Commit Briefs

Thomas Adam

document the gotd -n option


Thomas Adam

gotd: move socket path check to parse.y and error from the main process

It's handy to have a "bad unix socket path" error being reported directly from the main process since can get caught by `gotd -n'. ok jamsek stsp


Thomas Adam

gotd: move nrepos check to parse_config

ok jamsek stsp


Thomas Adam

gotd: print configuration errors without -d

Defer the absolute path check on argv[0] and log_init so that it becomes possible to run `gotd -n' to check the configuration file and get errors without specifying -d. Erorrs in the configuration now are actually always printed regardless of -d. While here also tweak an error message and print 'configuration OK' if -n ok stsp@



Thomas Adam

update client state tracking in the gotd parent process

The session process takes over the old state definitions under a new name ("session state"). The parent only needs to keep track of whether a client has been granted access, so it only uses two states: NEW, and ACCCESS_GRANTED which is set as soon as the auth process has granted repository access and before the session and repo_read/repo_write children are started. Because 'gotctl info' can no longer observe the session state remove support code for printing it. ok op@


Thomas Adam

remove support for showing client capabilities in 'gotctl info'

The gotd parent process has lost access to client capabilities. Take the easy way out and remove related code. If needed, client capabilities can still be found in the debug log with 'gotd -v'. ok op, jamsek



Thomas Adam

add a gotd session process, split off from the parent process

The new session process is able to manipulate files in the repository and keeps track of the read/write client session state. The parent process now restricts its view of the filesystem to the absolute path stored in argv[0], and combines this with unveil "x" on this path. As a result the parent process can only re-exec itself. small tweaks + ok op@


Thomas Adam

call realpath() during early startup in gotd's parse.y

This ensures that all repositories exist when the process is first started. It will also help to avoid an "rpath" pledge promise in a future gotd which uses a separate session process, by avoiding realpath() calls while starting new processes.




Thomas Adam

revoke filesystem access in gotd listen process via unveil(2)

This should avoid involuntary use of bind(2) with arbitrary socket paths. ok op@


Thomas Adam

expose 'gotctl info' output only to the root user

Now that anyone can connect to the socket, it is probably safer to expose information about currently connected clients only to root.


Thomas Adam

remove the gotsh group requirement from gotd; any user can now connect

Repository access is now controlled by access rules in gotd.conf, and concurrent connections to the gotd socket by local users are limited by the listen process. We should keep refining our anti-DoS measures in the future, but at least we have something in place now. ok jamsek, op


Thomas Adam

introduce connection options to gotd.conf

Allow administrators to tweak the default authentication and request timeouts if needed, and to tweak the limit of concurrent connections for specific user accounts. with several tweaks from and ok op@


Thomas Adam

fmt


Thomas Adam

gotd: nix trailing whitespace and indentation fix

ok op@, stsp@


Thomas Adam

remove filesystem access via bind(2) from gotd auth process

op@ pointed out a problem in my initial patch where I forgot to call unveil(2) with a path before unveil(NULL, NULL). ok op, jamsek


Thomas Adam

move "unix" pledge promise from gotd parent to auth process

The listen process now communicates the client UID/GID to the parent, and the auth process verifies this on behalf of the parent. This allows us to remove the "unix" pledge promise from the parent, removing parent access to syscalls such as listen() and accept() in the AF_UNIX domain. ok tracey@ op@


Thomas Adam

fix gotd authentication timeout

The authentication timeout was accidentally overriden by the request timeout. Fix this and set both timeouts in the same place for clarity. ok op@


Thomas Adam

run gotd authentication in a separate child process

ok op@


Thomas Adam

fork gotd repo_read/repo_write children on demand

ok op, jamsek


Thomas Adam

gotd: tweak error message if getpwnam fails

errno may not be set to something interesting so switch to fatalx, and simplify the error message (knowing the failed function, which is also wrong, doesn't buy much here.) ok jamsek


Thomas Adam

switch gotd from chroot(2) to unveil(2)

In the future, gotd will fork+exec new processes for each client connection. Using unveil instead of chroot avoids having to start such processes as root. The -portable version could use chroot(2) where no equivalent to unveil(2) exists. A future component which starts new processes will be isolated as a separate process, which could run as root in the -portable version. ok op@