Commit Briefs
gotd: disconnect on client EOF too
Otherwise gotd keeps the (client-closed) sockets around and may prevent new connections from being established since they still count for the limits. ok jamsek, stsp
gotd: move socket path check to parse.y and error from the main process
It's handy to have a "bad unix socket path" error being reported directly from the main process since can get caught by `gotd -n'. ok jamsek stsp
gotd: move nrepos check to parse_config
ok jamsek stsp
gotd: print configuration errors without -d
Defer the absolute path check on argv[0] and log_init so that it becomes possible to run `gotd -n' to check the configuration file and get errors without specifying -d. Erorrs in the configuration now are actually always printed regardless of -d. While here also tweak an error message and print 'configuration OK' if -n ok stsp@
update client state tracking in the gotd parent process
The session process takes over the old state definitions under a new name ("session state"). The parent only needs to keep track of whether a client has been granted access, so it only uses two states: NEW, and ACCCESS_GRANTED which is set as soon as the auth process has granted repository access and before the session and repo_read/repo_write children are started. Because 'gotctl info' can no longer observe the session state remove support code for printing it. ok op@
remove support for showing client capabilities in 'gotctl info'
The gotd parent process has lost access to client capabilities. Take the easy way out and remove related code. If needed, client capabilities can still be found in the debug log with 'gotd -v'. ok op, jamsek
add a gotd session process, split off from the parent process
The new session process is able to manipulate files in the repository and keeps track of the read/write client session state. The parent process now restricts its view of the filesystem to the absolute path stored in argv[0], and combines this with unveil "x" on this path. As a result the parent process can only re-exec itself. small tweaks + ok op@
call realpath() during early startup in gotd's parse.y
This ensures that all repositories exist when the process is first started. It will also help to avoid an "rpath" pledge promise in a future gotd which uses a separate session process, by avoiding realpath() calls while starting new processes.
revoke filesystem access in gotd listen process via unveil(2)
This should avoid involuntary use of bind(2) with arbitrary socket paths. ok op@
expose 'gotctl info' output only to the root user
Now that anyone can connect to the socket, it is probably safer to expose information about currently connected clients only to root.