add a privsep crypto engine Incorporate the OpenSMTPD' privsep crypto engine. The idea behind it is to never load the certificate' private keys in a networked process, instead they are loaded in a separate process (the `crypto' one) which signs payloads on the behalf of the server processes. This way, we greatly reduce the risk of leaking the certificate' private key should the server process be compromised. This currently compiles only on LibreSSL (portable fix is in the way).

fix sandbox_server_process it does the unveil(2)ing based on the first config, which breaks config-reloading.

provide sandbox_main_process on !OpenBSD

rework the daemon to do fork+exec It uses the 'common' proc.c from various OpenBSD-daemons. gmid grew organically bit by bit and it was also the first place where I tried to implement privsep. It wasn't done very well, in fact the parent process (that retains root privileges) just fork()s a generation of servers, all sharing *exactly* the same address space. No good! Now, we fork() and re-exec() ourselves, so that each process has a fresh address space. Some features (require client ca for example) are temporarly disabled, will be fixed in subsequent commits. The "ge" program is also temporarly disabled as it needs tweaks to do privsep too.

use fatal() in code used in the daemon

switch to the more usual log.c

rename log.[ch] to logger.[ch]

provide a more usual fatal fatal usually appends the error string. Add 'fatalx' that doesn't. Fix callers and move the prototypes to log.h

send capsicum/landlock/seccomp hack to Valhalla

drop landlock/seccomp and capsicum support it reached a point where this stuff is not maintenable. I'd like to move forward with gmid, but the restriction of capsicum and the linux environment at large that make landlock unusable (how can you resolve DNS portably when under landlock?) -and don't get me started on seccomp- makes it impossible for me to do any work. So, I prefer removing the crap, resuming working on gmid by cleaning stuff and consolidating the features, improving various things etc... and then eventually see how to introduce some sandboxing again on other systems. Patches to resume sandboxing are, as always, welcome!

adjust pledge/unveil on OpenBSD to connect to unix-domain sockets the `unix' pledge is needed and also unveil "w". gmid can't mutate files because it doesn't pledge `wpath' nor `cpath'.

make the various strings in the config fixed-length will help in future restructuring to have fixed-size objects.

optionally disable the sandbox on some systems The FreeBSD and Linux' sandbox can't deal with `fastcgi' and `proxy' configuration rules: new sockets needs to be opened and it's either impossible (the former) or a huge pain in the arse (the latter). The sandbox is still always used in case only static files are served.

gc sandbox_executor_process

get rid of the CGI support I really want to get rid of the `executor' process hack for CGI scripts and its escalation to allow fastcgi and proxying to work on non-OpenBSD. This drops the CGI support and the `executor' process entirely and is the first step towards gmid 2.0. It also allows to have more secure defaults. On non-OpenBSD systems this means that the sandbox will be deactivated as soon as fastcgi or proxying are used: you can't open sockets under FreeBSD' capsicum(4) and I don't want to go thru the pain of making it work under linux' seccomp/landlock. Patches are always welcome however. For folks using CGI scripts (hey, I'm one of you!) not all hope is lost: fcgiwrap or OpenBSD' slowcgi(8) are ways to run CGI scripts as they were FastCGI applications. fixes for the documentation and to the non-OpenBSD sandboxes will follow.