summaryrefslogtreecommitdiff
path: root/daemon.c
Commit message (Collapse)AuthorAgeFilesLines
* daemon: extend user-relative path notation.Junio C Hamano2006-02-051-7/+42
| | | | | | | | | | | | | | | | | | | Earlier, we made --base-path to automatically forbid user-relative paths, which was probably a mistake. This introduces --user-path (or --user-path=path) option to control the use of user-relative paths independently. The latter form of the option can be used to restrict accesses to a part of each user's home directory, similar to "public_html" some webservers supports. If we're invoked with --user-path=FOO option, then a URL of the form git://~USER/PATH/... resolves to the path HOME/FOO/PATH/..., where HOME is USER's home directory. [jc: This is much reworked by me so bugs are mine, but the original patch was done by Mark Wooding.] Signed-off-by: Junio C Hamano <junkio@cox.net>
* daemon: Set SO_REUSEADDR on listening sockets.Mark Wooding2006-02-051-1/+26
| | | | | | | | | | | Without this, you can silently lose the ability to receive IPv4 connections if you stop and restart the daemon. [jc: tweaked code organization a bit and made this controllable from a command line option.] Signed-off-by: Mark Wooding <mdw@distorted.org.uk> Signed-off-by: Junio C Hamano <junkio@cox.net>
* daemon: do not forbid user relative paths unconditionally under --base-pathJunio C Hamano2006-02-051-4/+8
| | | | | | | | Using base-path to relocate the server public space does not have anything to do with allowing or forbidding user relative paths. Signed-off-by: Junio C Hamano <junkio@cox.net>
* daemon: Provide missing argument for logerror() call.Mark Wooding2006-02-031-1/+1
| | | | | | | | | | Could cause a crash if --base-path set. Unlikely to be a security the concern: message doesn't go to the client, so we can't leak anything (except by dumping core), and we've already forked, so it's not a denial of service. Signed-off-by: Mark Wooding <mdw@distorted.org.uk> Signed-off-by: Junio C Hamano <junkio@cox.net>
* Exec git programs without using PATH.Michal Ostrowski2006-01-131-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | The git suite may not be in PATH (and thus programs such as git-send-pack could not exec git-rev-list). Thus there is a need for logic that will locate these programs. Modifying PATH is not desirable as it result in behavior differing from the user's intentions, as we may end up prepending "/usr/bin" to PATH. - git C programs will use exec*_git_cmd() APIs to exec sub-commands. - exec*_git_cmd() will execute a git program by searching for it in the following directories: 1. --exec-path (as used by "git") 2. The GIT_EXEC_PATH environment variable. 3. $(gitexecdir) as set in Makefile (default value $(bindir)). - git wrapper will modify PATH as before to enable shell scripts to invoke "git-foo" commands. Ideally, shell scripts should use the git wrapper to become independent of PATH, and then modifying PATH will not be necessary. [jc: with minor updates after a brief review.] Signed-off-by: Michal Ostrowski <mostrows@watson.ibm.com> Signed-off-by: Junio C Hamano <junkio@cox.net>
* git-daemon --base-pathPetr Baudis2006-01-071-1/+20
| | | | | | | | | | Tommi Virtanen expressed a wish on #git to be able to use short and elegant git URLs by making git-daemon 'root' in a given directory. This patch implements this, causing git-daemon to interpret all paths relative to the given base path if any is given. Signed-off-by: Petr Baudis <pasky@suse.cz> Signed-off-by: Junio C Hamano <junkio@cox.net>
* [PATCH] daemon.c and path.enter_repo(): revamp path validation.Junio C Hamano2005-12-031-4/+60
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The whitelist of git-daemon is checked against return value from enter_repo(), and enter_repo() used to return the value obtained from getcwd() to avoid directory aliasing issues as discussed earier (mid October 2005). Unfortunately, it did not go well as we hoped. For example, /pub on a kernel.org public machine is a symlink to its real mountpoint, and it is understandable that the administrator does not want to adjust the whitelist every time /pub needs to point at a different partition for storage allcation or whatever reasons. Being able to keep using /pub/scm as the whitelist is a desirable property. So this version of enter_repo() reports what it used to chdir() and validate, but does not use getcwd() to canonicalize the directory name. When it sees a user relative path ~user/path, it internally resolves it to try chdir() there, but it still reports ~user/path (possibly after appending .git if allowed to do so, in which case it would report ~user/path.git). What this means is that if a whitelist wants to allow a user relative path, it needs to say "~" (for all users) or list user home directories like "~alice" "~bob". And no, you cannot say /home if the advertised way to access user home directories are ~alice,~bob, etc. The whole point of this is to avoid unnecessary aliasing issues. Anyway, because of this, daemon needs to do a bit more work to guard itself. Namely, it needs to make sure that the accessor does not try to exploit its leading path match rule by inserting /../ in the middle or hanging /.. at the end. I resurrected the belts and suspender paranoia code HPA did for this purpose. This check cannot be done in the enter_repo() unconditionally, because there are valid callers of enter_repo() that want to honor /../; authorized users coming over ssh to run send-pack and fetch-pack should be allowed to do so. Signed-off-by: Junio C Hamano <junkio@cox.net>
* git-daemon not listening when compiled with -DNO_IPV6Paul Serice2005-11-211-0/+6
| | | | | | | | git-daemon was not listening when compiled with -DNO_IPV6. socksetup() was not returning socket count when compiled with -DNO_IPV6. Signed-off-by: Paul Serice <paul@serice.net> Signed-off-by: Junio C Hamano <junkio@cox.net>
* daemon: further tweaks.Junio C Hamano2005-11-211-16/+12
| | | | | | | - Do validation only on canonicalized paths - Run upload-pack with "." as repository argument Signed-off-by: Junio C Hamano <junkio@cox.net>
* git-daemon support for user-relative paths.Andreas Ericsson2005-11-211-82/+54
| | | | | | | | | | | | | | Dropped a fair amount of reundant code in favour of the library code in path.c Added option --strict-paths with documentation, with backwards compatibility for whitelist entries with symlinks. Everything that worked earlier still works insofar as I have remembered testing it. Signed-off-by: Andreas Ericsson <ae@op5.se> Signed-off-by: Junio C Hamano <junkio@cox.net>
* daemon.c: fix arg parsing bugsAndreas Ericsson2005-11-161-2/+6
| | | | | | | | | | | Allow --init-timeout and --timeout to be specified without falling through to usage(). Make sure openlog() is called even if implied by --inetd, or messages will be sent to wherever LOG_USER ends up. Signed-off-by: Andreas Ericsson <ae@op5.se> Signed-off-by: Junio C Hamano <junkio@cox.net>
* git-daemon: --inetd implies --syslogAndreas Ericsson2005-11-151-2/+3
| | | | | | | Otherwise nothing is logged anywhere, which is a Bad Thing. Signed-off-by: Andreas Ericsson <ae@op5.se> Signed-off-by: Junio C Hamano <junkio@cox.net>
* fix daemon.c to compile on OpenBSDRandal L. Schwartz2005-10-251-2/+2
| | | | | | | | I can confirm that the following patch lets the current origin compile on OpenBSD. If you could apply this until you sort out the rest of the namespace issue, I would be happy. Thanks. Signed-off-by: Junio C Hamano <junkio@cox.net>
* Merge branch 'fixes'Junio C Hamano2005-10-201-6/+6
|\
| * daemon.c: remove trailing whitespace.Junio C Hamano2005-10-201-2/+2
| | | | | | | | Signed-off-by: Junio C Hamano <junkio@cox.net>
* | Fix git-daemon argument-parsing bugH. Peter Anvin2005-10-201-1/+1
| | | | | | | | | | | | | | Fix stupid bug in parsing the --init-timeout option. Signed-off-by: H. Peter Anvin <hpa@zytor.com> Signed-off-by: Junio C Hamano <junkio@cox.net>
* | git-daemon poll() spinning out of controlJens Axboe2005-10-201-1/+1
| | | | | | | | | | | | | | | | | | | | With the '0' timeout given to poll, it returns instantly without any events on my system, causing git-daemon to consume all the CPU time. Use -1 as the timeout so poll() only returns in case of EINTR or actually events being available. Signed-off-by: Jens Axboe <axboe@suse.de> Signed-off-by: Junio C Hamano <junkio@cox.net>
* | git-daemon: timeout, eliminate double DWIMH. Peter Anvin2005-10-191-2/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It turns out that not only did git-daemon do DWIM, but git-upload-pack does as well. This is bad; security checks have to be performed *after* canonicalization, not before. Additionally, the current git-daemon can be trivially DoSed by spewing SYNs at the target port. This patch adds a --strict option to git-upload-pack to disable all DWIM, a --timeout option to git-daemon and git-upload-pack, and an --init-timeout option to git-daemon (which is typically set to a much lower value, since the initial request should come immediately from the client.) Signed-off-by: H. Peter Anvin <hpa@zytor.com> Signed-off-by: Junio C Hamano <junkio@cox.net>
* | revised^2: git-daemon extra paranoia, and path DWIMH. Peter Anvin2005-10-181-21/+57
| | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds some extra paranoia to the git-daemon filename test. In particular, it now rejects pathnames containing //; it also adds a redundant test for pathname absoluteness (belts and suspenders.) A single / at the end of the path is still permitted, however, and the .git and /.git append DWIM stuff is now handled in an integrated manner, which means the resulting path will always be subjected to pathname checks. Signed-off-by: H. Peter Anvin <hpa@zytor.com> Signed-off-by: Junio C Hamano <junkio@cox.net>
* | Create object subdirectories on demandLinus Torvalds2005-10-081-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This makes it possible to have a "sparse" git object subdirectory structure, something that has become much more attractive now that people use pack-files all the time. As a result of pack-files, a git object directory doesn't necessarily have any individual objects lying around, and in that case it's just wasting space to keep the empty first-level object directories around: on many filesystems the 256 empty directories will be aboue 1MB of diskspace. Even more importantly, after you re-pack a project that _used_ to be unpacked, you could be left with huge directories that no longer contain anything, but that waste space and take time to look through. With this change, "git prune-packed" can just do an rmdir() on the directories, and they'll get removed if empty, and re-created on demand. This patch also tries to fix up "write_sha1_from_fd()" to use the new common infrastructure for creating the object files, closing a hole where we might otherwise leave half-written objects in the object database. [jc: I unoptimized the part that really removes the fan-out directories to ease transition. init-db still wastes 1MB of diskspace to hold 256 empty fan-outs, and prune-packed rmdir()'s the grown but empty directories, but runs mkdir() immediately after that -- reducing the saving from 150KB to 146KB. These parts will be re-introduced when everybody has the on-demand capability.] Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Junio C Hamano <junkio@cox.net>
* | Move signal setting into service_loop()H. Peter Anvin2005-09-301-2/+2
| |
* | socklen_t is unsigned int on most Linux platformsH. Peter Anvin2005-09-301-1/+1
| |
* | Use xmalloc/xcallocH. Peter Anvin2005-09-301-6/+2
| |
* | Don't need <alloca.h>H. Peter Anvin2005-09-301-1/+0
| |
* | Merge with master.kernel.org:/pub/scm/git/git.gitH. Peter Anvin2005-09-301-2/+2
|\ \ | |/
| * [PATCH] Make logerror() and loginfo() staticPavel Roskin2005-09-291-2/+2
| | | | | | | | | | | | | | | | | | | | | | Make logerror() and loginfo() static logerror() and loginfo() in daemon.c are never declared and never called from other files, therefore they should be declared static. Found by sparse. Signed-off-by: Pavel Roskin <proski@gnu.org> Signed-off-by: Junio C Hamano <junkio@cox.net>
* | Remove variables not needed when using pollPeter Anvin2005-09-281-4/+0
| |
* | NO_IPV6 support for git daemonPeter Anvin2005-09-281-16/+75
|/
* Restore chdir(".git")H. Peter Anvin2005-09-271-0/+2
|
* Support a modicum of path validation, and allow an export all trees option.H. Peter Anvin2005-09-261-5/+67
|
* [PATCH] Rename daemon.c's lognotice() to loginfo()Petr Baudis2005-09-241-3/+3
| | | | | | | | The syslog code logs with severity LOG_INFO in the loginfo() function, so make things less confusing. Signed-off-by: Petr Baudis <pasky@suse.cz> Signed-off-by: Junio C Hamano <junkio@cox.net>
* [PATCH] git-daemon --syslog to log through syslogPetr Baudis2005-09-241-7/+27
| | | | | | | | | | | | Well, this makes it even more clear that we need the packet reader and friends to use the daemon logging code. :/ Therefore, we at least indicate in the "Disconnect" log message if the child process exitted with an error code or not. Idea by Linus. Signed-off-by: Petr Baudis <pasky@suse.cz> Signed-off-by: Junio C Hamano <junkio@cox.net>
* daemon.c: pid_t is not int.Junio C Hamano2005-09-231-1/+1
| | | | | | Reported by Morten Welinder <mwelinder@gmail.com>. Signed-off-by: Junio C Hamano <junkio@cox.net>
* [PATCH] Verbose git-daemon loggingPetr Baudis2005-09-221-4/+90
| | | | | | | | | | | | | | | This patch makes git-daemon --verbose log some useful things on stderr - in particular connects, disconnects and upload requests, and in such a way to be able to trace a particular session. Some more errors are now also logged (even when --verbose is not passed). It is still not perfect since messages produced by the non-daemon-specific code are obviously not formatted properly. [jc: With minor fix up in the log line truncation, and use of write(2) as suggested by Linus.] Signed-off-by: Petr Baudis <pasky@suse.cz> Signed-off-by: Junio C Hamano <junkio@cox.net>
* Use int instead of socklen_tJunio C Hamano2005-09-111-4/+4
| | | | | | | | | | | | | | This should work around the compilation problem Johannes Schindelin and others had on Mac OS/X. Quoting Linus: Any operating system where socklen_t is anything else than "int" is terminally broken. The people who introduced that typedef were confused, and I actually had to argue with them that it was fundamentally wrong: there is no other valid type than "int" that makes sense for it. Signed-off-by: Junio C Hamano <junkio@cox.net>
* [PATCH] git-daemon --inetdlars.doelle@on-line.de2005-09-071-1/+3
| | | | | | | | | | | | git-daemon using inetd. does not work properly. inetd routes stderr onto the network line just like stdout, which was apparently not expected to be so. As the result of this, the stream is closed by the receiver, because some "Packing %d objects\n" originating from pack_objects is first reported over the line instead of the expected pack_header, and so the SIGNATURE test fails. Here is a workaround. Signed-off-by: Junio C Hamano <junkio@cox.net>
* Include sys/time.h in daemon.c.Jason Riedy2005-08-231-0/+1
| | | | | | | Some systems and feature levels want sys/time.h for fd_set functionality. Signed-off-by: Jason Riedy <ejr@cs.berkeley.edu>
* daemon.c: squelch error message from EINTRJunio C Hamano2005-08-051-2/+5
| | | | | | | | | | | | | | | Every time after servicing the connection, select() first fails with EINTR and ends up waiting for one second before serving the next client. The sleep() was placed by the original author per suggestion from the list to avoid spinning on failing select, but at least this EINTR situation should not result in "at most one client per second" service limit. I am not sure if this is the right fix, but WTH. The king penguin says that serious people would run the daemon under inetd anyway, and I agree with that. Signed-off-by: Junio C Hamano <junkio@cox.net>
* [PATCH] Fix sparse warningsLinus Torvalds2005-08-011-2/+2
| | | | | | | | | | A few sparse warnings have crept in again since I checked last time: undeclared variables with global scope. Fix them by marking the private variables properly "static". Signed-off-by: Linus Torvalds <torvalds@osdl.org> Signed-off-by: Junio C Hamano <junkio@cox.net>
* [PATCH] GIT: Listen on IPv6 as well, if available.YOSHIFUJI Hideaki2005-07-271-31/+100
| | | | | Signed-off-by: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org> Signed-off-by: Junio C Hamano <junkio@cox.net>
* Be slightly smarter about git-daemon client shutdownLinus Torvalds2005-07-151-20/+38
| | | | | | Shut down connections that haven't even identified themselves as git clients first. That should get rid of people who just connect to the port and wait for something to happen.
* git-daemon: actually remember the children we have outstandingLinus Torvalds2005-07-151-21/+121
| | | | | | | | This is using a lockless approach that allows us to handle children dying without having to block SIGCHLD. Right now our "solution" to too many kids is pretty damn rough, but it at least shows what you can do.
* git-daemon: keep track of childrenLinus Torvalds2005-07-151-1/+43
| | | | | We don't want them as zombies, and eventually we'll want to limit their number. Right now we just count them.
* Add "--inetd" flag to git-daemonLinus Torvalds2005-07-151-1/+11
| | | | | All credit go to Alexey Nezhdanov <snake@penza-gsm.ru>, I just ended up re-implementing his idea.
* git-daemon: re-organize code a bit for --inetd flagLinus Torvalds2005-07-151-10/+10
| | | | | | | Alexey Nezhdanov sent a patch that made git-daemon usable from inetd (ie where inetd has already done the accept on the new connection, the fork, and the setup of stdin/stdout). I wanted to organize the thing slightly differently, though.
* Add a "git-daemon" that listens on a TCP portLinus Torvalds2005-07-131-0/+117
.. and does a "git-upload-pack" on demand.