly(repo_path, 0);
2028 repo_read_main(title, repo_path, pack_fds, temp_fds);
2031 case PROC_REPO_WRITE:
2033 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
2036 apply_unveil_repo_readonly(repo_path, 0);
2037 repo = gotd_find_repo_by_path(repo_path, &gotd);
2039 fatalx("no repository for path %s", repo_path);
2040 repo_write_main(title, repo_path, pack_fds, temp_fds,
2041 &repo->protected_tag_namespaces,
2042 &repo->protected_branch_namespaces,
2043 &repo->protected_branches);
2047 fatal("invalid process id %d", proc_id);
2050 if (proc_id != PROC_GOTD)
2051 fatal("invalid process id %d", proc_id);
2053 evtimer_set(&gotd.listen_proc->tmo, kill_proc_timeout,
2056 apply_unveil_selfexec();
2058 signal_set(&evsigint, SIGINT, gotd_sighdlr, NULL);
2059 signal_set(&evsigterm, SIGTERM, gotd_sighdlr, NULL);
2060 signal_set(&evsighup, SIGHUP, gotd_sighdlr, NULL);
2061 signal_set(&evsigusr1, SIGUSR1, gotd_sighdlr, NULL);
2062 signal_set(&evsigchld, SIGCHLD, gotd_sighdlr, NULL);
2063 signal(SIGPIPE, SIG_IGN);
2065 signal_add(&evsigint, NULL);
2066 signal_add(&evsigterm, NULL);
2067 signal_add(&evsighup, NULL);
2068 signal_add(&evsigusr1, NULL);
2069 signal_add(&evsigchld, NULL);
2071 gotd_imsg_event_add(&gotd.listen_proc->iev);
