2 * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 #include <sys/queue.h>
19 #include <sys/types.h>
21 #include <sys/socket.h>
41 #include "got_error.h"
42 #include "got_opentemp.h"
44 #include "got_repository.h"
45 #include "got_object.h"
46 #include "got_reference.h"
48 #include "got_lib_delta.h"
49 #include "got_lib_object.h"
50 #include "got_lib_object_cache.h"
51 #include "got_lib_hash.h"
52 #include "got_lib_gitproto.h"
53 #include "got_lib_pack.h"
54 #include "got_lib_repository.h"
61 #include "repo_read.h"
62 #include "repo_write.h"
65 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
68 enum gotd_client_state {
69 GOTD_CLIENT_STATE_NEW,
70 GOTD_CLIENT_STATE_ACCESS_GRANTED,
73 struct gotd_child_proc {
75 enum gotd_procid type;
76 char repo_name[NAME_MAX];
77 char repo_path[PATH_MAX];
79 struct gotd_imsgev iev;
82 TAILQ_ENTRY(gotd_child_proc) entry;
84 TAILQ_HEAD(gotd_procs, gotd_child_proc) procs;
87 STAILQ_ENTRY(gotd_client) entry;
88 enum gotd_client_state state;
91 struct gotd_imsgev iev;
95 struct gotd_child_proc *repo;
96 struct gotd_child_proc *auth;
97 struct gotd_child_proc *session;
100 STAILQ_HEAD(gotd_clients, gotd_client);
102 static struct gotd_clients gotd_clients[GOTD_CLIENT_TABLE_SIZE];
103 static SIPHASH_KEY clients_hash_key;
104 volatile int client_cnt;
105 static struct timeval auth_timeout = { 5, 0 };
106 static struct gotd gotd;
108 void gotd_sighdlr(int sig, short event, void *arg);
109 static void gotd_shutdown(void);
110 static const struct got_error *start_session_child(struct gotd_client *,
111 struct gotd_repo *, char *, const char *, int, int);
112 static const struct got_error *start_repo_child(struct gotd_client *,
113 enum gotd_procid, struct gotd_repo *, char *, const char *, int, int);
114 static const struct got_error *start_auth_child(struct gotd_client *, int,
115 struct gotd_repo *, char *, const char *, int, int);
116 static void kill_proc(struct gotd_child_proc *, int);
117 static void disconnect(struct gotd_client *);
122 fprintf(stderr, "usage: %s [-dnv] [-f config-file]\n", getprogname());
127 unix_socket_listen(const char *unix_socket_path, uid_t uid, gid_t gid)
129 struct sockaddr_un sun;
131 mode_t old_umask, mode;
133 fd = socket(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK| SOCK_CLOEXEC, 0);
139 sun.sun_family = AF_UNIX;
140 if (strlcpy(sun.sun_path, unix_socket_path,
141 sizeof(sun.sun_path)) >= sizeof(sun.sun_path)) {
142 log_warnx("%s: name too long", unix_socket_path);
147 if (unlink(unix_socket_path) == -1) {
148 if (errno != ENOENT) {
149 log_warn("unlink %s", unix_socket_path);
155 old_umask = umask(S_IXUSR|S_IXGRP|S_IWOTH|S_IROTH|S_IXOTH);
156 mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
158 if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) == -1) {
159 log_warn("bind: %s", unix_socket_path);
167 if (chmod(unix_socket_path, mode) == -1) {
168 log_warn("chmod %o %s", mode, unix_socket_path);
170 unlink(unix_socket_path);
174 if (chown(unix_socket_path, uid, gid) == -1) {
175 log_warn("chown %s uid=%d gid=%d", unix_socket_path, uid, gid);
177 unlink(unix_socket_path);
181 if (listen(fd, GOTD_UNIX_SOCKET_BACKLOG) == -1) {
184 unlink(unix_socket_path);
192 client_hash(uint32_t client_id)
194 return SipHash24(&clients_hash_key, &client_id, sizeof(client_id));
198 add_client(struct gotd_client *client)
200 uint64_t slot = client_hash(client->id) % nitems(gotd_clients);
201 STAILQ_INSERT_HEAD(&gotd_clients[slot], client, entry);
205 static struct gotd_client *
206 find_client(uint32_t client_id)
209 struct gotd_client *c;
211 slot = client_hash(client_id) % nitems(gotd_clients);
212 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
213 if (c->id == client_id)
220 static struct gotd_client *
221 find_client_by_proc_fd(int fd)
225 for (slot = 0; slot < nitems(gotd_clients); slot++) {
226 struct gotd_client *c;
228 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
229 if (c->repo && c->repo->iev.ibuf.fd == fd)
231 if (c->auth && c->auth->iev.ibuf.fd == fd)
233 if (c->session && c->session->iev.ibuf.fd == fd)
242 client_is_reading(struct gotd_client *client)
244 return (client->required_auth &
245 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) == GOTD_AUTH_READ;
249 client_is_writing(struct gotd_client *client)
251 return (client->required_auth &
252 (GOTD_AUTH_READ | GOTD_AUTH_WRITE)) ==
253 (GOTD_AUTH_READ | GOTD_AUTH_WRITE);
256 static const struct got_error *
257 ensure_client_is_not_writing(struct gotd_client *client)
259 if (client_is_writing(client)) {
260 return got_error_fmt(GOT_ERR_BAD_PACKET,
261 "uid %d made a read-request but is writing to "
262 "a repository", client->euid);
268 static const struct got_error *
269 ensure_client_is_not_reading(struct gotd_client *client)
271 if (client_is_reading(client)) {
272 return got_error_fmt(GOT_ERR_BAD_PACKET,
273 "uid %d made a write-request but is reading from "
274 "a repository", client->euid);
281 proc_done(struct gotd_child_proc *proc)
283 struct gotd_client *client;
285 TAILQ_REMOVE(&procs, proc, entry);
287 client = find_client_by_proc_fd(proc->iev.ibuf.fd);
288 if (client != NULL) {
289 if (proc == client->repo)
291 if (proc == client->auth)
293 if (proc == client->session)
294 client->session = NULL;
298 evtimer_del(&proc->tmo);
300 if (proc->iev.ibuf.fd != -1) {
301 event_del(&proc->iev.ev);
302 msgbuf_clear(&proc->iev.ibuf.w);
303 close(proc->iev.ibuf.fd);
310 kill_repo_proc(struct gotd_client *client)
312 if (client->repo == NULL)
315 kill_proc(client->repo, 0);
320 kill_auth_proc(struct gotd_client *client)
322 if (client->auth == NULL)
325 kill_proc(client->auth, 0);
330 kill_session_proc(struct gotd_client *client)
332 if (client->session == NULL)
335 kill_proc(client->session, 0);
336 client->session = NULL;
340 disconnect(struct gotd_client *client)
342 struct gotd_imsg_disconnect idisconnect;
343 struct gotd_child_proc *listen_proc = gotd.listen_proc;
346 log_debug("uid %d: disconnecting", client->euid);
348 kill_auth_proc(client);
349 kill_session_proc(client);
350 kill_repo_proc(client);
352 idisconnect.client_id = client->id;
353 if (gotd_imsg_compose_event(&listen_proc->iev,
354 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
355 &idisconnect, sizeof(idisconnect)) == -1)
356 log_warn("imsg compose DISCONNECT");
358 slot = client_hash(client->id) % nitems(gotd_clients);
359 STAILQ_REMOVE(&gotd_clients[slot], client, gotd_client, entry);
360 imsg_clear(&client->iev.ibuf);
361 event_del(&client->iev.ev);
362 evtimer_del(&client->tmo);
363 if (client->fd != -1)
365 else if (client->iev.ibuf.fd != -1)
366 close(client->iev.ibuf.fd);
372 disconnect_on_error(struct gotd_client *client, const struct got_error *err)
376 log_warnx("uid %d: %s", client->euid, err->msg);
377 if (err->code != GOT_ERR_EOF && client->fd != -1) {
378 imsg_init(&ibuf, client->fd);
379 gotd_imsg_send_error(&ibuf, 0, PROC_GOTD, err);
385 static const struct got_error *
386 send_repo_info(struct gotd_imsgev *iev, struct gotd_repo *repo)
388 const struct got_error *err = NULL;
389 struct gotd_imsg_info_repo irepo;
391 memset(&irepo, 0, sizeof(irepo));
393 if (strlcpy(irepo.repo_name, repo->name, sizeof(irepo.repo_name))
394 >= sizeof(irepo.repo_name))
395 return got_error_msg(GOT_ERR_NO_SPACE, "repo name too long");
396 if (strlcpy(irepo.repo_path, repo->path, sizeof(irepo.repo_path))
397 >= sizeof(irepo.repo_path))
398 return got_error_msg(GOT_ERR_NO_SPACE, "repo path too long");
400 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_REPO, PROC_GOTD, -1,
401 &irepo, sizeof(irepo)) == -1) {
402 err = got_error_from_errno("imsg compose INFO_REPO");
410 static const struct got_error *
411 send_client_info(struct gotd_imsgev *iev, struct gotd_client *client)
413 const struct got_error *err = NULL;
414 struct gotd_imsg_info_client iclient;
415 struct gotd_child_proc *proc;
417 memset(&iclient, 0, sizeof(iclient));
418 iclient.euid = client->euid;
419 iclient.egid = client->egid;
423 if (strlcpy(iclient.repo_name, proc->repo_path,
424 sizeof(iclient.repo_name)) >= sizeof(iclient.repo_name)) {
425 return got_error_msg(GOT_ERR_NO_SPACE,
426 "repo name too long");
428 if (client_is_writing(client))
429 iclient.is_writing = 1;
431 iclient.repo_child_pid = proc->pid;
435 iclient.session_child_pid = client->session->pid;
437 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_CLIENT, PROC_GOTD, -1,
438 &iclient, sizeof(iclient)) == -1) {
439 err = got_error_from_errno("imsg compose INFO_CLIENT");
447 static const struct got_error *
448 send_info(struct gotd_client *client)
450 const struct got_error *err = NULL;
451 struct gotd_imsg_info info;
453 struct gotd_repo *repo;
455 if (client->euid != 0)
456 return got_error_set_errno(EPERM, "info");
459 info.verbosity = gotd.verbosity;
460 info.nrepos = gotd.nrepos;
461 info.nclients = client_cnt - 1;
463 if (gotd_imsg_compose_event(&client->iev, GOTD_IMSG_INFO, PROC_GOTD, -1,
464 &info, sizeof(info)) == -1) {
465 err = got_error_from_errno("imsg compose INFO");
470 TAILQ_FOREACH(repo, &gotd.repos, entry) {
471 err = send_repo_info(&client->iev, repo);
476 for (slot = 0; slot < nitems(gotd_clients); slot++) {
477 struct gotd_client *c;
478 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
479 if (c->id == client->id)
481 err = send_client_info(&client->iev, c);
490 static const struct got_error *
491 stop_gotd(struct gotd_client *client)
494 if (client->euid != 0)
495 return got_error_set_errno(EPERM, "stop");
502 static const struct got_error *
503 start_client_authentication(struct gotd_client *client, struct imsg *imsg)
505 const struct got_error *err;
506 struct gotd_imsg_list_refs ireq;
507 struct gotd_repo *repo = NULL;
510 log_debug("list-refs request from uid %d", client->euid);
512 if (client->state != GOTD_CLIENT_STATE_NEW)
513 return got_error_msg(GOT_ERR_BAD_REQUEST,
514 "unexpected list-refs request received");
516 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
517 if (datalen != sizeof(ireq))
518 return got_error(GOT_ERR_PRIVSEP_LEN);
520 memcpy(&ireq, imsg->data, datalen);
522 if (ireq.client_is_reading) {
523 err = ensure_client_is_not_writing(client);
526 repo = gotd_find_repo_by_name(ireq.repo_name, &gotd);
528 return got_error(GOT_ERR_NOT_GIT_REPO);
529 err = start_auth_child(client, GOTD_AUTH_READ, repo,
530 gotd.argv0, gotd.confpath, gotd.daemonize,
535 err = ensure_client_is_not_reading(client);
538 repo = gotd_find_repo_by_name(ireq.repo_name, &gotd);
540 return got_error(GOT_ERR_NOT_GIT_REPO);
541 err = start_auth_child(client,
542 GOTD_AUTH_READ | GOTD_AUTH_WRITE,
543 repo, gotd.argv0, gotd.confpath, gotd.daemonize,
549 evtimer_add(&client->tmo, &auth_timeout);
551 /* Flow continues upon authentication successs/failure or timeout. */
556 gotd_request(int fd, short events, void *arg)
558 struct gotd_imsgev *iev = arg;
559 struct imsgbuf *ibuf = &iev->ibuf;
560 struct gotd_client *client = iev->handler_arg;
561 const struct got_error *err = NULL;
565 if (events & EV_WRITE) {
566 while (ibuf->w.queued) {
567 n = msgbuf_write(&ibuf->w);
568 if (n == -1 && errno == EPIPE) {
570 * The client has closed its socket.
571 * This can happen when Git clients are
572 * done sending pack file data.
574 msgbuf_clear(&ibuf->w);
576 } else if (n == -1 && errno != EAGAIN) {
577 err = got_error_from_errno("imsg_flush");
578 disconnect_on_error(client, err);
582 /* Connection closed. */
583 err = got_error(GOT_ERR_EOF);
584 disconnect_on_error(client, err);
589 /* Disconnect gotctl(8) now that messages have been sent. */
590 if (!client_is_reading(client) && !client_is_writing(client)) {
596 if ((events & EV_READ) == 0)
599 memset(&imsg, 0, sizeof(imsg));
601 while (err == NULL) {
602 err = gotd_imsg_recv(&imsg, ibuf, 0);
604 if (err->code == GOT_ERR_PRIVSEP_READ)
609 evtimer_del(&client->tmo);
611 switch (imsg.hdr.type) {
613 err = send_info(client);
616 err = stop_gotd(client);
618 case GOTD_IMSG_LIST_REFS:
619 err = start_client_authentication(client, &imsg);
622 log_debug("unexpected imsg %d", imsg.hdr.type);
623 err = got_error(GOT_ERR_PRIVSEP_MSG);
631 disconnect_on_error(client, err);
633 gotd_imsg_event_add(&client->iev);
638 gotd_auth_timeout(int fd, short events, void *arg)
640 struct gotd_client *client = arg;
642 log_debug("disconnecting uid %d due to authentication timeout",
647 static const struct got_error *
648 recv_connect(uint32_t *client_id, struct imsg *imsg)
650 const struct got_error *err = NULL;
651 struct gotd_imsg_connect iconnect;
654 struct gotd_client *client = NULL;
658 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
659 if (datalen != sizeof(iconnect))
660 return got_error(GOT_ERR_PRIVSEP_LEN);
661 memcpy(&iconnect, imsg->data, sizeof(iconnect));
665 err = got_error(GOT_ERR_PRIVSEP_NO_FD);
669 if (find_client(iconnect.client_id)) {
670 err = got_error_msg(GOT_ERR_CLIENT_ID, "duplicate client ID");
674 client = calloc(1, sizeof(*client));
675 if (client == NULL) {
676 err = got_error_from_errno("calloc");
680 *client_id = iconnect.client_id;
682 client->state = GOTD_CLIENT_STATE_NEW;
683 client->id = iconnect.client_id;
686 /* The auth process will verify UID/GID for us. */
687 client->euid = iconnect.euid;
688 client->egid = iconnect.egid;
690 imsg_init(&client->iev.ibuf, client->fd);
691 client->iev.handler = gotd_request;
692 client->iev.events = EV_READ;
693 client->iev.handler_arg = client;
695 event_set(&client->iev.ev, client->fd, EV_READ, gotd_request,
697 gotd_imsg_event_add(&client->iev);
699 evtimer_set(&client->tmo, gotd_auth_timeout, client);
702 log_debug("%s: new client uid %d connected on fd %d", __func__,
703 client->euid, client->fd);
706 struct gotd_child_proc *listen_proc = gotd.listen_proc;
707 struct gotd_imsg_disconnect idisconnect;
709 idisconnect.client_id = client->id;
710 if (gotd_imsg_compose_event(&listen_proc->iev,
711 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
712 &idisconnect, sizeof(idisconnect)) == -1)
713 log_warn("imsg compose DISCONNECT");
722 static const char *gotd_proc_names[PROC_MAX] = {
733 kill_proc(struct gotd_child_proc *proc, int fatal)
735 struct timeval tv = { 5, 0 };
737 log_debug("kill -%d %d", fatal ? SIGKILL : SIGTERM, proc->pid);
739 if (proc->iev.ibuf.fd != -1) {
740 event_del(&proc->iev.ev);
741 msgbuf_clear(&proc->iev.ibuf.w);
742 close(proc->iev.ibuf.fd);
743 proc->iev.ibuf.fd = -1;
746 if (!evtimer_pending(&proc->tmo, NULL) && !fatal)
747 evtimer_add(&proc->tmo, &tv);
750 log_warnx("sending SIGKILL to PID %d", proc->pid);
751 kill(proc->pid, SIGKILL);
753 kill(proc->pid, SIGTERM);
757 kill_proc_timeout(int fd, short ev, void *d)
759 struct gotd_child_proc *proc = d;
761 log_warnx("timeout waiting for PID %d to terminate;"
762 " retrying with force", proc->pid);
771 log_debug("shutting down");
772 for (slot = 0; slot < nitems(gotd_clients); slot++) {
773 struct gotd_client *c, *tmp;
775 STAILQ_FOREACH_SAFE(c, &gotd_clients[slot], entry, tmp)
779 kill_proc(gotd.listen_proc, 0);
781 log_info("terminating");
785 static struct gotd_child_proc *
786 find_proc_by_pid(pid_t pid)
788 struct gotd_child_proc *proc = NULL;
790 TAILQ_FOREACH(proc, &procs, entry)
791 if (proc->pid == pid)
798 gotd_sighdlr(int sig, short event, void *arg)
800 struct gotd_child_proc *proc;
805 * Normal signal handler rules don't apply because libevent
811 log_info("%s: ignoring SIGHUP", __func__);
814 log_info("%s: ignoring SIGUSR1", __func__);
822 pid = waitpid(WAIT_ANY, &status, WNOHANG);
833 log_debug("reaped pid %d", pid);
834 proc = find_proc_by_pid(pid);
836 log_info("caught exit of unknown child %d",
841 if (WIFSIGNALED(status)) {
842 log_warnx("child PID %d terminated with"
843 " signal %d", pid, WTERMSIG(status));
850 fatalx("unexpected signal");
854 static const struct got_error *
855 ensure_proc_is_reading(struct gotd_client *client,
856 struct gotd_child_proc *proc)
858 if (!client_is_reading(client)) {
860 return got_error_fmt(GOT_ERR_BAD_PACKET,
861 "PID %d handled a read-request for uid %d but this "
862 "user is not reading from a repository", proc->pid,
869 static const struct got_error *
870 ensure_proc_is_writing(struct gotd_client *client,
871 struct gotd_child_proc *proc)
873 if (!client_is_writing(client)) {
875 return got_error_fmt(GOT_ERR_BAD_PACKET,
876 "PID %d handled a write-request for uid %d but this "
877 "user is not writing to a repository", proc->pid,
885 verify_imsg_src(struct gotd_client *client, struct gotd_child_proc *proc,
888 const struct got_error *err;
891 if (proc->type == PROC_REPO_READ || proc->type == PROC_REPO_WRITE) {
892 if (client->repo == NULL)
893 fatalx("no process found for uid %d", client->euid);
894 if (proc->pid != client->repo->pid) {
896 log_warnx("received message from PID %d for uid %d, "
897 "while PID %d is the process serving this user",
898 proc->pid, client->euid, client->repo->pid);
902 if (proc->type == PROC_SESSION_READ ||
903 proc->type == PROC_SESSION_WRITE) {
904 if (client->session == NULL) {
905 log_warnx("no session found for uid %d", client->euid);
908 if (proc->pid != client->session->pid) {
910 log_warnx("received message from PID %d for uid %d, "
911 "while PID %d is the process serving this user",
912 proc->pid, client->euid, client->session->pid);
917 switch (imsg->hdr.type) {
918 case GOTD_IMSG_ERROR:
921 case GOTD_IMSG_CONNECT:
922 if (proc->type != PROC_LISTEN) {
923 err = got_error_fmt(GOT_ERR_BAD_PACKET,
924 "new connection for uid %d from PID %d "
925 "which is not the listen process",
926 proc->pid, client->euid);
930 case GOTD_IMSG_ACCESS_GRANTED:
931 if (proc->type != PROC_AUTH) {
932 err = got_error_fmt(GOT_ERR_BAD_PACKET,
933 "authentication of uid %d from PID %d "
934 "which is not the auth process",
935 proc->pid, client->euid);
939 case GOTD_IMSG_CLIENT_SESSION_READY:
940 if (proc->type != PROC_SESSION_READ &&
941 proc->type != PROC_SESSION_WRITE) {
942 err = got_error_fmt(GOT_ERR_BAD_PACKET,
943 "unexpected \"ready\" signal from PID %d",
948 case GOTD_IMSG_REPO_CHILD_READY:
949 if (proc->type != PROC_REPO_READ &&
950 proc->type != PROC_REPO_WRITE) {
951 err = got_error_fmt(GOT_ERR_BAD_PACKET,
952 "unexpected \"ready\" signal from PID %d",
957 case GOTD_IMSG_PACKFILE_DONE:
958 err = ensure_proc_is_reading(client, proc);
960 log_warnx("uid %d: %s", client->euid, err->msg);
964 case GOTD_IMSG_PACKFILE_INSTALL:
965 case GOTD_IMSG_REF_UPDATES_START:
966 case GOTD_IMSG_REF_UPDATE:
967 err = ensure_proc_is_writing(client, proc);
969 log_warnx("uid %d: %s", client->euid, err->msg);
974 log_debug("%s: unexpected imsg %d", __func__, imsg->hdr.type);
981 static const struct got_error *
982 connect_repo_child(struct gotd_client *client,
983 struct gotd_child_proc *repo_proc)
985 static const struct got_error *err;
986 struct gotd_imsgev *session_iev = &client->session->iev;
987 struct gotd_imsg_connect_repo_child ireq;
990 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED)
991 return got_error_msg(GOT_ERR_BAD_REQUEST,
992 "unexpected repo child ready signal received");
994 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
995 PF_UNSPEC, pipe) == -1)
998 memset(&ireq, 0, sizeof(ireq));
999 ireq.client_id = client->id;
1000 ireq.proc_id = repo_proc->type;
1002 /* Pass repo child pipe to session child process. */
1003 if (gotd_imsg_compose_event(session_iev, GOTD_IMSG_CONNECT_REPO_CHILD,
1004 PROC_GOTD, pipe[0], &ireq, sizeof(ireq)) == -1) {
1005 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
1011 /* Pass session child pipe to repo child process. */
1012 if (gotd_imsg_compose_event(&repo_proc->iev,
1013 GOTD_IMSG_CONNECT_REPO_CHILD, PROC_GOTD, pipe[1], NULL, 0) == -1) {
1014 err = got_error_from_errno("imsg compose CONNECT_REPO_CHILD");
1023 gotd_dispatch_listener(int fd, short event, void *arg)
1025 struct gotd_imsgev *iev = arg;
1026 struct imsgbuf *ibuf = &iev->ibuf;
1027 struct gotd_child_proc *proc = gotd.listen_proc;
1032 if (proc->iev.ibuf.fd != fd)
1033 fatalx("%s: unexpected fd %d", __func__, fd);
1035 if (event & EV_READ) {
1036 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1037 fatal("imsg_read error");
1039 /* Connection closed. */
1045 if (event & EV_WRITE) {
1046 n = msgbuf_write(&ibuf->w);
1047 if (n == -1 && errno != EAGAIN)
1048 fatal("msgbuf_write");
1050 /* Connection closed. */
1057 const struct got_error *err = NULL;
1058 struct gotd_client *client = NULL;
1059 uint32_t client_id = 0;
1060 int do_disconnect = 0;
1062 if ((n = imsg_get(ibuf, &imsg)) == -1)
1063 fatal("%s: imsg_get error", __func__);
1064 if (n == 0) /* No more messages. */
1067 switch (imsg.hdr.type) {
1068 case GOTD_IMSG_ERROR:
1070 err = gotd_imsg_recv_error(&client_id, &imsg);
1072 case GOTD_IMSG_CONNECT:
1073 err = recv_connect(&client_id, &imsg);
1076 log_debug("unexpected imsg %d", imsg.hdr.type);
1080 client = find_client(client_id);
1081 if (client == NULL) {
1082 log_warnx("%s: client not found", __func__);
1088 log_warnx("uid %d: %s", client->euid, err->msg);
1090 if (do_disconnect) {
1092 disconnect_on_error(client, err);
1101 gotd_imsg_event_add(iev);
1103 /* This pipe is dead. Remove its event handler */
1104 event_del(&iev->ev);
1105 event_loopexit(NULL);
1110 gotd_dispatch_auth_child(int fd, short event, void *arg)
1112 const struct got_error *err = NULL;
1113 struct gotd_imsgev *iev = arg;
1114 struct imsgbuf *ibuf = &iev->ibuf;
1115 struct gotd_client *client;
1116 struct gotd_repo *repo = NULL;
1120 uint32_t client_id = 0;
1121 int do_disconnect = 0;
1123 client = find_client_by_proc_fd(fd);
1124 if (client == NULL) {
1125 /* Can happen during process teardown. */
1126 warnx("cannot find client for fd %d", fd);
1131 if (client->auth == NULL)
1132 fatalx("cannot find auth child process for fd %d", fd);
1134 if (event & EV_READ) {
1135 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1136 fatal("imsg_read error");
1138 /* Connection closed. */
1144 if (event & EV_WRITE) {
1145 n = msgbuf_write(&ibuf->w);
1146 if (n == -1 && errno != EAGAIN)
1147 fatal("msgbuf_write");
1149 /* Connection closed. */
1155 if (client->auth->iev.ibuf.fd != fd)
1156 fatalx("%s: unexpected fd %d", __func__, fd);
1158 if ((n = imsg_get(ibuf, &imsg)) == -1)
1159 fatal("%s: imsg_get error", __func__);
1160 if (n == 0) /* No more messages. */
1163 evtimer_del(&client->tmo);
1165 switch (imsg.hdr.type) {
1166 case GOTD_IMSG_ERROR:
1168 err = gotd_imsg_recv_error(&client_id, &imsg);
1170 case GOTD_IMSG_ACCESS_GRANTED:
1171 client->state = GOTD_CLIENT_STATE_ACCESS_GRANTED;
1175 log_debug("unexpected imsg %d", imsg.hdr.type);
1179 if (!verify_imsg_src(client, client->auth, &imsg)) {
1181 log_debug("dropping imsg type %d from PID %d",
1182 imsg.hdr.type, client->auth->pid);
1186 if (do_disconnect) {
1188 disconnect_on_error(client, err);
1194 repo = gotd_find_repo_by_name(client->auth->repo_name, &gotd);
1196 err = got_error(GOT_ERR_NOT_GIT_REPO);
1199 kill_auth_proc(client);
1201 log_info("authenticated uid %d for repository %s",
1202 client->euid, repo->name);
1204 err = start_session_child(client, repo, gotd.argv0,
1205 gotd.confpath, gotd.daemonize, gotd.verbosity);
1210 log_warnx("uid %d: %s", client->euid, err->msg);
1212 /* We might have killed the auth process by now. */
1213 if (client->auth != NULL) {
1215 gotd_imsg_event_add(iev);
1217 /* This pipe is dead. Remove its event handler */
1218 event_del(&iev->ev);
1223 static const struct got_error *
1224 connect_session(struct gotd_client *client)
1226 const struct got_error *err = NULL;
1227 struct gotd_imsg_connect iconnect;
1230 memset(&iconnect, 0, sizeof(iconnect));
1232 s = dup(client->fd);
1234 return got_error_from_errno("dup");
1236 iconnect.client_id = client->id;
1237 iconnect.euid = client->euid;
1238 iconnect.egid = client->egid;
1240 if (gotd_imsg_compose_event(&client->session->iev, GOTD_IMSG_CONNECT,
1241 PROC_GOTD, s, &iconnect, sizeof(iconnect)) == -1) {
1242 err = got_error_from_errno("imsg compose CONNECT");
1248 * We are no longer interested in messages from this client.
1249 * Further client requests will be handled by the session process.
1251 msgbuf_clear(&client->iev.ibuf.w);
1252 imsg_clear(&client->iev.ibuf);
1253 event_del(&client->iev.ev);
1254 client->fd = -1; /* will be closed via copy in client->iev.ibuf.fd */
1260 gotd_dispatch_client_session(int fd, short event, void *arg)
1262 struct gotd_imsgev *iev = arg;
1263 struct imsgbuf *ibuf = &iev->ibuf;
1264 struct gotd_child_proc *proc = NULL;
1265 struct gotd_client *client = NULL;
1270 client = find_client_by_proc_fd(fd);
1271 if (client == NULL) {
1272 /* Can happen during process teardown. */
1273 warnx("cannot find client for fd %d", fd);
1278 if (event & EV_READ) {
1279 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1280 fatal("imsg_read error");
1282 /* Connection closed. */
1288 if (event & EV_WRITE) {
1289 n = msgbuf_write(&ibuf->w);
1290 if (n == -1 && errno != EAGAIN)
1291 fatal("msgbuf_write");
1293 /* Connection closed. */
1299 proc = client->session;
1301 fatalx("cannot find session child process for fd %d", fd);
1304 const struct got_error *err = NULL;
1305 uint32_t client_id = 0;
1306 int do_disconnect = 0, do_start_repo_child = 0;
1308 if ((n = imsg_get(ibuf, &imsg)) == -1)
1309 fatal("%s: imsg_get error", __func__);
1310 if (n == 0) /* No more messages. */
1313 switch (imsg.hdr.type) {
1314 case GOTD_IMSG_ERROR:
1316 err = gotd_imsg_recv_error(&client_id, &imsg);
1318 case GOTD_IMSG_CLIENT_SESSION_READY:
1319 if (client->state != GOTD_CLIENT_STATE_ACCESS_GRANTED) {
1320 err = got_error(GOT_ERR_PRIVSEP_MSG);
1323 do_start_repo_child = 1;
1325 case GOTD_IMSG_DISCONNECT:
1329 log_debug("unexpected imsg %d", imsg.hdr.type);
1333 if (!verify_imsg_src(client, proc, &imsg)) {
1334 log_debug("dropping imsg type %d from PID %d",
1335 imsg.hdr.type, proc->pid);
1340 log_warnx("uid %d: %s", client->euid, err->msg);
1342 if (do_start_repo_child) {
1343 struct gotd_repo *repo;
1344 const char *name = client->session->repo_name;
1346 repo = gotd_find_repo_by_name(name, &gotd);
1348 enum gotd_procid proc_type;
1350 if (client->required_auth & GOTD_AUTH_WRITE)
1351 proc_type = PROC_REPO_WRITE;
1353 proc_type = PROC_REPO_READ;
1355 err = start_repo_child(client, proc_type, repo,
1356 gotd.argv0, gotd.confpath, gotd.daemonize,
1359 err = got_error(GOT_ERR_NOT_GIT_REPO);
1362 log_warnx("uid %d: %s", client->euid, err->msg);
1367 if (do_disconnect) {
1369 disconnect_on_error(client, err);
1378 gotd_imsg_event_add(iev);
1380 /* This pipe is dead. Remove its event handler */
1381 event_del(&iev->ev);
1387 gotd_dispatch_repo_child(int fd, short event, void *arg)
1389 struct gotd_imsgev *iev = arg;
1390 struct imsgbuf *ibuf = &iev->ibuf;
1391 struct gotd_child_proc *proc = NULL;
1392 struct gotd_client *client;
1397 client = find_client_by_proc_fd(fd);
1398 if (client == NULL) {
1399 /* Can happen during process teardown. */
1400 warnx("cannot find client for fd %d", fd);
1405 if (event & EV_READ) {
1406 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1407 fatal("imsg_read error");
1409 /* Connection closed. */
1415 if (event & EV_WRITE) {
1416 n = msgbuf_write(&ibuf->w);
1417 if (n == -1 && errno != EAGAIN)
1418 fatal("msgbuf_write");
1420 /* Connection closed. */
1426 proc = client->repo;
1428 fatalx("cannot find child process for fd %d", fd);
1431 const struct got_error *err = NULL;
1432 uint32_t client_id = 0;
1433 int do_disconnect = 0;
1435 if ((n = imsg_get(ibuf, &imsg)) == -1)
1436 fatal("%s: imsg_get error", __func__);
1437 if (n == 0) /* No more messages. */
1440 switch (imsg.hdr.type) {
1441 case GOTD_IMSG_ERROR:
1443 err = gotd_imsg_recv_error(&client_id, &imsg);
1445 case GOTD_IMSG_REPO_CHILD_READY:
1446 err = connect_session(client);
1449 err = connect_repo_child(client, proc);
1452 log_debug("unexpected imsg %d", imsg.hdr.type);
1456 if (!verify_imsg_src(client, proc, &imsg)) {
1457 log_debug("dropping imsg type %d from PID %d",
1458 imsg.hdr.type, proc->pid);
1463 log_warnx("uid %d: %s", client->euid, err->msg);
1465 if (do_disconnect) {
1467 disconnect_on_error(client, err);
1476 gotd_imsg_event_add(iev);
1478 /* This pipe is dead. Remove its event handler */
1479 event_del(&iev->ev);
1485 start_child(enum gotd_procid proc_id, const char *repo_path,
1486 char *argv0, const char *confpath, int fd, int daemonize, int verbosity)
1492 switch (pid = fork()) {
1494 fatal("cannot fork");
1502 if (fd != GOTD_FILENO_MSG_PIPE) {
1503 if (dup2(fd, GOTD_FILENO_MSG_PIPE) == -1)
1504 fatal("cannot setup imsg fd");
1505 } else if (fcntl(fd, F_SETFD, 0) == -1)
1506 fatal("cannot setup imsg fd");
1508 argv[argc++] = argv0;
1511 argv[argc++] = (char *)"-L";
1514 argv[argc++] = (char *)"-A";
1516 case PROC_SESSION_READ:
1517 argv[argc++] = (char *)"-s";
1519 case PROC_SESSION_WRITE:
1520 argv[argc++] = (char *)"-S";
1522 case PROC_REPO_READ:
1523 argv[argc++] = (char *)"-R";
1525 case PROC_REPO_WRITE:
1526 argv[argc++] = (char *)"-W";
1529 fatalx("invalid process id %d", proc_id);
1532 argv[argc++] = (char *)"-f";
1533 argv[argc++] = (char *)confpath;
1536 argv[argc++] = (char *)"-P";
1537 argv[argc++] = (char *)repo_path;
1541 argv[argc++] = (char *)"-d";
1543 argv[argc++] = (char *)"-v";
1545 argv[argc++] = (char *)"-v";
1546 argv[argc++] = NULL;
1548 execvp(argv0, argv);
1553 start_listener(char *argv0, const char *confpath, int daemonize, int verbosity)
1555 struct gotd_child_proc *proc;
1557 proc = calloc(1, sizeof(*proc));
1561 TAILQ_INSERT_HEAD(&procs, proc, entry);
1563 /* proc->tmo is initialized in main() after event_init() */
1565 proc->type = PROC_LISTEN;
1567 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1568 PF_UNSPEC, proc->pipe) == -1)
1569 fatal("socketpair");
1571 proc->pid = start_child(proc->type, NULL, argv0, confpath,
1572 proc->pipe[1], daemonize, verbosity);
1573 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1574 proc->iev.handler = gotd_dispatch_listener;
1575 proc->iev.events = EV_READ;
1576 proc->iev.handler_arg = NULL;
1578 gotd.listen_proc = proc;
1581 static const struct got_error *
1582 start_session_child(struct gotd_client *client, struct gotd_repo *repo,
1583 char *argv0, const char *confpath, int daemonize, int verbosity)
1585 struct gotd_child_proc *proc;
1587 proc = calloc(1, sizeof(*proc));
1589 return got_error_from_errno("calloc");
1591 TAILQ_INSERT_HEAD(&procs, proc, entry);
1592 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1594 if (client_is_reading(client))
1595 proc->type = PROC_SESSION_READ;
1597 proc->type = PROC_SESSION_WRITE;
1598 if (strlcpy(proc->repo_name, repo->name,
1599 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1600 fatalx("repository name too long: %s", repo->name);
1601 log_debug("starting client uid %d session for repository %s",
1602 client->euid, repo->name);
1603 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1604 sizeof(proc->repo_path))
1605 fatalx("repository path too long: %s", repo->path);
1606 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1607 PF_UNSPEC, proc->pipe) == -1)
1608 fatal("socketpair");
1609 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1610 confpath, proc->pipe[1], daemonize, verbosity);
1611 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1612 log_debug("proc %s %s is on fd %d",
1613 gotd_proc_names[proc->type], proc->repo_path,
1615 proc->iev.handler = gotd_dispatch_client_session;
1616 proc->iev.events = EV_READ;
1617 proc->iev.handler_arg = NULL;
1618 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1619 gotd_dispatch_client_session, &proc->iev);
1620 gotd_imsg_event_add(&proc->iev);
1622 client->session = proc;
1626 static const struct got_error *
1627 start_repo_child(struct gotd_client *client, enum gotd_procid proc_type,
1628 struct gotd_repo *repo, char *argv0, const char *confpath,
1629 int daemonize, int verbosity)
1631 struct gotd_child_proc *proc;
1633 if (proc_type != PROC_REPO_READ && proc_type != PROC_REPO_WRITE)
1634 return got_error_msg(GOT_ERR_NOT_IMPL, "bad process type");
1636 proc = calloc(1, sizeof(*proc));
1638 return got_error_from_errno("calloc");
1640 TAILQ_INSERT_HEAD(&procs, proc, entry);
1641 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1643 proc->type = proc_type;
1644 if (strlcpy(proc->repo_name, repo->name,
1645 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1646 fatalx("repository name too long: %s", repo->name);
1647 log_debug("starting %s for repository %s",
1648 proc->type == PROC_REPO_READ ? "reader" : "writer", repo->name);
1649 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1650 sizeof(proc->repo_path))
1651 fatalx("repository path too long: %s", repo->path);
1652 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1653 PF_UNSPEC, proc->pipe) == -1)
1654 fatal("socketpair");
1655 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1656 confpath, proc->pipe[1], daemonize, verbosity);
1657 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1658 log_debug("proc %s %s is on fd %d",
1659 gotd_proc_names[proc->type], proc->repo_path,
1661 proc->iev.handler = gotd_dispatch_repo_child;
1662 proc->iev.events = EV_READ;
1663 proc->iev.handler_arg = NULL;
1664 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1665 gotd_dispatch_repo_child, &proc->iev);
1666 gotd_imsg_event_add(&proc->iev);
1668 client->repo = proc;
1672 static const struct got_error *
1673 start_auth_child(struct gotd_client *client, int required_auth,
1674 struct gotd_repo *repo, char *argv0, const char *confpath,
1675 int daemonize, int verbosity)
1677 const struct got_error *err = NULL;
1678 struct gotd_child_proc *proc;
1679 struct gotd_imsg_auth iauth;
1682 memset(&iauth, 0, sizeof(iauth));
1684 fd = dup(client->fd);
1686 return got_error_from_errno("dup");
1688 proc = calloc(1, sizeof(*proc));
1690 err = got_error_from_errno("calloc");
1695 TAILQ_INSERT_HEAD(&procs, proc, entry);
1696 evtimer_set(&proc->tmo, kill_proc_timeout, proc);
1698 proc->type = PROC_AUTH;
1699 if (strlcpy(proc->repo_name, repo->name,
1700 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
1701 fatalx("repository name too long: %s", repo->name);
1702 log_debug("starting auth for uid %d repository %s",
1703 client->euid, repo->name);
1704 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
1705 sizeof(proc->repo_path))
1706 fatalx("repository path too long: %s", repo->path);
1707 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
1708 PF_UNSPEC, proc->pipe) == -1)
1709 fatal("socketpair");
1710 proc->pid = start_child(proc->type, proc->repo_path, argv0,
1711 confpath, proc->pipe[1], daemonize, verbosity);
1712 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
1713 log_debug("proc %s %s is on fd %d",
1714 gotd_proc_names[proc->type], proc->repo_path,
1716 proc->iev.handler = gotd_dispatch_auth_child;
1717 proc->iev.events = EV_READ;
1718 proc->iev.handler_arg = NULL;
1719 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
1720 gotd_dispatch_auth_child, &proc->iev);
1721 gotd_imsg_event_add(&proc->iev);
1723 iauth.euid = client->euid;
1724 iauth.egid = client->egid;
1725 iauth.required_auth = required_auth;
1726 iauth.client_id = client->id;
1727 if (gotd_imsg_compose_event(&proc->iev, GOTD_IMSG_AUTHENTICATE,
1728 PROC_GOTD, fd, &iauth, sizeof(iauth)) == -1) {
1729 log_warn("imsg compose AUTHENTICATE");
1731 /* Let the auth_timeout handler tidy up. */
1734 client->auth = proc;
1735 client->required_auth = required_auth;
1740 apply_unveil_repo_readonly(const char *repo_path, int need_tmpdir)
1743 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1744 fatal("unveil %s", GOT_TMPDIR_STR);
1747 if (unveil(repo_path, "r") == -1)
1748 fatal("unveil %s", repo_path);
1750 if (unveil(NULL, NULL) == -1)
1755 apply_unveil_repo_readwrite(const char *repo_path)
1757 if (unveil(repo_path, "rwc") == -1)
1758 fatal("unveil %s", repo_path);
1760 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
1761 fatal("unveil %s", GOT_TMPDIR_STR);
1763 if (unveil(NULL, NULL) == -1)
1768 apply_unveil_none(void)
1770 if (unveil("/", "") == -1)
1773 if (unveil(NULL, NULL) == -1)
1778 apply_unveil_selfexec(void)
1780 if (unveil(gotd.argv0, "x") == -1)
1781 fatal("unveil %s", gotd.argv0);
1783 if (unveil(NULL, NULL) == -1)
1788 main(int argc, char **argv)
1790 const struct got_error *error = NULL;
1791 int ch, fd = -1, daemonize = 1, verbosity = 0, noaction = 0;
1792 const char *confpath = GOTD_CONF_PATH;
1793 char *argv0 = argv[0];
1795 struct passwd *pw = NULL;
1796 char *repo_path = NULL;
1797 enum gotd_procid proc_id = PROC_GOTD;
1798 struct event evsigint, evsigterm, evsighup, evsigusr1, evsigchld;
1799 int *pack_fds = NULL, *temp_fds = NULL;
1800 struct gotd_repo *repo = NULL;
1804 log_init(1, LOG_DAEMON); /* Log to stderr until daemonized. */
1806 while ((ch = getopt(argc, argv, "Adf:LnP:RsSvW")) != -1) {
1809 proc_id = PROC_AUTH;
1818 proc_id = PROC_LISTEN;
1824 repo_path = realpath(optarg, NULL);
1825 if (repo_path == NULL)
1826 fatal("realpath '%s'", optarg);
1829 proc_id = PROC_REPO_READ;
1832 proc_id = PROC_SESSION_READ;
1835 proc_id = PROC_SESSION_WRITE;
1842 proc_id = PROC_REPO_WRITE;
1855 if (geteuid() && (proc_id == PROC_GOTD || proc_id == PROC_LISTEN))
1856 fatalx("need root privileges");
1858 if (parse_config(confpath, proc_id, &gotd, 1) != 0)
1861 pw = getpwnam(gotd.user_name);
1863 fatalx("user %s not found", gotd.user_name);
1865 if (pw->pw_uid == 0)
1866 fatalx("cannot run %s as the superuser", getprogname());
1869 fprintf(stderr, "configuration OK\n");
1874 gotd.daemonize = daemonize;
1875 gotd.verbosity = verbosity;
1876 gotd.confpath = confpath;
1878 /* Require an absolute path in argv[0] for reliable re-exec. */
1879 if (!got_path_is_absolute(argv0))
1880 fatalx("bad path \"%s\": must be an absolute path", argv0);
1882 log_init(daemonize ? 0 : 1, LOG_DAEMON);
1883 log_setverbose(verbosity);
1885 if (proc_id == PROC_GOTD) {
1886 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1887 arc4random_buf(&clients_hash_key, sizeof(clients_hash_key));
1888 if (daemonize && daemon(1, 0) == -1)
1890 gotd.pid = getpid();
1891 start_listener(argv0, confpath, daemonize, verbosity);
1892 } else if (proc_id == PROC_LISTEN) {
1893 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
1895 log_info("socket: %s", gotd.unix_socket_path);
1896 log_info("user: %s", pw->pw_name);
1899 fd = unix_socket_listen(gotd.unix_socket_path, pw->pw_uid,
1902 fatal("cannot listen on unix socket %s",
1903 gotd.unix_socket_path);
1905 } else if (proc_id == PROC_AUTH) {
1906 snprintf(title, sizeof(title), "%s %s",
1907 gotd_proc_names[proc_id], repo_path);
1908 } else if (proc_id == PROC_REPO_READ || proc_id == PROC_REPO_WRITE ||
1909 proc_id == PROC_SESSION_READ || proc_id == PROC_SESSION_WRITE) {
1910 error = got_repo_pack_fds_open(&pack_fds);
1912 fatalx("cannot open pack tempfiles: %s", error->msg);
1913 error = got_repo_temp_fds_open(&temp_fds);
1915 fatalx("cannot open pack tempfiles: %s", error->msg);
1916 if (repo_path == NULL)
1917 fatalx("repository path not specified");
1918 snprintf(title, sizeof(title), "%s %s",
1919 gotd_proc_names[proc_id], repo_path);
1921 fatal("invalid process id %d", proc_id);
1923 setproctitle("%s", title);
1924 log_procinit(title);
1926 /* Drop root privileges. */
1927 if (setgid(pw->pw_gid) == -1)
1928 fatal("setgid %d failed", pw->pw_gid);
1929 if (setuid(pw->pw_uid) == -1)
1930 fatal("setuid %d failed", pw->pw_uid);
1937 /* "exec" promise will be limited to argv[0] via unveil(2). */
1938 if (pledge("stdio proc exec sendfd recvfd unveil", NULL) == -1)
1944 if (pledge("stdio sendfd unix unveil", NULL) == -1)
1948 * Ensure that AF_UNIX bind(2) cannot be used with any other
1949 * sockets by revoking all filesystem access via unveil(2).
1951 apply_unveil_none();
1953 listen_main(title, fd, gotd.connection_limits,
1954 gotd.nconnection_limits);
1959 if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
1963 * We need the "unix" pledge promise for getpeername(2) only.
1964 * Ensure that AF_UNIX bind(2) cannot be used by revoking all
1965 * filesystem access via unveil(2). Access to password database
1966 * files will still work since "getpw" bypasses unveil(2).
1968 apply_unveil_none();
1970 auth_main(title, &gotd.repos, repo_path);
1973 case PROC_SESSION_READ:
1974 case PROC_SESSION_WRITE:
1977 * The "recvfd" promise is only needed during setup and
1978 * will be removed in a later pledge(2) call.
1980 if (pledge("stdio rpath wpath cpath recvfd sendfd fattr flock "
1981 "unveil", NULL) == -1)
1984 if (proc_id == PROC_SESSION_READ)
1985 apply_unveil_repo_readonly(repo_path, 1);
1987 apply_unveil_repo_readwrite(repo_path);
1988 session_main(title, repo_path, pack_fds, temp_fds,
1989 &gotd.request_timeout, proc_id);
1992 case PROC_REPO_READ:
1994 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
1997 apply_unveil_repo_readonly(repo_path, 0);
1998 repo_read_main(title, repo_path, pack_fds, temp_fds);
2001 case PROC_REPO_WRITE:
2003 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
2006 apply_unveil_repo_readonly(repo_path, 0);
2007 repo = gotd_find_repo_by_path(repo_path, &gotd);
2009 fatalx("no repository for path %s", repo_path);
2010 repo_write_main(title, repo_path, pack_fds, temp_fds,
2011 &repo->protected_tag_namespaces,
2012 &repo->protected_branch_namespaces,
2013 &repo->protected_branches);
2017 fatal("invalid process id %d", proc_id);
2020 if (proc_id != PROC_GOTD)
2021 fatal("invalid process id %d", proc_id);
2023 evtimer_set(&gotd.listen_proc->tmo, kill_proc_timeout,
2026 apply_unveil_selfexec();
2028 signal_set(&evsigint, SIGINT, gotd_sighdlr, NULL);
2029 signal_set(&evsigterm, SIGTERM, gotd_sighdlr, NULL);
2030 signal_set(&evsighup, SIGHUP, gotd_sighdlr, NULL);
2031 signal_set(&evsigusr1, SIGUSR1, gotd_sighdlr, NULL);
2032 signal_set(&evsigchld, SIGCHLD, gotd_sighdlr, NULL);
2033 signal(SIGPIPE, SIG_IGN);
2035 signal_add(&evsigint, NULL);
2036 signal_add(&evsigterm, NULL);
2037 signal_add(&evsighup, NULL);
2038 signal_add(&evsigusr1, NULL);
2039 signal_add(&evsigchld, NULL);
2041 gotd_imsg_event_add(&gotd.listen_proc->iev);