It will soon grow functions to deal with sha256 too. stsp@ agrees.

In preparation for wide sha256 support; stsp@ agrees. Change done mechanically with find . -iname \*.[cy] -exec sam {} + X ,x/<sha1\.h>/i/\n#include <sha2.h>

Sending a DISCONNECT message to the repo process and then killing it and freeing its structure won't work. The message ends up on internal libevent queues and will soon crash because we have freed the memory for the event structre. Sending that message is a leftover from the times when the repo procs were persistent.

"function declaration isn't a prototype" should fix the error seen by tracey@ on sparc64

We have observed gotd exiting after "cannot find client for fd N" errors. If this occurs then we are likely in the process of disconnecting a client session while processing an event from a child process. Treat the above error as non-fatal and stop processing more events from the child process.

ok op, jamsek

Otherwise gotd keeps the (client-closed) sockets around and may prevent new connections from being established since they still count for the limits. ok jamsek, stsp

It's handy to have a "bad unix socket path" error being reported directly from the main process since can get caught by `gotd -n'. ok jamsek stsp

ok jamsek stsp

Defer the absolute path check on argv[0] and log_init so that it becomes possible to run `gotd -n' to check the configuration file and get errors without specifying -d. Erorrs in the configuration now are actually always printed regardless of -d. While here also tweak an error message and print 'configuration OK' if -n ok stsp@

ok op@

The session process takes over the old state definitions under a new name ("session state"). The parent only needs to keep track of whether a client has been granted access, so it only uses two states: NEW, and ACCCESS_GRANTED which is set as soon as the auth process has granted repository access and before the session and repo_read/repo_write children are started. Because 'gotctl info' can no longer observe the session state remove support code for printing it. ok op@

The gotd parent process has lost access to client capabilities. Take the easy way out and remove related code. If needed, client capabilities can still be found in the debug log with 'gotd -v'. ok op, jamsek

The new session process is able to manipulate files in the repository and keeps track of the read/write client session state. The parent process now restricts its view of the filesystem to the absolute path stored in argv[0], and combines this with unveil "x" on this path. As a result the parent process can only re-exec itself. small tweaks + ok op@

This ensures that all repositories exist when the process is first started. It will also help to avoid an "rpath" pledge promise in a future gotd which uses a separate session process, by avoiding realpath() calls while starting new processes.

This should avoid involuntary use of bind(2) with arbitrary socket paths. ok op@

Now that anyone can connect to the socket, it is probably safer to expose information about currently connected clients only to root.

Repository access is now controlled by access rules in gotd.conf, and concurrent connections to the gotd socket by local users are limited by the listen process. We should keep refining our anti-DoS measures in the future, but at least we have something in place now. ok jamsek, op

Allow administrators to tweak the default authentication and request timeouts if needed, and to tweak the limit of concurrent connections for specific user accounts. with several tweaks from and ok op@