display process title in syslog when a gotd child process exits

get rid of gotd client_id field where it is not needed This ID was necessary back when session and repo processes supported connections from multiple clients. Nowadays, these processes run per connection and exit once a single client session has been served. The other processes already identify the client via the session/repo file descriptor which has sent an imsg.

plug some fd leaks in the fdopen{,dir} error paths There's also a memory leak fixed. ok stsp@

remove unneded wbuf->fd = -1 There's no need to set the fd to -1 on ibufs created with imsg_create(3), and it was probably never needed.

convert to use imsg_get_fd() While here also fix a fd leak in got-read-pack. We were dup'ing imsg.fd without closing imsg.fd later; instead just use imsg_get_fd() to extract the file descriptor. Tested by falsifian and Kyle Ackerman, thanks! 'go ahead' stsp@

fix typo in gotd debug messages: receving -> receiving

add support for protecting references against 'got send -f' to gotd ok op@

gotd: remove more (all?) double process names in log

gotd: Fix more double process names Patch by Josiah Frentsos, thanks!

make gotd repo_read store want/have commit IDs in ID sets rather than arrays Currently only used to detect and avoid storing duplicate IDs sent in want and have lines by the client. If in the future we ever wanted to check which IDs the client has already sent us we could now do O(1) hash table lookups rather than iterating arrays. ok op@

rename lib/sha1.c to lib/hash.c It will soon grow functions to deal with sha256 too. stsp@ agrees.

include sha2.h too where sha1.h is included In preparation for wide sha256 support; stsp@ agrees. Change done mechanically with find . -iname \*.[cy] -exec sam {} + X ,x/<sha1\.h>/i/\n#include <sha2.h>

unbreak gotd build after recent change to got_pack_create

do not expect to see a DISCONNECT message in repo processes The parent no longer sends this message. Perform related cleanup in the shutdown path instead. ok op@

gotd: delete trailing blanks spotted while re-reading

add a gotd session process, split off from the parent process The new session process is able to manipulate files in the repository and keeps track of the read/write client session state. The parent process now restricts its view of the filesystem to the absolute path stored in argv[0], and combines this with unveil "x" on this path. As a result the parent process can only re-exec itself. small tweaks + ok op@

convert gotd repo_read.c and repo_write.c to single-client Because these processes are now started on demand per client connection there is no need to keep track of multiple clients anymore. Also, these processes can now exit when a disconnect event is received. ok op, jamsek

fork gotd repo_read/repo_write children on demand ok op, jamsek

switch gotd from chroot(2) to unveil(2) In the future, gotd will fork+exec new processes for each client connection. Using unveil instead of chroot avoids having to start such processes as root. The -portable version could use chroot(2) where no equivalent to unveil(2) exists. A future component which starts new processes will be isolated as a separate process, which could run as root in the -portable version. ok op@

rename GOTD_SOCK_FILENO to GOTD_FILENO_MSG_PIPE for clarity (it's not a socket)

make gotd work as intended on an empty repository; regression test is upcoming

remove sendfd pledge promise from gotd repo_read process Have the parent process send one end of the pipe directly to gotsh(1), such that repo_write can run without "sendfd". Combining "sendfd" and "recvfd" in the same process is frowned upon. ok tracey

introduce gotd(8), a Git repository server reachable via ssh(1) This is an initial barebones implementation which provides the absolute minimum of functionality required to serve got(1) and git(1) clients. Basic fetch/send functionality has been tested and seems to work here, but this server is not yet expected to be stable. More testing is welcome. See the man pages for setup instructions. The current design uses one reader and one writer process per repository, which will have to be extended to N readers and N writers in the future. At startup, each process will chroot(2) into its assigned repository. This works because gotd(8) can only be started as root, and will then fork+exec, chroot, and privdrop. At present the parent process runs with the following pledge(2) promises: "stdio rpath wpath cpath proc getpw sendfd recvfd fattr flock unix unveil" The parent is the only process able to modify the repository in a way that becomes visible to Git clients. The parent uses unveil(2) to restrict its view of the filesystem to /tmp and the repositories listed in the configuration file gotd.conf(5). Per-repository chroot(2) processes use "stdio rpath sendfd recvfd". The writer defers to the parent for modifying references in the repository to point at newly uploaded commits. The reader is fine without such help, because Git repositories can be read without having to create any lock-files. gotd(8) requires a dedicated user ID, which should own repositories on the filesystem, and a separate secondary group, which should not have filesystem-level repository access, and must be allowed access to the gotd(8) socket. To obtain Git repository access, users must be members of this secondary group, and must have their login shell set to gotsh(1). gotsh(1) connects to the gotd(8) socket and speaks Git-protocol towards the client on the other end of the SSH connection. gotsh(1) is not an interactive command shell. At present, authenticated clients are granted read/write access to all repositories and all references (except for the "refs/got/" and the "refs/remotes/" namespaces, which are already being protected from modification). While complicated access control mechanism are not a design goal, making it possible to safely offer anonymous Git repository access over ssh(1) is on the road map.