Commits
- Commit:
a84492b75fb7c7e1a9986f7f1f70384243406c3a
- From:
- Omar Polo <op@omarpolo.com>
- Date:
ge->gemexp forgotten in previous
- Commit:
471a5250e3d1df76765e22d14065363818084be6
- From:
- Omar Polo <op@omarpolo.com>
- Date:
rename ge -> gemexp in regress too
- Commit:
60b4efa1e2df8b5465deaec5c5493e1b2bf6a6c4
- From:
- Omar Polo <op@omarpolo.com>
- Date:
add a test for the file logging
- Commit:
60f4107da6ed88a34867cdcbf63794b5dc039f94
- From:
- Omar Polo <op@omarpolo.com>
- Date:
add a test with fastcgi, locations and forceful disabling
- Commit:
fdd67729b45c7073be9ea1720cbadbaae8f0d112
- From:
- Omar Polo <op@omarpolo.com>
- Date:
adjust syntax in fastcgi test; add another test for the old syntax
- Commit:
57ee9057af1b363adf2f20ca08806a9bb39a484a
- From:
- Omar Polo <op@omarpolo.com>
- Date:
add some ideas
- Commit:
9adeb265792f0049321c34bf9e32674b0be65942
- From:
- Omar Polo <op@omarpolo.com>
- Date:
re-establish fastcgi test
- Commit:
deadd9e1311204415754dcfa404bec4bf3cd557c
- From:
- Omar Polo <op@omarpolo.com>
- Date:
readd proxy certs and `require client ca' support
Was temporarily disabled during the transition to real privsep.
While here, fix a memory leak when using `require client ca'.
Also, avoid leaking info about the parent address space layout to
server processes by not sending pointer values.
- Commit:
797c4609a9b9923e8d15413f7412cf2bf4bb6ce5
- From:
- Omar Polo <op@omarpolo.com>
- Date:
make ge work again
- Commit:
c26f2460e42aa0822c283c805958989f339e7d8b
- From:
- Omar Polo <op@omarpolo.com>
- Date:
rework the daemon to do fork+exec
It uses the 'common' proc.c from various OpenBSD-daemons.
gmid grew organically bit by bit and it was also the first place where I
tried to implement privsep. It wasn't done very well, in fact the
parent process (that retains root privileges) just fork()s a generation
of servers, all sharing *exactly* the same address space. No good!
Now, we fork() and re-exec() ourselves, so that each process has a fresh
address space.
Some features (require client ca for example) are temporarily disabled,
will be fixed in subsequent commits. The "ge" program is also
temporarily disabled as it needs tweaks to do privsep too.
- Commit:
a4180f1d0b6e620058962ae93ce921c88b374d53
- From:
- Omar Polo <op@omarpolo.com>
- Date:
disable test_unknown_host temporarily
breaks on some distro and needs further investigations; it's not that
interesting fortunately.
- Commit:
a5fb2593a9ab1c6cc4ae027924724dd2714f7fe1
- From:
- Omar Polo <op@omarpolo.com>
- Date:
adjust regress to use `ge' for the old configless test
- Commit:
d29a2ee2246e1b1b0c5222a823820e42422c894e
- From:
- Omar Polo <op@omarpolo.com>
- Date:
get rid of the CGI support
I really want to get rid of the `executor' process hack for CGI scripts
and its escalation to allow fastcgi and proxying to work on non-OpenBSD.
This drops the CGI support and the `executor' process entirely and is
the first step towards gmid 2.0. It also allows having more secure
defaults.
On non-OpenBSD systems this means that the sandbox will be deactivated
as soon as fastcgi or proxying are used: you can't open sockets under
FreeBSD's capsicum(4) and I don't want to go thru the pain of making it
work under Linux's seccomp/landlock. Patches are always welcome however.
For folks using CGI scripts (hey, I'm one of you!) not all hope is lost:
fcgiwrap or OpenBSD's slowcgi(8) are ways to run CGI scripts as if they were
FastCGI applications.
Fixes for the documentation and to the non-OpenBSD sandboxes will
follow.
- Commit:
fb1212266f366f457b0c142869b8095213fc5b96
- From:
- Omar Polo <op@omarpolo.com>
- Date:
add tests for the type block
- Commit:
1ca7a0f3bfa18beaeae28cae9afe64bad617dff4
- From:
- Anna “CyberTailor” <cyber@sysrq.in>
- Via:
- Omar Polo <op@omarpolo.com>
- Date:
don't skip unit tests when SKIP_RUNTIME_TESTS is set
IRI and Punycode tests don't run gmid binary and can be safely executed.