Commit Graph

64 Commits

Author SHA1 Message Date
Junio C Hamano
d819e4e682 daemon: prepare for multiple services.
This adds an infrastructure to selectively enable and disable
more than one service in git-daemon.  Currently upload-pack
service, which serves the git-fetch-pack and git-peek-remote
clients, is the only service that is defined.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-08-27 23:32:36 -07:00
Junio C Hamano
d5d0a0e748 Merge branch 'ts/daemon'
* ts/daemon:
  Added support for dropping privileges to git-daemon.
2006-08-27 17:51:42 -07:00
Jonas Fonseca
83572c1a91 Use xrealloc instead of realloc
Change places that use realloc, without a proper error path, to instead use
xrealloc. Drop an erroneous error path in the daemon code that used errno
in the die message in favour of the simpler xrealloc.

Signed-off-by: Jonas Fonseca <fonseca@diku.dk>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-08-26 17:54:06 -07:00
Tilman Sauerbeck
678dac6b45 Added support for dropping privileges to git-daemon.
Signed-off-by: Tilman Sauerbeck <tilman@code-monkey.de>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-08-22 16:40:40 -07:00
David Rientjes
96f1e58f52 remove unnecessary initializations
[jc: I needed to hand merge the changes to the updated codebase,
 so the result needs to be checked.]

Signed-off-by: David Rientjes <rientjes@google.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-08-15 21:22:20 -07:00
Matthias Lederhofer
6c35119ac7 daemon: documentation for --reuseaddr, --detach and --pid-file
Signed-off-by: Matthias Lederhofer <matled@gmx.net>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-07-27 13:55:31 -07:00
Matthias Lederhofer
a5262768e1 daemon: new option --detach to run git-daemon in background
Signed-off-by: Matthias Lederhofer <matled@gmx.net>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-07-13 21:50:46 -07:00
Matthias Lederhofer
45ed5d7f4c daemon: new option --pid-file=<path> to store the pid
Signed-off-by: Matthias Lederhofer <matled@gmx.net>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-07-13 21:50:41 -07:00
Matthias Lederhofer
258e93a155 daemon: if one of the standard fds is missing open it to /dev/null
Signed-off-by: Matthias Lederhofer <matled@gmx.net>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-07-13 21:50:20 -07:00
Matthias Lederhofer
ad8b4f56b5 daemon: use a custom die routine with syslog
Removed the git-daemon prefix from die() because no other call to die
does this.

Signed-off-by: Matthias Lederhofer <matled@gmx.net>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-07-13 21:50:14 -07:00
Timo Hirvonen
554fe20d80 Make some strings const
Signed-off-by: Timo Hirvonen <tihirvon@gmail.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-06-28 03:24:37 -07:00
Junio C Hamano
78831b40d6 Merge branch 'jc/upload-corrupt' into next
* jc/upload-corrupt:
  daemon: send stderr to /dev/null instead of closing.
2006-06-21 16:38:11 -07:00
Junio C Hamano
ba0012c367 daemon: send stderr to /dev/null instead of closing.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-06-21 16:37:48 -07:00
Junio C Hamano
ad9f72a704 Merge branch 'master' into next
* master:
  checkout -f: do not leave untracked working tree files.
  Log peer address when git-daemon called from inetd
2006-06-21 01:24:45 -07:00
David Woodhouse
5b276ee4fb Log peer address when git-daemon called from inetd
When we run git-daemon from inetd, even with the --verbose option, it
doesn't log the peer address. That logic was only in the standalone
daemon code -- move it to the execute() function instead. Tested with
both IPv6 and Legacy IP clients, in both inetd and daemon mode.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Acked-by: Jon Loeliger <jdl@jdl.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-06-20 22:19:29 -07:00
Junio C Hamano
f0b7367cb1 Restore SIGCHLD to SIG_DFL where we care about waitpid().
It was reported that under one implementation of socks client
"git clone" fails with "error: waitpid failed (No child processes)",
because "git" is spawned after setting SIGCHLD to SIG_IGN.

Arguably it may be a broken setting, but we should protect
ourselves so that we can get reliable results from waitpid() for
the children we care about.

This patch resets SIGCHLD to SIG_DFL in three places:

 - connect.c::git_connect() - initiators of git native
   protocol transfer are covered with this.

 - daemon.c::main() - obviously.

 - merge-index.c::main() - obviously.

There are other programs that do fork() but do not waitpid():
http-push, imap-send.  upload-pack does not either, but in the
case of that program, each of the forked halves runs exec()
another program, so this change would not have much effect
there.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-06-19 18:44:58 -07:00
Jon Loeliger
5ad312bede Refactor git_tcp_connect() functions a little.
Add client side sending of "\0host=%s\0" extended
arg for git native protocol, backwards compatibly.

Signed-off-by: Jon Loeliger <jdl@jdl.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-06-06 21:44:39 -07:00
Serge E. Hallyn
0032d548db socksetup: don't return on set_reuse_addr() error
The set_reuse_addr() error case was the only error case in
socklist() where we returned rather than continued.  Not sure
why.  Either we must free the socklist, or continue.  This patch
continues on error.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-04-18 14:39:28 -07:00
Junio C Hamano
603968d22b daemon: extend user-relative path notation.
Earlier, we made --base-path to automatically forbid
user-relative paths, which was probably a mistake.  This
introduces --user-path (or --user-path=path) option to control
the use of user-relative paths independently.  The latter form
of the option can be used to restrict accesses to a part of each
user's home directory, similar to "public_html" some webservers
support.

If we're invoked with --user-path=FOO option, then a URL of the
form git://~USER/PATH/... resolves to the path HOME/FOO/PATH/...,
where HOME is USER's home directory.

[jc: This is much reworked by me so bugs are mine, but the
 original patch was done by Mark Wooding.]

Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-02-05 16:51:01 -08:00
Mark Wooding
1955fabf41 daemon: Set SO_REUSEADDR on listening sockets.
Without this, you can silently lose the ability to receive IPv4
connections if you stop and restart the daemon.

[jc: tweaked code organization a bit and made this controllable
 from a command line option.]

Signed-off-by: Mark Wooding <mdw@distorted.org.uk>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-02-05 16:51:01 -08:00
Junio C Hamano
363f24c936 daemon: do not forbid user relative paths unconditionally under --base-path
Using base-path to relocate the server public space does not
have anything to do with allowing or forbidding user relative
paths.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-02-05 16:51:01 -08:00
Mark Wooding
1fda3d557b daemon: Provide missing argument for logerror() call.
Could cause a crash if --base-path set.  Unlikely to be a security
concern: message doesn't go to the client, so we can't leak anything
(except by dumping core), and we've already forked, so it's not a denial
of service.

Signed-off-by: Mark Wooding <mdw@distorted.org.uk>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-02-03 23:33:20 -08:00
Michal Ostrowski
77cb17e940 Exec git programs without using PATH.
The git suite may not be in PATH (and thus programs such as
git-send-pack could not exec git-rev-list).  Thus there is a need for
logic that will locate these programs.  Modifying PATH is not
desirable as it results in behavior differing from the user's
intentions, as we may end up prepending "/usr/bin" to PATH.

- git C programs will use exec*_git_cmd() APIs to exec sub-commands.
- exec*_git_cmd() will execute a git program by searching for it in
  the following directories:
	1. --exec-path (as used by "git")
	2. The GIT_EXEC_PATH environment variable.
	3. $(gitexecdir) as set in Makefile (default value $(bindir)).
- git wrapper will modify PATH as before to enable shell scripts to
  invoke "git-foo" commands.

Ideally, shell scripts should use the git wrapper to become independent
of PATH, and then modifying PATH will not be necessary.

[jc: with minor updates after a brief review.]

Signed-off-by: Michal Ostrowski <mostrows@watson.ibm.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-01-13 16:49:01 -08:00
Petr Baudis
b21c31c9a5 git-daemon --base-path
Tommi Virtanen expressed a wish on #git to be able to use short and elegant
git URLs by making git-daemon 'root' in a given directory. This patch
implements this, causing git-daemon to interpret all paths relative to
the given base path if any is given.

Signed-off-by: Petr Baudis <pasky@suse.cz>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2006-01-07 21:43:02 -08:00
Junio C Hamano
d79374c7b5 [PATCH] daemon.c and path.enter_repo(): revamp path validation.
The whitelist of git-daemon is checked against return value from
enter_repo(), and enter_repo() used to return the value obtained
from getcwd() to avoid directory aliasing issues as discussed
earlier (mid October 2005).

Unfortunately, it did not go well as we hoped.

For example, /pub on a kernel.org public machine is a symlink to
its real mountpoint, and it is understandable that the
administrator does not want to adjust the whitelist every time
/pub needs to point at a different partition for storage
allocation or whatever reasons.  Being able to keep using
/pub/scm as the whitelist is a desirable property.

So this version of enter_repo() reports what it used to chdir()
and validate, but does not use getcwd() to canonicalize the
directory name.  When it sees a user relative path ~user/path,
it internally resolves it to try chdir() there, but it still
reports ~user/path (possibly after appending .git if allowed to
do so, in which case it would report ~user/path.git).

What this means is that if a whitelist wants to allow a user
relative path, it needs to say "~" (for all users) or list user
home directories like "~alice" "~bob".  And no, you cannot say
/home if the advertised way to access user home directories is
~alice, ~bob, etc.  The whole point of this is to avoid
unnecessary aliasing issues.

Anyway, because of this, daemon needs to do a bit more work to
guard itself.  Namely, it needs to make sure that the accessor
does not try to exploit its leading path match rule by inserting
/../ in the middle or hanging /.. at the end.  I resurrected the
belts and suspender paranoia code HPA did for this purpose.

This check cannot be done in the enter_repo() unconditionally,
because there are valid callers of enter_repo() that want to
honor /../; authorized users coming over ssh to run send-pack
and fetch-pack should be allowed to do so.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-12-03 23:17:42 -08:00
Paul Serice
f35230fb11 git-daemon not listening when compiled with -DNO_IPV6
git-daemon was not listening when compiled with -DNO_IPV6.
socksetup() was not returning socket count when compiled with -DNO_IPV6.

Signed-off-by: Paul Serice <paul@serice.net>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-11-21 14:36:43 -08:00
Junio C Hamano
ce335fe04f daemon: further tweaks.
 - Do validation only on canonicalized paths
 - Run upload-pack with "." as repository argument

Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-11-21 13:47:00 -08:00
Andreas Ericsson
4dbd135279 git-daemon support for user-relative paths.
Dropped a fair amount of redundant code in favour of the library code
in path.c

Added option --strict-paths with documentation, with backwards
compatibility for whitelist entries with symlinks.

Everything that worked earlier still works insofar as I have
remembered testing it.

Signed-off-by: Andreas Ericsson <ae@op5.se>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-11-21 13:47:00 -08:00
Andreas Ericsson
a8883288fa daemon.c: fix arg parsing bugs
Allow --init-timeout and --timeout to be specified without falling
through to usage().

Make sure openlog() is called even if implied by --inetd, or messages
will be sent to wherever LOG_USER ends up.

Signed-off-by: Andreas Ericsson <ae@op5.se>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-11-16 20:34:26 -08:00
Andreas Ericsson
bce8230d5d git-daemon: --inetd implies --syslog
Otherwise nothing is logged anywhere, which is a Bad Thing.

Signed-off-by: Andreas Ericsson <ae@op5.se>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-11-15 00:19:32 -08:00
Randal L. Schwartz
979e32fa14 fix daemon.c to compile on OpenBSD
I can confirm that the following patch lets the current origin
compile on OpenBSD.  If you could apply this until you sort out the
rest of the namespace issue, I would be happy.  Thanks.

Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-10-25 17:37:59 -07:00
Junio C Hamano
4ae22d96fe Merge branch 'fixes'
2005-10-20 23:21:50 -07:00
Junio C Hamano
a935c39727 daemon.c: remove trailing whitespace.
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-10-20 23:19:36 -07:00
H. Peter Anvin
54e31a205c Fix git-daemon argument-parsing bug
Fix stupid bug in parsing the --init-timeout option.

Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-10-20 22:46:03 -07:00
Jens Axboe
7872e05567 git-daemon poll() spinning out of control
With the '0' timeout given to poll, it returns instantly without any
events on my system, causing git-daemon to consume all the CPU time. Use
-1 as the timeout so poll() only returns in case of EINTR or actually
events being available.

Signed-off-by: Jens Axboe <axboe@suse.de>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-10-20 21:26:31 -07:00
H. Peter Anvin
960deccb26 git-daemon: timeout, eliminate double DWIM
It turns out that not only did git-daemon do DWIM, but git-upload-pack
does as well.  This is bad; security checks have to be performed *after*
canonicalization, not before.

Additionally, the current git-daemon can be trivially DoSed by spewing
SYNs at the target port.

This patch adds a --strict option to git-upload-pack to disable all
DWIM, a --timeout option to git-daemon and git-upload-pack, and an
--init-timeout option to git-daemon (which is typically set to a much
lower value, since the initial request should come immediately from the
client.)

Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-10-19 14:27:01 -07:00
H. Peter Anvin
3e04c62daa revised^2: git-daemon extra paranoia, and path DWIM
This patch adds some extra paranoia to the git-daemon filename test.  In
particular, it now rejects pathnames containing //; it also adds a
redundant test for pathname absoluteness (belts and suspenders.)

A single / at the end of the path is still permitted, however, and the
.git and /.git append DWIM stuff is now handled in an integrated manner,
which means the resulting path will always be subjected to pathname checks.

Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-10-18 18:26:52 -07:00
Linus Torvalds
230f13225d Create object subdirectories on demand
This makes it possible to have a "sparse" git object subdirectory
structure, something that has become much more attractive now that people
use pack-files all the time.

As a result of pack-files, a git object directory doesn't necessarily have
any individual objects lying around, and in that case it's just wasting
space to keep the empty first-level object directories around: on many
filesystems the 256 empty directories will be about 1MB of diskspace.

Even more importantly, after you re-pack a project that _used_ to be
unpacked, you could be left with huge directories that no longer contain
anything, but that waste space and take time to look through.

With this change, "git prune-packed" can just do an rmdir() on the
directories, and they'll get removed if empty, and re-created on demand.

This patch also tries to fix up "write_sha1_from_fd()" to use the new
common infrastructure for creating the object files, closing a hole where
we might otherwise leave half-written objects in the object database.

[jc: I unoptimized the part that really removes the fan-out directories
 to ease transition.  init-db still wastes 1MB of diskspace to hold 256
 empty fan-outs, and prune-packed rmdir()'s the grown but empty directories,
 but runs mkdir() immediately after that -- reducing the saving from 150KB
 to 146KB.  These parts will be re-introduced when everybody has the
 on-demand capability.]

Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-10-08 15:54:01 -07:00
H. Peter Anvin
9220282a9c Move signal setting into service_loop()
2005-09-30 11:01:57 -07:00
H. Peter Anvin
7626e49e9f socklen_t is unsigned int on most Linux platforms
2005-09-30 10:48:21 -07:00
H. Peter Anvin
1b4713fb9e Use xmalloc/xcalloc
2005-09-30 10:47:50 -07:00
H. Peter Anvin
d6b89e7bf8 Don't need <alloca.h>
2005-09-30 10:46:42 -07:00
H. Peter Anvin
300b4801b7 Merge with master.kernel.org:/pub/scm/git/git.git
2005-09-30 10:44:21 -07:00
Pavel Roskin
cdda474525 [PATCH] Make logerror() and loginfo() static
Make logerror() and loginfo() static

logerror() and loginfo() in daemon.c are never declared and never called
from other files, therefore they should be declared static.  Found by
sparse.

Signed-off-by: Pavel Roskin <proski@gnu.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-09-29 22:47:40 -07:00
Peter Anvin
e72456bb67 Remove variables not needed when using poll
2005-09-28 18:01:55 -07:00
Peter Anvin
6573faff34 NO_IPV6 support for git daemon
2005-09-28 17:26:44 -07:00
H. Peter Anvin
47888f0f31 Restore chdir(".git")
2005-09-27 08:49:40 -07:00
H. Peter Anvin
4ae9568269 Support a modicum of path validation, and allow an export all trees option.
2005-09-26 19:10:55 -07:00
Petr Baudis
da38641d7c [PATCH] Rename daemon.c's lognotice() to loginfo()
The syslog code logs with severity LOG_INFO in the loginfo() function, so make
things less confusing.

Signed-off-by: Petr Baudis <pasky@suse.cz>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-09-24 11:20:45 -07:00
Petr Baudis
9048fe1c50 [PATCH] git-daemon --syslog to log through syslog
Well, this makes it even more clear that we need the packet reader and
friends to use the daemon logging code. :/  Therefore, we at least indicate
in the "Disconnect" log message if the child process exited with an error
code or not.

Idea by Linus.

Signed-off-by: Petr Baudis <pasky@suse.cz>
Signed-off-by: Junio C Hamano <junkio@cox.net>
2005-09-24 11:20:45 -07:00