2 * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 #include <sys/queue.h>
20 #include <sys/types.h>
22 #include <sys/socket.h>
25 #include <sys/resource.h>
45 #include "got_error.h"
46 #include "got_opentemp.h"
48 #include "got_repository.h"
49 #include "got_object.h"
50 #include "got_reference.h"
53 #include "got_lib_delta.h"
54 #include "got_lib_object.h"
55 #include "got_lib_object_cache.h"
56 #include "got_lib_hash.h"
57 #include "got_lib_gitproto.h"
58 #include "got_lib_pack.h"
59 #include "got_lib_repository.h"
65 #include "session_read.h"
66 #include "session_write.h"
67 #include "repo_read.h"
68 #include "repo_write.h"
72 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
75 enum gotd_client_state {
76 GOTD_CLIENT_STATE_NEW,
77 GOTD_CLIENT_STATE_ACCESS_GRANTED,
80 struct gotd_child_proc {
82 enum gotd_procid type;
83 char repo_name[NAME_MAX];
84 char repo_path[PATH_MAX];
86 struct gotd_imsgev iev;
89 TAILQ_ENTRY(gotd_child_proc) entry;
91 TAILQ_HEAD(gotd_procs, gotd_child_proc) procs;
94 STAILQ_ENTRY(gotd_client) entry;
95 enum gotd_client_state state;
98 struct gotd_imsgev iev;
103 struct gotd_child_proc *repo;
104 struct gotd_child_proc *auth;
105 struct gotd_child_proc *session;
108 STAILQ_HEAD(gotd_clients, gotd_client);
110 static struct gotd_clients gotd_clients[GOTD_CLIENT_TABLE_SIZE];
111 static SIPHASH_KEY clients_hash_key;
112 volatile int client_cnt;
113 static struct timeval auth_timeout = { 5, 0 };
114 static struct gotd gotd;
116 void gotd_sighdlr(int sig, short event, void *arg);
117 static void gotd_shutdown(void);
118 static const struct got_error *start_session_child(struct gotd_client *,
119 struct gotd_repo *, char *, const char *, int, int);
120 static const struct got_error *start_repo_child(struct gotd_client *,
121 enum gotd_procid, struct gotd_repo *, char *, const char *, int, int);
122 static const struct got_error *start_auth_child(struct gotd_client *, int,
123 struct gotd_repo *, char *, const char *, int, int);
124 static void kill_proc(struct gotd_child_proc *, int);
125 static void disconnect(struct gotd_client *);
130 fprintf(stderr, "usage: %s [-dnv] [-f config-file]\n", getprogname());
135 unix_socket_listen(const char *unix_socket_path, uid_t uid, gid_t gid)
137 struct sockaddr_un sun;
139 mode_t old_umask, mode;
141 fd = socket(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK| SOCK_CLOEXEC, 0);
147 sun.sun_family = AF_UNIX;
148 if (strlcpy(sun.sun_path, unix_socket_path,
149 sizeof(sun.sun_path)) >= sizeof(sun.sun_path)) {
150 log_warnx("%s: name too long", unix_socket_path);
155 if (unlink(unix_socket_path) == -1) {
156 if (errno != ENOENT) {
157 log_warn("unlink %s", unix_socket_path);
163 old_umask = umask(S_IXUSR|S_IXGRP|S_IWOTH|S_IROTH|S_IXOTH);
164 mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
166 if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) == -1) {
167 log_warn("bind: %s", unix_socket_path);
175 if (chmod(unix_socket_path, mode) == -1) {
176 log_warn("chmod %o %s", mode, unix_socket_path);
178 unlink(unix_socket_path);
182 if (chown(unix_socket_path, uid, gid) == -1) {
183 log_warn("chown %s uid=%d gid=%d", unix_socket_path, uid, gid);
185 unlink(unix_socket_path);
189 if (listen(fd, GOTD_UNIX_SOCKET_BACKLOG) == -1) {
192 unlink(unix_socket_path);
200 client_hash(uint32_t client_id)
202 return SipHash24(&clients_hash_key, &client_id, sizeof(client_id));
206 add_client(struct gotd_client *client)
208 uint64_t slot = client_hash(client->id) % nitems(gotd_clients);
209 STAILQ_INSERT_HEAD(&gotd_clients[slot], client, entry);
213 static struct gotd_client *
214 find_client(uint32_t client_id)
217 struct gotd_client *c;
219 slot = client_hash(client_id) % nitems(gotd_clients);
220 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
221 if (c->id == client_id)
228 static struct gotd_client *
229 find_client_by_proc_fd(int fd)
233 for (slot = 0; slot < nitems(gotd_clients); slot++) {
234 struct gotd_client *c;
236 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
237 if (c->repo && c->repo->iev.ibuf.fd == fd)
239 if (c->auth && c->auth->iev.ibuf.fd == fd)
241 if (c->session && c->session->iev.ibuf.fd == fd)
250 client_is_reading(struct gotd_client *client)
252 return (client->required_auth &
253 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) == GOTD_AUTH_READ;
257 client_is_writing(struct gotd_client *client)
259 return (client->required_auth &
260 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) ==
261 (GOTD_AUTH_READ | GOTD_AUTH_WRITE);
264 static const struct got_error *
265 ensure_client_is_not_writing(struct gotd_client *client)
267 if (client_is_writing(client)) {
268 return got_error_fmt(GOT_ERR_BAD_PACKET,
269 "uid %d made a read-request but is writing to "
270 "a repository", client->euid);
276 static const struct got_error *
277 ensure_client_is_not_reading(struct gotd_client *client)
279 if (client_is_reading(client)) {
280 return got_error_fmt(GOT_ERR_BAD_PACKET,
281 "uid %d made a write-request but is reading from "
282 "a repository", client->euid);
289 proc_done(struct gotd_child_proc *proc)
291 struct gotd_client *client;
293 TAILQ_REMOVE(&procs, proc, entry);
295 client = find_client_by_proc_fd(proc->iev.ibuf.fd);
296 if (client != NULL) {
297 if (proc == client->repo)
299 if (proc == client->auth)
301 if (proc == client->session)
302 client->session = NULL;
306 if (proc == gotd.notify_proc)
307 gotd.notify_proc = NULL;
309 evtimer_del(&proc->tmo);
311 if (proc->iev.ibuf.fd != -1) {
312 event_del(&proc->iev.ev);
313 msgbuf_clear(&proc->iev.ibuf.w);
314 close(proc->iev.ibuf.fd);
321 kill_repo_proc(struct gotd_client *client)
323 if (client->repo == NULL)
326 kill_proc(client->repo, 0);
331 kill_auth_proc(struct gotd_client *client)
333 if (client->auth == NULL)
336 kill_proc(client->auth, 0);
341 kill_session_proc(struct gotd_client *client)
343 if (client->session == NULL)
346 kill_proc(client->session, 0);
347 client->session = NULL;
351 disconnect(struct gotd_client *client)
353 struct gotd_imsg_disconnect idisconnect;
354 struct gotd_child_proc *listen_proc = gotd.listen_proc;
357 log_debug("uid %d: disconnecting", client->euid);
359 kill_auth_proc(client);
360 kill_session_proc(client);
361 kill_repo_proc(client);
363 idisconnect.client_id = client->id;
364 if (gotd_imsg_compose_event(&listen_proc->iev,
365 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
366 &idisconnect, sizeof(idisconnect)) == -1)
367 log_warn("imsg compose DISCONNECT");
369 slot = client_hash(client->id) % nitems(gotd_clients);
370 STAILQ_REMOVE(&gotd_clients[slot], client, gotd_client, entry);
371 imsg_clear(&client->iev.ibuf);
372 event_del(&client->iev.ev);
373 evtimer_del(&client->tmo);
374 if (client->fd != -1)
376 else if (client->iev.ibuf.fd != -1)
377 close(client->iev.ibuf.fd);
378 free(client->username);
384 disconnect_on_error(struct gotd_client *client, const struct got_error *err)
388 if (err->code != GOT_ERR_EOF) {
389 log_warnx("uid %d: %s", client->euid, err->msg);
390 if (client->fd != -1) {
391 imsg_init(&ibuf, client->fd);
392 gotd_imsg_send_error(&ibuf, 0, PROC_GOTD, err);
399 static const struct got_error *
400 send_repo_info(struct gotd_imsgev *iev, struct gotd_repo *repo)
402 const struct got_error *err = NULL;
403 struct gotd_imsg_info_repo irepo;
405 memset(&irepo, 0, sizeof(irepo));
407 if (strlcpy(irepo.repo_name, repo->name, sizeof(irepo.repo_name))
408 >= sizeof(irepo.repo_name))
409 return got_error_msg(GOT_ERR_NO_SPACE, "repo name too long");
410 if (strlcpy(irepo.repo_path, repo->path, sizeof(irepo.repo_path))
411 >= sizeof(irepo.repo_path))
412 return got_error_msg(GOT_ERR_NO_SPACE, "repo path too long");
414 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_REPO, PROC_GOTD, -1,
415 &irepo, sizeof(irepo)) == -1) {
416 err = got_error_from_errno("imsg compose INFO_REPO");
424 static const struct got_error *
425 send_client_info(struct gotd_imsgev *iev, struct gotd_client *client)
427 const struct got_error *err = NULL;
428 struct gotd_imsg_info_client iclient;
429 struct gotd_child_proc *proc;
431 memset(&iclient, 0, sizeof(iclient));
432 iclient.euid = client->euid;
433 iclient.egid = client->egid;
437 if (strlcpy(iclient.repo_name, proc->repo_path,
438 sizeof(iclient.repo_name)) >= sizeof(iclient.repo_name)) {
439 return got_error_msg(GOT_ERR_NO_SPACE,
440 "repo name too long");
442 if (client_is_writing(client))
443 iclient.is_writing = 1;
445 iclient.repo_child_pid = proc->pid;
449 iclient.session_child_pid = client->session->pid;
451 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_CLIENT, PROC_GOTD, -1,
452 &iclient, sizeof(iclient)) == -1) {
453 err = got_error_from_errno("imsg compose INFO_CLIENT");
461 static const struct got_error *
462 send_info(struct gotd_client *client)
464 const struct got_error *err = NULL;
465 struct gotd_imsg_info info;
467 struct gotd_repo *repo;
469 if (client->euid != 0)
470 return got_error_set_errno(EPERM, "info");
473 info.verbosity = gotd.verbosity;
474 info.nrepos = gotd.nrepos;
475 info.nclients = client_cnt - 1;
477 if (gotd_imsg_compose_event(&client->iev, GOTD_IMSG_INFO, PROC_GOTD, -1,
478 &info, sizeof(info)) == -1) {
479 err = got_error_from_errno("imsg compose INFO");
484 TAILQ_FOREACH(repo, &gotd.repos, entry) {
485 err = send_repo_info(&client->iev, repo);
490 for (slot = 0; slot < nitems(gotd_clients); slot++) {
491 struct gotd_client *c;
492 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
493 if (c->id == client->id)
495 err = send_client_info(&client->iev, c);
504 static const struct got_error *
505 stop_gotd(struct gotd_client *client)
508 if (client->euid != 0)
509 return got_error_set_errno(EPERM, "stop");
516 static const struct got_error *
517 start_client_authentication(struct gotd_client *client, struct imsg *imsg)
519 const struct got_error *err;
520 struct gotd_imsg_list_refs ireq;
521 struct gotd_repo *repo = NULL;
524 log_debug("list-refs request from uid %d", client->euid);
526 if (client->state != GOTD_CLIENT_STATE_NEW)
527 return got_error_msg(GOT_ERR_BAD_REQUEST,
528 "unexpected list-refs request received");
530 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
531 if (datalen != sizeof(ireq))
532 return got_error(GOT_ERR_PRIVSEP_LEN);
534 memcpy(&ireq, imsg->data, datalen);
536 if (ireq.client_is_reading) {
537 err = ensure_client_is_not_writing(client);
540 repo = gotd_find_repo_by_name(ireq.repo_name, &gotd.repos);
542 return got_error(GOT_ERR_NOT_GIT_REPO);
543 err = start_auth_child(client, GOTD_AUTH_READ, repo,
544 gotd.argv0, gotd.confpath, gotd.daemonize,
549 err = ensure_client_is_not_reading(client);
552 repo = gotd_find_repo_by_name(ireq.repo_name, &gotd.repos);
554 return got_error(GOT_ERR_NOT_GIT_REPO);
555 err = start_auth_child(client,
556 GOTD_AUTH_READ | GOTD_AUTH_WRITE,
557 repo, gotd.argv0, gotd.confpath, gotd.daemonize,
563 evtimer_add(&client->tmo, &auth_timeout);
565 /* Flow continues upon authentication success/failure or timeout. */
570 gotd_request(int fd, short events, void *arg)
572 struct gotd_imsgev *iev = arg;
573 struct imsgbuf *ibuf = &iev->ibuf;
574 struct gotd_client *client = iev->handler_arg;
575 const struct got_error *err = NULL;
579 if (events & EV_WRITE) {
580 while (ibuf->w.queued) {
581 n = msgbuf_write(&ibuf->w);
582 if (n == -1 && errno == EPIPE) {
584 * The client has closed its socket.
585 * This can happen when Git clients are
586 * done sending pack file data.
588 msgbuf_clear(&ibuf->w);
590 } else if (n == -1 && errno != EAGAIN) {
591 err = got_error_from_errno("imsg_flush");
592 disconnect_on_error(client, err);
596 /* Connection closed. */
597 err = got_error(GOT_ERR_EOF);
598 disconnect_on_error(client, err);
603 /* Disconnect gotctl(8) now that messages have been sent. */
604 if (!client_is_reading(client) && !client_is_writing(client)) {
610 if ((events & EV_READ) == 0)
613 memset(&imsg, 0, sizeof(imsg));
615 while (err == NULL) {
616 err = gotd_imsg_recv(&imsg, ibuf, 0);
618 if (err->code == GOT_ERR_PRIVSEP_READ)
623 evtimer_del(&client->tmo);
625 switch (imsg.hdr.type) {
627 err = send_info(client);
630 err = stop_gotd(client);
632 case GOTD_IMSG_LIST_REFS:
633 err = start_client_authentication(client, &imsg);
636 log_debug("unexpected imsg %d", imsg.hdr.type);
637 err = got_error(GOT_ERR_PRIVSEP_MSG);
645 disconnect_on_error(client, err);
647 gotd_imsg_event_add(&client->iev);
652 gotd_auth_timeout(int fd, short events, void *arg)
654 struct gotd_client *client = arg;
656 log_debug("disconnecting uid %d due to authentication timeout",
661 static const struct got_error *
662 recv_connect(uint32_t *client_id, struct imsg *imsg)
664 const struct got_error *err = NULL;
665 struct gotd_imsg_connect iconnect;
668 struct gotd_client *client = NULL;
672 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
673 if (datalen != sizeof(iconnect))
674 return got_error(GOT_ERR_PRIVSEP_LEN);
675 memcpy(&iconnect, imsg->data, sizeof(iconnect));
677 s = imsg_get_fd(imsg);
679 err = got_error(GOT_ERR_PRIVSEP_NO_FD);
683 if (find_client(iconnect.client_id)) {
684 err = got_error_msg(GOT_ERR_CLIENT_ID, "duplicate client ID");
688 client = calloc(1, sizeof(*client));
689 if (client == NULL) {
690 err = got_error_from_errno("calloc");
694 *client_id = iconnect.client_id;
696 client->state = GOTD_CLIENT_STATE_NEW;
697 client->id = iconnect.client_id;
700 /* The auth process will verify UID/GID for us. */
701 client->euid = iconnect.euid;
702 client->egid = iconnect.egid;
704 imsg_init(&client->iev.ibuf, client->fd);
705 client->iev.handler = gotd_request;
706 client->iev.events = EV_READ;
707 client->iev.handler_arg = client;
709 event_set(&client->iev.ev, client->fd, EV_READ, gotd_request,
711 gotd_imsg_event_add(&client->iev);
713 evtimer_set(&client->tmo, gotd_auth_timeout, client);
716 log_debug("%s: new client uid %d connected on fd %d", __func__,
717 client->euid, client->fd);
720 struct gotd_child_proc *listen_proc = gotd.listen_proc;
721 struct gotd_imsg_disconnect idisconnect;
723 idisconnect.client_id = client->id;
724 if (gotd_imsg_compose_event(&listen_proc->iev,
725 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
726 &idisconnect, sizeof(idisconnect)) == -1)
727 log_warn("imsg compose DISCONNECT");
736 static const char *gotd_proc_names[PROC_MAX] = {
749 kill_proc(struct gotd_child_proc *proc, int fatal)
751 struct timeval tv = { 5, 0 };
753 log_debug("kill -%d %d", fatal ? SIGKILL : SIGTERM, proc->pid);
755 if (proc->iev.ibuf.fd != -1) {
756 event_del(&proc->iev.ev);
757 msgbuf_clear(&proc->iev.ibuf.w);
758 close(proc->iev.ibuf.fd);
759 proc->iev.ibuf.fd = -1;
762 if (!evtimer_pending(&proc->tmo, NULL) && !fatal)
763 evtimer_add(&proc->tmo, &tv);
766 log_warnx("sending SIGKILL to PID %d", proc->pid);
767 kill(proc->pid, SIGKILL);
769 kill(proc->pid, SIGTERM);
773 kill_proc_timeout(int fd, short ev, void *d)
775 struct gotd_child_proc *proc = d;
777 log_warnx("timeout waiting for PID %d to terminate;"
778 " retrying with force", proc->pid);
787 log_debug("shutting down");
788 for (slot = 0; slot < nitems(gotd_clients); slot++) {
789 struct gotd_client *c, *tmp;
791 STAILQ_FOREACH_SAFE(c, &gotd_clients[slot], entry, tmp)
795 kill_proc(gotd.listen_proc, 0);
797 log_info("terminating");
801 static struct gotd_child_proc *
802 find_proc_by_pid(pid_t pid)
804 struct gotd_child_proc *proc = NULL;
806 TAILQ_FOREACH(proc, &procs, entry)
807 if (proc->pid == pid)
814 gotd_sighdlr(int sig, short event, void *arg)
816 struct gotd_child_proc *proc;
821 * Normal signal handler rules don't apply because libevent
827 log_info("%s: ignoring SIGHUP", __func__);
830 log_info("%s: ignoring SIGUSR1", __func__);
838 pid = waitpid(WAIT_ANY, &status, WNOHANG);
849 log_debug("reaped pid %d", pid);
850 proc = find_proc_by_pid(pid);
852 log_info("caught exit of unknown child %d",
857 if (WIFSIGNALED(status)) {
858 log_warnx("child PID %d terminated with"
859 " signal %d", pid, WTERMSIG(status));
866 fatalx("unexpected signal");
870 static const struct got_error *
871 ensure_proc_is_reading(struct gotd_client *client,
872 struct gotd_child_proc *proc)
874 if (!client_is_reading(client)) {
876 return got_error_fmt(GOT_ERR_BAD_PACKET,
877 "PID %d handled a read-request for uid %d but this "
878 "user is not reading from a repository", proc->pid,
885 static const struct got_error *
886 ensure_proc_is_writing(struct gotd_client *client,
887 struct gotd_child_proc *proc)
889 if (!client_is_writing(client)) {
891 return got_error_fmt(GOT_ERR_BAD_PACKET,
892 "PID %d handled a write-request for uid %d but this "
893 "user is not writing to a repository", proc->pid,
901 verify_imsg_src(struct gotd_client *client, struct gotd_child_proc *proc,
904 const struct got_error *err;
907 if (proc->type == PROC_REPO_READ || proc->type == PROC_REPO_WRITE) {
908 if (client->repo == NULL)
909 fatalx("no process found for uid %d", client->euid);
910 if (proc->pid != client->repo->pid) {
912 log_warnx("received message from PID %d for uid %d, "
913 "while PID %d is the process serving this user",
914 proc->pid, client->euid, client->repo->pid);
918 if (proc->type == PROC_SESSION_READ ||
919 proc->type == PROC_SESSION_WRITE) {
920 if (client->session == NULL) {
921 log_warnx("no session found for uid %d", client->euid);
924 if (proc->pid != client->session->pid) {
926 log_warnx("received message from PID %d for uid %d, "
927 "while PID %d is the process serving this user",
928 proc->pid, client->euid, client->session->pid);
933 switch (imsg->hdr.type) {
934 case GOTD_IMSG_ERROR:
937 case GOTD_IMSG_CONNECT:
938 if (proc->type != PROC_LISTEN) {
939 err = got_error_fmt(GOT_ERR_BAD_PACKET,
940 "new connection for uid %d from PID %d "
941 "which is not the listen process",
942 client->euid, proc->pid);
946 case GOTD_IMSG_ACCESS_GRANTED:
947 if (proc->type != PROC_AUTH) {
948 err = got_error_fmt(GOT_ERR_BAD_PACKET,
949 "authentication of uid %d from PID %d "
950 "which is not the auth process",
951 client->euid, proc->pid);
955 case GOTD_IMSG_CLIENT_SESSION_READY:
956 if (proc->type != PROC_SESSION_READ &&
957 proc->type != PROC_SESSION_WRITE) {
958 err = got_error_fmt(GOT_ERR_BAD_PACKET,
959 "unexpected \"ready\" signal from PID %d",
964 case GOTD_IMSG_REPO_CHILD_READY:
965 if (proc->type != PROC_REPO_READ &&
966 proc->type != PROC_REPO_WRITE) {
967 err = got_error_fmt(GOT_ERR_BAD_PACKET,
968 "unexpected \"ready\" signal from PID %d",
973 case GOTD_IMSG_PACKFILE_DONE:
974 err = ensure_proc_is_reading(client, proc);
976 log_warnx("uid %d: %s", client->euid, err->msg);
980 case GOTD_IMSG_PACKFILE_INSTALL:
981 case GOTD_IMSG_REF_UPDATES_START:
982 case GOTD_IMSG_REF_UPDATE:
983 err = ensure_proc_is_writing(client, proc);
985 log_warnx("uid %d: %s", client->euid, err->msg);
990 log_debug("%s: unexpected imsg %d", __func__, imsg->hdr.type);
997 static const struct got_error *
998 connect_repo_child(struct gotd_client *client,
999 struct gotd_child_proc *repo_proc)
1001 static const struct got_error *err;
1002 struct gotd_imsgev *session_iev = &client->session->iev;
1003 struct gotd_imsg_connect_repo_child ireq;
1006 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED)
1007 return got_error_msg(GOT_ERR_BAD_REQUEST,
1008 "unexpected repo child ready signal received");
1010 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1011 PF_UNSPEC, pipe) == -1)
1012 fatal("socketpair");
1014 memset(&ireq, 0, sizeof(ireq));
1015 ireq.proc_id = repo_proc->type;
1017 /* Pass repo child pipe to session child process. */
1018 if (gotd_imsg_compose_event(session_iev, GOTD_IMSG_CONNECT_REPO_CHILD,
1019 PROC_GOTD, pipe[0], &ireq, sizeof(ireq)) == -1) {
1020 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
1026 /* Pass session child pipe to repo child process. */
1027 if (gotd_imsg_compose_event(&repo_proc->iev,
1028 GOTD_IMSG_CONNECT_REPO_CHILD, PROC_GOTD, pipe[1], NULL, 0) == -1) {
1029 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
1038 gotd_dispatch_listener(int fd, short event, void *arg)
1040 struct gotd_imsgev *iev = arg;
1041 struct imsgbuf *ibuf = &iev->ibuf;
1042 struct gotd_child_proc *proc = gotd.listen_proc;
1047 if (proc->iev.ibuf.fd != fd)
1048 fatalx("%s: unexpected fd %d", __func__, fd);
1050 if (event & EV_READ) {
1051 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1052 fatal("imsg_read error");
1054 /* Connection closed. */
1060 if (event & EV_WRITE) {
1061 n = msgbuf_write(&ibuf->w);
1062 if (n == -1 && errno != EAGAIN)
1063 fatal("msgbuf_write");
1065 /* Connection closed. */
1072 const struct got_error *err = NULL;
1073 struct gotd_client *client = NULL;
1074 uint32_t client_id = 0;
1075 int do_disconnect = 0;
1077 if ((n = imsg_get(ibuf, &imsg)) == -1)
1078 fatal("%s: imsg_get error", __func__);
1079 if (n == 0) /* No more messages. */
1082 switch (imsg.hdr.type) {
1083 case GOTD_IMSG_ERROR:
1085 err = gotd_imsg_recv_error(&client_id, &imsg);
1087 case GOTD_IMSG_CONNECT:
1088 err = recv_connect(&client_id, &imsg);
1091 log_debug("unexpected imsg %d", imsg.hdr.type);
1095 client = find_client(client_id);
1096 if (client == NULL) {
1097 log_warnx("%s: client not found", __func__);
1103 log_warnx("uid %d: %s", client->euid, err->msg);
1105 if (do_disconnect) {
1107 disconnect_on_error(client, err);
1116 gotd_imsg_event_add(iev);
1118 /* This pipe is dead. Remove its event handler */
1119 event_del(&iev->ev);
1120 event_loopexit(NULL);
1125 gotd_dispatch_notifier(int fd, short event, void *arg)
1127 struct gotd_imsgev *iev = arg;
1128 struct imsgbuf *ibuf = &iev->ibuf;
1129 struct gotd_child_proc *proc = gotd.notify_proc;
1134 if (proc->iev.ibuf.fd != fd)
1135 fatalx("%s: unexpected fd %d", __func__, fd);
1137 if (event & EV_READ) {
1138 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1139 fatal("imsg_read error");
1141 /* Connection closed. */
1147 if (event & EV_WRITE) {
1148 n = msgbuf_write(&ibuf->w);
1149 if (n == -1 && errno != EAGAIN)
1150 fatal("msgbuf_write");
1152 /* Connection closed. */
1159 if ((n = imsg_get(ibuf, &imsg)) == -1)
1160 fatal("%s: imsg_get error", __func__);
1161 if (n == 0) /* No more messages. */
1164 switch (imsg.hdr.type) {
1166 log_debug("unexpected imsg %d", imsg.hdr.type);
1174 gotd_imsg_event_add(iev);
1176 /* This pipe is dead. Remove its event handler */
1177 event_del(&iev->ev);
1180 * Do not exit all of gotd if the notification handler dies.
1181 * We can continue operating without notifications until an
1182 * operator intervenes.
1184 log_warnx("notify child process (pid %d) closed its imsg pipe "
1185 "unexpectedly", proc->pid);
1191 gotd_dispatch_auth_child(int fd, short event, void *arg)
1193 const struct got_error *err = NULL;
1194 struct gotd_imsgev *iev = arg;
1195 struct imsgbuf *ibuf = &iev->ibuf;
1196 struct gotd_client *client;
1197 struct gotd_repo *repo = NULL;
1201 uint32_t client_id = 0;
1202 int do_disconnect = 0;
1205 client = find_client_by_proc_fd(fd);
1206 if (client == NULL) {
1207 /* Can happen during process teardown. */
1208 warnx("cannot find client for fd %d", fd);
1213 if (client->auth == NULL)
1214 fatalx("cannot find auth child process for fd %d", fd);
1216 if (event & EV_READ) {
1217 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1218 fatal("imsg_read error");
1220 /* Connection closed. */
1226 if (event & EV_WRITE) {
1227 n = msgbuf_write(&ibuf->w);
1228 if (n == -1 && errno != EAGAIN)
1229 fatal("msgbuf_write");
1231 /* Connection closed. */
1237 if (client->auth->iev.ibuf.fd != fd)
1238 fatalx("%s: unexpected fd %d", __func__, fd);
1240 if ((n = imsg_get(ibuf, &imsg)) == -1)
1241 fatal("%s: imsg_get error", __func__);
1242 if (n == 0) /* No more messages. */
1245 evtimer_del(&client->tmo);
1247 datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
1249 switch (imsg.hdr.type) {
1250 case GOTD_IMSG_ERROR:
1252 err = gotd_imsg_recv_error(&client_id, &imsg);
1254 case GOTD_IMSG_ACCESS_GRANTED:
1255 if (client->state != GOTD_CLIENT_STATE_NEW) {
1257 err = got_error(GOT_ERR_PRIVSEP_MSG);
1262 log_debug("unexpected imsg %d", imsg.hdr.type);
1266 if (!verify_imsg_src(client, client->auth, &imsg)) {
1268 log_debug("dropping imsg type %d from PID %d",
1269 imsg.hdr.type, client->auth->pid);
1272 if (do_disconnect) {
1274 disconnect_on_error(client, err);
1281 client->state = GOTD_CLIENT_STATE_ACCESS_GRANTED;
1283 client->username = strndup(imsg.data, datalen);
1285 if (client->username == NULL &&
1286 asprintf(&client->username, "uid %d", client->euid) == -1) {
1287 err = got_error_from_errno("asprintf");
1291 repo = gotd_find_repo_by_name(client->auth->repo_name, &gotd.repos);
1293 err = got_error(GOT_ERR_NOT_GIT_REPO);
1296 kill_auth_proc(client);
1298 log_info("authenticated %s for repository %s",
1299 client->username, repo->name);
1301 err = start_session_child(client, repo, gotd.argv0,
1302 gotd.confpath, gotd.daemonize, gotd.verbosity);
1307 log_warnx("uid %d: %s", client->euid, err->msg);
1309 /* We might have killed the auth process by now. */
1310 if (client->auth != NULL) {
1312 gotd_imsg_event_add(iev);
1314 /* This pipe is dead. Remove its event handler */
1315 event_del(&iev->ev);
1320 static const struct got_error *
1321 connect_session(struct gotd_client *client)
1323 const struct got_error *err = NULL;
1324 struct gotd_imsg_connect iconnect;
1328 memset(&iconnect, 0, sizeof(iconnect));
1330 s = dup(client->fd);
1332 return got_error_from_errno("dup");
1334 iconnect.client_id = client->id;
1335 iconnect.euid = client->euid;
1336 iconnect.egid = client->egid;
1337 iconnect.username_len = strlen(client->username);
1339 wbuf = imsg_create(&client->session->iev.ibuf, GOTD_IMSG_CONNECT,
1340 PROC_GOTD, gotd.pid, sizeof(iconnect) + iconnect.username_len);
1342 err = got_error_from_errno("imsg compose CONNECT");
1346 if (imsg_add(wbuf, &iconnect, sizeof(iconnect)) == -1) {
1348 return got_error_from_errno("imsg_add CONNECT");
1350 if (imsg_add(wbuf, client->username, iconnect.username_len) == -1) {
1352 return got_error_from_errno("imsg_add CONNECT");
1355 ibuf_fd_set(wbuf, s);
1356 imsg_close(&client->session->iev.ibuf, wbuf);
1357 gotd_imsg_event_add(&client->session->iev);
1360 * We are no longer interested in messages from this client.
1361 * Further client requests will be handled by the session process.
1363 msgbuf_clear(&client->iev.ibuf.w);
1364 imsg_clear(&client->iev.ibuf);
1365 event_del(&client->iev.ev);
1366 client->fd = -1; /* will be closed via copy in client->iev.ibuf.fd */
1372 gotd_dispatch_client_session(int fd, short event, void *arg)
1374 struct gotd_imsgev *iev = arg;
1375 struct imsgbuf *ibuf = &iev->ibuf;
1376 struct gotd_child_proc *proc = NULL;
1377 struct gotd_client *client = NULL;
1382 client = find_client_by_proc_fd(fd);
1383 if (client == NULL) {
1384 /* Can happen during process teardown. */
1385 warnx("cannot find client for fd %d", fd);
1390 if (event & EV_READ) {
1391 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1392 fatal("imsg_read error");
1394 /* Connection closed. */
1400 if (event & EV_WRITE) {
1401 n = msgbuf_write(&ibuf->w);
1402 if (n == -1 && errno != EAGAIN)
1403 fatal("msgbuf_write");
1405 /* Connection closed. */
1411 proc = client->session;
1413 fatalx("cannot find session child process for fd %d", fd);
1416 const struct got_error *err = NULL;
1417 uint32_t client_id = 0;
1418 int do_disconnect = 0, do_start_repo_child = 0;
1420 if ((n = imsg_get(ibuf, &imsg)) == -1)
1421 fatal("%s: imsg_get error", __func__);
1422 if (n == 0) /* No more messages. */
1425 switch (imsg.hdr.type) {
1426 case GOTD_IMSG_ERROR:
1428 err = gotd_imsg_recv_error(&client_id, &imsg);
1430 case GOTD_IMSG_CLIENT_SESSION_READY:
1431 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED) {
1432 err = got_error(GOT_ERR_PRIVSEP_MSG);
1435 do_start_repo_child = 1;
1437 case GOTD_IMSG_DISCONNECT:
1441 log_debug("unexpected imsg %d", imsg.hdr.type);
1445 if (!verify_imsg_src(client, proc, &imsg)) {
1446 log_debug("dropping imsg type %d from PID %d",
1447 imsg.hdr.type, proc->pid);
1452 log_warnx("uid %d: %s", client->euid, err->msg);
1454 if (do_start_repo_child) {
1455 struct gotd_repo *repo;
1456 const char *name = client->session->repo_name;
1458 repo = gotd_find_repo_by_name(name, &gotd.repos);
1460 enum gotd_procid proc_type;
1462 if (client->required_auth & GOTD_AUTH_WRITE)
1463 proc_type = PROC_REPO_WRITE;
1465 proc_type = PROC_REPO_READ;
1467 err = start_repo_child(client, proc_type, repo,
1468 gotd.argv0, gotd.confpath, gotd.daemonize,
1471 err = got_error(GOT_ERR_NOT_GIT_REPO);
1474 log_warnx("uid %d: %s", client->euid, err->msg);
1479 if (do_disconnect) {
1481 disconnect_on_error(client, err);
1490 gotd_imsg_event_add(iev);
1492 /* This pipe is dead. Remove its event handler */
1493 event_del(&iev->ev);
1498 static const struct got_error *
1499 connect_notifier_and_session(struct gotd_client *client)
1501 const struct got_error *err = NULL;
1502 struct gotd_imsgev *session_iev = &client->session->iev;
1505 if (gotd.notify_proc == NULL)
1508 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1509 PF_UNSPEC, pipe) == -1)
1510 return got_error_from_errno("socketpair");
1512 /* Pass notifier pipe to session . */
1513 if (gotd_imsg_compose_event(session_iev, GOTD_IMSG_CONNECT_NOTIFIER,
1514 PROC_GOTD, pipe[0], NULL, 0) == -1) {
1515 err = got_error_from_errno("imsg compose CONNECT_NOTIFIER");
1521 /* Pass session pipe to notifier. */
1522 if (gotd_imsg_compose_event(&gotd.notify_proc->iev,
1523 GOTD_IMSG_CONNECT_SESSION, PROC_GOTD, pipe[1], NULL, 0) == -1) {
1524 err = got_error_from_errno("imsg compose CONNECT_SESSION");
1533 gotd_dispatch_repo_child(int fd, short event, void *arg)
1535 struct gotd_imsgev *iev = arg;
1536 struct imsgbuf *ibuf = &iev->ibuf;
1537 struct gotd_child_proc *proc = NULL;
1538 struct gotd_client *client;
1543 client = find_client_by_proc_fd(fd);
1544 if (client == NULL) {
1545 /* Can happen during process teardown. */
1546 warnx("cannot find client for fd %d", fd);
1551 if (event & EV_READ) {
1552 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1553 fatal("imsg_read error");
1555 /* Connection closed. */
1561 if (event & EV_WRITE) {
1562 n = msgbuf_write(&ibuf->w);
1563 if (n == -1 && errno != EAGAIN)
1564 fatal("msgbuf_write");
1566 /* Connection closed. */
1572 proc = client->repo;
1574 fatalx("cannot find child process for fd %d", fd);
1577 const struct got_error *err = NULL;
1578 uint32_t client_id = 0;
1579 int do_disconnect = 0;
1581 if ((n = imsg_get(ibuf, &imsg)) == -1)
1582 fatal("%s: imsg_get error", __func__);
1583 if (n == 0) /* No more messages. */
1586 switch (imsg.hdr.type) {
1587 case GOTD_IMSG_ERROR:
1589 err = gotd_imsg_recv_error(&client_id, &imsg);
1591 case GOTD_IMSG_REPO_CHILD_READY:
1592 err = connect_session(client);
1595 err = connect_notifier_and_session(client);
1598 err = connect_repo_child(client, proc);
1601 log_debug("unexpected imsg %d", imsg.hdr.type);
1605 if (!verify_imsg_src(client, proc, &imsg)) {
1606 log_debug("dropping imsg type %d from PID %d",
1607 imsg.hdr.type, proc->pid);
1612 log_warnx("uid %d: %s", client->euid, err->msg);
1614 if (do_disconnect) {
1616 disconnect_on_error(client, err);
1625 gotd_imsg_event_add(iev);
1627 /* This pipe is dead. Remove its event handler */
1628 event_del(&iev->ev);
1634 start_child(enum gotd_procid proc_id, const char *repo_path,
1635 char *argv0, const char *confpath, int fd, int daemonize, int verbosity)
1641 switch (pid = fork()) {
1643 fatal("cannot fork");
1651 if (fd != GOTD_FILENO_MSG_PIPE) {
1652 if (dup2(fd, GOTD_FILENO_MSG_PIPE) == -1)
1653 fatal("cannot setup imsg fd");
1654 } else if (fcntl(fd, F_SETFD, 0) == -1)
1655 fatal("cannot setup imsg fd");
1657 argv[argc++] = argv0;
1660 argv[argc++] = (char *)"-L";
1663 argv[argc++] = (char *)"-A";
1665 case PROC_SESSION_READ:
1666 argv[argc++] = (char *)"-s";
1668 case PROC_SESSION_WRITE:
1669 argv[argc++] = (char *)"-S";
1671 case PROC_REPO_READ:
1672 argv[argc++] = (char *)"-R";
1674 case PROC_REPO_WRITE:
1675 argv[argc++] = (char *)"-W";
1678 argv[argc++] = (char *)"-N";
1681 fatalx("invalid process id %d", proc_id);
1684 argv[argc++] = (char *)"-f";
1685 argv[argc++] = (char *)confpath;
1688 argv[argc++] = (char *)"-P";
1689 argv[argc++] = (char *)repo_path;
1693 argv[argc++] = (char *)"-d";
1695 argv[argc++] = (char *)"-v";
1697 argv[argc++] = (char *)"-v";
1698 argv[argc++] = NULL;
1700 execvp(argv0, argv);
1705 start_listener(char *argv0, const char *confpath, int daemonize, int verbosity)
1707 struct gotd_child_proc *proc;
1709 proc = calloc(1, sizeof(*proc));
1713 TAILQ_INSERT_HEAD(&procs, proc, entry);
1715 /* proc->tmo is initialized in main() after event_init() */
1717 proc->type = PROC_LISTEN;
1719 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1720 PF_UNSPEC, proc->pipe) == -1)
1721 fatal("socketpair");
1723 proc->pid = start_child(proc->type, NULL, argv0, confpath,
1724 proc->pipe[1], daemonize, verbosity);
1725 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1726 proc->iev.handler = gotd_dispatch_listener;
1727 proc->iev.events = EV_READ;
1728 proc->iev.handler_arg = NULL;
1730 gotd.listen_proc = proc;
1734 start_notifier(char *argv0, const char *confpath, int daemonize, int verbosity)
1736 struct gotd_child_proc *proc;
1738 proc = calloc(1, sizeof(*proc));
1742 TAILQ_INSERT_HEAD(&procs, proc, entry);
1744 /* proc->tmo is initialized in main() after event_init() */
1746 proc->type = PROC_NOTIFY;
1748 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1749 PF_UNSPEC, proc->pipe) == -1)
1750 fatal("socketpair");
1752 proc->pid = start_child(proc->type, NULL, argv0, confpath,
1753 proc->pipe[1], daemonize, verbosity);
1754 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1755 proc->iev.handler = gotd_dispatch_notifier;
1756 proc->iev.events = EV_READ;
1757 proc->iev.handler_arg = NULL;
1758 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1759 gotd_dispatch_notifier, &proc->iev);
1761 gotd.notify_proc = proc;
1764 static const struct got_error *
1765 start_session_child(struct gotd_client *client, struct gotd_repo *repo,
1766 char *argv0, const char *confpath, int daemonize, int verbosity)
1768 struct gotd_child_proc *proc;
1770 proc = calloc(1, sizeof(*proc));
1772 return got_error_from_errno("calloc");
1774 TAILQ_INSERT_HEAD(&procs, proc, entry);
1775 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1777 if (client_is_reading(client))
1778 proc->type = PROC_SESSION_READ;
1780 proc->type = PROC_SESSION_WRITE;
1781 if (strlcpy(proc->repo_name, repo->name,
1782 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1783 fatalx("repository name too long: %s", repo->name);
1784 log_debug("starting client uid %d session for repository %s",
1785 client->euid, repo->name);
1786 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1787 sizeof(proc->repo_path))
1788 fatalx("repository path too long: %s", repo->path);
1789 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1790 PF_UNSPEC, proc->pipe) == -1)
1791 fatal("socketpair");
1792 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1793 confpath, proc->pipe[1], daemonize, verbosity);
1794 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1795 log_debug("proc %s %s is on fd %d",
1796 gotd_proc_names[proc->type], proc->repo_path,
1798 proc->iev.handler = gotd_dispatch_client_session;
1799 proc->iev.events = EV_READ;
1800 proc->iev.handler_arg = NULL;
1801 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1802 gotd_dispatch_client_session, &proc->iev);
1803 gotd_imsg_event_add(&proc->iev);
1805 client->session = proc;
1809 static const struct got_error *
1810 start_repo_child(struct gotd_client *client, enum gotd_procid proc_type,
1811 struct gotd_repo *repo, char *argv0, const char *confpath,
1812 int daemonize, int verbosity)
1814 struct gotd_child_proc *proc;
1816 if (proc_type != PROC_REPO_READ && proc_type != PROC_REPO_WRITE)
1817 return got_error_msg(GOT_ERR_NOT_IMPL, "bad process type");
1819 proc = calloc(1, sizeof(*proc));
1821 return got_error_from_errno("calloc");
1823 TAILQ_INSERT_HEAD(&procs, proc, entry);
1824 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1826 proc->type = proc_type;
1827 if (strlcpy(proc->repo_name, repo->name,
1828 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1829 fatalx("repository name too long: %s", repo->name);
1830 log_debug("starting %s for repository %s",
1831 proc->type == PROC_REPO_READ ? "reader" : "writer", repo->name);
1832 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1833 sizeof(proc->repo_path))
1834 fatalx("repository path too long: %s", repo->path);
1835 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1836 PF_UNSPEC, proc->pipe) == -1)
1837 fatal("socketpair");
1838 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1839 confpath, proc->pipe[1], daemonize, verbosity);
1840 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1841 log_debug("proc %s %s is on fd %d",
1842 gotd_proc_names[proc->type], proc->repo_path,
1844 proc->iev.handler = gotd_dispatch_repo_child;
1845 proc->iev.events = EV_READ;
1846 proc->iev.handler_arg = NULL;
1847 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1848 gotd_dispatch_repo_child, &proc->iev);
1849 gotd_imsg_event_add(&proc->iev);
1851 client->repo = proc;
1855 static const struct got_error *
1856 start_auth_child(struct gotd_client *client, int required_auth,
1857 struct gotd_repo *repo, char *argv0, const char *confpath,
1858 int daemonize, int verbosity)
1860 const struct got_error *err = NULL;
1861 struct gotd_child_proc *proc;
1862 struct gotd_imsg_auth iauth;
1865 memset(&iauth, 0, sizeof(iauth));
1867 fd = dup(client->fd);
1869 return got_error_from_errno("dup");
1871 proc = calloc(1, sizeof(*proc));
1873 err = got_error_from_errno("calloc");
1878 TAILQ_INSERT_HEAD(&procs, proc, entry);
1879 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1881 proc->type = PROC_AUTH;
1882 if (strlcpy(proc->repo_name, repo->name,
1883 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1884 fatalx("repository name too long: %s", repo->name);
1885 log_debug("starting auth for uid %d repository %s",
1886 client->euid, repo->name);
1887 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1888 sizeof(proc->repo_path))
1889 fatalx("repository path too long: %s", repo->path);
1890 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1891 PF_UNSPEC, proc->pipe) == -1)
1892 fatal("socketpair");
1893 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1894 confpath, proc->pipe[1], daemonize, verbosity);
1895 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1896 log_debug("proc %s %s is on fd %d",
1897 gotd_proc_names[proc->type], proc->repo_path,
1899 proc->iev.handler = gotd_dispatch_auth_child;
1900 proc->iev.events = EV_READ;
1901 proc->iev.handler_arg = NULL;
1902 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1903 gotd_dispatch_auth_child, &proc->iev);
1904 gotd_imsg_event_add(&proc->iev);
1906 iauth.euid = client->euid;
1907 iauth.egid = client->egid;
1908 iauth.required_auth = required_auth;
1909 iauth.client_id = client->id;
1910 if (gotd_imsg_compose_event(&proc->iev, GOTD_IMSG_AUTHENTICATE,
1911 PROC_GOTD, fd, &iauth, sizeof(iauth)) == -1) {
1912 log_warn("imsg compose AUTHENTICATE");
1914 /* Let the auth_timeout handler tidy up. */
1917 client->auth = proc;
1918 client->required_auth = required_auth;
1923 apply_unveil_repo_readonly(const char *repo_path, int need_tmpdir)
1926 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1927 fatal("unveil %s", GOT_TMPDIR_STR);
1930 if (unveil(repo_path, "r") == -1)
1931 fatal("unveil %s", repo_path);
1933 if (unveil(NULL, NULL) == -1)
1938 apply_unveil_repo_readwrite(const char *repo_path)
1940 if (unveil(repo_path, "rwc") == -1)
1941 fatal("unveil %s", repo_path);
1943 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1944 fatal("unveil %s", GOT_TMPDIR_STR);
1946 if (unveil(NULL, NULL) == -1)
1951 apply_unveil_none(void)
1953 if (unveil("/", "") == -1)
1956 if (unveil(NULL, NULL) == -1)
1961 apply_unveil_selfexec(void)
1963 if (unveil(gotd.argv0, "x") == -1)
1964 fatal("unveil %s", gotd.argv0);
1966 if (unveil(NULL, NULL) == -1)
1971 set_max_datasize(void)
1975 if (getrlimit(RLIMIT_DATA, &rl) != 0)
1978 rl.rlim_cur = rl.rlim_max;
1979 setrlimit(RLIMIT_DATA, &rl);
1983 unveil_notification_helpers(void)
1985 const char *helpers[] = {
1986 GOTD_PATH_PROG_NOTIFY_EMAIL,
1987 GOTD_PATH_PROG_NOTIFY_HTTP,
1991 for (i = 0; i < nitems(helpers); i++) {
1992 if (unveil(helpers[i], "x") == 0)
1994 fatal("unveil %s", helpers[i]);
1997 if (unveil(NULL, NULL) == -1)
2002 main(int argc, char **argv)
2004 const struct got_error *error = NULL;
2005 int ch, fd = -1, daemonize = 1, verbosity = 0, noaction = 0;
2006 const char *confpath = GOTD_CONF_PATH;
2007 char *argv0 = argv[0];
2009 struct passwd *pw = NULL;
2010 char *repo_path = NULL;
2011 enum gotd_procid proc_id = PROC_GOTD;
2012 struct event evsigint, evsigterm, evsighup, evsigusr1, evsigchld;
2013 int *pack_fds = NULL, *temp_fds = NULL;
2014 struct gotd_repo *repo = NULL;
2015 char *default_sender = NULL;
2016 char hostname[HOST_NAME_MAX + 1];
2017 FILE *diff_f1 = NULL, *diff_f2 = NULL;
2018 int diff_fd1 = -1, diff_fd2 = -1;
2022 log_init(1, LOG_DAEMON); /* Log to stderr until daemonized. */
2024 while ((ch = getopt(argc, argv, "Adf:LnNP:RsSvW")) != -1) {
2027 proc_id = PROC_AUTH;
2036 proc_id = PROC_LISTEN;
2042 proc_id = PROC_NOTIFY;
2045 repo_path = realpath(optarg, NULL);
2046 if (repo_path == NULL)
2047 fatal("realpath '%s'", optarg);
2050 proc_id = PROC_REPO_READ;
2053 proc_id = PROC_SESSION_READ;
2056 proc_id = PROC_SESSION_WRITE;
2063 proc_id = PROC_REPO_WRITE;
2076 if (geteuid() && (proc_id == PROC_GOTD || proc_id == PROC_LISTEN))
2077 fatalx("need root privileges");
2079 if (parse_config(confpath, proc_id, &gotd) != 0)
2082 pw = getpwnam(gotd.user_name);
2084 fatalx("user %s not found", gotd.user_name);
2086 if (pw->pw_uid == 0)
2087 fatalx("cannot run %s as the superuser", getprogname());
2090 fprintf(stderr, "configuration OK\n");
2095 gotd.daemonize = daemonize;
2096 gotd.verbosity = verbosity;
2097 gotd.confpath = confpath;
2099 /* Require an absolute path in argv[0] for reliable re-exec. */
2100 if (!got_path_is_absolute(argv0))
2101 fatalx("bad path \"%s\": must be an absolute path", argv0);
2103 log_init(daemonize ? 0 : 1, LOG_DAEMON);
2104 log_setverbose(verbosity);
2106 if (proc_id == PROC_GOTD) {
2107 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
2108 arc4random_buf(&clients_hash_key, sizeof(clients_hash_key));
2109 if (daemonize && daemon(1, 0) == -1)
2111 gotd.pid = getpid();
2112 start_listener(argv0, confpath, daemonize, verbosity);
2113 start_notifier(argv0, confpath, daemonize, verbosity);
2114 } else if (proc_id == PROC_LISTEN) {
2115 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
2117 log_info("socket: %s", gotd.unix_socket_path);
2118 log_info("user: %s", pw->pw_name);
2121 fd = unix_socket_listen(gotd.unix_socket_path, pw->pw_uid,
2124 fatal("cannot listen on unix socket %s",
2125 gotd.unix_socket_path);
2127 } else if (proc_id == PROC_AUTH) {
2128 snprintf(title, sizeof(title), "%s %s",
2129 gotd_proc_names[proc_id], repo_path);
2130 } else if (proc_id == PROC_REPO_READ || proc_id == PROC_REPO_WRITE ||
2131 proc_id == PROC_SESSION_READ || proc_id == PROC_SESSION_WRITE) {
2132 error = got_repo_pack_fds_open(&pack_fds);
2134 fatalx("cannot open pack tempfiles: %s", error->msg);
2135 error = got_repo_temp_fds_open(&temp_fds);
2137 fatalx("cannot open pack tempfiles: %s", error->msg);
2138 if (repo_path == NULL)
2139 fatalx("repository path not specified");
2140 snprintf(title, sizeof(title), "%s %s",
2141 gotd_proc_names[proc_id], repo_path);
2142 } else if (proc_id == PROC_NOTIFY) {
2143 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
2144 if (gethostname(hostname, sizeof(hostname)) == -1)
2145 fatal("gethostname");
2146 if (asprintf(&default_sender, "%s@%s",
2147 pw->pw_name, hostname) == -1)
2150 fatal("invalid process id %d", proc_id);
2152 setproctitle("%s", title);
2153 log_procinit(title);
2155 /* Drop root privileges. */
2156 if (setgid(pw->pw_gid) == -1)
2157 fatal("setgid %d failed", pw->pw_gid);
2158 if (setuid(pw->pw_uid) == -1)
2159 fatal("setuid %d failed", pw->pw_uid);
2166 /* "exec" promise will be limited to argv[0] via unveil(2). */
2167 if (pledge("stdio proc exec sendfd recvfd unveil", NULL) == -1)
2173 if (pledge("stdio sendfd unix unveil", NULL) == -1)
2177 * Ensure that AF_UNIX bind(2) cannot be used with any other
2178 * sockets by revoking all filesystem access via unveil(2).
2180 apply_unveil_none();
2182 listen_main(title, fd, gotd.connection_limits,
2183 gotd.nconnection_limits);
2188 if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
2192 * We need the "unix" pledge promise for getpeername(2) only.
2193 * Ensure that AF_UNIX bind(2) cannot be used by revoking all
2194 * filesystem access via unveil(2). Access to password database
2195 * files will still work since "getpw" bypasses unveil(2).
2197 apply_unveil_none();
2199 auth_main(title, &gotd.repos, repo_path);
2202 case PROC_SESSION_READ:
2203 case PROC_SESSION_WRITE:
2206 * The "recvfd" promise is only needed during setup and
2207 * will be removed in a later pledge(2) call.
2209 if (pledge("stdio rpath wpath cpath recvfd sendfd fattr flock "
2210 "unveil", NULL) == -1)
2213 if (proc_id == PROC_SESSION_READ)
2214 apply_unveil_repo_readonly(repo_path, 1);
2216 apply_unveil_repo_readwrite(repo_path);
2217 repo = gotd_find_repo_by_path(repo_path, &gotd);
2219 fatalx("no repository for path %s", repo_path);
2221 if (proc_id == PROC_SESSION_READ)
2222 session_read_main(title, repo_path, pack_fds, temp_fds,
2223 &gotd.request_timeout, repo);
2225 session_write_main(title, repo_path, pack_fds, temp_fds,
2226 &gotd.request_timeout, repo);
2229 case PROC_REPO_READ:
2232 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
2235 apply_unveil_repo_readonly(repo_path, 0);
2236 repo_read_main(title, repo_path, pack_fds, temp_fds);
2239 case PROC_REPO_WRITE:
2242 diff_f1 = got_opentemp();
2243 if (diff_f1 == NULL)
2244 fatal("got_opentemp");
2245 diff_f2 = got_opentemp();
2246 if (diff_f2 == NULL)
2247 fatal("got_opentemp");
2248 diff_fd1 = got_opentempfd();
2250 fatal("got_opentempfd");
2251 diff_fd2 = got_opentempfd();
2253 fatal("got_opentempfd");
2255 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
2258 apply_unveil_repo_readonly(repo_path, 0);
2259 repo = gotd_find_repo_by_path(repo_path, &gotd);
2261 fatalx("no repository for path %s", repo_path);
2262 repo_write_main(title, repo_path, pack_fds, temp_fds,
2263 diff_f1, diff_f2, diff_fd1, diff_fd2,
2264 &repo->protected_tag_namespaces,
2265 &repo->protected_branch_namespaces,
2266 &repo->protected_branches);
2271 if (pledge("stdio proc exec recvfd unveil", NULL) == -1)
2275 * Limit "exec" promise to notification helpers via unveil(2).
2277 unveil_notification_helpers();
2279 notify_main(title, &gotd.repos, default_sender);
2283 fatal("invalid process id %d", proc_id);
2286 if (proc_id != PROC_GOTD)
2287 fatal("invalid process id %d", proc_id);
2289 evtimer_set(&gotd.listen_proc->tmo, kill_proc_timeout,
2291 if (gotd.notify_proc) {
2292 evtimer_set(&gotd.notify_proc->tmo, kill_proc_timeout,
2296 apply_unveil_selfexec();
2298 signal_set(&evsigint, SIGINT, gotd_sighdlr, NULL);
2299 signal_set(&evsigterm, SIGTERM, gotd_sighdlr, NULL);
2300 signal_set(&evsighup, SIGHUP, gotd_sighdlr, NULL);
2301 signal_set(&evsigusr1, SIGUSR1, gotd_sighdlr, NULL);
2302 signal_set(&evsigchld, SIGCHLD, gotd_sighdlr, NULL);
2303 signal(SIGPIPE, SIG_IGN);
2305 signal_add(&evsigint, NULL);
2306 signal_add(&evsigterm, NULL);
2307 signal_add(&evsighup, NULL);
2308 signal_add(&evsigusr1, NULL);
2309 signal_add(&evsigchld, NULL);
2311 gotd_imsg_event_add(&gotd.listen_proc->iev);
2312 if (gotd.notify_proc)
2313 gotd_imsg_event_add(&gotd.notify_proc->iev);
2318 free(default_sender);