2 * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 #include <sys/queue.h>
20 #include <sys/types.h>
22 #include <sys/socket.h>
25 #include <sys/resource.h>
45 #include "got_error.h"
46 #include "got_opentemp.h"
48 #include "got_repository.h"
49 #include "got_object.h"
50 #include "got_reference.h"
52 #include "got_lib_delta.h"
53 #include "got_lib_object.h"
54 #include "got_lib_object_cache.h"
55 #include "got_lib_hash.h"
56 #include "got_lib_gitproto.h"
57 #include "got_lib_pack.h"
58 #include "got_lib_repository.h"
65 #include "repo_read.h"
66 #include "repo_write.h"
69 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
72 enum gotd_client_state {
73 GOTD_CLIENT_STATE_NEW,
74 GOTD_CLIENT_STATE_ACCESS_GRANTED,
77 struct gotd_child_proc {
79 enum gotd_procid type;
80 char repo_name[NAME_MAX];
81 char repo_path[PATH_MAX];
83 struct gotd_imsgev iev;
86 TAILQ_ENTRY(gotd_child_proc) entry;
88 TAILQ_HEAD(gotd_procs, gotd_child_proc) procs;
91 STAILQ_ENTRY(gotd_client) entry;
92 enum gotd_client_state state;
95 struct gotd_imsgev iev;
100 struct gotd_child_proc *repo;
101 struct gotd_child_proc *auth;
102 struct gotd_child_proc *session;
105 STAILQ_HEAD(gotd_clients, gotd_client);
107 static struct gotd_clients gotd_clients[GOTD_CLIENT_TABLE_SIZE];
108 static SIPHASH_KEY clients_hash_key;
109 volatile int client_cnt;
110 static struct timeval auth_timeout = { 5, 0 };
111 static struct gotd gotd;
113 void gotd_sighdlr(int sig, short event, void *arg);
114 static void gotd_shutdown(void);
115 static const struct got_error *start_session_child(struct gotd_client *,
116 struct gotd_repo *, char *, const char *, int, int);
117 static const struct got_error *start_repo_child(struct gotd_client *,
118 enum gotd_procid, struct gotd_repo *, char *, const char *, int, int);
119 static const struct got_error *start_auth_child(struct gotd_client *, int,
120 struct gotd_repo *, char *, const char *, int, int);
121 static void kill_proc(struct gotd_child_proc *, int);
122 static void disconnect(struct gotd_client *);
127 fprintf(stderr, "usage: %s [-dnv] [-f config-file]\n", getprogname());
132 unix_socket_listen(const char *unix_socket_path, uid_t uid, gid_t gid)
134 struct sockaddr_un sun;
136 mode_t old_umask, mode;
138 fd = socket(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK| SOCK_CLOEXEC, 0);
144 sun.sun_family = AF_UNIX;
145 if (strlcpy(sun.sun_path, unix_socket_path,
146 sizeof(sun.sun_path)) >= sizeof(sun.sun_path)) {
147 log_warnx("%s: name too long", unix_socket_path);
152 if (unlink(unix_socket_path) == -1) {
153 if (errno != ENOENT) {
154 log_warn("unlink %s", unix_socket_path);
160 old_umask = umask(S_IXUSR|S_IXGRP|S_IWOTH|S_IROTH|S_IXOTH);
161 mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
163 if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) == -1) {
164 log_warn("bind: %s", unix_socket_path);
172 if (chmod(unix_socket_path, mode) == -1) {
173 log_warn("chmod %o %s", mode, unix_socket_path);
175 unlink(unix_socket_path);
179 if (chown(unix_socket_path, uid, gid) == -1) {
180 log_warn("chown %s uid=%d gid=%d", unix_socket_path, uid, gid);
182 unlink(unix_socket_path);
186 if (listen(fd, GOTD_UNIX_SOCKET_BACKLOG) == -1) {
189 unlink(unix_socket_path);
197 client_hash(uint32_t client_id)
199 return SipHash24(&clients_hash_key, &client_id, sizeof(client_id));
203 add_client(struct gotd_client *client)
205 uint64_t slot = client_hash(client->id) % nitems(gotd_clients);
206 STAILQ_INSERT_HEAD(&gotd_clients[slot], client, entry);
210 static struct gotd_client *
211 find_client(uint32_t client_id)
214 struct gotd_client *c;
216 slot = client_hash(client_id) % nitems(gotd_clients);
217 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
218 if (c->id == client_id)
225 static struct gotd_client *
226 find_client_by_proc_fd(int fd)
230 for (slot = 0; slot < nitems(gotd_clients); slot++) {
231 struct gotd_client *c;
233 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
234 if (c->repo && c->repo->iev.ibuf.fd == fd)
236 if (c->auth && c->auth->iev.ibuf.fd == fd)
238 if (c->session && c->session->iev.ibuf.fd == fd)
247 client_is_reading(struct gotd_client *client)
249 return (client->required_auth &
250 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) == GOTD_AUTH_READ;
254 client_is_writing(struct gotd_client *client)
256 return (client->required_auth &
257 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) ==
258 (GOTD_AUTH_READ | GOTD_AUTH_WRITE);
261 static const struct got_error *
262 ensure_client_is_not_writing(struct gotd_client *client)
264 if (client_is_writing(client)) {
265 return got_error_fmt(GOT_ERR_BAD_PACKET,
266 "uid %d made a read-request but is writing to "
267 "a repository", client->euid);
273 static const struct got_error *
274 ensure_client_is_not_reading(struct gotd_client *client)
276 if (client_is_reading(client)) {
277 return got_error_fmt(GOT_ERR_BAD_PACKET,
278 "uid %d made a write-request but is reading from "
279 "a repository", client->euid);
286 proc_done(struct gotd_child_proc *proc)
288 struct gotd_client *client;
290 TAILQ_REMOVE(&procs, proc, entry);
292 client = find_client_by_proc_fd(proc->iev.ibuf.fd);
293 if (client != NULL) {
294 if (proc == client->repo)
296 if (proc == client->auth)
298 if (proc == client->session)
299 client->session = NULL;
303 evtimer_del(&proc->tmo);
305 if (proc->iev.ibuf.fd != -1) {
306 event_del(&proc->iev.ev);
307 msgbuf_clear(&proc->iev.ibuf.w);
308 close(proc->iev.ibuf.fd);
315 kill_repo_proc(struct gotd_client *client)
317 if (client->repo == NULL)
320 kill_proc(client->repo, 0);
325 kill_auth_proc(struct gotd_client *client)
327 if (client->auth == NULL)
330 kill_proc(client->auth, 0);
335 kill_session_proc(struct gotd_client *client)
337 if (client->session == NULL)
340 kill_proc(client->session, 0);
341 client->session = NULL;
345 disconnect(struct gotd_client *client)
347 struct gotd_imsg_disconnect idisconnect;
348 struct gotd_child_proc *listen_proc = gotd.listen_proc;
351 log_debug("uid %d: disconnecting", client->euid);
353 kill_auth_proc(client);
354 kill_session_proc(client);
355 kill_repo_proc(client);
357 idisconnect.client_id = client->id;
358 if (gotd_imsg_compose_event(&listen_proc->iev,
359 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
360 &idisconnect, sizeof(idisconnect)) == -1)
361 log_warn("imsg compose DISCONNECT");
363 slot = client_hash(client->id) % nitems(gotd_clients);
364 STAILQ_REMOVE(&gotd_clients[slot], client, gotd_client, entry);
365 imsg_clear(&client->iev.ibuf);
366 event_del(&client->iev.ev);
367 evtimer_del(&client->tmo);
368 if (client->fd != -1)
370 else if (client->iev.ibuf.fd != -1)
371 close(client->iev.ibuf.fd);
372 free(client->username);
378 disconnect_on_error(struct gotd_client *client, const struct got_error *err)
382 if (err->code != GOT_ERR_EOF) {
383 log_warnx("uid %d: %s", client->euid, err->msg);
384 if (client->fd != -1) {
385 imsg_init(&ibuf, client->fd);
386 gotd_imsg_send_error(&ibuf, 0, PROC_GOTD, err);
393 static const struct got_error *
394 send_repo_info(struct gotd_imsgev *iev, struct gotd_repo *repo)
396 const struct got_error *err = NULL;
397 struct gotd_imsg_info_repo irepo;
399 memset(&irepo, 0, sizeof(irepo));
401 if (strlcpy(irepo.repo_name, repo->name, sizeof(irepo.repo_name))
402 >= sizeof(irepo.repo_name))
403 return got_error_msg(GOT_ERR_NO_SPACE, "repo name too long");
404 if (strlcpy(irepo.repo_path, repo->path, sizeof(irepo.repo_path))
405 >= sizeof(irepo.repo_path))
406 return got_error_msg(GOT_ERR_NO_SPACE, "repo path too long");
408 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_REPO, PROC_GOTD, -1,
409 &irepo, sizeof(irepo)) == -1) {
410 err = got_error_from_errno("imsg compose INFO_REPO");
418 static const struct got_error *
419 send_client_info(struct gotd_imsgev *iev, struct gotd_client *client)
421 const struct got_error *err = NULL;
422 struct gotd_imsg_info_client iclient;
423 struct gotd_child_proc *proc;
425 memset(&iclient, 0, sizeof(iclient));
426 iclient.euid = client->euid;
427 iclient.egid = client->egid;
431 if (strlcpy(iclient.repo_name, proc->repo_path,
432 sizeof(iclient.repo_name)) >= sizeof(iclient.repo_name)) {
433 return got_error_msg(GOT_ERR_NO_SPACE,
434 "repo name too long");
436 if (client_is_writing(client))
437 iclient.is_writing = 1;
439 iclient.repo_child_pid = proc->pid;
443 iclient.session_child_pid = client->session->pid;
445 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_CLIENT, PROC_GOTD, -1,
446 &iclient, sizeof(iclient)) == -1) {
447 err = got_error_from_errno("imsg compose INFO_CLIENT");
455 static const struct got_error *
456 send_info(struct gotd_client *client)
458 const struct got_error *err = NULL;
459 struct gotd_imsg_info info;
461 struct gotd_repo *repo;
463 if (client->euid != 0)
464 return got_error_set_errno(EPERM, "info");
467 info.verbosity = gotd.verbosity;
468 info.nrepos = gotd.nrepos;
469 info.nclients = client_cnt - 1;
471 if (gotd_imsg_compose_event(&client->iev, GOTD_IMSG_INFO, PROC_GOTD, -1,
472 &info, sizeof(info)) == -1) {
473 err = got_error_from_errno("imsg compose INFO");
478 TAILQ_FOREACH(repo, &gotd.repos, entry) {
479 err = send_repo_info(&client->iev, repo);
484 for (slot = 0; slot < nitems(gotd_clients); slot++) {
485 struct gotd_client *c;
486 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
487 if (c->id == client->id)
489 err = send_client_info(&client->iev, c);
498 static const struct got_error *
499 stop_gotd(struct gotd_client *client)
502 if (client->euid != 0)
503 return got_error_set_errno(EPERM, "stop");
510 static const struct got_error *
511 start_client_authentication(struct gotd_client *client, struct imsg *imsg)
513 const struct got_error *err;
514 struct gotd_imsg_list_refs ireq;
515 struct gotd_repo *repo = NULL;
518 log_debug("list-refs request from uid %d", client->euid);
520 if (client->state != GOTD_CLIENT_STATE_NEW)
521 return got_error_msg(GOT_ERR_BAD_REQUEST,
522 "unexpected list-refs request received");
524 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
525 if (datalen != sizeof(ireq))
526 return got_error(GOT_ERR_PRIVSEP_LEN);
528 memcpy(&ireq, imsg->data, datalen);
530 if (ireq.client_is_reading) {
531 err = ensure_client_is_not_writing(client);
534 repo = gotd_find_repo_by_name(ireq.repo_name, &gotd);
536 return got_error(GOT_ERR_NOT_GIT_REPO);
537 err = start_auth_child(client, GOTD_AUTH_READ, repo,
538 gotd.argv0, gotd.confpath, gotd.daemonize,
543 err = ensure_client_is_not_reading(client);
546 repo = gotd_find_repo_by_name(ireq.repo_name, &gotd);
548 return got_error(GOT_ERR_NOT_GIT_REPO);
549 err = start_auth_child(client,
550 GOTD_AUTH_READ | GOTD_AUTH_WRITE,
551 repo, gotd.argv0, gotd.confpath, gotd.daemonize,
557 evtimer_add(&client->tmo, &auth_timeout);
559 /* Flow continues upon authentication success/failure or timeout. */
564 gotd_request(int fd, short events, void *arg)
566 struct gotd_imsgev *iev = arg;
567 struct imsgbuf *ibuf = &iev->ibuf;
568 struct gotd_client *client = iev->handler_arg;
569 const struct got_error *err = NULL;
573 if (events & EV_WRITE) {
574 while (ibuf->w.queued) {
575 n = msgbuf_write(&ibuf->w);
576 if (n == -1 && errno == EPIPE) {
578 * The client has closed its socket.
579 * This can happen when Git clients are
580 * done sending pack file data.
582 msgbuf_clear(&ibuf->w);
584 } else if (n == -1 && errno != EAGAIN) {
585 err = got_error_from_errno("imsg_flush");
586 disconnect_on_error(client, err);
590 /* Connection closed. */
591 err = got_error(GOT_ERR_EOF);
592 disconnect_on_error(client, err);
597 /* Disconnect gotctl(8) now that messages have been sent. */
598 if (!client_is_reading(client) && !client_is_writing(client)) {
604 if ((events & EV_READ) == 0)
607 memset(&imsg, 0, sizeof(imsg));
609 while (err == NULL) {
610 err = gotd_imsg_recv(&imsg, ibuf, 0);
612 if (err->code == GOT_ERR_PRIVSEP_READ)
617 evtimer_del(&client->tmo);
619 switch (imsg.hdr.type) {
621 err = send_info(client);
624 err = stop_gotd(client);
626 case GOTD_IMSG_LIST_REFS:
627 err = start_client_authentication(client, &imsg);
630 log_debug("unexpected imsg %d", imsg.hdr.type);
631 err = got_error(GOT_ERR_PRIVSEP_MSG);
639 disconnect_on_error(client, err);
641 gotd_imsg_event_add(&client->iev);
646 gotd_auth_timeout(int fd, short events, void *arg)
648 struct gotd_client *client = arg;
650 log_debug("disconnecting uid %d due to authentication timeout",
655 static const struct got_error *
656 recv_connect(uint32_t *client_id, struct imsg *imsg)
658 const struct got_error *err = NULL;
659 struct gotd_imsg_connect iconnect;
662 struct gotd_client *client = NULL;
666 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
667 if (datalen != sizeof(iconnect))
668 return got_error(GOT_ERR_PRIVSEP_LEN);
669 memcpy(&iconnect, imsg->data, sizeof(iconnect));
671 s = imsg_get_fd(imsg);
673 err = got_error(GOT_ERR_PRIVSEP_NO_FD);
677 if (find_client(iconnect.client_id)) {
678 err = got_error_msg(GOT_ERR_CLIENT_ID, "duplicate client ID");
682 client = calloc(1, sizeof(*client));
683 if (client == NULL) {
684 err = got_error_from_errno("calloc");
688 *client_id = iconnect.client_id;
690 client->state = GOTD_CLIENT_STATE_NEW;
691 client->id = iconnect.client_id;
694 /* The auth process will verify UID/GID for us. */
695 client->euid = iconnect.euid;
696 client->egid = iconnect.egid;
698 imsg_init(&client->iev.ibuf, client->fd);
699 client->iev.handler = gotd_request;
700 client->iev.events = EV_READ;
701 client->iev.handler_arg = client;
703 event_set(&client->iev.ev, client->fd, EV_READ, gotd_request,
705 gotd_imsg_event_add(&client->iev);
707 evtimer_set(&client->tmo, gotd_auth_timeout, client);
710 log_debug("%s: new client uid %d connected on fd %d", __func__,
711 client->euid, client->fd);
714 struct gotd_child_proc *listen_proc = gotd.listen_proc;
715 struct gotd_imsg_disconnect idisconnect;
717 idisconnect.client_id = client->id;
718 if (gotd_imsg_compose_event(&listen_proc->iev,
719 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
720 &idisconnect, sizeof(idisconnect)) == -1)
721 log_warn("imsg compose DISCONNECT");
730 static const char *gotd_proc_names[PROC_MAX] = {
742 kill_proc(struct gotd_child_proc *proc, int fatal)
744 struct timeval tv = { 5, 0 };
746 log_debug("kill -%d %d", fatal ? SIGKILL : SIGTERM, proc->pid);
748 if (proc->iev.ibuf.fd != -1) {
749 event_del(&proc->iev.ev);
750 msgbuf_clear(&proc->iev.ibuf.w);
751 close(proc->iev.ibuf.fd);
752 proc->iev.ibuf.fd = -1;
755 if (!evtimer_pending(&proc->tmo, NULL) && !fatal)
756 evtimer_add(&proc->tmo, &tv);
759 log_warnx("sending SIGKILL to PID %d", proc->pid);
760 kill(proc->pid, SIGKILL);
762 kill(proc->pid, SIGTERM);
766 kill_proc_timeout(int fd, short ev, void *d)
768 struct gotd_child_proc *proc = d;
770 log_warnx("timeout waiting for PID %d to terminate;"
771 " retrying with force", proc->pid);
780 log_debug("shutting down");
781 for (slot = 0; slot < nitems(gotd_clients); slot++) {
782 struct gotd_client *c, *tmp;
784 STAILQ_FOREACH_SAFE(c, &gotd_clients[slot], entry, tmp)
788 kill_proc(gotd.listen_proc, 0);
790 log_info("terminating");
794 static struct gotd_child_proc *
795 find_proc_by_pid(pid_t pid)
797 struct gotd_child_proc *proc = NULL;
799 TAILQ_FOREACH(proc, &procs, entry)
800 if (proc->pid == pid)
807 gotd_sighdlr(int sig, short event, void *arg)
809 struct gotd_child_proc *proc;
814 * Normal signal handler rules don't apply because libevent
820 log_info("%s: ignoring SIGHUP", __func__);
823 log_info("%s: ignoring SIGUSR1", __func__);
831 pid = waitpid(WAIT_ANY, &status, WNOHANG);
842 log_debug("reaped pid %d", pid);
843 proc = find_proc_by_pid(pid);
845 log_info("caught exit of unknown child %d",
850 if (WIFSIGNALED(status)) {
851 log_warnx("child PID %d terminated with"
852 " signal %d", pid, WTERMSIG(status));
859 fatalx("unexpected signal");
863 static const struct got_error *
864 ensure_proc_is_reading(struct gotd_client *client,
865 struct gotd_child_proc *proc)
867 if (!client_is_reading(client)) {
869 return got_error_fmt(GOT_ERR_BAD_PACKET,
870 "PID %d handled a read-request for uid %d but this "
871 "user is not reading from a repository", proc->pid,
878 static const struct got_error *
879 ensure_proc_is_writing(struct gotd_client *client,
880 struct gotd_child_proc *proc)
882 if (!client_is_writing(client)) {
884 return got_error_fmt(GOT_ERR_BAD_PACKET,
885 "PID %d handled a write-request for uid %d but this "
886 "user is not writing to a repository", proc->pid,
894 verify_imsg_src(struct gotd_client *client, struct gotd_child_proc *proc,
897 const struct got_error *err;
900 if (proc->type == PROC_REPO_READ || proc->type == PROC_REPO_WRITE) {
901 if (client->repo == NULL)
902 fatalx("no process found for uid %d", client->euid);
903 if (proc->pid != client->repo->pid) {
905 log_warnx("received message from PID %d for uid %d, "
906 "while PID %d is the process serving this user",
907 proc->pid, client->euid, client->repo->pid);
911 if (proc->type == PROC_SESSION_READ ||
912 proc->type == PROC_SESSION_WRITE) {
913 if (client->session == NULL) {
914 log_warnx("no session found for uid %d", client->euid);
917 if (proc->pid != client->session->pid) {
919 log_warnx("received message from PID %d for uid %d, "
920 "while PID %d is the process serving this user",
921 proc->pid, client->euid, client->session->pid);
926 switch (imsg->hdr.type) {
927 case GOTD_IMSG_ERROR:
930 case GOTD_IMSG_CONNECT:
931 if (proc->type != PROC_LISTEN) {
932 err = got_error_fmt(GOT_ERR_BAD_PACKET,
933 "new connection for uid %d from PID %d "
934 "which is not the listen process",
935 client->euid, proc->pid);
939 case GOTD_IMSG_ACCESS_GRANTED:
940 if (proc->type != PROC_AUTH) {
941 err = got_error_fmt(GOT_ERR_BAD_PACKET,
942 "authentication of uid %d from PID %d "
943 "which is not the auth process",
944 client->euid, proc->pid);
948 case GOTD_IMSG_CLIENT_SESSION_READY:
949 if (proc->type != PROC_SESSION_READ &&
950 proc->type != PROC_SESSION_WRITE) {
951 err = got_error_fmt(GOT_ERR_BAD_PACKET,
952 "unexpected \"ready\" signal from PID %d",
957 case GOTD_IMSG_REPO_CHILD_READY:
958 if (proc->type != PROC_REPO_READ &&
959 proc->type != PROC_REPO_WRITE) {
960 err = got_error_fmt(GOT_ERR_BAD_PACKET,
961 "unexpected \"ready\" signal from PID %d",
966 case GOTD_IMSG_PACKFILE_DONE:
967 err = ensure_proc_is_reading(client, proc);
969 log_warnx("uid %d: %s", client->euid, err->msg);
973 case GOTD_IMSG_PACKFILE_INSTALL:
974 case GOTD_IMSG_REF_UPDATES_START:
975 case GOTD_IMSG_REF_UPDATE:
976 err = ensure_proc_is_writing(client, proc);
978 log_warnx("uid %d: %s", client->euid, err->msg);
983 log_debug("%s: unexpected imsg %d", __func__, imsg->hdr.type);
990 static const struct got_error *
991 connect_repo_child(struct gotd_client *client,
992 struct gotd_child_proc *repo_proc)
994 static const struct got_error *err;
995 struct gotd_imsgev *session_iev = &client->session->iev;
996 struct gotd_imsg_connect_repo_child ireq;
999 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED)
1000 return got_error_msg(GOT_ERR_BAD_REQUEST,
1001 "unexpected repo child ready signal received");
1003 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1004 PF_UNSPEC, pipe) == -1)
1005 fatal("socketpair");
1007 memset(&ireq, 0, sizeof(ireq));
1008 ireq.client_id = client->id;
1009 ireq.proc_id = repo_proc->type;
1011 /* Pass repo child pipe to session child process. */
1012 if (gotd_imsg_compose_event(session_iev, GOTD_IMSG_CONNECT_REPO_CHILD,
1013 PROC_GOTD, pipe[0], &ireq, sizeof(ireq)) == -1) {
1014 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
1020 /* Pass session child pipe to repo child process. */
1021 if (gotd_imsg_compose_event(&repo_proc->iev,
1022 GOTD_IMSG_CONNECT_REPO_CHILD, PROC_GOTD, pipe[1], NULL, 0) == -1) {
1023 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
1032 gotd_dispatch_listener(int fd, short event, void *arg)
1034 struct gotd_imsgev *iev = arg;
1035 struct imsgbuf *ibuf = &iev->ibuf;
1036 struct gotd_child_proc *proc = gotd.listen_proc;
1041 if (proc->iev.ibuf.fd != fd)
1042 fatalx("%s: unexpected fd %d", __func__, fd);
1044 if (event & EV_READ) {
1045 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1046 fatal("imsg_read error");
1048 /* Connection closed. */
1054 if (event & EV_WRITE) {
1055 n = msgbuf_write(&ibuf->w);
1056 if (n == -1 && errno != EAGAIN)
1057 fatal("msgbuf_write");
1059 /* Connection closed. */
1066 const struct got_error *err = NULL;
1067 struct gotd_client *client = NULL;
1068 uint32_t client_id = 0;
1069 int do_disconnect = 0;
1071 if ((n = imsg_get(ibuf, &imsg)) == -1)
1072 fatal("%s: imsg_get error", __func__);
1073 if (n == 0) /* No more messages. */
1076 switch (imsg.hdr.type) {
1077 case GOTD_IMSG_ERROR:
1079 err = gotd_imsg_recv_error(&client_id, &imsg);
1081 case GOTD_IMSG_CONNECT:
1082 err = recv_connect(&client_id, &imsg);
1085 log_debug("unexpected imsg %d", imsg.hdr.type);
1089 client = find_client(client_id);
1090 if (client == NULL) {
1091 log_warnx("%s: client not found", __func__);
1097 log_warnx("uid %d: %s", client->euid, err->msg);
1099 if (do_disconnect) {
1101 disconnect_on_error(client, err);
1110 gotd_imsg_event_add(iev);
1112 /* This pipe is dead. Remove its event handler */
1113 event_del(&iev->ev);
1114 event_loopexit(NULL);
1119 gotd_dispatch_auth_child(int fd, short event, void *arg)
1121 const struct got_error *err = NULL;
1122 struct gotd_imsgev *iev = arg;
1123 struct imsgbuf *ibuf = &iev->ibuf;
1124 struct gotd_client *client;
1125 struct gotd_repo *repo = NULL;
1129 uint32_t client_id = 0;
1130 int do_disconnect = 0;
1133 client = find_client_by_proc_fd(fd);
1134 if (client == NULL) {
1135 /* Can happen during process teardown. */
1136 warnx("cannot find client for fd %d", fd);
1141 if (client->auth == NULL)
1142 fatalx("cannot find auth child process for fd %d", fd);
1144 if (event & EV_READ) {
1145 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1146 fatal("imsg_read error");
1148 /* Connection closed. */
1154 if (event & EV_WRITE) {
1155 n = msgbuf_write(&ibuf->w);
1156 if (n == -1 && errno != EAGAIN)
1157 fatal("msgbuf_write");
1159 /* Connection closed. */
1165 if (client->auth->iev.ibuf.fd != fd)
1166 fatalx("%s: unexpected fd %d", __func__, fd);
1168 if ((n = imsg_get(ibuf, &imsg)) == -1)
1169 fatal("%s: imsg_get error", __func__);
1170 if (n == 0) /* No more messages. */
1173 evtimer_del(&client->tmo);
1175 datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
1177 switch (imsg.hdr.type) {
1178 case GOTD_IMSG_ERROR:
1180 err = gotd_imsg_recv_error(&client_id, &imsg);
1182 case GOTD_IMSG_ACCESS_GRANTED:
1183 if (client->state != GOTD_CLIENT_STATE_NEW) {
1185 err = got_error(GOT_ERR_PRIVSEP_MSG);
1190 log_debug("unexpected imsg %d", imsg.hdr.type);
1194 if (!verify_imsg_src(client, client->auth, &imsg)) {
1196 log_debug("dropping imsg type %d from PID %d",
1197 imsg.hdr.type, client->auth->pid);
1200 if (do_disconnect) {
1202 disconnect_on_error(client, err);
1209 client->state = GOTD_CLIENT_STATE_ACCESS_GRANTED;
1211 client->username = strndup(imsg.data, datalen);
1213 if (client->username == NULL &&
1214 asprintf(&client->username, "uid %d", client->euid) == -1) {
1215 err = got_error_from_errno("asprintf");
1219 repo = gotd_find_repo_by_name(client->auth->repo_name, &gotd);
1221 err = got_error(GOT_ERR_NOT_GIT_REPO);
1224 kill_auth_proc(client);
1226 log_info("authenticated %s for repository %s",
1227 client->username, repo->name);
1229 err = start_session_child(client, repo, gotd.argv0,
1230 gotd.confpath, gotd.daemonize, gotd.verbosity);
1235 log_warnx("uid %d: %s", client->euid, err->msg);
1237 /* We might have killed the auth process by now. */
1238 if (client->auth != NULL) {
1240 gotd_imsg_event_add(iev);
1242 /* This pipe is dead. Remove its event handler */
1243 event_del(&iev->ev);
1248 static const struct got_error *
1249 connect_session(struct gotd_client *client)
1251 const struct got_error *err = NULL;
1252 struct gotd_imsg_connect iconnect;
1255 memset(&iconnect, 0, sizeof(iconnect));
1257 s = dup(client->fd);
1259 return got_error_from_errno("dup");
1261 iconnect.client_id = client->id;
1262 iconnect.euid = client->euid;
1263 iconnect.egid = client->egid;
1265 if (gotd_imsg_compose_event(&client->session->iev, GOTD_IMSG_CONNECT,
1266 PROC_GOTD, s, &iconnect, sizeof(iconnect)) == -1) {
1267 err = got_error_from_errno("imsg compose CONNECT");
1273 * We are no longer interested in messages from this client.
1274 * Further client requests will be handled by the session process.
1276 msgbuf_clear(&client->iev.ibuf.w);
1277 imsg_clear(&client->iev.ibuf);
1278 event_del(&client->iev.ev);
1279 client->fd = -1; /* will be closed via copy in client->iev.ibuf.fd */
1285 gotd_dispatch_client_session(int fd, short event, void *arg)
1287 struct gotd_imsgev *iev = arg;
1288 struct imsgbuf *ibuf = &iev->ibuf;
1289 struct gotd_child_proc *proc = NULL;
1290 struct gotd_client *client = NULL;
1295 client = find_client_by_proc_fd(fd);
1296 if (client == NULL) {
1297 /* Can happen during process teardown. */
1298 warnx("cannot find client for fd %d", fd);
1303 if (event & EV_READ) {
1304 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1305 fatal("imsg_read error");
1307 /* Connection closed. */
1313 if (event & EV_WRITE) {
1314 n = msgbuf_write(&ibuf->w);
1315 if (n == -1 && errno != EAGAIN)
1316 fatal("msgbuf_write");
1318 /* Connection closed. */
1324 proc = client->session;
1326 fatalx("cannot find session child process for fd %d", fd);
1329 const struct got_error *err = NULL;
1330 uint32_t client_id = 0;
1331 int do_disconnect = 0, do_start_repo_child = 0;
1333 if ((n = imsg_get(ibuf, &imsg)) == -1)
1334 fatal("%s: imsg_get error", __func__);
1335 if (n == 0) /* No more messages. */
1338 switch (imsg.hdr.type) {
1339 case GOTD_IMSG_ERROR:
1341 err = gotd_imsg_recv_error(&client_id, &imsg);
1343 case GOTD_IMSG_CLIENT_SESSION_READY:
1344 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED) {
1345 err = got_error(GOT_ERR_PRIVSEP_MSG);
1348 do_start_repo_child = 1;
1350 case GOTD_IMSG_DISCONNECT:
1354 log_debug("unexpected imsg %d", imsg.hdr.type);
1358 if (!verify_imsg_src(client, proc, &imsg)) {
1359 log_debug("dropping imsg type %d from PID %d",
1360 imsg.hdr.type, proc->pid);
1365 log_warnx("uid %d: %s", client->euid, err->msg);
1367 if (do_start_repo_child) {
1368 struct gotd_repo *repo;
1369 const char *name = client->session->repo_name;
1371 repo = gotd_find_repo_by_name(name, &gotd);
1373 enum gotd_procid proc_type;
1375 if (client->required_auth & GOTD_AUTH_WRITE)
1376 proc_type = PROC_REPO_WRITE;
1378 proc_type = PROC_REPO_READ;
1380 err = start_repo_child(client, proc_type, repo,
1381 gotd.argv0, gotd.confpath, gotd.daemonize,
1384 err = got_error(GOT_ERR_NOT_GIT_REPO);
1387 log_warnx("uid %d: %s", client->euid, err->msg);
1392 if (do_disconnect) {
1394 disconnect_on_error(client, err);
1403 gotd_imsg_event_add(iev);
1405 /* This pipe is dead. Remove its event handler */
1406 event_del(&iev->ev);
1412 gotd_dispatch_repo_child(int fd, short event, void *arg)
1414 struct gotd_imsgev *iev = arg;
1415 struct imsgbuf *ibuf = &iev->ibuf;
1416 struct gotd_child_proc *proc = NULL;
1417 struct gotd_client *client;
1422 client = find_client_by_proc_fd(fd);
1423 if (client == NULL) {
1424 /* Can happen during process teardown. */
1425 warnx("cannot find client for fd %d", fd);
1430 if (event & EV_READ) {
1431 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1432 fatal("imsg_read error");
1434 /* Connection closed. */
1440 if (event & EV_WRITE) {
1441 n = msgbuf_write(&ibuf->w);
1442 if (n == -1 && errno != EAGAIN)
1443 fatal("msgbuf_write");
1445 /* Connection closed. */
1451 proc = client->repo;
1453 fatalx("cannot find child process for fd %d", fd);
1456 const struct got_error *err = NULL;
1457 uint32_t client_id = 0;
1458 int do_disconnect = 0;
1460 if ((n = imsg_get(ibuf, &imsg)) == -1)
1461 fatal("%s: imsg_get error", __func__);
1462 if (n == 0) /* No more messages. */
1465 switch (imsg.hdr.type) {
1466 case GOTD_IMSG_ERROR:
1468 err = gotd_imsg_recv_error(&client_id, &imsg);
1470 case GOTD_IMSG_REPO_CHILD_READY:
1471 err = connect_session(client);
1474 err = connect_repo_child(client, proc);
1477 log_debug("unexpected imsg %d", imsg.hdr.type);
1481 if (!verify_imsg_src(client, proc, &imsg)) {
1482 log_debug("dropping imsg type %d from PID %d",
1483 imsg.hdr.type, proc->pid);
1488 log_warnx("uid %d: %s", client->euid, err->msg);
1490 if (do_disconnect) {
1492 disconnect_on_error(client, err);
1501 gotd_imsg_event_add(iev);
1503 /* This pipe is dead. Remove its event handler */
1504 event_del(&iev->ev);
1510 start_child(enum gotd_procid proc_id, const char *repo_path,
1511 char *argv0, const char *confpath, int fd, int daemonize, int verbosity)
1517 switch (pid = fork()) {
1519 fatal("cannot fork");
1527 if (fd != GOTD_FILENO_MSG_PIPE) {
1528 if (dup2(fd, GOTD_FILENO_MSG_PIPE) == -1)
1529 fatal("cannot setup imsg fd");
1530 } else if (fcntl(fd, F_SETFD, 0) == -1)
1531 fatal("cannot setup imsg fd");
1533 argv[argc++] = argv0;
1536 argv[argc++] = (char *)"-L";
1539 argv[argc++] = (char *)"-A";
1541 case PROC_SESSION_READ:
1542 argv[argc++] = (char *)"-s";
1544 case PROC_SESSION_WRITE:
1545 argv[argc++] = (char *)"-S";
1547 case PROC_REPO_READ:
1548 argv[argc++] = (char *)"-R";
1550 case PROC_REPO_WRITE:
1551 argv[argc++] = (char *)"-W";
1554 fatalx("invalid process id %d", proc_id);
1557 argv[argc++] = (char *)"-f";
1558 argv[argc++] = (char *)confpath;
1561 argv[argc++] = (char *)"-P";
1562 argv[argc++] = (char *)repo_path;
1566 argv[argc++] = (char *)"-d";
1568 argv[argc++] = (char *)"-v";
1570 argv[argc++] = (char *)"-v";
1571 argv[argc++] = NULL;
1573 execvp(argv0, argv);
1578 start_listener(char *argv0, const char *confpath, int daemonize, int verbosity)
1580 struct gotd_child_proc *proc;
1582 proc = calloc(1, sizeof(*proc));
1586 TAILQ_INSERT_HEAD(&procs, proc, entry);
1588 /* proc->tmo is initialized in main() after event_init() */
1590 proc->type = PROC_LISTEN;
1592 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1593 PF_UNSPEC, proc->pipe) == -1)
1594 fatal("socketpair");
1596 proc->pid = start_child(proc->type, NULL, argv0, confpath,
1597 proc->pipe[1], daemonize, verbosity);
1598 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1599 proc->iev.handler = gotd_dispatch_listener;
1600 proc->iev.events = EV_READ;
1601 proc->iev.handler_arg = NULL;
1603 gotd.listen_proc = proc;
1606 static const struct got_error *
1607 start_session_child(struct gotd_client *client, struct gotd_repo *repo,
1608 char *argv0, const char *confpath, int daemonize, int verbosity)
1610 struct gotd_child_proc *proc;
1612 proc = calloc(1, sizeof(*proc));
1614 return got_error_from_errno("calloc");
1616 TAILQ_INSERT_HEAD(&procs, proc, entry);
1617 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1619 if (client_is_reading(client))
1620 proc->type = PROC_SESSION_READ;
1622 proc->type = PROC_SESSION_WRITE;
1623 if (strlcpy(proc->repo_name, repo->name,
1624 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1625 fatalx("repository name too long: %s", repo->name);
1626 log_debug("starting client uid %d session for repository %s",
1627 client->euid, repo->name);
1628 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1629 sizeof(proc->repo_path))
1630 fatalx("repository path too long: %s", repo->path);
1631 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1632 PF_UNSPEC, proc->pipe) == -1)
1633 fatal("socketpair");
1634 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1635 confpath, proc->pipe[1], daemonize, verbosity);
1636 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1637 log_debug("proc %s %s is on fd %d",
1638 gotd_proc_names[proc->type], proc->repo_path,
1640 proc->iev.handler = gotd_dispatch_client_session;
1641 proc->iev.events = EV_READ;
1642 proc->iev.handler_arg = NULL;
1643 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1644 gotd_dispatch_client_session, &proc->iev);
1645 gotd_imsg_event_add(&proc->iev);
1647 client->session = proc;
1651 static const struct got_error *
1652 start_repo_child(struct gotd_client *client, enum gotd_procid proc_type,
1653 struct gotd_repo *repo, char *argv0, const char *confpath,
1654 int daemonize, int verbosity)
1656 struct gotd_child_proc *proc;
1658 if (proc_type != PROC_REPO_READ && proc_type != PROC_REPO_WRITE)
1659 return got_error_msg(GOT_ERR_NOT_IMPL, "bad process type");
1661 proc = calloc(1, sizeof(*proc));
1663 return got_error_from_errno("calloc");
1665 TAILQ_INSERT_HEAD(&procs, proc, entry);
1666 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1668 proc->type = proc_type;
1669 if (strlcpy(proc->repo_name, repo->name,
1670 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1671 fatalx("repository name too long: %s", repo->name);
1672 log_debug("starting %s for repository %s",
1673 proc->type == PROC_REPO_READ ? "reader" : "writer", repo->name);
1674 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1675 sizeof(proc->repo_path))
1676 fatalx("repository path too long: %s", repo->path);
1677 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1678 PF_UNSPEC, proc->pipe) == -1)
1679 fatal("socketpair");
1680 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1681 confpath, proc->pipe[1], daemonize, verbosity);
1682 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1683 log_debug("proc %s %s is on fd %d",
1684 gotd_proc_names[proc->type], proc->repo_path,
1686 proc->iev.handler = gotd_dispatch_repo_child;
1687 proc->iev.events = EV_READ;
1688 proc->iev.handler_arg = NULL;
1689 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1690 gotd_dispatch_repo_child, &proc->iev);
1691 gotd_imsg_event_add(&proc->iev);
1693 client->repo = proc;
1697 static const struct got_error *
1698 start_auth_child(struct gotd_client *client, int required_auth,
1699 struct gotd_repo *repo, char *argv0, const char *confpath,
1700 int daemonize, int verbosity)
1702 const struct got_error *err = NULL;
1703 struct gotd_child_proc *proc;
1704 struct gotd_imsg_auth iauth;
1707 memset(&iauth, 0, sizeof(iauth));
1709 fd = dup(client->fd);
1711 return got_error_from_errno("dup");
1713 proc = calloc(1, sizeof(*proc));
1715 err = got_error_from_errno("calloc");
1720 TAILQ_INSERT_HEAD(&procs, proc, entry);
1721 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1723 proc->type = PROC_AUTH;
1724 if (strlcpy(proc->repo_name, repo->name,
1725 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1726 fatalx("repository name too long: %s", repo->name);
1727 log_debug("starting auth for uid %d repository %s",
1728 client->euid, repo->name);
1729 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1730 sizeof(proc->repo_path))
1731 fatalx("repository path too long: %s", repo->path);
1732 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1733 PF_UNSPEC, proc->pipe) == -1)
1734 fatal("socketpair");
1735 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1736 confpath, proc->pipe[1], daemonize, verbosity);
1737 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1738 log_debug("proc %s %s is on fd %d",
1739 gotd_proc_names[proc->type], proc->repo_path,
1741 proc->iev.handler = gotd_dispatch_auth_child;
1742 proc->iev.events = EV_READ;
1743 proc->iev.handler_arg = NULL;
1744 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1745 gotd_dispatch_auth_child, &proc->iev);
1746 gotd_imsg_event_add(&proc->iev);
1748 iauth.euid = client->euid;
1749 iauth.egid = client->egid;
1750 iauth.required_auth = required_auth;
1751 iauth.client_id = client->id;
1752 if (gotd_imsg_compose_event(&proc->iev, GOTD_IMSG_AUTHENTICATE,
1753 PROC_GOTD, fd, &iauth, sizeof(iauth)) == -1) {
1754 log_warn("imsg compose AUTHENTICATE");
1756 /* Let the auth_timeout handler tidy up. */
1759 client->auth = proc;
1760 client->required_auth = required_auth;
1765 apply_unveil_repo_readonly(const char *repo_path, int need_tmpdir)
1768 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1769 fatal("unveil %s", GOT_TMPDIR_STR);
1772 if (unveil(repo_path, "r") == -1)
1773 fatal("unveil %s", repo_path);
1775 if (unveil(NULL, NULL) == -1)
1780 apply_unveil_repo_readwrite(const char *repo_path)
1782 if (unveil(repo_path, "rwc") == -1)
1783 fatal("unveil %s", repo_path);
1785 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1786 fatal("unveil %s", GOT_TMPDIR_STR);
1788 if (unveil(NULL, NULL) == -1)
1793 apply_unveil_none(void)
1795 if (unveil("/", "") == -1)
1798 if (unveil(NULL, NULL) == -1)
1803 apply_unveil_selfexec(void)
1805 if (unveil(gotd.argv0, "x") == -1)
1806 fatal("unveil %s", gotd.argv0);
1808 if (unveil(NULL, NULL) == -1)
1813 set_max_datasize(void)
1817 if (getrlimit(RLIMIT_DATA, &rl) != 0)
1820 rl.rlim_cur = rl.rlim_max;
1821 setrlimit(RLIMIT_DATA, &rl);
1825 main(int argc, char **argv)
1827 const struct got_error *error = NULL;
1828 int ch, fd = -1, daemonize = 1, verbosity = 0, noaction = 0;
1829 const char *confpath = GOTD_CONF_PATH;
1830 char *argv0 = argv[0];
1832 struct passwd *pw = NULL;
1833 char *repo_path = NULL;
1834 enum gotd_procid proc_id = PROC_GOTD;
1835 struct event evsigint, evsigterm, evsighup, evsigusr1, evsigchld;
1836 int *pack_fds = NULL, *temp_fds = NULL;
1837 struct gotd_repo *repo = NULL;
1841 log_init(1, LOG_DAEMON); /* Log to stderr until daemonized. */
1843 while ((ch = getopt(argc, argv, "Adf:LnP:RsSvW")) != -1) {
1846 proc_id = PROC_AUTH;
1855 proc_id = PROC_LISTEN;
1861 repo_path = realpath(optarg, NULL);
1862 if (repo_path == NULL)
1863 fatal("realpath '%s'", optarg);
1866 proc_id = PROC_REPO_READ;
1869 proc_id = PROC_SESSION_READ;
1872 proc_id = PROC_SESSION_WRITE;
1879 proc_id = PROC_REPO_WRITE;
1892 if (geteuid() && (proc_id == PROC_GOTD || proc_id == PROC_LISTEN))
1893 fatalx("need root privileges");
1895 if (parse_config(confpath, proc_id, &gotd) != 0)
1898 pw = getpwnam(gotd.user_name);
1900 fatalx("user %s not found", gotd.user_name);
1902 if (pw->pw_uid == 0)
1903 fatalx("cannot run %s as the superuser", getprogname());
1906 fprintf(stderr, "configuration OK\n");
1911 gotd.daemonize = daemonize;
1912 gotd.verbosity = verbosity;
1913 gotd.confpath = confpath;
1915 /* Require an absolute path in argv[0] for reliable re-exec. */
1916 if (!got_path_is_absolute(argv0))
1917 fatalx("bad path \"%s\": must be an absolute path", argv0);
1919 log_init(daemonize ? 0 : 1, LOG_DAEMON);
1920 log_setverbose(verbosity);
1922 if (proc_id == PROC_GOTD) {
1923 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1924 arc4random_buf(&clients_hash_key, sizeof(clients_hash_key));
1925 if (daemonize && daemon(1, 0) == -1)
1927 gotd.pid = getpid();
1928 start_listener(argv0, confpath, daemonize, verbosity);
1929 } else if (proc_id == PROC_LISTEN) {
1930 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1932 log_info("socket: %s", gotd.unix_socket_path);
1933 log_info("user: %s", pw->pw_name);
1936 fd = unix_socket_listen(gotd.unix_socket_path, pw->pw_uid,
1939 fatal("cannot listen on unix socket %s",
1940 gotd.unix_socket_path);
1942 } else if (proc_id == PROC_AUTH) {
1943 snprintf(title, sizeof(title), "%s %s",
1944 gotd_proc_names[proc_id], repo_path);
1945 } else if (proc_id == PROC_REPO_READ || proc_id == PROC_REPO_WRITE ||
1946 proc_id == PROC_SESSION_READ || proc_id == PROC_SESSION_WRITE) {
1947 error = got_repo_pack_fds_open(&pack_fds);
1949 fatalx("cannot open pack tempfiles: %s", error->msg);
1950 error = got_repo_temp_fds_open(&temp_fds);
1952 fatalx("cannot open pack tempfiles: %s", error->msg);
1953 if (repo_path == NULL)
1954 fatalx("repository path not specified");
1955 snprintf(title, sizeof(title), "%s %s",
1956 gotd_proc_names[proc_id], repo_path);
1958 fatal("invalid process id %d", proc_id);
1960 setproctitle("%s", title);
1961 log_procinit(title);
1963 /* Drop root privileges. */
1964 if (setgid(pw->pw_gid) == -1)
1965 fatal("setgid %d failed", pw->pw_gid);
1966 if (setuid(pw->pw_uid) == -1)
1967 fatal("setuid %d failed", pw->pw_uid);
1974 /* "exec" promise will be limited to argv[0] via unveil(2). */
1975 if (pledge("stdio proc exec sendfd recvfd unveil", NULL) == -1)
1981 if (pledge("stdio sendfd unix unveil", NULL) == -1)
1985 * Ensure that AF_UNIX bind(2) cannot be used with any other
1986 * sockets by revoking all filesystem access via unveil(2).
1988 apply_unveil_none();
1990 listen_main(title, fd, gotd.connection_limits,
1991 gotd.nconnection_limits);
1996 if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
2000 * We need the "unix" pledge promise for getpeername(2) only.
2001 * Ensure that AF_UNIX bind(2) cannot be used by revoking all
2002 * filesystem access via unveil(2). Access to password database
2003 * files will still work since "getpw" bypasses unveil(2).
2005 apply_unveil_none();
2007 auth_main(title, &gotd.repos, repo_path);
2010 case PROC_SESSION_READ:
2011 case PROC_SESSION_WRITE:
2014 * The "recvfd" promise is only needed during setup and
2015 * will be removed in a later pledge(2) call.
2017 if (pledge("stdio rpath wpath cpath recvfd sendfd fattr flock "
2018 "unveil", NULL) == -1)
2021 if (proc_id == PROC_SESSION_READ)
2022 apply_unveil_repo_readonly(repo_path, 1);
2024 apply_unveil_repo_readwrite(repo_path);
2025 session_main(title, repo_path, pack_fds, temp_fds,
2026 &gotd.request_timeout, proc_id);
2029 case PROC_REPO_READ:
2032 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
2035 apply_unveil_repo_readonly(repo_path, 0);
2036 repo_read_main(title, repo_path, pack_fds, temp_fds);
2039 case PROC_REPO_WRITE:
2042 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
2045 apply_unveil_repo_readonly(repo_path, 0);
2046 repo = gotd_find_repo_by_path(repo_path, &gotd);
2048 fatalx("no repository for path %s", repo_path);
2049 repo_write_main(title, repo_path, pack_fds, temp_fds,
2050 &repo->protected_tag_namespaces,
2051 &repo->protected_branch_namespaces,
2052 &repo->protected_branches);
2056 fatal("invalid process id %d", proc_id);
2059 if (proc_id != PROC_GOTD)
2060 fatal("invalid process id %d", proc_id);
2062 evtimer_set(&gotd.listen_proc->tmo, kill_proc_timeout,
2065 apply_unveil_selfexec();
2067 signal_set(&evsigint, SIGINT, gotd_sighdlr, NULL);
2068 signal_set(&evsigterm, SIGTERM, gotd_sighdlr, NULL);
2069 signal_set(&evsighup, SIGHUP, gotd_sighdlr, NULL);
2070 signal_set(&evsigusr1, SIGUSR1, gotd_sighdlr, NULL);
2071 signal_set(&evsigchld, SIGCHLD, gotd_sighdlr, NULL);
2072 signal(SIGPIPE, SIG_IGN);
2074 signal_add(&evsigint, NULL);
2075 signal_add(&evsigterm, NULL);
2076 signal_add(&evsighup, NULL);
2077 signal_add(&evsigusr1, NULL);
2078 signal_add(&evsigchld, NULL);
2080 gotd_imsg_event_add(&gotd.listen_proc->iev);