diff options
115 files changed, 9395 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..5c6415e --- /dev/null +++ b/.gitignore @@ -0,0 +1,5 @@ +*.o +*.a +*.lo +*.so +*.so.* @@ -0,0 +1,7 @@ +Main author: + Laurent Bercot <ska-skaware@skarnet.org> + +Thanks to: + Jean Marot <jean.marot@skarnet.org> + Dan J. Bernstein <djb@cr.yp.to> + Vallo Kallaste <kalts@estpak.ee> @@ -0,0 +1,13 @@ +Copyright (c) 2011-2014 Laurent Bercot <ska-skaware@skarnet.org> + +Permission to use, copy, modify, and distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. @@ -0,0 +1,134 @@ +Build Instructions +------------------ + +* Requirements + ------------ + + - A POSIX-compliant C development environment + - GNU make version 3.81 or later + - skalibs version 2.0.0.0 or later: http://skarnet.org/software/skalibs/ + - execline version 2.0.0.0 or later: http://skarnet.org/software/execline/ + - s6-dns version 2.0.0.0 or later: http://skarnet.org/software/s6-dns/ + + This software will run on any operating system that implements +POSIX.1-2008, available at: + http://pubs.opengroup.org/onlinepubs/9699919799/ + + +* Standard usage + -------------- + + ./configure && make && sudo make install + + will work for most users. + It will install the binaries in /bin and the static libraries in +/usr/lib/s6-networking. + + You can strip the binaries and libraries of their extra symbols via +"make strip" before the "make install" phase. It will shave a few bytes +off them. + + +* Customization + ------------- + + You can customize paths via flags given to configure. + See ./configure --help for a list of all available configure options. + + +* Environment variables + --------------------- + + Controlling a build process via environment variables is a big and +dangerous hammer. You should try and pass flags to configure instead; +nevertheless, the standard environment variables are recognized. + + The value of the CROSS_COMPILE environment variable will prefix the +building tools' names. The --enable-cross option is preferred, see +"Cross-compilation" below. + + If the CC environment variable is set, its value will override compiler +detection by configure. + + The values of CFLAGS, CPPFLAGS and LDFLAGS will be appended to flags +auto-detected by configure. To entirely override the flags set by +configure, use make -e. + + The value of LDLIBS will be appended by make to command lines that link +an executable, even without the -e option. + + The Makefile supports the DESTDIR convention for staging. + + +* Shared libraries + ---------------- + + Software from skarnet.org is small enough that shared libraries are +generally not worth using. Static linking is simpler and incurs less +runtime overhead and less points of failure: so by default, shared +libraries are not built and binaries are linked against the static +versions of the skarnet.org libraries. Nevertheless, you can: + * build shared libraries: --enable-shared + * link binaries against shared libraries: --disable-allstatic + + +* Static binaries + --------------- + + By default, binaries are linked against static versions of all the +libraries they depend on, except for the libc. You can enforce +linking against the static libc with --enable-static-libc. + + (If you are using a GNU/Linux system, be aware that the GNU libc +behaves badly with static linking and produces huge executables, +which is why it is not the default. Other libcs are better suited +to static linking, for instance musl: http://musl-libc.org/) + + +* Cross-compilation + ----------------- + + skarnet.org packages centralize all the difficulty of +cross-compilation in one place: skalibs. Once you have +cross-compiled skalibs, the rest is easy. + + Use the --enable-cross=PREFIX option to configure, or simply +--enable-cross if your default toolchain is a cross-compiling +toolchain. And make sure to use the correct version of skalibs +for your target, and the correct sysdeps directory, making use +of the --with-include, --with-lib, --with-dynlib and --with-sysdeps +options as necessary. + + +* The slashpackage convention + --------------------------- + + The slashpackage convention (http://cr.yp.to/slashpackage.html) +is a package installation scheme that provides a few guarantees +over other conventions such as the FHS, for instance fixed +absolute pathnames. skarnet.org packages support it: use the +--enable-slashpackage option to configure, or +--enable-slashpackage=DIR for a prefixed DIR/package tree. +This option will activate slashpackage support during the build +and set slashpackage-compatible installation directories. +Other options setting individual installation directories will be +ignored. + + When using slashpackage, two additional Makefile targets are +available after "make install": + - "make update" changes the default version of the software to the +freshly installed one. (This is useful when you have several installed +versions of the same software, which slashpackage supports.) + - "make -L global-links" adds links from /command and /library.so to the +default version of the binaries and shared libraries. The "-L" option to +make is necessary because targets are symbolic links, and the default make +behaviour is to check the pointed file's timestamp and not the symlink's +timestamp. + + +* Out-of-tree builds + ------------------ + + skarnet.org packages do not support out-of-tree builds. They +are small, so it does not cost much to duplicate the entire +source tree if parallel builds are needed. diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..c14a09d --- /dev/null +++ b/Makefile @@ -0,0 +1,121 @@ +# +# This Makefile requires GNU make. +# +# Do not make changes here. +# Use the included .mak files. +# + +it: all + +CC = $(error Please use ./configure first) + +-include config.mak +include package/deps.mak +include package/targets.mak + +version_m := $(basename $(version)) +version_M := $(basename $(version_m)) +version_l := $(basename $(version_M)) +CPPFLAGS_ALL := -iquote src/include-local -Isrc/include $(CPPFLAGS) +CFLAGS_ALL := $(CFLAGS) -pipe -Wall +CFLAGS_SHARED := -fPIC +LDFLAGS_ALL := $(LDFLAGS) +LDFLAGS_SHARED := -shared +LDLIBS_ALL := $(LDLIBS) +REALCC = $(CROSS_COMPILE)$(CC) +AR := $(CROSS_COMPILE)ar +RANLIB := $(CROSS_COMPILE)ranlib +STRIP := $(CROSS_COMPILE)strip +INSTALL := ./tools/install.sh + +ALL_BINS := $(LIBEXEC_TARGETS) $(BIN_TARGETS) $(SBIN_TARGETS) +ALL_LIBS := $(SHARED_LIBS) $(STATIC_LIBS) +ALL_INCLUDES := $(wildcard src/include/$(package)/*.h) + +all: $(ALL_LIBS) $(ALL_BINS) $(ALL_INCLUDES) + +clean: + @exec rm -f $(ALL_LIBS) $(ALL_BINS) $(wildcard src/*/*.o src/*/*.lo) src/minidentd/mgetuid.c + +distclean: clean + @exec rm -f config.mak src/include/${package}/config.h + +tgz: distclean + @. package/info && \ + rm -rf /tmp/$$package-$$version && \ + cp -a . /tmp/$$package-$$version && \ + cd /tmp && \ + tar -zpcv --owner=0 --group=0 --numeric-owner --exclude=.git* -f /tmp/$$package-$$version.tar.gz $$package-$$version && \ + exec rm -rf /tmp/$$package-$$version + +strip: $(ALL_LIBS) $(ALL_BINS) +ifneq ($(strip $(ALL_LIBS)),) + exec ${STRIP} -x -R .note -R .comment -R .note.GNU-stack $(ALL_LIBS) +endif +ifneq ($(strip $(ALL_BINS)),) + exec ${STRIP} -R .note -R .comment -R .note.GNU-stack $(ALL_BINS) +endif + +install: install-dynlib install-libexec install-bin install-sbin install-lib install-include +install-dynlib: $(SHARED_LIBS:lib%.so=$(DESTDIR)$(dynlibdir)/lib%.so) +install-libexec: $(LIBEXEC_TARGETS:%=$(DESTDIR)$(libexecdir)/%) +install-bin: $(BIN_TARGETS:%=$(DESTDIR)$(bindir)/%) +install-sbin: $(SBIN_TARGETS:%=$(DESTDIR)$(sbindir)/%) +install-lib: $(STATIC_LIBS:lib%.a=$(DESTDIR)$(libdir)/lib%.a) +install-include: $(ALL_INCLUDES:src/include/$(package)/%.h=$(DESTDIR)$(includedir)/$(package)/%.h) + +ifneq ($(exthome),) + +update: + exec $(INSTALL) -l $(notdir $(home)) $(DESTDIR)$(exthome) + +global-links: $(DESTDIR)$(exthome) $(SHARED_LIBS:lib%.so=$(DESTDIR)$(sproot)/library.so/lib%.so) $(BIN_TARGETS:%=$(DESTDIR)$(sproot)/command/%) $(SBIN_TARGETS:%=$(DESTDIR)$(sproot)/command/%) + +$(DESTDIR)$(sproot)/command/%: $(DESTDIR)$(home)/command/% + exec $(INSTALL) -D -l ..$(subst $(sproot),,$(exthome))/command/$(<F) $@ + +$(DESTDIR)$(sproot)/library.so/lib%.so: $(DESTDIR)$(dynlibdir)/lib%.so + exec $(INSTALL) -D -l ..$(subst $(sproot),,$(exthome))/library.so/$(<F) $@ + +.PHONY: update global-links + +endif + +$(DESTDIR)$(dynlibdir)/lib%.so: lib%.so + $(INSTALL) -D -m 755 $< $@.$(version) && \ + $(INSTALL) -l $<.$(version) $@.$(version_m) && \ + $(INSTALL) -l $<.$(version_m) $@.$(version_M) && \ + $(INSTALL) -l $<.$(version_M) $@.$(version_l) && \ + exec $(INSTALL) -l $<.$(version_l) $@ + +$(DESTDIR)$(libexecdir)/% $(DESTDIR)$(bindir)/% $(DESTDIR)$(sbindir)/%: % package/modes + exec $(INSTALL) -D -m 600 $< $@ + grep -- ^$(@F) < package/modes | { read name mode owner && \ + if [ x$$owner != x ] ; then chown -- $$owner $@ ; fi && \ + chmod $$mode $@ ; } + +$(DESTDIR)$(libdir)/lib%.a: lib%.a + exec $(INSTALL) -D -m 644 $< $@ + +$(DESTDIR)$(includedir)/$(package)/%.h: src/include/$(package)/%.h + exec $(INSTALL) -D -m 644 $< $@ + +%.o: %.c + exec $(REALCC) $(CPPFLAGS_ALL) $(CFLAGS_ALL) -c -o $@ $< + +%.lo: %.c + exec $(REALCC) $(CPPFLAGS_ALL) $(CFLAGS_ALL) $(CFLAGS_SHARED) -c -o $@ $< + +$(ALL_BINS): + exec $(REALCC) -o $@ $(CFLAGS_ALL) $(LDFLAGS_ALL) $(LDFLAGS_NOSHARED) $^ $(LDLIBS_ALL) + +lib%.a: + exec $(AR) rc $@ $^ + exec $(RANLIB) $@ + +lib%.so: + exec $(REALCC) -o $@ $(CFLAGS_ALL) $(CFLAGS_SHARED) $(LDFLAGS_ALL) $(LDFLAGS_SHARED) -Wl,-soname,$@.$(version_l) $^ + +.PHONY: it all clean distclean tgz strip install install-dynlib install-bin install-sbin install-lib install-include + +.DELETE_ON_ERROR: @@ -0,0 +1,25 @@ +s6-networking - small network and client-server tools +----------------------------------------------------- + + s6-networking is a suite of small networking tools for +Unix systems, including command-line client and server +management, TCP access control, privilege escalation +across UNIX domain sockets, IDENT protocol management, +and clock synchronization. + + See http://skarnet.org/software/s6-networking/ for details. + + +* Installation + ------------ + + See the INSTALL file. + + +* Contact information + ------------------- + + Laurent Bercot <ska-skaware at skarnet.org> + + Please use the <skaware at list.skarnet.org> mailing-list for +questions about s6-networking. diff --git a/README.macosx b/README.macosx new file mode 100644 index 0000000..d71a096 --- /dev/null +++ b/README.macosx @@ -0,0 +1,4 @@ + + This package will compile and run on Darwin (MacOS X), but the building of +shared libraries is not supported. + Make sure you use the --disable-shared option to configure. diff --git a/README.solaris b/README.solaris new file mode 100644 index 0000000..91a5b26 --- /dev/null +++ b/README.solaris @@ -0,0 +1,12 @@ + + This package assumes the existence of a POSIX shell in /bin/sh. + On Solaris, /bin/sh is not POSIX. Most versions of Solaris provide +a POSIX shell in /usr/xpg4/bin/sh. + + To compile this package on Solaris, you will need to run + + ./patch-for-solaris + + before you run ./configure. This script will change the #! invocation +of the configure script and various tools so that a POSIX shell is used +for the compilation process. diff --git a/configure b/configure new file mode 100755 index 0000000..c030856 --- /dev/null +++ b/configure @@ -0,0 +1,378 @@ +#!/bin/sh + +usage () { +cat <<EOF +Usage: $0 [OPTION]... [VAR=VALUE]... [TARGET] + +To assign environment variables (e.g., CC, CFLAGS...), specify them as +VAR=VALUE. See below for descriptions of some of the useful variables. + +Defaults for the options are specified in brackets. + +System types: + --target=TARGET configure to run on target TARGET [detected] + --host=TARGET same as --target + +Installation directories: + --prefix=PREFIX main installation prefix [/] + --exec-prefix=EPREFIX installation prefix for executable files [PREFIX] + +Fine tuning of the installation directories: + --dynlibdir=DIR shared library files [PREFIX/lib] + --bindir=DIR user executables [EPREFIX/bin] + --sbindir=DIR admin executables [EPREFIX/sbin] + --libexecdir=DIR package-scoped executables [EPREFIX/libexec] + --libdir=DIR static library files [PREFIX/lib] + --includedir=DIR include files for the C compiler [PREFIX/include] + +Dependencies: + --with-sysdeps=DIR use sysdeps in DIR [/usr/lib/skalibs/sysdeps] + --with-include=DIR add DIR to the list of searched directories for headers + --with-lib=DIR add DIR to the list of searched directories for static libraries + --with-dynlib=DIR add DIR to the list of searched directories for shared libraries + +Optional features: + --enable-shared build shared libraries [disabled] + --disable-static do not build static libraries [enabled] + --disable-allstatic do not prefer linking against static libraries [enabled] + --enable-static-libc make entirely static binaries [disabled] + --enable-slashpackage[=ROOT] assume /package installation at ROOT [disabled] + --enable-cross=PREFIX prefix toolchain executable names with PREFIX [none] + +EOF +exit 0 +} + + +# Helper functions + +# If your system does not have printf, you can comment this, but it is +# generally not a good idea to use echo. +# See http://www.etalabs.net/sh_tricks.html +echo () { + IFS=" " + printf %s\\n "$*" +} + +quote () { + tr '\n' ' ' <<EOF | grep '^[-[:alnum:]_=,./:]* $' >/dev/null 2>&1 && { echo "$1" ; return 0 ; } +$1 +EOF + echo "$1" | sed -e "s/'/'\\\\''/g" -e "1s/^/'/" -e "\$s/\$/'/" -e "s#^'\([-[:alnum:]_,./:]*\)=\(.*\)\$#\1='\2#" -e "s|\*/|* /|g" +} + +fail () { + echo "$*" + exit 1 +} + +fnmatch () { + eval "case \"\$2\" in $1) return 0 ;; *) return 1 ;; esac" +} + +cmdexists () { + type "$1" >/dev/null 2>&1 +} + +trycc () { + test -z "$CC_AUTO" && cmdexists "$1" && CC_AUTO=$1 +} + +stripdir () { + while eval "fnmatch '*/' \"\${$1}\"" ; do + eval "$1=\${$1%/}" + done +} + +tryflag () { + echo "checking whether compiler accepts $2 ..." + echo "typedef int x;" > "$tmpc" + if $CC_AUTO $CPPFLAGS_AUTO $CFLAGS_AUTO "$2" -c -o /dev/null "$tmpc" >/dev/null 2>&1 ; then + echo " ... yes" + eval "$1=\"\${$1} \$2\"" + eval "$1=\${$1# }" + return 0 + else + echo " ... no" + return 1 + fi +} + +tryldflag () { + echo "checking whether linker accepts $2 ..." + echo "typedef int x;" > "$tmpc" + if $CC_AUTO $CFLAGS_AUTO $LDFLAGS_AUTO -nostdlib "$2" -o /dev/null "$tmpc" >/dev/null 2>&1 ; then + echo " ... yes" + eval "$1=\"\${$1} \$2\"" + eval "$1=\${$1# }" + return 0 + else + echo " ... no" + return 1 + fi +} + + +# Actual script + +. package/info + +CC_AUTO="$CC" +CFLAGS_AUTO="$CFLAGS" +CPPFLAGS_AUTO="-D_POSIX_C_SOURCE=200809L -D_XOPEN_SOURCE=700 -O2 $CPPFLAGS" +LDFLAGS_AUTO="$LDFLAGS" +LDFLAGS_NOSHARED= +prefix= +exec_prefix='$prefix' +dynlibdir='$prefix/lib' +libexecdir='$exec_prefix/libexec' +bindir='$exec_prefix/bin' +sbindir='$exec_prefix/sbin' +libdir='$prefix/usr/lib/'$package +includedir='$prefix/usr/include' +sysdeps='$prefix/usr/lib/skalibs/sysdeps' +manualsysdeps=false +shared=false +static=true +slashpackage=false +sproot= +home= +exthome= +allstatic=true +evenmorestatic=false +addincpath='' +addlibspath='' +addlibdpath='' +vpaths='' +vpathd='' +cross="$CROSS_COMPILE" + +for arg ; do + case "$arg" in + --help) usage ;; + --prefix=*) prefix=${arg#*=} ;; + --exec-prefix=*) exec_prefix=${arg#*=} ;; + --dynlibdir=*) dynlibdir=${arg#*=} ;; + --libexecdir=*) libexecdir=${arg#*=} ;; + --bindir=*) bindir=${arg#*=} ;; + --sbindir=*) sbindir=${arg#*=} ;; + --libdir=*) libdir=${arg#*=} ;; + --includedir=*) includedir=${arg#*=} ;; + --with-sysdeps=*) sysdeps=${arg#*=} manualsysdeps=true ;; + --with-include=*) var=${arg#*=} ; stripdir var ; addincpath="$addincpath -I$var" ;; + --with-lib=*) var=${arg#*=} ; stripdir var ; addlibspath="$addlibspath -L$var" ; vpaths="$vpaths $var" ;; + --with-dynlib=*) var=${arg#*=} ; stripdir var ; addlibdpath="$addlibdpath -L$var" ; vpathd="$vpathd $var" ;; + --enable-shared|--enable-shared=yes) shared=true ;; + --disable-shared|--enable-shared=no) shared=false ;; + --enable-static|--enable-static=yes) static=true ;; + --disable-static|--enable-static=no) static=false ;; + --enable-allstatic|--enable-allstatic=yes) allstatic=true ;; + --disable-allstatic|--enable-allstatic=no) allstatic=false ;; + --enable-static-libc|--enable-static-libc=yes) evenmorestatic=true ;; + --disable-static-libc|--enable-static-libc=no) evenmorestatic=false ;; + --enable-slashpackage=*) sproot=${arg#*=} ; slashpackage=true ; ;; + --enable-slashpackage) sproot= ; slashpackage=true ;; + --disable-slashpackage) sproot= ; slashpackage=false ;; + --enable-cross=*) cross=${arg#*=} ;; + --enable-cross) cross= ;; + --disable-cross) cross= ;; + --enable-*|--disable-*|--with-*|--without-*|--*dir=*|--build=*) ;; + --host=*|--target=*) target=${arg#*=} ;; + -* ) echo "$0: unknown option $arg" ;; + *=*) ;; + *) target=$arg ;; + esac +done + +for i in prefix exec_prefix dynlibdir libexecdir bindir sbindir libdir includedir linkdynlibdir linkbindir linksbindir sysdeps sproot skalibs ; do + eval tmp=\${$i} + eval $i=$tmp + stripdir $i +done + +# Get usable temp filenames +i=0 +set -C +while : ; do + i=$(($i+1)) + tmpc="./tmp-configure-$$-$PPID-$i.c" + tmpe="./tmp-configure-$$-$PPID-$i.tmp" + 2>|/dev/null > "$tmpc" && break + 2>|/dev/null > "$tmpe" && break + test "$i" -gt 50 && fail "$0: cannot create temporary files" +done +set +C +trap 'rm -f "$tmpc" "$tmpe"' EXIT ABRT INT QUIT TERM HUP + +# Set slashpackage values +if $slashpackage ; then + home=${sproot}/package/${category}/${package}-${version} + exthome=${sproot}/package/${category}/${package} + if $manualsysdeps ; then + : + else + sysdeps=${sproot}/package/prog/skalibs/sysdeps + fi + binprefix=${home}/command + extbinprefix=${exthome}/command + dynlibdir=${home}/library.so + libexecdir=$binprefix + bindir=$binprefix + sbindir=$binprefix + libdir=${home}/library + includedir=${home}/include + while read dep ; do + addincpath="$addincpath -I${sproot}${dep}/include" + vpaths="$vpaths ${sproot}${dep}/library" + addlibspath="$addlibspath -L${sproot}${dep}/library" + if $allstatic ; then : ; else + vpathd="$vpathd ${sproot}${dep}/library.so" + addlibdpath="$addlibdpath -L${sproot}${dep}/library.so" + fi + done < package/deps-build +fi + +# Find a C compiler to use +echo "checking for C compiler..." +trycc ${cross}gcc +trycc ${cross}c99 +trycc ${cross}cc +test -n "$CC_AUTO" || { echo "$0: cannot find a C compiler" ; exit 1 ; } +echo " ... $CC_AUTO" +echo "checking whether C compiler works... " +echo "typedef int x;" > "$tmpc" +if $CC_AUTO $CPPFLAGS_AUTO $CFLAGS_AUTO -c -o /dev/null "$tmpc" 2>"$tmpe" ; then + echo " ... yes" +else + echo " ... no. Compiler output follows:" + cat < "$tmpe" + exit 1 +fi + +echo "checking target system type..." +test -n "$target" || target=$($CC_AUTO -dumpmachine 2>/dev/null) || target=unknown +echo " ... $target" +if test ! -d $sysdeps || test ! -f $sysdeps/target ; then + echo "$0: error: $sysdeps is not a valid sysdeps directory" + exit 1 +fi +if [ "x$target" != "x$(cat $sysdeps/target)" ] ; then + echo "$0: error: target $target does not match the contents of $sysdeps/target" + exit 1 +fi + +rt_lib=$(cat $sysdeps/rt.lib) +socket_lib=$(cat $sysdeps/socket.lib) +sysclock_lib=$(cat $sysdeps/sysclock.lib) +tainnow_lib=$(cat $sysdeps/tainnow.lib) +util_lib=$(cat $sysdeps/util.lib) + +tryflag CFLAGS_AUTO -std=c99 +tryflag CFLAGS_AUTO -fomit-frame-pointer +tryflag CFLAGS_AUTO -fno-exceptions +tryflag CFLAGS_AUTO -fno-unwind-tables +tryflag CFLAGS_AUTO -fno-asynchronous-unwind-tables +tryflag CFLAGS_AUTO -Wa,--noexecstack +tryflag CFLAGS_AUTO -fno-stack-protector +tryflag CPPFLAGS_AUTO -Werror=implicit-function-declaration +tryflag CPPFLAGS_AUTO -Werror=implicit-int +tryflag CPPFLAGS_AUTO -Werror=pointer-sign +tryflag CPPFLAGS_AUTO -Werror=pointer-arith + +if $evenmorestatic ; then + LDFLAGS_NOSHARED=-static +fi + +if $shared ; then + tryldflag LDFLAGS_AUTO -Wl,--hash-style=both +fi + +if test -z "$vpaths" ; then + while read dep ; do + base=$(basename $dep) ; + vpaths="$vpaths /usr/lib/$base" + addlibspath="$addlibspath -L/usr/lib/$base" + done < package/deps-build +fi + +CPPFLAGS_AUTO="$CPPFLAGS_AUTO $addincpath" +LDFLAGS_AUTO="$LDFLAGS_AUTO $addlibspath" +$allstatic || LDFLAGS_AUTO="$LDFLAGS_AUTO $addlibdpath" + +echo "creating config.mak..." +cmdline=$(quote "$0") +for i ; do cmdline="$cmdline $(quote "$i")" ; done +exec 3>&1 1>config.mak +cat << EOF +# This file was generated by: +# $cmdline +# Any changes made here will be lost if configure is re-run. + +target := $target +package := $package +prefix := $prefix +exec_prefix := $exec_prefix +dynlibdir := $dynlibdir +libexecdir := $libexecdir +bindir := $bindir +sbindir := $sbindir +libdir := $libdir +includedir := $includedir +sysdeps := $sysdeps +slashpackage := $slashpackage +sproot := $sproot +version := $version +home := $home +exthome := $exthome +RT_LIB := ${rt_lib} +SOCKET_LIB := ${socket_lib} +SYSCLOCK_LIB := ${sysclock_lib} +TAINNOW_LIB := ${tainnow_lib} +UTIL_LIB := ${util_lib} + +CC := $CC_AUTO +CFLAGS := $CFLAGS_AUTO +CPPFLAGS := $CPPFLAGS_AUTO +LDFLAGS := $LDFLAGS_AUTO +LDFLAGS_NOSHARED := $LDFLAGS_NOSHARED +CROSS_COMPILE := $cross + +vpath lib%a$vpaths +EOF +if $allstatic ; then + echo ".LIBPATTERNS := lib%.a" + vpathd= +fi + echo "vpath lib%.so$vpathd" +echo +$static || echo "STATIC_LIBS :=" +$shared || echo "SHARED_LIBS :=" +exec 1>&3 3>&- +echo " ... done." + +echo "creating src/include/${package}/config.h..." +mkdir -p -m 0755 src/include/${package} +exec 3>&1 1> src/include/${package}/config.h +cat <<EOF +/* ISC license. */ + +/* Generated by: $cmdline */ + +#ifndef ${package_macro_name}_CONFIG_H +#define ${package_macro_name}_CONFIG_H + +#define ${package_macro_name}_VERSION "$version" +EOF +if $slashpackage ; then + echo "#define ${package_macro_name}_BINPREFIX \"$binprefix/\"" + echo "#define ${package_macro_name}_EXTBINPREFIX \"$extbinprefix/\"" + echo "#define ${package_macro_name}_LIBEXECPREFIX \"$binprefix/\"" +else + echo "#define ${package_macro_name}_BINPREFIX \"\"" + echo "#define ${package_macro_name}_EXTBINPREFIX \"\"" + echo "#define ${package_macro_name}_LIBEXECPREFIX \"$libexecdir/\"" +fi +echo +echo "#endif" +exec 1>&3 3>&- +echo " ... done." diff --git a/doc/index.html b/doc/index.html new file mode 100644 index 0000000..93d68ce --- /dev/null +++ b/doc/index.html @@ -0,0 +1,182 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking - small networking utilities</title> + <meta name="Description" content="s6-networking - small networking utilities" /> + <meta name="Keywords" content="s6-networking network utilities tcpclient tcpserver s6 ucspi unix linux laurent bercot ska skarnet" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">www.skarnet.org</a> +</p> + +<h1> s6-networking </h1> + +<h2> What is it ? </h2> + +<p> + s6-networking is a suite of small networking utilities for Unix systems. +It includes command-line client and server management, TCP access +control, privilege escalation across UNIX domain sockets, IDENT +protocol management and clock synchronization. +</p> + +<p> + If the underlying +<a href="http://skarnet.org/software/skalibs/">skalibs</a> has been +compiled with IPv6 support, s6-networking is IPv6-ready. +</p> + +<hr /> + +<h2> Installation </h2> + +<h3> Requirements </h3> + +<ul> + <li> A POSIX-compliant system with a standard C development environment </li> + <li> GNU make, version 3.81 or later </li> + <li> <a href="http://skarnet.org/software/skalibs/">skalibs</a> version +2.0.0.0 or later </li> + <li> <a href="http://skarnet.org/software/execline/">execline</a> version +2.0.0.0 or later </li> + <li> <a href="http://skarnet.org/software/s6-dns/">s6-dns</a> version +2.0.0.0 or later </li> +</ul> + +<h3> Licensing </h3> + +<p> + s6-networking is free software. It is available under the +<a href="http://opensource.org/licenses/ISC">ISC license</a>. +</p> + +<h3> Download </h3> + +<ul> + <li> The current released version of s6-networking is <a href="s6-networking-2.0.0.0.tar.gz">2.0.0.0</a>. </li> + <li> Alternatively, you can checkout a copy of the s6-networking git repository: +<pre> git clone git://git.skarnet.org/s6-networking </pre> </li> +</ul> + +<h3> Compilation </h3> + +<ul> + <li> See the enclosed INSTALL file for installation details. </li> +</ul> + +<h3> Upgrade notes </h3> + +<ul> + <li> <a href="upgrade.html">This page</a> lists the differences to be aware of between +the previous versions of s6-networking and the current one. </li> +</ul> + +<h2> Reference </h2> + +<h3> Commands </h3> + +<p> + All these commands exit 111 if they encounter a temporary error or +hardware error, and +100 if they encounter a permanent error - such as a misuse. Short-lived +commands exit 0 on success. Other exit codes are documented in the +relevant page. +</p> + +<h4> System clock synchronization </h4> + +<ul> +<li><a href="s6-clockadd.html">The <tt>s6-clockadd</tt> program</a></li> +<li><a href="s6-clockview.html">The <tt>s6-clockview</tt> program</a></li> +<li><a href="s6-sntpclock.html">The <tt>s6-sntpclock</tt> program</a> </li> +<li><a href="s6-taiclock.html">The <tt>s6-taiclock</tt> program</a></li> +<li><a href="s6-taiclockd.html">The <tt>s6-taiclockd</tt> program</a></li> +</ul> + +<h4> UCSPI implementation </h4> + +<ul> +<li><a href="s6-tcpclient.html">The <tt>s6-tcpclient</tt> program</a></li> +<li><a href="s6-tcpserver.html">The <tt>s6-tcpserver</tt> program</a></li> +<li><a href="s6-tcpserver4.html">The <tt>s6-tcpserver4</tt> program</a></li> +<li><a href="s6-tcpserver6.html">The <tt>s6-tcpserver6</tt> program</a></li> +<li><a href="s6-ipcclient.html">The <tt>s6-ipcclient</tt> program</a></li> +<li><a href="s6-ipcserver.html">The <tt>s6-ipcserver</tt> program</a></li> +<li><a href="s6-ioconnect.html">The <tt>s6-ioconnect</tt> program</a></li> +</ul> + +<h4> TCP and Unix access control </h4> + +<ul> +<li><a href="s6-tcpserver-access.html">The <tt>s6-tcpserver-access</tt> program</a></li> +<li><a href="s6-ipcserver-access.html">The <tt>s6-ipcserver-access</tt> program</a></li> +<li><a href="s6-connlimit.html">The <tt>s6-connlimit</tt> program</a></li> +<li><a href="s6-accessrules-cdb-from-fs.html">The <tt>s6-accessrules-cdb-from-fs</tt> program</a></li> +<li><a href="s6-accessrules-fs-from-cdb.html">The <tt>s6-accessrules-fs-from-cdb</tt> program</a></li> +</ul> + +<h4> suidless privilege gain </h4> + +<ul> +<li><a href="s6-sudo.html">The <tt>s6-sudo</tt> program</a></li> +<li><a href="s6-sudoc.html">The <tt>s6-sudoc</tt> program</a></li> +<li><a href="s6-sudod.html">The <tt>s6-sudod</tt> program</a></li> +</ul> + +<h4> IDENT protocol implementation </h4> + +<ul> +<li><a href="s6-ident-client.html">The <tt>s6-ident-client</tt> program</a></li> +<li><a href="minidentd.html">The <tt>minidentd</tt> program</a></li> +</ul> + +<h4> Miscellaneous utilities </h4> + +<ul> +<li><a href="seekablepipe.html">The <tt>seekablepipe</tt> program</a></li> +<li><a href="s6-getservbyname.html">The <tt>s6-getservbyname</tt> program</a></li> +</ul> + +<h3> Libraries </h3> + +<ul> +<li> The <a href="libs6net/">s6net</a> library, containing: </li> +<li> <a href="libs6net/ident.html">The <tt>ident</tt> library interface</a> </li> +<li> <a href="libs6net/accessrules.html">The <tt>accessrules</tt> library interface</a> </li> +</ul> + +<hr /> + +<a name="related"> +<h2> Related resources </h2> +</a> + +<h3> s6-networking discussion </h3> + +<ul> + <li> <tt>s6-networking</tt> is discussed on the +<a href="http://skarnet.org/lists.html#skaware">skaware</a> mailing-list. </li> + <li> <tt>s6-networking</tt> has a +<a href="http://freecode.com/projects/s6-networking">freecode page</a>. + </li> +</ul> + +<h3> Similar work </h3> + +<ul> + <li> <a href="http://cr.yp.to/ucspi-tcp.html">ucspi-tcp</a> is the +original inspiration for s6-networking. +It works, but is unfortunately unmaintained by the author. s6-networking +follows <a href="http://skarnet.org/software/skalibs/djblegacy.html">the +same design principles</a>. </li> + <li> <a href="http://smarden.org/ipsvd/">ipsvd</a> is a very similar program +suite. </li> +</ul> + +</body> +</html> diff --git a/doc/libs6net/accessrules.html b/doc/libs6net/accessrules.html new file mode 100644 index 0000000..ea996b7 --- /dev/null +++ b/doc/libs6net/accessrules.html @@ -0,0 +1,331 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the accessrules library interface</title> + <meta name="Description" content="s6-networking: the accessrules library interface" /> + <meta name="Keywords" content="s6-networking net accessrules library libs6net unix tcp access control dns ipv4 ipv6" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">libs6net</a><br /> +<a href="../">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>accessrules</tt> library interface </h1> + +<p> + The following functions and structures are declared in the <tt>s6-networking/accessrules.h</tt> header, +and implemented in the <tt>libs6net.a</tt> or <tt>libs6net.so</tt> library. +</p> + +<h2> General information </h2> + +<p> + <tt>s6net_accessrules</tt> is an access control library. It looks up +a key in a user-specified database, then returns a code depending on +whether the database allows access (in which case additional information +can also be returned), denies access, or does not contain the key. +</p> + +<p> + <tt>accessrules</tt> has been designed to be easily extensible to any +database format and any key format. +</p> + +<p> + Check the <tt>s6-networking/accessrules.h</tt> header for the exact definitions. +</p> + +<h2> Data structures </h2> + +<ul> + <li> A <tt>s6net_accessrules_result_t</tt> is a scalar that +can have the following values: S6NET_ACCESSRULES_ERROR, +S6NET_ACCESSRULES_DENY, S6NET_ACCESSRULES_ALLOW or S6NET_ACCESSRULES_NOTFOUND. </li> + <li> A <tt>s6net_accessrules_params_t</tt> is a structure containing two +<a href="http://skarnet.org/software/skalibs/libstddjb/stralloc.html">strallocs</a>, +<em>.env</em> and <em>.exec</em>, used to return data contained in the +database when a key has been allowed. The interpretation of this data is +application-defined. </li> +</ul> + +<h2> Function types </h2> + +<h3> Backend lookups </h3> + +<p> + A <tt>s6net_accessrules_backend_func_t</tt> is the type of a function +that takes a single key, looks it up in a database, and returns the result. +Namely: +</p> + +<p> +<code>s6net_accessrules_result_t f (char const *key, unsigned int keylen, void *handle, s6net_accessrules_params_t *params) </code> +</p> + +<p> + <em>f</em> looks up key <em>key</em> of length <em>keylen</em> in the database +represented by <em>handle</em> in an implementation-defined way. It returns a +number that says the key has been allowed, denied or not found, or an error +occurred. If the key has been allowed, <em>f</em> stores additional information +from the database into *<em>params</em>. +</p> + +<p> + Two s6net_accessrules_backend_func_t functions are natively implemented: +</p> + +<ul> + <li> <tt>s6net_accessrules_backend_fs</tt> takes a <tt>char const *</tt> +<em>handle</em> and interprets it as a base directory to look up <em>key</em> +under, in the format understood by +<a href="../s6-accessrules-cdb-from-fs.html">s6-accessrules-cdb-from-fs</a>. </li> + <li> <tt>s6net_accessrules_backend_cdb</tt> takes a <tt>struct cdb *</tt> +<em>handle</em> and looks up <em>key</em> in the +<a href="http://cr.yp.to/cdb.html">CDB</a> it points to. <em>handle</em> must +already be mapped to a CDB file. Such a file can be built with the +<a href="../s6-accessrules-cdb-from-fs.html">s6-accessrules-cdb-from-fs</a> +utility. </li> +</ul> + +<h3> Frontend key checking </h3> + +<p> + A <tt>s6net_accessrules_keycheck_func_t</tt> is the type of a function that +takes a user-level key, makes a list of corresponding backend-level keys and +calls a <tt>s6net_accessrules_backend_func_t</tt> function until it finds +a match. Namely: +</p> + +<p> +<code>s6net_accessrules_result_t f (void const *key, void *handle, s6net_accessrules_params_t *params, s6net_accessrules_backend_func_t *backend) </code> +</p> + +<p> + <em>f</em> derives a list of low-level keys to check from <em>key</em>. +Then, for each key <em>k</em> of length <em>klen</em> in this list, it calls +<tt>(*backend)(k, klen, handle, params)</tt>, returning *<em>backend</em>'s result if it +is not S6NET_ACCESSRULES_NOTFOUND. If no match can be found in the whole list, +<em>f</em> finally returns S6NET_ACCESSRULES_NOTFOUND. +</p> + +<p> + Five s6net_accessrules_keycheck_func_t functions are natively implemented: +</p> + +<ul> + <li> +<a name="uidgid" /> + <tt>s6net_accessrules_keycheck_uidgid</tt> interprets <em>key</em> as a +<a href="http://skarnet.org/software/skalibs/libstddjb/">diuint</a>, i.e. a +structure containing two unsigned ints. The first one is interpreted as an +uid <em>u</em>, the second one as a gid <em>g</em>. The function first looks +for a <tt>uid/<em>u</em></tt> match; if it cannot find one, it looks for a +<tt>gid/<em>g</em></tt> match. If it cannot find one either, it checks +<tt>uid/default</tt> and returns the result. </li> + <li> +<a name="reversedns" /> + <tt>s6net_accessrules_keycheck_reversedns</tt> interprets <em>key</em> +as a string containing a FQDN. Then for each suffix <em>k</em> of <em>key</em>, +starting with <em>key</em> itself and ending with <em>key</em>'s TLD, +it looks up <tt>reversedns/<em>k</em></tt>. The final dot is excluded from +<em>k</em>. If no match can be found, the function checks <tt>reversedns/@</tt> +and returns the result. For instance, if <em>key</em> is "foo.bar.com", +the following strings are looked up, in that order: + <ul> + <li> reversedns/foo.bar.com </li> + <li> reversedns/bar.com </li> + <li> reversedns/com </li> + <li> reversedns/@ </li> + </ul> </li> + <li> +<a name="ip4" /> + <tt>s6net_accessrules_keycheck_ip4</tt> interprets <em>key</em> as +4 network-byte-order characters containing an IPv4 address. Then for each +netmask <em>mask</em> from 32 to 0, it constructs the IPv4 network +prefix <em>addr</em> corresponding to that address, and looks up +<tt>ip4/<em>addr</em>_<em>mask</em></tt>. For instance, if <em>key</em> +is "\300\250\001\007", representing the 192.168.1.7 address, the following +strings are looked up, in that order: + <ul> + <li> ip4/192.168.1.7_32 </li> + <li> ip4/192.168.1.6_31 </li> + <li> ip4/192.168.1.4_30 </li> + <li> ip4/192.168.1.0_29 </li> + <li> ip4/192.168.0.0_28 </li> + <li> ip4/192.168.0.0_27 </li> + </ul> + and so on, down to: + <ul> + <li> ip4/192.0.0.0_3 </li> + <li> ip4/192.0.0.0_2 </li> + <li> ip4/128.0.0.0_1 </li> + <li> ip4/0.0.0.0_0 </li> + </ul> + Note that the <tt>ip4/0.0.0.0_0</tt> string is a catch-all key that +matches everything. </li> + <li> +<a name="ip6" /> + <tt>s6net_accessrules_keycheck_ip6</tt> interprets <em>key</em> as +16 network-byte-order characters containing an IPv6 address. Then for each +netmask <em>mask</em> from 128 to 0, it constructs the IPv6 network +prefix <em>addr</em> corresponding to that address, +<strong>in canonical form</strong>, +and looks up +<tt>ip6/<em>addr</em>_<em>mask</em></tt>. For instance, if <em>key</em> +is "*\0\024P@\002\b\003\0\0\0\0\0\0\020\006", representing the +2a00:1450:4002:803::1006 address, the following +strings are looked up, in that order: + <ul> + <li> ip6/2a00:1450:4002:803::1006_128 </li> + <li> ip6/2a00:1450:4002:803::1006_127 </li> + <li> ip6/2a00:1450:4002:803::1004_126 </li> + <li> ip6/2a00:1450:4002:803::1000_125 </li> + <li> ip6/2a00:1450:4002:803::1000_124 </li> + <li> ip6/2a00:1450:4002:803::1000_123 </li> + <li> ip6/2a00:1450:4002:803::1000_122 </li> + <li> ip6/2a00:1450:4002:803::1000_121 </li> + <li> ip6/2a00:1450:4002:803::1000_120 </li> + <li> ip6/2a00:1450:4002:803::1000_119 </li> + <li> ip6/2a00:1450:4002:803::1000_118 </li> + <li> ip6/2a00:1450:4002:803::1000_117 </li> + <li> ip6/2a00:1450:4002:803::1000_116 </li> + <li> ip6/2a00:1450:4002:803::1000_115 </li> + <li> ip6/2a00:1450:4002:803::1000_114 </li> + <li> ip6/2a00:1450:4002:803::1000_113 </li> + <li> ip6/2a00:1450:4002:803::_112 </li> + <li> ip6/2a00:1450:4002:803::_111 </li> + </ul> + and so on, down to: + <ul> + <li> ip6/2a00::_11 </li> + <li> ip6/2800::_10 </li> + <li> ip6/2800::_9 </li> + <li> ip6/2000::_8 </li> + <li> ip6/2000::_7 </li> + <li> ip6/2000::_6 </li> + <li> ip6/2000::_5 </li> + <li> ip6/2000::_4 </li> + <li> ip6/2000::_3 </li> + <li> ip6/::_2 </li> + <li> ip6/::_1 </li> + <li> ip6/::_0 </li> + </ul> + Note that the <tt>ip6/::_0</tt> string is a catch-all key that +matches everything. </li> + <li> +<a name="ip46" /> + <tt>s6net_accessrules_keycheck_ip46</tt> interprets <em>key</em> as a pointer to an +<a href="http://skarnet.org/software/skalibs/libstddjb/ip46.html">ip46_t</a>, and +behaves either as s6net_accessrules_keycheck_ip6 or s6net_accessrules_keycheck_ip4, +depending on the type of address *<em>key</em> contains. </li> +</ul> + +<h2> Ready-to-use functions </h2> + + Those functions are mostly macros; they're built by associating a frontend +function with a backend function. + +<p> +<code> s6net_accessrules_result_t s6net_accessrules_uidgid_cdb +(unsigned int u, unsigned int g, struct cdb *c, +s6net_accessrules_params_t *params) </code> <br /> +Checks the *<em>c</em> CDB database for an authorization for uid <em>u</em> +and gid <em>g</em>. If the result is S6NET_ACCESSRULES_ALLOW, additional +information may be stored into <em>params</em>. +</p> + +<p> +<code> s6net_accessrules_result_t s6net_accessrules_uidgid_fs +(unsigned int u, unsigned int g, char const *dir, +s6net_accessrules_params_t *params) </code> <br /> +Checks the <em>dir</em> base directory for an authorization for uid <em>u</em> +and gid <em>g</em>. If the result is S6NET_ACCESSRULES_ALLOW, additional +information may be stored into <em>params</em>. +</p> + +<p> +<code> s6net_accessrules_result_t s6net_accessrules_reversedns_cdb +(char const *name, struct cdb *c, +s6net_accessrules_params_t *params) </code> <br /> +Checks the *<em>c</em> CDB database for an authorization for the +<em>name</em> FQDN. If the result is S6NET_ACCESSRULES_ALLOW, additional +information may be stored into <em>params</em>. +</p> + +<p> +<code> s6net_accessrules_result_t s6net_accessrules_reversedns_fs +(char const *name, char const *dir, +s6net_accessrules_params_t *params) </code> <br /> +Checks the <em>dir</em> base directory for an authorization for the +<em>name</em> FQDN. If the result is S6NET_ACCESSRULES_ALLOW, additional +information may be stored into <em>params</em>. +</p> + +<p> +<code> s6net_accessrules_result_t s6net_accessrules_ip4_cdb +(char const *ip4, struct cdb *c, +s6net_accessrules_params_t *params) </code> <br /> +Checks the *<em>c</em> CDB database for an authorization for the +<em>ip4</em> IPv4 address (4 network byte order characters). +If the result is S6NET_ACCESSRULES_ALLOW, additional +information may be stored into <em>params</em>. +</p> + +<p> +<code> s6net_accessrules_result_t s6net_accessrules_ip4_fs +(char const *ip4, char const *dir, +s6net_accessrules_params_t *params) </code> <br /> +Checks the <em>dir</em> base directory for an authorization for the +<em>ip4</em> IPv4 address (4 network byte order characters). +If the result is S6NET_ACCESSRULES_ALLOW, additional +information may be stored into <em>params</em>. +</p> + +<p> +<code> s6net_accessrules_result_t s6net_accessrules_ip6_cdb +(char const *ip6, struct cdb *c, +s6net_accessrules_params_t *params) </code> <br /> +Checks the *<em>c</em> CDB database for an authorization for the +<em>ip6</em> IPv6 address (16 network byte order characters). +If the result is S6NET_ACCESSRULES_ALLOW, additional +information may be stored into <em>params</em>. +</p> + +<p> +<code> s6net_accessrules_result_t s6net_accessrules_ip6_fs +(char const *ip6, char const *dir, +s6net_accessrules_params_t *params) </code> <br /> +Checks the <em>dir</em> base directory for an authorization for the +<em>ip6</em> IPv6 address (16 network byte order characters). +If the result is S6NET_ACCESSRULES_ALLOW, additional +information may be stored into <em>params</em>. +</p> + +<p> +<code> s6net_accessrules_result_t s6net_accessrules_ip46_cdb +(ip46_t *ip, struct cdb *c, +s6net_accessrules_params_t *params) </code> <br /> +Checks the *<em>c</em> CDB database for an authorization for the +<em>ip</em> IP address. +If the result is S6NET_ACCESSRULES_ALLOW, additional +information may be stored into <em>params</em>. +</p> + +<p> +<code> s6net_accessrules_result_t s6net_accessrules_ip46_fs +(ip46_t const *ip, char const *dir, +s6net_accessrules_params_t *params) </code> <br /> +Checks the <em>dir</em> base directory for an authorization for the +<em>ip</em> IP address. +If the result is S6NET_ACCESSRULES_ALLOW, additional +information may be stored into <em>params</em>. +</p> + +</body> +</html> diff --git a/doc/libs6net/ident.html b/doc/libs6net/ident.html new file mode 100644 index 0000000..74a9217 --- /dev/null +++ b/doc/libs6net/ident.html @@ -0,0 +1,124 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the ident library interface</title> + <meta name="Description" content="s6-networking: the ident library interface" /> + <meta name="Keywords" content="s6-networking net ident library libs6net ident RFC 1413" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">libs6net</a><br /> +<a href="../">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>ident</tt> library interface </h1> + +<p> + The following functions and structures are declared in the <tt>s6-networking/ident.h</tt> header, +and implemented in the <tt>libs6net.a</tt> or <tt>libs6net.so</tt> library. +</p> + +<h2> General information </h2> + +<p> + <tt>ident</tt> provides a C IDENT client, following RFC 1413. +</p> + +<p> + Please note that this protocol is of historical interest exclusively; +this client, as well as the <a href="../minidentd.html">minidentd</a> +server, is only provided for convenience and interoperability with +legacy systems. The IDENT protocol absolutely cannot be relied on for +any kind of authentication or secure operation. +</p> + +<h2> Functions </h2> + +<p> + Check the <tt>s6-networking/ident.h</tt> header for the exact function prototypes. +</p> + +<h3> Main interface </h3> + +<p> +<code> int s6net_ident_client (char *s, unsigned int max, ip46_t const *remoteip, uint16 remoteport, ip46_t const *localip, uint16 localport, +struct taia const *deadline, struct taia *stamp) </code> +</p> + +<p> +Makes an IDENT request to a server listening on IP <em>remoteip</em> port 113 +about the connection from IP <em>remoteip</em> port <em>remoteport</em> to +IP <em>localip</em> port <em>localport</em>. Writes the answer into +preallocated string <em>s</em> of max length <em>max</em>, and returns the +number of bytes in the answer. +</p> + +<ul> + <li> An <a href="http://skarnet.org/software/skalibs/libstddjb/ip46.html">ip46_t</a> +is a structure holding either an IPv4 address or an IPv6 address. </li> + <li> If an error occurs, the function returns -1 and sets errno to a +suitable value. If no answer can be gotten from the server, the function +returns 0 and sets errno to a suitable value. </li> + <li> If <em>max</em> is too small for <em>s</em> to hold the answer, the +function returns -1 ENAMETOOLONG. +This can be avoided by using S6NET_IDENT_REPLY_SIZE +as <em>max</em>. </li> + <li> Negative answers are mapped to errno in the following way: + <ul> + <li> INVALID-PORT is reported as EINVAL </li> + <li> NO-USER is reported as ESRCH </li> + <li> HIDDEN-USER is reported as EPERM </li> + <li> UNKNOWN-ERROR is reported as EIO </li> + <li> extended error codes are reported as EEXIST </li> + </ul> </li> + <li> *<em>deadline</em> and *<em>stamp</em> are +<a href="http://skarnet.org/software/skalibs/libstddjb/tai.h">absolute dates</a>: +*<em>stamp</em> must be an accurate enough approximation of the current time, and +is automatically updated when the function returns. If no answer has been gotten +from the server by *<em>deadline</em>, then the call is aborted and returns +-1 ETIMEDOUT. </li> +</ul> + +<p> +<code> char const *s6net_ident_error_str (int e) </code> +</p> + +<p> + Maps an error code representing a negative answer (i.e. errno when +<tt>s6net_ident_client</tt> returned 0) to a suitable string. +</p> + +<h3> Low-level functions </h3> + +<p> +<code> int s6net_ident_reply_get (char *s, ip46_t const *ra, uint16 rp, ip46_t const *la, uint16 lp, +struct taia const *deadline, struct taia *stamp) </code> +</p> + +<p> +The network part of <tt>s6net_ident_client</tt>. Connects to *<em>ra</em>:113 +and asks the server about (*<em>ra</em>:<em>rp</em>, *<em>la</em>:<em>lp</em>), +aborting if *<em>deadline</em> goes by. Writes the server answer into <em>s</em>; +at least S6NET_IDENT_REPLY_SIZE bytes must be preallocated in <em>s</em>. +Returns -1 if an error occurs, or the number of bytes written into <em>s</em>. +</p> + +<p> +<code> int s6net_ident_reply_parse (char const *s, uint16 rp, uint16 lp) </code> +</p> + +<p> +The local part of <tt>s6net_ident_client</tt>. Parses the server answer in +<em>s</em> for the connection from port <em>rp</em> to port <em>lp</em>. +Returns -1 EPROTO if the answer does not make sense, 0 if the answer is +negative, or a positive number if the answer is positive. This number is +an index where the ID can be found in <em>s</em>. +</p> + +</body> +</html> diff --git a/doc/libs6net/index.html b/doc/libs6net/index.html new file mode 100644 index 0000000..7a6a75b --- /dev/null +++ b/doc/libs6net/index.html @@ -0,0 +1,63 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6net library interface</title> + <meta name="Description" content="s6-networking: the s6net library interface" /> + <meta name="Keywords" content="s6-networking net s6net library libs6net" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="../">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6net</tt> library interface </h1> + +<h2> General information </h2> + +<p> + <tt>libs6net</tt> is a collection of networking-related utility +C interfaces, used in the s6-networking executables. +</p> + +<h2> Compiling </h2> + +<ul> + <li> Make sure the s6-networking headers, as well as the skalibs headers, +are visible in your header search path. </li> + <li> Use <tt>#include <s6-networking/s6net.h></tt> </li> +</ul> + +<h2> Linking </h2> + +<ul> + <li> Make sure the s6-networking libraries, as well as the skalibs +libraries, are visible in your library search path. </li> + <li> Link against <tt>-ls6net</tt>, <tt>-lskarnet</tt>, </li> +<tt>`cat $SYSDEPS/socket.lib`</tt> and +<tt>`cat $SYSDEPS/tainnow.lib`</tt>, $SYSDEPS being your skalibs +sysdeps directory. </li> +</ul> + +<h2> Programming </h2> + +<p> + The <tt>s6-networking/s6net.h</tt> header is actually a +concatenation of other headers: +the libs6net is separated into several modules, each of them with its +own header. +</p> + +<ul> + <li> The <a href="accessrules.html">s6-networking/accessrules.h</a> header +provides function to check credentials against configuration files. </li> + <li> The <a href="ident.html">s6-networking/ident.h</a> header provides +a small IDENT client (RFC 1413). </li> +</ul> + +</body> +</html> diff --git a/doc/localservice.html b/doc/localservice.html new file mode 100644 index 0000000..af7aafb --- /dev/null +++ b/doc/localservice.html @@ -0,0 +1,151 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: what is a local service</title> + <meta name="Description" content="s6-networking: what is a local service" /> + <meta name="Keywords" content="s6-networking local service s6-ipcserver" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> Local services </h1> + +<p> + A <em>local service</em> is a daemon that listens to incoming connections +on a Unix domain socket. Clients of the service are programs connecting to +this socket: the daemon performs operations on their behalf. +</p> + +<p> + The service is called <em>local</em> because it is not accessible to +clients from the network. +</p> + +<p> + A widely known example of a local service is the <tt>syslogd</tt> daemon. +On most implementations, it listens to the <tt>/dev/log</tt> socket. +Its clients connect to it and send their logs via the socket. The +<tt>openlog()</tt> function is just a wrapper arround the <tt>connect()</tt> +system call, the <tt>syslog()</tt> function a wrapper around <tt>write()</tt>, +and so on. +</p> + +<h2> Benefits </h2> + +<h3> Privileges </h3> + +<p> + The most important benefit of a local service is that it permits +<strong>controlled privilege gains without using setuid programs</strong>. +The daemon is run as user S; a client running as user C and connecting to +the daemon asks it to perform operations: those will be done as user S. +</p> + +<p> + Standard Unix permissions on the listening socket can be used to implement +some basic access control: to restrict access to clients belonging to group +G, change the socket to user S and group G, and give it 0420 permissions. +This is functionally equivalent to the basic access control for setuid +programs: a program having user S, group G and permissions 4750 will be +executable by group G and run with S rights. +</p> + +<p> + But modern systems implement the +<a href="http://www.superscript.com/ucspi-ipc/getpeereid.html">getpeereid()</a> +system call or library function. This function allows the server to know the +client's credentials: so fine-grained access control is possible. On those +systems, <strong>local services can do as much authentication as setuid programs, +in a much more controlled environment</strong>. +</p> + +<h3> fd-passing </h3> + +<p> + The most obvious difference between a local service and a network service +is that a local service does not serve network clients. But local services +have another nice perk: while network services usually only provide you +with a single channel (a TCP or UDP socket) of communication between the +client and the server, forcing you to multiplex your data into that +channel, local services allow you to have as many +communication channels as you want. +</p> + +<p> +(The SCTP transport layer provides a way for network services to use +several communication channels. Unfortunately, it is not widely deployed +yet, and a lot of network services still depend on TCP.) +</p> + +<p> + The <em>fd-passing</em> mechanism is Unix domain socket black magic +that allows one peer of the socket to send open file descriptors to +the other peer. So, if the server opens a pipe and sends one end of +this pipe to a client via this mechanism, there is effectively a +socket <em>and</em> a pipe between the client and the server. +</p> + +<h2> UCSPI </h2> + +<p> + The <a href="http://cr.yp.to/proto/ucspi.txt">UCSPI</a> protocol +is an easy way of abstracting clients and servers from the network. +A server written as a UCSPI server, just as it can be run +under inetd or s6-tcpserver, can be run under +<a href="s6-ipcserver.html">s6-ipcserver</a>: choose a socket +location and you have a local service. +</p> + +<p> + Fine-grained access control can be added by inserting +<a href="s6-ipcserver-access.html">s6-ipcserver-access</a> in +your server command line after s6-ipcserver. +</p> + +<p> + A client written as an UCSPI client, i.e. assuming it has descriptor +6 (resp. 7) open and reading from (resp. writing to) the server socket, +can be run under <a href="s6-ipcclient.html">s6-ipcclient</a>. +</p> + +<h2> Use in skarnet.org software </h2> + +<p> + skarnet.org libraries often use a separate process to handle +asynchronicity and background work in a way that's invisible to +the user. Among them are: +</p> + +<ul> + <li> <a href="http://skarnet.org/software/s6/s6-ftrigrd.html">s6-ftrigrd</a>, +managing the reception of notifications and only waking up the client process +when the notification pattern matches a regular expression. </li> + <li> <a href="http://skarnet.org/software/s6/libs6lock/s6lockd.html">s6lockd</a>, +handling time-constrained lock acquisition on client behalf. </li> + <li> <a href="http://skarnet.org/software/s6-dns/skadns/skadnsd.html">skadnsd</a>, +performing asynchronous DNS queries and only waking up the client process +when an answer arrives. </li> +</ul> + +<p> + Those processes are usually spawned from a client, via the corresponding +<tt>*_startf*()</tt> library call. But they can also be spawned from a +s6-ipcserver program in a local service configuration. In both cases, they +need an additional control channel to be passed from the server to +the client: the main socket is used for synchronous commands from the client +to the server and their answers, whereas the additional channel, which is +now implemented as a socket as well (but created by the server on-demand +and not bound to a local path), is used for asynchronous +notifications from the server to the client. The fd-passing mechanism +is used to transfer the additional channel from the server to the client. +</p> + +</body> +</html> diff --git a/doc/minidentd.html b/doc/minidentd.html new file mode 100644 index 0000000..e23fa86 --- /dev/null +++ b/doc/minidentd.html @@ -0,0 +1,83 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the minidentd program</title> + <meta name="Description" content="s6-networking: the minidentd program" /> + <meta name="Keywords" content="s6-networking minidentd identd ident server rfc 1413" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>minidentd</tt> program </h1> + +<p> +<tt>minidentd</tt> is a small +<a href="http://cr.yp.to/proto/ucspi.txt">UCSPI</a> server application +that answers IDENT requests. +</p> + +<h2> Interface </h2> + +<pre> + minidentd [ -v ] [ -n | -i | -r ] [ -y <em>file</em> ] [ -t <em>timeout</em> ] +</pre> + +<p> +<tt>minidentd</tt> reads a series of IDENT requests on stdin and answers +them on stdout. It logs what it's doing on stderr. The environment +variables <em>x</em>LOCALIP and <em>x</em>REMOTEIP, where <em>x</em> is +the value of the PROTO environment variable, must contain the IDENT +server address and the IDENT client address, respectively. +</p> + +<p> + minidentd exits 0 on success, 100 on a usage error and 111 on a system +call failure. +</p> + +<p> + minidentd does not contact the network directly. It's meant to +run under a superserver like +<a href="s6-tcpserver.html">s6-tcpserver</a>. minidentd will +work with IPv4 as well as IPv6. +</p> + +<h2> Options </h2> + +<ul> + <li> <tt>-v</tt> : verbose mode. Log queries and replies.. </li> + <li> <tt>-n</tt> : send ERROR : HIDDEN-USER replies if +the user has a <tt>.ident</tt> file in his home directory. </li> + <li> <tt>-i</tt> : user-defined answers. The first 14 chars of the +user's <tt>.ident</tt> file, up to EOF or newline, are used instead of +the user name. If the file exists and is empty, send +ERROR : HIDDEN-USER. If it doesn't exist, send a normal reply. </li> + <li> <tt>-r</tt> : send random replies. </li> + <li> <tt>-y <em>file</em></tt> : valid with <tt>-n</tt> or <tt>-i</tt>. +Use <em>file</em> instead of <tt>.ident</tt>. </li> + <li> <tt>-t <em>timeout</em></tt> : close connection after +<em>timeout</em> milliseconds without a client request. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> minidentd works only under Linux (2.2 or later); +on other systems, it will compile and run, but report an error for every +request. +The problem is that <em>there is no portable Unix way</em> of listing active +outgoing TCP connections with the relevant uids. On Linux, minidentd parses +the <tt>/proc/net/tcp</tt> or <tt>/proc/net/tcp6</tt> virtual file. Other +systems have their own way of doing this, if you want your system to be +supported by minidentd, please contact the author. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-accessrules-cdb-from-fs.html b/doc/s6-accessrules-cdb-from-fs.html new file mode 100644 index 0000000..26105b1 --- /dev/null +++ b/doc/s6-accessrules-cdb-from-fs.html @@ -0,0 +1,141 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-accessrules-cdb-from-fs program</title> + <meta name="Description" content="s6-networking: the s6-accessrules-cdb-from-fs program" /> + <meta name="Keywords" content="s6-networking s6-accessrules-cdb-from-fs tcp unix access control ipcrules tcprules cdb filesystem" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-accessrules-cdb-from-fs</tt> program </h1> + +<p> +<tt>s6-accessrules-cdb-from-fs</tt> compiles a directory +containing a ruleset suitable for +<a href="s6-ipcserver-access.html">s6-ipcserver-access<a> or +<a href="s6-tcpserver-access.html">s6-tcpserver-access<a> into a +<a href="http://en.wikipedia.org/wiki/Cdb_(software)">CDB file</a>. +</p> + +<h2> Interface </h2> + +<pre> + s6-accessrules-cdb-from-fs <em>cdbfile</em> <em>dir</em> +</pre> + +<ul> + <li> s6-accessrules-cdb-from-fs compiles the <em>dir</em> +directory containing a ruleset into a +<a href="http://en.wikipedia.org/wiki/Cdb_(software)">CDB file</a> +<em>cdbfile</em> then exits 0. </li> +</ul> + +<h2> Ruleset directory format </h2> + +<p> + To be understood by s6-accessrules-cdb-from-fs, +<a href="s6-ipcserver-access.html">s6-ipcserver-access<a>, or +<a href="s6-tcpserver-access.html">s6-tcpserver-access<a>, +<em>dir</em> must have a specific format. +</p> + +<p> + <em>dir</em> contains a series of directories: +</p> + +<ul> + <li> <tt>ip4</tt> for rules on IPv4 addresses </li> + <li> <tt>ip6</tt> for rules on IPv6 addresses </li> + <li> <tt>reversedns</tt> for rules on host names </li> + <li> <tt>uid</tt> for rules on user IDs </li> + <li> <tt>gid</tt> for rules on group IDs </li> +</ul> + +<p> +Depending on the application, other directories can appear in <em>dir</em> +and be compiled into <em>cdbfile</em>, but +<a href="s6-tcpserver-access.html">s6-tcpserver-access<a> only +uses the first three, and +<a href="s6-ipcserver-access.html">s6-ipcserver-access<a> only +uses the last two. +</p> + +<p> + Each of those directories contains a set of rules. A rule is +a subdirectory named after the set of keys it matches, and containing +actions that will be executed if the rule is the first matching rule +for the tested key. +</p> + +<p> + The syntax for the rule name is dependent on the nature of keys, and +fully documented on the +<a href="libs6net/accessrules.html">accessrules</a> +library page. For instance, a subdirectory named <tt>192.168.0.0_27</tt> +in the <tt>ip4</tt> directory will match every IPv4 address in the +192.168.0.0/27 network that does not match a more precise rule. +</p> + +<p> + The syntax for the actions, however, is the same for every type of key. +A rule subdirectory can contain the following elements: +</p> + +<ul> + <li> a file (that can be empty) named <tt>allow</tt>. If such a file exists, +a key matching this rule will be immediately accepted. </li> + <li> a file (that can be empty) named <tt>deny</tt>. If such a file exists and +no <tt>allow</tt> file exists, a key matching this rule will be immediately +denied. </li> + <li> a subdirectory named <tt>env</tt>. If such a directory exists along +with an <tt>allow</tt> file, then its contents represent environment +modifications that will be applied after accepting the connection and +before executing the next program in the chain, as if the +<a href="http://www.skarnet.org/software/s6/s6-envdir.html">s6-envdir</a> +program, without options, was applied to <tt>env</tt>. <tt>env</tt> +has exactly the same format as a directory suitable for s6-envdir; +however, if the modifications take up more than 4096 bytes when +compiled into <em>cdbfile</em>, then s6-accessrules-cdb-from-fs will +complain and exit 100. </li> + <li> a file named <tt>exec</tt>. If such a file exists along with an +<tt>allow</tt> file, then its contents represent a command line that, +interpreted by the +<a href="http://www.skarnet.org/software/execline/execlineb.html">execlineb</a> +launcher, will be executed after accepting the connection, totally bypassing the +original command line. s6-accessrules-cdb-from-fs truncates the <tt>exec</tt> +file to 4096 bytes max when embedding it into <em>cdbfile</em>, so make +sure it is not larger than that. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> <em>cdbfile</em> can exist prior to, and during, the compilation, +which actually works in a temporary file in the same directory as +<em>cdbfile</em> and performs an atomic replacement when it is done. +So it is not necessary to interrupt a running service during the +compilation. </li> + <li> If s6-accessrules-cdb-from-fs fails at some point, the temporary +file is removed. However, this doesn't happen if +s6-accessrules-cdb-from-fs is interrupted by a signal. </li> + <li> After the program successfully completes, if <em>dir</em> +was a suitable candidate for the <tt>-i</tt> option of +<a href="s6-ipcserver-access.html">s6-ipcserver-access</a> or +<a href="s6-tcpserver-access.html">s6-tcpserver-access</a>, then +<em>cdbfile</em> will be a suitable candidate for the <tt>-x</tt> option +of the same program, implementing the same ruleset. </li> + <li> <em>cdbfile</em> can be decompiled by the +<a href="s6-accessrules-fs-from-cdb.html">s6-accessrules-fs-from-cdb</a> +program. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-accessrules-fs-from-cdb.html b/doc/s6-accessrules-fs-from-cdb.html new file mode 100644 index 0000000..91ec98e --- /dev/null +++ b/doc/s6-accessrules-fs-from-cdb.html @@ -0,0 +1,60 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-accessrules-fs-from-cdb program</title> + <meta name="Description" content="s6-networking: the s6-accessrules-fs-from-cdb program" /> + <meta name="Keywords" content="s6-networking s6-accessrules-fs-from-cdb tcp unix access control ipcrules tcprules cdb filesystem" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-accessrules-fs-from-cdb</tt> program </h1> + +<p> +<tt>s6-accessrules-fs-from-cdb</tt> decompiles a CDB database +containing a ruleset suitable for +<a href="s6-ipcserver-access.html">s6-ipcserver-access<a> or +<a href="s6-tcpserver-access.html">s6-tcpserver-access<a> and +that has been compiled with +<a href="s6-accessrules-cdb-from-fs.html">s6-accessrules-cdb-from-fs<a>. +</p> + +<h2> Interface </h2> + +<pre> + s6-accessrules-fs-from-cdb <em>dir</em> <em>cdbfile</em> +</pre> + +<ul> + <li> s6-accessrules-fs-from-cdb decompiles the +<a href="http://en.wikipedia.org/wiki/Cdb_(software)">CDB file</a> +<em>cdbfile</em> into the directory <em>dir</em>, then exits 0. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> <em>dir</em> must not exist prior to the decompilation. </li> + <li> <em>dir</em> must be considered as a work in progress as long as +s6-accessrules-fs-from-cdb is running. It is only safe to use <em>dir</em> +as a ruleset once the program has exited. </li> + <li> If s6-accessrules-fs-from-cdb fails at some point, the partial +arborescence at <em>dir</em> is removed. However, this doesn't happen if +s6-accessrules-fs-from-cdb is interrupted by a signal. </li> + <li> After the program successfully completes, if <em>cdbfile</em> +was a suitable candidate for the <tt>-x</tt> option of +<a href="s6-ipcserver-access.html">s6-ipcserver-access</a> or +<a href="s6-tcpserver-access.html">s6-tcpserver-access</a>, then +<em>dir</em> will be a suitable candidate for the <tt>-i</tt> option +of the same program, implementing the same ruleset. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-clockadd.html b/doc/s6-clockadd.html new file mode 100644 index 0000000..a998cd1 --- /dev/null +++ b/doc/s6-clockadd.html @@ -0,0 +1,61 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-clockadd program</title> + <meta name="Description" content="s6-networking: the s6-clockadd program" /> + <meta name="Keywords" content="s6-networking s6-clockadd tai clock tai64 tai64n tai64na clockadd setting the system clock" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-clockadd</tt> program </h1> + +<p> +<tt>s6-clockadd</tt> adjusts the system clock depending on the input +provided by a time client. +</p> + +<h2> Interface </h2> + +<pre> + s6-taiclock <em>server</em> | s6-clockadd [ -f ] [ -e <em>errmax</em> ] +</pre> + +<ul> + <li> s6-clockadd reads its stdin, expecting input from a program such +<a href="s6-taiclock.html">s6-taiclock</a> or +<a href="s6-sntpclock.html">s6-sntpclock</a> (which get time from a +time server). </li> + <li> It sets the system clock so the system time becomes the one +given by the server. Then it exits 0. </li> +</ul> + +<h2> Options </h2> + +<ul> + <li> <tt>-f</tt> : force. Normally, s6-clockadd exits 1 if the +time discrepancy read from stdin is bigger than <em>errmax</em> +milliseconds. If this +option is set, it will print a warning message, but still set the +system time and exit 0. </li> + <li> <tt>-e <em>errmax</em></tt> : accept a maximum time +discrepancy of <em>errmax</em> milliseconds. By default, <em>errmax</em> +is 2000. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> s6-clockadd must be run as root. The client getting the time +from a time server, however, does not have to. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-clockview.html b/doc/s6-clockview.html new file mode 100644 index 0000000..58d8ac9 --- /dev/null +++ b/doc/s6-clockview.html @@ -0,0 +1,41 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-clockview program</title> + <meta name="Description" content="s6-networking: the s6-clockview program" /> + <meta name="Keywords" content="s6-networking s6-clockview tai clock tai64 tai64n tai64na clockview" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-clockview</tt> program </h1> + +<p> +<tt>s6-clockview</tt> prints the time discrepancy between the local +system clock and the time provided by a time server. +</p> + +<h2> Interface </h2> + +<pre> + s6-taiclock <em>server</em> | s6-clockview +</pre> + +<ul> + <li> s6-clockview reads its stdin, expecting input from a program such +<a href="s6-taiclock.html">s6-taiclock</a> or +<a href="s6-sntpclock.html">s6-sntpclock</a> (which get time from a +time server). </li> + <li> It prints the local system time, and the time given by the +server, in human-readable form, then exits 0. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-connlimit.html b/doc/s6-connlimit.html new file mode 100644 index 0000000..f0422e6 --- /dev/null +++ b/doc/s6-connlimit.html @@ -0,0 +1,96 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-connlimit program</title> + <meta name="Description" content="s6-networking: the s6-connlimit program" /> + <meta name="Keywords" content="s6-networking connection limit s6-connlimit" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-connlimit</tt> program </h1> + +<p> +<tt>s6-connlimit</tt> is a small utility to perform IP-based +control on the number of client connections to a TCP socket, and +uid-based control on the number of client connections to a Unix +domain socket. +</p> + +<h2> Interface </h2> + +<pre> + s6-connlimit <em>prog...</em> +</pre> + +<ul> + <li> <tt>s6-connlimit</tt> reads its environment for the PROTO +environment variable, and then for ${PROTO}CONNNUM and ${PROTO}CONNMAX, +which must contain integers. </li> + <li> If the value of ${PROTO}CONNNUM is superior or equal to the value +of ${PROTO}CONNMAX, s6-connlimit exits 1 with an error message. </li> + <li> Else it execs into <em>prog...</em>. </li> + <li> If ${PROTO}CONNMAX is unset, s6-connlimit directly execs into +<em>prog...</em> without performing any check: +no maximum number of connection has been defined. </li> +</ul> + +<h2> Usage </h2> + +<p> + The <a href="s6-tcpserver4.html">s6-tcpserver4</a> and +<a href="s6-tcpserver6.html">s6-tcpserver6</a> define the PROTO environment +variable to "TCP", and spawn every child server with the TCPCONNNUM environment +variable set to the number of connections from the same IP address. + The <a href="s6-tcpserver-access.html">s6-tcpserver-access</a> program +can set environment variables depending on the client's IP address. If the +s6-tcpserver-access database is configured to set the TCPCONNMAX environment +variable for a given set of IP addresses, and s6-tcpserver-access execs into +s6-connlimit, then s6-connlimit will drop connections if there already are +${TCPCONNMAX} connections from the same client IP address. +</p> + +<p> + The <a href="s6-ipcserver.html">s6-ipcserver</a> and +<a href="s6-ipcserver-access.html">s6-ipcserver-access</a> programs can +be used the same way, with "IPC" instead of "TCP", to limit the number +of client connections by UID. +</p> + +<h2> Example </h2> + +<p> + The following command line: +</p> + +<pre> + s6-tcpserver4 -v2 -c1000 -C40 1.2.3.4 80 \ + s6-tcpserver-access -v2 -RHl0 -i <em>dir</em> \ + s6-connlimit \ + <em>prog...</em> +</pre> + +<p> + will run a server listening to IPv4 address 1.2.3.4, on port 80, +serving up to 1000 concurrent connections, and up to 40 concurrent +connections from the same IP address, no matter what the IP address. +For every client connection, it will look up the database set up +in <em>dir</em>; if the connection is accepted, it will run <em>prog...</em>. +</p> + +<p> + If the <tt><em>dir</em>/ip4/5.6.7.8_32/env/TCPCONNMAX</tt> file +exists and contains the string <tt>30</tt>, then at most 30 concurrent +connections from 5.6.7.8 will execute <em>prog...</em>, instead of the +default of 40. +</p> + +</body> +</html> diff --git a/doc/s6-getservbyname.html b/doc/s6-getservbyname.html new file mode 100644 index 0000000..29a8235 --- /dev/null +++ b/doc/s6-getservbyname.html @@ -0,0 +1,48 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-getservbyname program</title> + <meta name="Description" content="s6-networking: the s6-getservbyname program" /> + <meta name="Keywords" content="s6-networking s6-getservbyname getservbyname" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-getservbyname</tt> program </h1> + +<p> +<tt>s6-getservbyname</tt> is a simple command-line interface to the +<a href="http://pubs.opengroup.org/onlinepubs/9699919799/functions/getservbyname.html">getservbyname()</a> +function, converting a service name and protocole into a port number. +</p> + +<h2> Interface </h2> + +<pre> + s6-getservbyname <em>name</em> <em>proto</em> +</pre> + +<ul> + <li> <tt>s6-getservbyname</tt> looks up the network services database +for an entry containing name <em>name</em> and protocol <em>proto</em>. </li> + <li> It prints the corresponding port number to stdout, then exits 0. </li> + <li> If it cannot find a related entry, it exits 1. </li> +</ul> + +<h2> Example </h2> + +<p> + On a standard machine with a correct <tt>/etc/services</tt> file and +a non-garbled NSS configuration: + <tt>s6-getservbyname smtp tcp</tt> prints 25. +</p> + +</body> +</html> diff --git a/doc/s6-ident-client.html b/doc/s6-ident-client.html new file mode 100644 index 0000000..fb7b0bf --- /dev/null +++ b/doc/s6-ident-client.html @@ -0,0 +1,52 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-ident-client program</title> + <meta name="Description" content="s6-networking: the s6-ident-client program" /> + <meta name="Keywords" content="s6-networking minidentd identd ident client rfc 1413" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-ident-client</tt> program </h1> + +<p> +<tt>s6-ident-client</tt> is a command-line client application that +performs IDENT (RFC 1413) queries. +</p> + +<h2> Interface </h2> + +<pre> + s6-ident-client [ -t <em>millisecs</em> ] <em>remoteaddr</em> <em>remoteport</em> <em>localaddr</em> <em>localport</em> +</pre> + +<ul> + <li> s6-ident-client contacts the IDENT server on address <em>remoteaddr</em> +port 113 and asks it about the connection from address <em>remoteaddr</em> +port <em>remoteport</em> to address <em>localaddr</em> port <em>localport</em>. </li> + <li> It prints the answer to stdout. </li> + <li> It exits 0 if the answer is positive or 1 if the answer is negative, +in which case it also prints an informative message to stderr. </li> + <li> <em>remoteaddr</em> and <em>localaddr</em> can be either IPv4 +or IPv6 addresses; however, they must both be of the same type. </li> +</ul> + +<h2> Options </h2> + +<ul> + <li> <tt>-t <em>millisecs</em></tt> : if no answer has been +obtained within <em>millisecs</em> milliseconds, s6-ident-client will +exit 99 with an error message. By default, <em>millisecs</em> is 0, +which means no time limit. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-ioconnect.html b/doc/s6-ioconnect.html new file mode 100644 index 0000000..5e2b6c6 --- /dev/null +++ b/doc/s6-ioconnect.html @@ -0,0 +1,84 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-ioconnect program</title> + <meta name="Description" content="s6-networking: the s6-ioconnect program" /> + <meta name="Keywords" content="s6-networking ioconnect ucspi tcpconnect ipcconnect" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-ioconnect</tt> program </h1> + +<p> +<tt>s6-ioconnect</tt> performs full-duplex data transmission +between two sets of open file descriptors. +</p> + +<h2> Interface </h2> + +<pre> + s6-ioconnect [ -t <em>millisecs</em> ] [ -r <em>fdr</em> ] [ -w <em>fdw</em> ] [ -0 ] [ -1 ] [ -6 ] [ -7 ] +</pre> + +<ul> + <li> s6-ioconnect reads data from its stdin and writes it as is to +file descriptor 7, which is assumed to be open. </li> + <li> It also reads data from its file descriptor 6, which is assumed +to be open, and writes it as is to its stdout. </li> + <li> When both sides have transmitted EOF and s6-ioconnect has +flushed its buffers, it exits 0. </li> +</ul> + +<h2> Options </h2> + +<ul> + <li> <tt>-t <em>millisecs</em></tt> : if no activity on +either side happens for <em>millisecs</em> milliseconds, s6-ioconnect +closes the connection on both ends and exits 1. By default, +<em>millisecs</em> is 0, which means no such timeout. </li> + <li> <tt>-r <em>fdr</em></tt> : Use fd <em>fdr</em> for +"remote" reading instead of fd 6. </li> + <li> <tt>-w <em>fdw</em></tt> : Use fd <em>fdw</em> for +"remote" writing instead of fd 7. </li> + <li> <tt>-0</tt>: assume stdin is a socket and needs to be shut down +for reading after an EOF. </li> + <li> <tt>-1</tt>: assume stdout is a socket and needs to be shut down +for writing to correctly transmit an EOF. </li> + <li> <tt>-6</tt>: assume the remote reading fd is a socket and needs to be shut down +for reading after an EOF. </li> + <li> <tt>-7</tt>: assume the remote writing fd is a socket and needs to be shut down +for writing to correctly transmit an EOF. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> Transmitting EOF across full-duplex sockets +<a href="http://cr.yp.to/tcpip/twofd.html">is ugly</a>. The right thing +in every case cannot be automatically determined, so it is up to the user +to mention that a socket must be shut down. Most of the time, though, +shutting down sockets after EOF <em>is</em> the right thing to do, so +<tt>s6-ioconnect -67</tt> should be the common use case. </li> + <li> The point of s6-ioconnect is to be used together with +<a href="s6-tcpclient.html">s6-tcpclient</a> or +<a href="s6-ipcclient.html">s6-ipcclient</a> to establish a full- +duplex connection between the client and the server, for instance +for testing purposes. <tt>s6-ioconnect</tt> is to s6-tcpclient as +<tt>cat</tt> is to s6-tcpserver: a program that will just echo +what it gets. </li> + <li> On modern Linux systems, s6-ioconnect will perform zero-copy +data transmission, via the +<a href="http://man7.org/linux/man-pages/man2/splice.2.html">splice</a> +system call. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-ipcclient.html b/doc/s6-ipcclient.html new file mode 100644 index 0000000..2bb66aa --- /dev/null +++ b/doc/s6-ipcclient.html @@ -0,0 +1,65 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-ipcclient program</title> + <meta name="Description" content="s6-networking: the s6-ipcclient program" /> + <meta name="Keywords" content="s6-networking s6-ipcclient ipcclient ucspi unix client" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-ipcclient</tt> program </h1> + +<p> +<tt>s6-ipcclient</tt> is an +<a href="http://cr.yp.to/proto/ucspi.txt">UCSPI client tool</a> for +Unix domain sockets. It connects to a socket, then executes into +a program. +</p> + +<h2> Interface </h2> + +<pre> + s6-ipcclient [ -q | -Q | -v ] [ -p bindpath ] [ -l localname ] <em>path</em> <em>prog...</em> +</pre> + +<ul> + <li> s6-ipcclient connects to a Unix domain socket on <em>path</em>. </li> + <li> It executes into <em>prog...</em> with descriptor 6 reading from +the socket and descriptor 7 writing to it. </li> +</ul> + +<h2> Environment variables </h2> + +<p> + <em>prog...</em> is run with +the following variables set: +</p> + +<ul> + <li> PROTO: always set to IPC </li> + <li> IPCLOCALPATH: set to the path associated with the local socket, +if any. Be aware that it may contain arbitrary characters. </li> +</ul> + +<h2> Options </h2> + +<ul> + <li> <tt>-q</tt> : be quiet. </li> + <li> <tt>-Q</tt> : be normally verbose. This is the default. </li> + <li> <tt>-v</tt> : be verbose. </li> + <li> <tt>-p <em>localpath</em></tt> : bind the local +socket to <em>localpath</em> before connecting to <em>path</em>. </li> + <li> <tt>-l <em>localname</em></tt> : use <em>localname</em> +as the value of the IPCLOCALPATH environment variable. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-ipcserver-access.html b/doc/s6-ipcserver-access.html new file mode 100644 index 0000000..817425b --- /dev/null +++ b/doc/s6-ipcserver-access.html @@ -0,0 +1,172 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-ipcserver-access program</title> + <meta name="Description" content="s6-networking: the s6-ipcserver-access program" /> + <meta name="Keywords" content="s6-networking s6-tcpserver-access unix access control ipcrules" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-ipcserver-access</tt> program </h1> + +<p> +<tt>s6-ipcserver-access</tt> is a command-line access +control tool for Unix domain sockets on systems where the +<a href="http://www.superscript.com/ucspi-ipc/getpeereid.html">getpeereid()</a> system call can be implemented. +It is meant to be run after +<a href="s6-ipcserver.html">s6-ipcserver</a> and before +the application program on the s6-ipcserver command line. +</p> + +<h2> Interface </h2> + +<pre> + s6-ipcserver-access [ -v <em>verbosity</em> ] [ -E | -e ] [ -l <em>localname</em> ] [ -i <em>rulesdir</em> | -x <em>rulesfile</em> ] <em>prog...</em> +</pre> + +<ul> + <li> s6-ipcserver-access checks it is run under a UCSPI server tool +such as <a href="s6-ipcserver.html">s6-ipcserver</a>. + <li> It checks that the remote end of the connection fits the +accepted criteria defined by the database contained in <em>rulesdir</em> +or <em>rulesfile</em>. If the database tells it to reject the connection, +the program exits 1. </li> + <li> It sets up a few additional environment variables. </li> + <li> It executes into <em>prog...</em>, +unless the first matching rule in the rule database +includes instructions to override <em>prog...</em>. </li> +</ul> + +<h2> Environment variables </h2> + +<p> +s6-ipcserver-access expects to inherit some environment variables from +its parent: +</p> + +<ul> + <li> PROTO: normally IPC, but could be anything else, like UNIX. </li> + <li> ${PROTO}REMOTEEUID: the effective UID of the client program connecting to the socket. </li> + <li> ${PROTO}REMOTEEGID: the effective GID of the client program connecting to the socket. </li> +</ul> + +<p> + Additionally, it exports the following variables before executing into +<em>prog...</em>: +</p> + +<ul> + <li> ${PROTO}LOCALPATH: set to the local "address" of the socket, as +reported by the +<a href="http://pubs.opengroup.org/onlinepubs/9699919799/functions/getsockname.html">getsockname()</a> +system call, truncated to 99 characters max. </li> +</ul> + +<p> + Also, the access rules database can instruct s6-ipcserver-access to set +up, or unset, more environment variables, depending on the client address. +</p> + +<h2> Options </h2> + +<ul> + <li> <tt>-v <em>verbosity</em></tt> : be more or less verbose, i.e. +print more or less information to stderr: + <ul> + <li> 0: only log error messages. </li> + <li> 1: only log error and warning messages, and accepted connections. +This is the default. </li> + <li> 2: also log rejected connections and more warning messages. </li> + </ul> </li> + <li> <tt>-E</tt> : no environment. All environment variables potentially +set by s6-ipcserver-access, as well as those set by +<a href="s6-ipcserver.html">s6-ipcserver</a>, will be unset instead. </li> + <li> <tt>-e</tt> : set up environment variables normally. +This is the default. </li> + <li> <tt>-l <em>localname</em></tt> : use <em>localname</em> +as the value for the ${PROTO}LOCALPATH environment variable, instead of +looking it up via getsockname(). </li> + <li> <tt>-i <em>rulesdir</em></tt> : check client credentials +against a filesystem-based database in the <em>rulesdir</em> directory. </li> + <li> <tt>-x <em>rulesfile</em></tt> : check client credentials +against a <a href="http://en.wikipedia.org/wiki/Cdb_(software)">cdb</a> +database in the <em>rulesfile</em> file. <tt>-i</tt> and <tt>-x</tt> are +mutually exclusive. If none of those options is given, no credential checking will be +performed, and a warning will be emitted on every connection if +<em>verbosity</em> is 2 or more. </li> +</ul> + +<h2> Access rule checking </h2> + +<p> + s6-ipcserver-access checks its client connection against +a ruleset. This ruleset can be implemented: +</p> + +<ul> + <li> either in the filesystem as an arborescence of directories and files, +if the <tt>-i</tt> option has been given. This option is the most flexible +one: the directory format is simple enough for scripts to understand and +modify it, and the ruleset can be changed dynamically. This is practical, +for instance, for roaming users. </li> +<li> or in a <a href="http://en.wikipedia.org/wiki/Cdb_(software)">CDB +file</a>, if the <tt>-x</tt> option has been given. This option is the most +efficient one if the ruleset is static enough: a lot less system calls are +needed to perform searches in a CDB than in the filesystem. </li> +</ul> + +<p> + The exact format of the ruleset is described on the +<a href="s6-accessrules-cdb-from-fs.html">s6-accessrules-cdb-from-fs</a> page. +</p> + +<p> +s6-ipcserver-access first reads the client UID <em>uid</em> and +GID <em>gid</em> from the +${PROTO}REMOTEEUID and ${PROTO}REMOTEEGID environment variables, and checks +them with the +<a href="libs6net/accessrules.html#uidgid">s6net_accessrules_keycheck_uidgid()</a> +function. In other words, it tries to match: + +<ul> + <li> <tt>uid/</tt><em>uid</em> </li> + <li> <tt>gid/</tt><em>gid</em> </li> + <li> <tt>uid/default</tt> </li> +</ul> + +<p> + in that order. If no S6NET_ACCESSRULES_ALLOW result can be obtained, +the connection is denied. +</p> + +<h2> Environment and executable modifications </h2> + +<p> + s6-ipcserver-access interprets non-empty <tt>env</tt> subdirectories +and <tt>exec</tt> files +it finds in the first matching rule of the ruleset, as explained +in the <a href="s6-accessrules-cdb-from-fs.html">s6-accessrules-cdb-from-fs</a> +page. +</p> + +<ul> + <li> An <tt>env</tt> subdirectory is interpreted as if the +<a href="http://skarnet.org/software/s6/s6-envdir.html">s6-envdir</a> +command had been called before executing <em>prog</em>: the environment +is modified according to the contents of <tt>env</tt>. </li> + <li> An <tt>exec</tt> file containing <em>newprog</em> completely +bypasses the rest of s6-ipcserver-access' command line. After +environment modifications, if any, s6-ipcserver-access execs into +<tt><a href="http://skarnet.org/software/execline/execlineb.html">execlineb</a> -c <em>newprog</em></tt>. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-ipcserver.html b/doc/s6-ipcserver.html new file mode 100644 index 0000000..331b139 --- /dev/null +++ b/doc/s6-ipcserver.html @@ -0,0 +1,148 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-ipcserver program</title> + <meta name="Description" content="s6-networking: the s6-ipcserver program" /> + <meta name="Keywords" content="s6-networking s6-ipcserver ipcserver ucspi unix server super-server" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-ipcserver</tt> program </h1> + +<p> +<tt>s6-ipcserver</tt> is an +<a href="http://cr.yp.to/proto/ucspi.txt">UCSPI server tool</a> for +Unix domain sockets, i.e. a super-server. +It accepts connections from clients, and forks a +program to handle each connection. +</p> + +<h2> Interface </h2> + +<pre> + s6-ipcserver [ -1 ] [ -q | -Q | -v ] [ -d | -D ] [ -P | -p ] [ -c <em>maxconn</em> ] [ -C <em>localmaxconn</em> ] [ -b <em>backlog</em> ] [ -G <em>gidlist</em> ] [ -g <em>gid</em> ] [ -u <em>uid</em> ] [ -U ] <em>path</em> <em>prog...</em> +</pre> + +<ul> + <li> s6-ipcserver binds to a Unix domain socket on <em>path</em>. </li> + <li> It closes its stdin and stdout. </li> + <li> For every client connection to this socket, it +forks. The child sets some environment variables, then +executes <em>prog...</em> with stdin reading from the socket and +stdout writing to it. </li> + <li> Depending on the verbosity level, it logs what it does to stderr. </li> + <li> It runs until killed by a signal. Depending on the received +signal, it may kill its children before exiting. </li> +</ul> + +<h2> Environment variables </h2> + +<p> + For each connection, an instance of <em>prog...</em> is spawned with +the following variables set: +</p> + +<ul> + <li> PROTO: always set to IPC </li> + <li> IPCREMOTEEUID: set to the effective UID of the client, +unless credentials lookups have been disabled </li> + <li> IPCREMOTEEGID: set to the effective GID of the client, +unless credentials lookups have been disabled </li> + <li> IPCREMOTEPATH: set to the path associated with the remote socket, +if any. Be aware that it may contain arbitrary characters. </li> + <li> IPCCONNNUM: set to the number of connections originating from +the same user (i.e. same uid) </li> +</ul> + +<p> + If client credentials lookup has been disabled, IPCREMOTEEUID and +IPCREMOTEEUID will be set, but empty. +</p> + + +<h2> Options </h2> + +<ul> + <li> <tt>-1</tt> : write <em>path</em>, followed by a newline, +to stdout, before +closing it, right after binding and listening to the Unix socket. +If stdout is suitably redirected, this can be used by monitoring +programs to check when the server is ready to accept connections. </li> + <li> <tt>-q</tt> : be quiet. </li> + <li> <tt>-Q</tt> : be normally verbose. This is the default. </li> + <li> <tt>-v</tt> : be verbose. </li> + <li> <tt>-d</tt> : allow instant rebinding to the same path +even if it has been used not long ago - this is the SO_REUSEADDR flag to +<a href="http://pubs.opengroup.org/onlinepubs/9699919799/functions/setsockopt.html">setsockopt()</a> +and is generally used with server programs. This is the default. Note that +<em>path</em> will be deleted if it already exists at program start time. </li> + <li> <tt>-D</tt> : disallow instant rebinding to the same path. </li> + <li> <tt>-P</tt> : disable client credentials lookups. The +IPCREMOTEEUID and IPCREMOTEEGID environment variables will be unset +in every instance of <em>prog...</em>. This is the portable option, +because not every system supports credential lookup across Unix domain +sockets; but it is not as secure. </li> + <li> <tt>-p</tt> : enable client credentials lookups. This +is the default; it works at least on Linux, Solaris, and +*BSD systems. On systems that do not support it, every connection +attempt will fail with a warning message. </li> + <li> <tt>-c <em>maxconn</em></tt> : accept at most +<em>maxconn</em> concurrent connections. Default is 40. It is +impossible to set it higher than 1000. </li> + <li> <tt>-C <em>localmaxconn</em></tt> : accept at most +<em>localmaxconn</em> connections from the same user ID. +Default is 40. It is impossible to set it higher than <em>maxconn</em>. </li> + <li> <tt>-b <em>backlog</em></tt> : set a maximum of +<em>backlog</em> backlog connections on the socket. Extra +connection attempts will rejected by the kernel. </li> + <li> <tt>-G <em>gidlist</em></tt> : change s6-ipcserver's +supplementary group list to <em>gidlist</em> after binding the socket. +This is only valid when run as root. <em>gidlist</em> must be a +comma-separated list of numerical group IDs. </li> + <li> <tt>-g <em>gid</em></tt> : change s6-ipcserver's groupid +to <em>gid</em> after binding the socket. This is only valid when run +as root. </li> + <li> <tt>-u <em>uid</em></tt> : change s6-ipcserver's userid +to <em>uid</em> after binding the socket. This is only valid when run +as root. </li> + <li> <tt>-U</tt> : change s6-ipcserver's user id, group id and +supplementary group list +according to the values of the UID, GID and GIDLIST environment variables +after binding the socket. This is only valid when run as root. +This can be used with the +<a href="http://skarnet.org/software/s6/s6-envuidgid.html">s6-envuidgid</a> +program to easily script a service that binds to a privileged socket +then drops its privileges to those of a named non-root account. </li> +</ul> + +<h2> Signals </h2> + +<ul> + <li> SIGTERM: exit. </li> + <li> SIGHUP: send a SIGTERM and a SIGCONT to all children. </li> + <li> SIGQUIT: send a SIGTERM and a SIGCONT to all children, then exit. </li> + <li> SIGABRT: send a SIGKILL to all children, then exit. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> Unlike his close cousin +<a href="http://www.superscript.com/ucspi-ipc/ipcserver.html">ipcserver</a>, +s6-ipcserver does not perform operations such as access control. Those are +delegated to the +<a href="s6-ipcserver-access.html">s6-ipcserver-access</a> program. </li> + <li> s6-ipcserver can be used to set up +<a href="localservice.html">local services</a>. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-sntpclock.html b/doc/s6-sntpclock.html new file mode 100644 index 0000000..0d4c45b --- /dev/null +++ b/doc/s6-sntpclock.html @@ -0,0 +1,166 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-sntpclock program</title> + <meta name="Description" content="s6-networking: the s6-sntpclock program" /> + <meta name="Keywords" content="s6-networking s6-sntpclock sntp clock sntpv4 client" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-sntpclock</tt> program </h1> + +<p> +<tt>s6-sntpclock</tt> is a small SNTP client. It connects to a +SNTP or NTP server, computes an estimated discrepancy between the +local clock time and the absolute time given by the server, and +outputs it on stdout. +</p> + +<h2> Interface </h2> + +<pre> + s6-sntpclock [ -f ] [ -v <em>verbosity</em> ] [ -r <em>roundtrips</em> ] [ -t <em>triptimeout</em> ] [ -h <em>throttle</em> ] [ -T <em>totaltimeout</em> ] [ -e <em>errmax</em> ] [ -p <em>port</em> ] <em>ipaddress</em> | s6-clockview +</pre> + +<ul> + <li> s6-sntpclock exchanges SNTPv4 messages with a SNTP server +listening on <em>ipaddress</em>, UDP port 123. +<em>ipaddress</em> can be IPv4 or IPv6. </li> + <li> It computes the mean difference between the absolute time +given by the system clock and the one given by the server. </li> + <li> It prints the difference to stdout in a format understood +by <a href="s6-clockadd">s6-clockadd</a> and +<a href="s6-clockview">s6-clockview</a>. It then exits 0. </li> +</ul> + +<h2> Options </h2> + +<ul> + <li> <tt>-f</tt> : force. Normally, s6-sntpclock exits 111 if it cannot +compute a time with a smaller uncertainty than <em>errmax</em>. If this +option is set, it will output a time difference and exit 0 even if the +error is too big. </li> + <li> <tt>-v <em>verbosity</em></tt> : be more or less verbose. +By default, <em>verbosity</em> is 1. 0 means only print fatal error +messages; 3 means trace every exchange with the server. </li> + <li> <tt>-r <em>roundtrips</em></tt> : perform <em>roundtrips</em> +exchanges with the server. By default, <em>roundtrip</em> is 10. A lower +value yields a higher time uncertainty; a higher value puts more load on +the server. </li> + <li> <tt>-t <em>triptimeout</em></tt> : if a SNTP exchange with +the server takes more than <em>triptimeout</em> milliseconds, abort this +exchange and move on to the next one. By default, <em>triptimeout</em> +is 2000. </li> + <li> <tt>-h <em>throttle</em></tt> : wait <em>throttle</em> +milliseconds between exchanges with the server. A lower value gets the +final result earlier, but exerts more load on the server. A higher +value puts a lighter load on the server, but delays the computation. +By default, <em>throttle</em> is 0. It is recommended to set it to a +reasonable nonzero value when increasing <em>roundtrips</em>. </li> + <li> <tt>-T <em>totaltimeout</em></tt> : if the whole +operation takes more than <em>totaltimeout</em> milliseconds, abort +and exit 1. By default, <em>totaltimeout</em> is 10000. </li> + <li> <tt>-e <em>errmax</em></tt> : accept a maximum time +uncertainty of <em>errmax</em> milliseconds. By default, <em>errmax</em> +is 100. </li> + <li> <tt>-p <em>port</em></tt> : contact a server on port +<em>port</em>. By default, <em>port</em> is 123. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> There are a lot of infelicities in the NTP protocol (which SNTP is +a subset of). The biggest offender is probably that NTP cannot handle +a time difference of more than 34 years: if the time given by the NTP +server is more than 34 years away from the time given by the system clock, +then NTP just cannot compute. This is a problem for CMOS-less systems, +where the system clock is initialized to the Unix Epoch. The solution +is to first manually initialize the system clock with a program such as +<a href="http://pubs.opengroup.org/onlinepubs/9699919799/utilities/date.html">date</a> or +<a href="http://skarnet.org/software/s6-portable-utils/s6-clock.html">s6-clock</a> +to a closer time (such as 2013-01-01, which will be good up to 2047), then +contact the NTP server. </li> + <li> A less obvious problem with NTP is that it works with UTC time, +which means that it gives inaccurate results when close to a leap second, +up to one second off when used during a leap second, and this +is bound to the use of UTC: there is nothing you can do about it. The +only solution to get reliable results even around a leap second is to +use linear time such as TAI; the +<a href="s6-taiclock.html">s6-taiclock</a> and +<a href="s6-taiclockd.html">s6-taiclockd</a> programs provide tools to +do so. </li> +</ul> + +<a name="ntpd" /> +<h2> A word on ntpd </h2> + +<p> + From a Unix software engineering standpoint, the well-known +<a href="http://doc.ntp.org/4.1.0/ntpd.htm">ntpd</a> program is an +eldritch abomination. The main reason for it is that, just like its +lovely cousin <a href="http://www.isc.org/downloads/bind/">BIND</a>, +ntpd performs a lot of different tasks in a unique process, instead +of separating what could, and should, be separated. This is confusing +for both the programmer <em>and</em> the software user. +</p> + +<ul> + <li> The term "NTP server" means two different things: + <ul> + <li> A program that serves NTP time to the Internet and can be +accessed by NTP clients. </li> + <li> A daemon, i.e. a long-lived process, that runs on a machine +and handles NTP-related stuff such as keeping the system clock accurate. </li> + </ul> + The former is the real meaning of "NTP server". The latter is a common +usage for the term, but comes from a misuse of "server" to mean "daemon". +ntpd does not help clear the misunderstanding since it does both. It acts +as an NTP server, <em>and</em> as an NTP client getting its time from +lower-strata NTP servers, <em>and</em> as a local system clock management +daemon. Those are already 3 separate tasks. </li> + <li> Local system clock management itself involves several duties. There +is the regular setting of the system clock, which can be done with +a loop over a simple program such as <a href="s6-clockadd.html">s6-clockadd</a>. +There is also control of the clock skew, which s6-networking does not +provide because there is no portable interface for that; there is such a tool +in the <a href="http://cr.yp.to/clockspeed.html">clockspeed</a> package. </li> + <li> ntpd includes a complete cryptographic key management system for the +crypto part of NTP. NTP is not the only protocol that uses cryptography +and asymmetric keys; managing keys in a separate tool, not in the NTP +daemon itself, would be simpler and smarter. </li> + <li> ntpd provides monitoring support for client and server timekeeping +performance. This would be best implemented as a separate specific log +analyzing tool. </li> +</ul> + +<p> + And of course, no matter how many layers of complexity you add onto +ntpd, it will never be able to give accurate time in the vicinity of a +leap second, since the very <em>protocol</em> is flawed by design - but +the ntpd authors cannot be blamed for that. Also, the ntpd +<em>writers</em>, not the designers, should be praised: the history of +ntpd security flaws is remarkably small, which is quite a feat for a +huge monolithic root daemon. +</p> + +<p> + Network synchronization is important, NTP has its perks and +valid use cases, and its existence is a good thing. However, I wish that +the main NTP implementation weren't written as a big fat clumsy process +running as root. s6-sntpclock together with +<a href="s6-clockadd.html">s6-clockadd</a> aims to provide a small, simple +tool to keep system clocks, especially in embedded devices, synchronized +to a NTP server. +</p> + +</body> +</html> diff --git a/doc/s6-sudo.html b/doc/s6-sudo.html new file mode 100644 index 0000000..603ad8a --- /dev/null +++ b/doc/s6-sudo.html @@ -0,0 +1,59 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-sudo program</title> + <meta name="Description" content="s6-networking: the s6-sudo program" /> + <meta name="Keywords" content="s6-networking s6-sudo sudo setuid suid unix privilege gain getpeereid" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-sudo</tt> program </h1> + +<p> +<tt>s6-sudo</tt> connects to a Unix domain socket and passes +its standard file descriptors, command-line arguments and +environment to a program running on the server side, potentially +with different privileges. +</p> + +<h2> Interface </h2> + +<pre> + s6-sudo [ -q | -Q | -v ] [ -p <em>bindpath</em> ] [ -l <em>localname</em> ] [ -e ] [ -t <em>timeoutconn</em> ] [ -T <em>timeoutrun</em> ] <em>path</em> [ <em>args...</em> ] +</pre> + +<ul> + <li> s6-sudo executes into <tt><a href="s6-ipcclient.html">s6-ipcclient</a> <em>path</em> +<a href="s6-sudoc.html">s6-sudoc</a> args...</tt> It does nothing else: it is just a +convenience program. The <a href="s6-ipcclient.html">s6-ipcclient</a> program connects +to a Unix socket at <em>path</em>, and the +<a href="s6-sudoc.html">s6-sudoc program</a> transmits the desired elements over the +socket. </li> + <li> It should be used to connect to a +<a href="localservice.html">local service</a> running the +<a href="s6-sudod.html">s6-sudod</a> program, which will run a server program on the +client's behalf. </li> +</ul> + +<h2> Options </h2> + +<ul> + <li> The <tt>-q</tt>, <tt>-Q</tt>, <tt>-v</tt>, <tt>-p</tt> and </tt>-l</tt> +options are passed to <a href="s6-ipcclient.html">s6-ipcclient</a>. </li> + <li> The <tt>-e</tt>, <tt>-t</tt> and <tt>-T</tt> options are passed to +<a href="s6-sudoc.html">s6-sudoc</a>. </li> + <li> Command-line arguments, if any, are also passed to +<a href="s6-sudoc.html">s6-sudoc</a>, which will transmit them to +<a href="s6-sudod.html">s6-sudod</a> over the socket. +</ul> + +</body> +</html> diff --git a/doc/s6-sudoc.html b/doc/s6-sudoc.html new file mode 100644 index 0000000..0ca9918 --- /dev/null +++ b/doc/s6-sudoc.html @@ -0,0 +1,80 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-sudoc program</title> + <meta name="Description" content="s6-networking: the s6-sudoc program" /> + <meta name="Keywords" content="s6-networking s6-sudoc sudo setuid suid unix privilege gain getpeereid client" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-sudoc</tt> program </h1> + +<p> +<tt>s6-sudoc</tt> talks to a peer <a href="s6-sudod.html">s6-sudod</a> +program over a Unix socket, passing it command-line arguments, environment +variables and standard descriptors. +</p> + +<h2> Interface </h2> + +<pre> + s6-sudoc [ -e ] [ -t <em>timeoutconn</em> ] [ -T <em>timeoutrun</em> ] [ <em>args...</em> ] +</pre> + +<ul> + <li> s6-sudoc transmits its standard input, standard output and standard error +via fd-passing over a Unix socket that must be open on its descriptors 6 and 7. + It expects a <a href="s6-sudod.html">s6-sudod</a> process to be receiving them +on the other side. </li> +<li> It also transmits its command-line arguments <em>args</em>, and also its +environment by default. Note that s6-sudod will not necessarily accept all the +environment variables that s6-sudoc tries to transmit. </li> + <li> s6-sudoc waits for the server program run by s6-sudod to finish. It exits +the same exit code as the server program. If the server program is killed by a +signal, s6-sudoc kills itself with the same signal. </li> +</ul> + +<h2> Options </h2> + +<ul> + <li> <tt>-e</tt> : do not attempt to transmit any environment variables +to <a href="s6-sudod.html">s6-sudod</a>. </li> + <li> <tt>-t <em>timeoutconn</em></tt> : if s6-sudod has not +managed to process the given information and start the server program after +<em>timeoutconn</em> milliseconds, give up. By default, <em>timeoutconn</em> +is 0, meaning infinite. Note that there is no reason to set up a nonzero +<em>timeoutconn</em> with a large value: s6-sudod is not supposed to block. +The option is only there to protect against ill-written services. </li> + <li> <tt>-T <em>timeoutrun</em></tt> : if the server program +has not exited after <em>timeoutrun</em> milliseconds, give up. By +default, <em>timeoutrun</em> is 0, meaning infinite. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> If s6-sudoc is killed, or exits after <em>timeoutrun</em> milliseconds, +while the server program is still running, s6-sudod will send a SIGTERM and a +SIGCONT to the server program - but this does not guarantee that it will die. +If the server program keeps running, it might still read from the file that +was s6-sudoc's stdin, or write to the files that were s6-sudod's stdout or +stderr. <strong>This is a potential security risk</strong>. +Administrators should audit their server programs to make sure this does not +happen. </li> + <li> More generally, anything using signals or terminals will not be +handled transparently by the s6-sudoc + s6-sudod mechanism. The mechanism +was designed to allow programs to gain privileges in specific situations: +short-lived, simple, noninteractive processes. It was not designed to emulate +the full suid functionality and will not go out of its way to do so. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-sudod.html b/doc/s6-sudod.html new file mode 100644 index 0000000..ac93219 --- /dev/null +++ b/doc/s6-sudod.html @@ -0,0 +1,162 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-sudod program</title> + <meta name="Description" content="s6-networking: the s6-sudod program" /> + <meta name="Keywords" content="s6-networking s6-sudod sudo setuid suid unix privilege gain getpeereid server" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-sudod</tt> program </h1> + +<p> +<tt>s6-sudod</tt> receives command-line arguments, environment variables +and standard descriptors from a peer <a href="s6-sudoc.html">s6-sudoc</a> +program over a Unix socket, then forks another program. +</p> + +<h2> Interface </h2> + +<pre> + s6-sudod [ -0 ] [ -1 ] [ -2 ] [ -s ] [ -t <em>timeout</em> ] [ <em>sargv...</em> ] +</pre> + +<ul> + <li> s6-sudod gets 3 file descriptors via fd-passing over a Unix socket that +must be open on its descriptors 0 and 1. (The received descriptors will be the +stdin, stdout and stderr of the server program.) It expects a +<a href="s6-sudoc.html">s6-sudoc</a> process to be sending them on the +client side. </li> + <li> It also receives a list of command-line arguments <em>cargv...</em>, and +an environment <em>clientenv</em>. </li> + <li> s6-sudod forks and executes <em>sargv...</em> <em>cargv</em>... +The client command line is appended to the server command line. </li> + <li> s6-sudod waits for its child to exit and transmits its exit code +to the peer <a href="s6-sudoc.html">s6-sudoc</a> process. It then exits 0. </li> +</ul> + +<h2> Environment </h2> + +<p> +s6-sudod transmits its own environment to its child, plus the environment sent +by <a href="s6-sudoc.html">s6-sudoc</a>, filtered in the following manner: +for every variable sent by <a href="s6-sudoc.html">s6-sudoc</a>, if the +variable is <strong>present but empty</strong> in s6-sudod's environment, then +its value is overriden by the value given by s6-sudoc. A variable that is +already nonempty, or that doesn't exist, in s6-sudod's environment, will not +be transmitted to the child. +</p> + +<h2> Options </h2> + +<ul> + <li> <tt>-0</tt> : do not inherit stdin from s6-sudoc. The child will be +run with its stdin pointing to <tt>/dev/null</tt> instead. </li> + <li> <tt>-1</tt> : do not inherit stdout from s6-sudoc. The child will be +run with its stdout pointing to <tt>/dev/null</tt> instead. </li> + <li> <tt>-2</tt> : do not inherit stderr from s6-sudoc. The child will be +run with its stderr being a copy of s6-sudod's stderr instead. (This is useful +to still log the child's error messages without sending them to the client.) </li> + <li> <tt>-t <em>timeout</em></tt> : if s6-sudod has not +received all the needed data from the client after <em>timeout</em> +milliseconds, it will exit without spawning a child. By default, <em>timeout</em> +is 0, meaning infinite. This mechanism exists to protect the server from +malicious or buggy clients that would uselessly consume resources. </li> +</ul> + +<h2> Usage example </h2> + +<p> + The typical use of s6-sudod is in a +<a href="localservice.html">local service</a> with a +<a href="s6-ipcserver.html">s6-ipcserver</a> process listening on a Unix +socket, a <a href="s6-ipcserver-access.html">s6-ipcserver-access</a> process +performing client authentication and access control, and possibly a +<a href="http://skarnet.org/software/s6/s6-envdir.html">s6-envdir</a> +process setting up the environment variables that will be accepted by +s6-sudod. The following script, meant to be a <em>run script</em> in a +<a href="http://skarnet.org/software/s6/servicedir.html">service directory</a>, +will set up a privileged program: +</p> + +<pre> +#!/command/execlineb -P +fdmove -c 2 1 +s6-envuidgid serveruser +s6-ipcserver -U -- serversocket +s6-ipcserver-access -v2 -l0 -i rules -- +exec -c +s6-envdir env +s6-sudod +sargv +</pre> + +<ul> + <li> <a href="http://skarnet.org/software/execline/execlineb.html">execlineb</a> +executes the script. </li> + <li> <a href="http://skarnet.org/software/execline/fdmove.html">fdmove</a> makes +sure the script's error messages are sent to the service's logger. </li> + <li> <a href="http://skarnet.org/software/s6/s6-envuidgid.html">s6-envuidgid</a> +sets the UID, GID and GIDLIST environment variables for s6-ipcserver to interpret. </li> + <li> <a href="s6-ipcserver.html">s6-ipcserver</a> binds to <em>serversocket</em> +and drops its privileges to those of <em>serveruser</em>. Then, for every client +connecting to <em>serversocket</em>: + <ul> + <li> <a href="s6-ipcserver-access.html">s6-ipcserver-access</a> checks the +client's credentials according to the rules in directory <em>rules</em>. + <li> <a href="http://skarnet.org/software/execline/exec.html">exec -c</a> +clears the environment. </li> + <li> <a href="http://skarnet.org/software/s6/s6-envdir.html">s6-envdir</a> +sets environment variables according to the directory <em>env</em>. You can +make sure that a variable VAR will be present but empty by performing +<tt>echo > env/VAR</tt>. (A single newline is interpreted by s6-envdir as +an empty variable; whereas if <tt>env/VAR</tt> is totally empty, then the +VAR variable will be removed from the environment.) </li> + <li> s6-sudod reads a command line <em>cargv</em>, a client environment +and file descriptors over the socket. </li> + <li> s6-sudod spawns <tt>sargv cargv</tt>. </li> + </ul> +</ul> + +<p> + This means that user <em>clientuser</em> running +<tt><a href="s6-sudo.html">s6-sudo</a> serversocket cargv</tt> will be +able, if authorized by the configuration in <em>rules</em>, to run +<tt>sargv cargv</tt> as user <em>serveruser</em>, with stdin, +stdout, stderr and the environment variables properly listed in <em>env</em> +transmitted to <em>sargv</em>. +</p> + +<h2> Notes </h2> + +<ul> + <li> If s6-sudoc is killed, or exits after <em>timeoutrun</em> milliseconds, +while the server program is still running, s6-sudod will send a SIGTERM and a +SIGCONT to its child, then exit 1. However, sending a SIGTERM to the child +does not guarantee that it will die; and +if it keeps running, it might still read from the file that +was s6-sudoc's stdin, or write to the files that were s6-sudod's stdout or +stderr. <strong>This is a potential security risk</strong>. +Administrators should audit their server programs to make sure this does not +happen. </li> + <li> More generally, anything using signals or terminals will not be +handled transparently by the s6-sudoc + s6-sudod mechanism. The mechanism +was designed to allow programs to gain privileges in specific situations: +short-lived, simple, noninteractive processes. It was not designed to emulate +the full suid functionality and will not go out of its way to do so. </li> + <li> <em>sargv</em> may be empty. In that case, the client is in complete +control of the command line executed as <em>serveruser</em>. This setup is +permitted by s6-sudod, but it is very dangerous, and extreme attention should +be paid to the construction of the s6-ipcserver-access rules. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-taiclock.html b/doc/s6-taiclock.html new file mode 100644 index 0000000..bbdc680 --- /dev/null +++ b/doc/s6-taiclock.html @@ -0,0 +1,114 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-taiclock program</title> + <meta name="Description" content="s6-networking: the s6-taiclock program" /> + <meta name="Keywords" content="s6-networking s6-taiclock tai clock tai64 tai64n tai64na client" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-taiclock</tt> program </h1> + +<p> +<tt>s6-taiclock</tt> is a client for the +<a href="http://cr.yp.to/proto/taiclock.txt">TAICLOCK</a> protocol. +It connects to a TAICLOCK server, computes an estimated discrepancy +between the local clock time and the absolute time given by the server, +and outputs it on stdout. +</p> + +<h2> Interface </h2> + +<pre> + s6-taiclock [ -f ] [ -v <em>verbosity</em> ] [ -r <em>roundtrips</em> ] [ -t <em>triptimeout</em> ] [ -h <em>throttle</em> ] [ -T <em>totaltimeout</em> ] [ -e <em>errmax</em> ] [ -p <em>port</em> ] <em>ipaddress</em> | s6-clockview +</pre> + +<ul> + <li> s6-taiclock exchanges TAICLOCK messages with a server such as +<a href="s6-taiclockd.html">s6-taiclockd</a> +listening on <em>ipaddress</em>, UDP port 4014. +<em>ipaddress</em> can be IPv4 or IPv6. </li> + <li> It computes the mean difference between the absolute time +given by the system clock and the one given by the server. </li> + <li> It prints the difference to stdout in a format understood +by <a href="s6-clockadd">s6-clockadd</a> and +<a href="s6-clockview">s6-clockview</a>. It then exits 0. </li> +</ul> + +<h2> Options </h2> + +<ul> + <li> <tt>-f</tt> : force. Normally, s6-taiclock exits 111 if it cannot +compute a time with a smaller uncertainty than <em>errmax</em>. If this +option is set, it will output a time difference and exit 0 even if the +error is too big. </li> + <li> <tt>-v <em>verbosity</em></tt> : be more or less verbose. +By default, <em>verbosity</em> is 1. 0 means only print fatal error +messages; 2 means print advanced warnings. </li> + <li> <tt>-r <em>roundtrips</em></tt> : perform <em>roundtrips</em> +exchanges with the server. By default, <em>roundtrip</em> is 10. A lower +value yields a higher time uncertainty; a higher value puts more load on +the server. </li> + <li> <tt>-t <em>triptimeout</em></tt> : if a TAICLOCK exchange with +the server takes more than <em>triptimeout</em> milliseconds, abort this +exchange and move on to the next one. By default, <em>triptimeout</em> +is 2000. </li> + <li> <tt>-h <em>throttle</em></tt> : wait <em>throttle</em> +milliseconds between exchanges with the server. A lower value gets the +final result earlier, but exerts more load on the server. A higher +value puts a lighter load on the server, but delays the computation. +By default, <em>throttle</em> is 0. It is recommended to set it to a +reasonable nonzero value when increasing <em>roundtrips</em>. </li> + <li> <tt>-T <em>totaltimeout</em></tt> : if the whole +operation takes more than <em>totaltimeout</em> milliseconds, abort +and exit 1. By default, <em>totaltimeout</em> is 10000. </li> + <li> <tt>-e <em>errmax</em></tt> : accept a maximum time +uncertainty of <em>errmax</em> milliseconds. By default, <em>errmax</em> +is 100. </li> + <li> <tt>-p <em>port</em></tt> : contact a server on port +<em>port</em>. By default, <em>port</em> is 4014. </li> +</ul> + +<h2> Notes </h2> + +<h3> On the usage of NTP vs. TAICLOCK </h3> + +<ul> + <li> TAICLOCK is not as generic or failproof as NTP. It is not as +resistant to network latency. It has been designed to broadcast +time on a local area network, whereas NTP has been designed to +broadcast time over the whole Internet. </li> + <li> TAICLOCK will produce faster results on a LAN; moreover, the +point of TAICLOCK is to broadcast TAI instead of UTC, so it is +more accurate around a leap second. </li> + <li> The Internet is much more reliable latency-wise today +than it was when dialout connections and broken routing protocols +were the norm. So it is possible to use TAICLOCK +across a WAN if the accuracy expectations are not too strict. </li> + <li> TAICLOCK is much easier to implement. The +<a href="s6-sntpclock.html">s6-sntpclock</a> client binary code +(statically linked on a i386) is 50% bigger than the s6-taiclock +client. Also, the <a href="s6-taiclockd.html">s6-taiclockd</a> +server is extremely small (close to 50% smaller than the client), +whereas NTP servers, even SNTP servers, are behemoths requiring +a project of their own. </li> +</ul> + +<h3> Related work </h3> + +<ul> + <li> The <a href="http://cr.yp.to/clockspeed.html">clockspeed</a> package +is the original inspiration for the clock management part of s6-networking. +Unfortunately, it is unmaintained. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-taiclockd.html b/doc/s6-taiclockd.html new file mode 100644 index 0000000..915c181 --- /dev/null +++ b/doc/s6-taiclockd.html @@ -0,0 +1,51 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-taiclockd program</title> + <meta name="Description" content="s6-networking: the s6-taiclockd program" /> + <meta name="Keywords" content="s6-networking s6-taiclock tai clock tai64 tai64n tai64na server" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-taiclockd</tt> program </h1> + +<p> +<tt>s6-taiclockd</tt> is a server for the +<a href="http://cr.yp.to/proto/taiclock.txt">TAICLOCK</a> protocol. +It's a long-lived program listening to the network and answering +to TAICLOCK clients such as <a href="s6-taiclock.html">s6-taiclock</a>. +</p> + +<h2> Interface </h2> + +<pre> + s6-taiclockd [ -i <em>ip</em> ] [ -p <em>port</em> ] +</pre> + +<ul> + <li> s6-taiclockd listens to all network addresses on UDP +port 4014. </li> + <li> Whenever it receives a TAICLOCK request, it answers +immediately with the TAI time given by its local system clock. </li> + <li> It runs until killed by a signal. </li> +</ul> + +<h2> Options </h2> + +<ul> + <li> <tt>-i <em>ip</em></tt> : bind to <em>ip</em> instead +of all available addresses. <em>ip</em> can be IPv4 or IPv6. </li> + <li> <tt>-p <em>port</em></tt> : bind to port +<em>port</em> instead of 4014. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-tcpclient.html b/doc/s6-tcpclient.html new file mode 100644 index 0000000..42edaa9 --- /dev/null +++ b/doc/s6-tcpclient.html @@ -0,0 +1,133 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-tcpclient program</title> + <meta name="Description" content="s6-networking: the s6-tcpclient program" /> + <meta name="Keywords" content="s6-networking s6-tcpclient tcpclient ucspi tcp inet network tcp/ip client" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-tcpclient</tt> program </h1> + +<p> +<tt>s6-tcpclient</tt> is an +<a href="http://cr.yp.to/proto/ucspi.txt">UCSPI client tool</a> for +INET domain sockets. It establishes a TCP connection to a server, +then executes into a program. +</p> + +<h2> Interface </h2> + +<pre> + s6-tcpclient [ -q | -Q | -v ] [ -4 | -6 ] [ -d | -D ] [ -r | -R ] [ -h | -H ] [ -n | -N ] [ -t <em>timeout</em> ] [ -l <em>localname</em> ] [ -T <em>timeoutconn</em> ] [ -i <em>localip</em> ] [ -p <em>localport</em> ] <em>host</em> <em>port</em> <em>prog...</em> +</pre> + +<ul> + <li> s6-tcpclient establishes a TCP connection to host <em>host</em> +port <em>port</em>. </li> + <li> It executes into <em>prog...</em> with descriptor 6 reading from +the network and descriptor 7 writing to it. </li> +</ul> + +<h2> Host address determination </h2> + +<ul> + <li> <em>host</em> may be an IP address, in which case s6-tcpclient will +connect to that IP address. If the underlying skalibs has been +compiled with IPv6 support, <em>host</em> can be an IPv6 address as +well as an IPv4 one. </li> + <li> <em>host</em> may be a domain name, in which case a DNS +resolution will be performed on it, and a connection will be tried to +all the resulting IP addresses in a round-robin fashion, twice: +first with a small timeout, then with a longer timeout. The first +address to answer wins. The connection attempt fails if no address +in the list is able to answer. </li> +</ul> + +<h2> Environment variables </h2> + +<p> + <em>prog...</em> is run with the following variables set: +</p> + +<ul> + <li> PROTO: always set to TCP </li> + <li> TCPREMOTEIP: set to the chosen IP address of <em>host</em>. </li> + <li> TCPREMOTEPORT: set to <em>port</em>. </li> + <li> TCPREMOTEHOST: if the <tt>-H</tt> has been given, set to the +name obtained by a reverse DNS resolution of the IP address chosen +for <em>host</em>. Else unset. </li> + <li> TCPLOCALHOST: if the <tt>-l</tt> option has been given, set to +<em>localname</em>. Else set to the name obtained by a reverse DNS +resolution of the IP address chosen for the local host. </li> + <li> TCPREMOTEINFO: if the <tt>-r</tt> option has been given, set +to the information given by an IDENT server on <em>host</em> about +the current connection (very unreliable). Else unset. </li> +</ul> + +<h2> Options </h2> + +<ul> + <li> <tt>-q</tt> : be quiet. </li> + <li> <tt>-Q</tt> : be normally verbose. This is the default. </li> + <li> <tt>-v</tt> : be verbose. </li> + <li> <tt>-4</tt> : (only valid if the underlying skalibs has +IPv6 support) Interpret <em>host</em> as an IPv4 address or make A +queries to determine its addresses. </li> + <li> <tt>-6</tt> : (only valid if the underlying skalibs has +IPv6 support) Interpret <em>host</em> as an IPv6 address or make +AAAA queries to determine its addresses. This option and the previous +one are not mutually exclusive: if both are given, both IPv6 and +IPv4 addresses will be tried and IPv6 addresses will be given priority. +If neither option is given, only IPv4 address will be tried. </li> + <li> <tt>-d</tt> : don't use the TCP_NODELAY socket option. This +is the default. </li> + <li> <tt>-D</tt> : use the TCP_NODELAY socket option, which disables +Nagle's algorithm. </li> + <li> <tt>-r</tt> : try and obtain a TCPREMOTEINFO string via the +IDENT protocol. This is obsolete and unreliable, and should only be used for +compatibility with legacy programs. </li> + <li> <tt>-R</tt> : do not use the IDENT protocol. This is the +default. </li> + <li> <tt>-h</tt> : try and obtain the remote host name via DNS. +This is the default. </li> + <li> <tt>-H</tt> : do not try and obtain the remote host name +via DNS. </li> + <li> <tt>-n</tt> : qualify <em>host</em> when resolving it to +find suitable IP addresses. This is the default. </li> + <li> <tt>-N</tt> : do not qualify <em>host</em>. </li> + <li> <tt>-t :<em>timeout</em></tt> : put a global timeout +on the connection attempt. If no fully functional connection has been +established after <em>timeout</em> seconds, abort the program. By +default, <em>timeout</em> is 0, which means no timeout. </li> + <li> <tt>-i <em>localip</em></tt> : use <em>localip</em> as +the local socket address for the connection. By default, address selection +is left to the operating system. </li> + <li> <tt>-p <em>localport</em></tt> : use <em>localport</em> +as the local socket port for the connection. By default, port selection +is left to the operating system. </li> + <li> <tt>-l <em>localname</em></tt> : use <em>localname</em> +as the value of the TCPLOCALPATH environment variable instead of +looking it up via the DNS. </li> + <li> <tt>-T :<em>timeoutconn</em></tt> : configure the +connection timeouts. <em>timeoutconn</em> must be of the form +<em>x</em><tt>+</tt><em>y</em>, where <em>x</em> and <em>y</em> are +integers. <em>x</em> is the first timeout and <em>y</em> is the +second one: all suitable addresses for <em>host</em> are first +tried with a timeout of <em>x</em> seconds, and if all of them +fail, then they are tried again with a timeout of <em>y</em> +seconds. (Be aware that the timeout specified with the <tt>-t</tt> +option overrides everything.) By default, <em>x</em> is 2 and +<em>y</em> is 58. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-tcpserver-access.html b/doc/s6-tcpserver-access.html new file mode 100644 index 0000000..7bf15a0 --- /dev/null +++ b/doc/s6-tcpserver-access.html @@ -0,0 +1,239 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-tcpserver-access program</title> + <meta name="Description" content="s6-networking: the s6-tcpserver-access program" /> + <meta name="Keywords" content="s6-networking s6-tcpserver-access tcp access control tcprules tcpwrappers libwrap" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-tcpserver-access</tt> program </h1> + +<p> +<tt>s6-tcpserver-access</tt> is a command-line TCP access +control tool, and additionally performs some fine-tuning on a +TCP socket. It is meant to be run after +<a href="s6-tcpserver.html">s6-tcpserver</a> and before +the application program on the s6-tcpserver command line, +just like tcpwrappers' <tt>tcpd</tt> program. +</p> + +<h2> Interface </h2> + +<pre> + s6-tcpserver-access [ -v <em>verbosity</em> ] [ -W | -w ] [ -D | -d ] [ -H | -h ] [ -R | -r ] [ -P | -p ] [ -l <em>localname</em> ] [ -B <em>banner</em> ] [ -t <em>timeout</em> ] [ -i <em>rulesdir</em> | -x <em>rulesfile</em> ] <em>prog...</em> +</pre> + +<ul> + <li> s6-tcpserver-access checks it is run under a UCSPI server tool +such as <a href="s6-tcpserver.html">s6-tcpserver</a>, + <a href="s6-tcpserver4.html">s6-tcpserver4</a> or + <a href="s6-tcpserver6.html">s6-tcpserver6</a>. </li> + <li> It checks that the remote end of the connection fits the +accepted criteria defined by the database contained in <em>rulesdir</em> +or <em>rulesfile</em>. If the database tells it to reject the connection, +the program exits 1. </li> + <li> It sets up a few additional environment variables. </li> + <li> It executes into <em>prog...</em>, +unless the first matching rule in the rule database +includes instructions to override <em>prog...</em>. </li> +</ul> + +<h2> Environment variables </h2> + +<p> +s6-tcpserver-access expects to inherit some environment variables from +its parent: +</p> + +<ul> + <li> PROTO: normally TCP, but could be anything else, like SSL. </li> + <li> ${PROTO}REMOTEIP: the remote address of the socket, i.e. the client's +IP address. This can be IPv4 or (if the underlying skalibs supports it) IPv6. </li> + <li> ${PROTO}REMOTEPORT: the remote port of the socket. </li> +</ul> + +<p> + Additionally, it exports the following variables before executing into +<em>prog...</em>: +</p> + +<ul> + <li> ${PROTO}LOCALIP: set to the local address of the socket. </li> + <li> ${PROTO}LOCALPORT: set to the local port of the socket. </li> + <li> ${PROTO}REMOTEINFO: normally unset, but set to the information +retrieved from ${PROTO}REMOTEIP via the IDENT protocol if the <tt>-R</tt> +option has been given. </li> + <li> ${PROTO}REMOTEHOST: set to the remote host name obtained from +a DNS lookup. Unset if the <tt>-H</tt> option has been given. </li> + <li> ${PROTO}LOCALHOST: set to the local host name obtained from a +DNS lookup. If the <tt>-l</tt> option has been given, set to +<em>localname</em> instead. </li> +</ul> + +<p> + Also, the access rules database can instruct s6-tcpserver-access to set +up, or unset, more environment variables, depending on the client address. +</p> + +<h2> Options </h2> + +<ul> + <li> <tt>-v <em>verbosity</em></tt> : be more or less verbose, i.e. +print more or less information to stderr: + <ul> + <li> 0: only log error messages. </li> + <li> 1: only log error and warning messages, and accepted connections. +This is the default. </li> + <li> 2: also log rejected connections and more warning messages. </li> + <li> 3: also log detailed warning messages from DNS and IDENT resolution. </li> + </ul> </li> + <li> <tt>-W</tt> : non-fatal. If errors happen during DNS or IDENT +resolution, the connection process is not aborted. However, incorrect or +incomplete results might still prevent a legitimate connection from being +authenticated against a DNS name. This is the default. </li> + <li> <tt>-w</tt> : fatal. Errors during DNS or IDENT resolution will +drop the connection. </li> + <li> <tt>-D</tt> : disable Nagle's algorithm. Sets the TCP_NODELAY +flag on the network socket. </li> + <li> <tt>-d</tt> : enable Nagle's algorithm. This is the default. </li> + <li> <tt>-H</tt> : disable DNS lookups for the ${PROTO}LOCALHOST and +${PROTO}REMOTEHOST environment variables. </li> + <li> <tt>-h</tt> : enable DNS lookups. This is the default. </li> + <li> <tt>-R</tt> : disable IDENT lookups for the ${PROTO}REMOTEINFO +environment variable. This is the default. </li> + <li> <tt>-r</tt> : enable IDENT lookups. This should only be done +for legacy programs that need it. </li> + <li> <tt>-P</tt> : no paranoid DNS lookups. This is the default. </li> + <li> <tt>-p</tt> : paranoid. After looking up a name for the remote +host, s6-tcpserver-access will lookup IP addresses for this name, and drop +the connection if none of the results matches the address the connection +is originating from. Note that this still does not replace real +authentication via a cryptographic protocol. </li> + <li> <tt>-l <em>localname</em></tt> : use <em>localname</em> +as the value for the ${PROTO}LOCALHOST environment variable, instead of +looking it up in the DNS. </li> + <li> <tt>-B <em>banner</em></tt> : print <em>banner</em> to +the network as soon as the connection is attempted, even before +checking client credentials. The point is to speed up network protocols +that start with a server-side message. </li> + <li> <tt>-t <em>timeout</em></tt> : set a timeout on all the +operations performed by s6-tcpserver-access. If it is not able to do +its job in <em>timeout</em> milliseconds, it will instantly exit 99. +The default is 0, meaning no such timeout. </li> + <li> <tt>-i <em>rulesdir</em></tt> : check client credentials +against a filesystem-based database in the <em>rulesdir</em> directory. </li> + <li> <tt>-x <em>rulesfile</em></tt> : check client credentials +against a <a href="http://en.wikipedia.org/wiki/Cdb_(software)">cdb</a> +database in the <em>rulesfile</em> file. <tt>-i</tt> and <tt>-x</tt> are +mutually exclusive. If none of those options is given, no credential checking will be +performed, and a warning will be emitted on every connection if +<em>verbosity</em> is 2 or more. </li> +</ul> + +<h2> Access rule checking </h2> + +<p> + s6-tcpserver-access checks its client connection against +a ruleset. This ruleset can be implemented: +</p> + +<ul> + <li> either in the filesystem as an arborescence of directories and files, +if the <tt>-i</tt> option has been given. This option is the most flexible +one: the directory format is simple enough for scripts to understand and +modify it, and the ruleset can be changed dynamically. This is practical, +for instance, for roaming users. </li> +<li> or in a <a href="http://en.wikipedia.org/wiki/Cdb_(software)">CDB +file</a>, if the <tt>-x</tt> option has been given. This option is the most +efficient one if the ruleset is static enough: a lot less system calls are +needed to perform searches in a CDB than in the filesystem. </li> +</ul> + +<p> + The exact format of the ruleset is described on the +<a href="s6-accessrules-cdb-from-fs.html">s6-accessrules-cdb-from-fs</a> page. +</p> + +<p> +s6-tcpserver-access first gets the remote address <em>ip</em> of the +client and converts it to canonical form. Then it checks it with the +<a href="libs6net/accessrules.html#ip4">s6net_accessrules_keycheck_ip46()</a> +function. In other words, it tries to match broader and broader network +prefixes of <em>ip</em>, from <tt>ip4/</tt><em>ip</em><tt>_32</tt> to +<tt>ip4/0.0.0.0_0</tt> if <em>ip</em> is v4, or from +<tt>ip6/</tt><em>ip</em><tt>/128</tt> to <tt>ip6/::_0</tt> if <em>ip</em> +is v6. If the result is: +</p> + + <li> S6NET_ACCESSRULES_ERROR: it immediately exits 111. </li> + <li> S6NET_ACCESSRULES_DENY: it immediately exits 1. </li> + <li> S6NET_ACCESSRULES_ALLOW: it grants access. </li> + <li> S6NET_ACCESSRULES_NOTFOUND: more information is needed. </li> +</ul> + +<p> + In the last case, if DNS lookups have been deactivated (<tt>-H</tt>) then access +is denied. But if s6-tcpserver-access is authorized to perform DNS lookups, +then it gets the remote name of the client, <em>remotehost</em>, and +checks it with the +<a href="libs6net/accessrules.html#reversedns">s6net_accessrules_keycheck_reversedns()</a> +function. In other words, it tries to match shorter and shorter suffixes +of <em>remotehost</em>, from <tt>reversedns/</tt><em>remotehost</em> to +<tt>reversedns/@</tt>. +This time, the connection is denied is the result is anything else than +S6NET_ACCESSRULES_ALLOW. +</p> + +<p> + Note that even if the access check succeeds, the connection can still be +denied if paranoid mode has been required (<tt>-p</tt>) and a forward DNS query +on <em>remotehost</em> does not match <em>ip</em>. +</p> + +<h2> Environment and executable modifications </h2> + +<p> + s6-tcpserver-access interprets non-empty <tt>env</tt> subdirectories +and <tt>exec</tt> files +it finds in the matching rule of the ruleset, as explained +in the <a href="s6-accessrules-cdb-from-fs.html">s6-accessrules-cdb-from-fs</a> +page. +</p> + +<ul> + <li> An <tt>env</tt> subdirectory is interpreted as if the +<a href="http://skarnet.org/software/s6/s6-envdir.html">s6-envdir</a> +command had been called before executing <em>prog</em>: the environment +is modified according to the contents of <tt>env</tt>. </li> + <li> An <tt>exec</tt> file containing <em>newprog</em> completely +bypasses the rest of s6-tcpserver-access' command line. After +environment modifications, if any, s6-tcpserver-access execs into +<tt><a href="http://skarnet.org/software/execline/execlineb.html">execlineb</a> -c <em>newprog</em></tt>. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> s6-tcpserver-access works with +<a href="s6-tcpserver4.html">s6-tcpserver4</a>, handling IPv4 addresses, +as well as +<a href="s6-tcpserver6.html">s6-tcpserver6</a>, handling IPv6 addresses. +It will automatically detect the remote address type and match it against the +correct subdatabase. </li> + <li> s6-tcpserver-access may perform several DNS queries. For efficiency +purposes, it does as many of them as possible in parallel. However, if asked +to do an IDENT query, it does not parallelize it with DNS queries. Take +that into account when estimating a proper <em>timeout</em> value. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-tcpserver.html b/doc/s6-tcpserver.html new file mode 100644 index 0000000..41eb176 --- /dev/null +++ b/doc/s6-tcpserver.html @@ -0,0 +1,72 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-tcpserver program</title> + <meta name="Description" content="s6-networking: the s6-tcpserver program" /> + <meta name="Keywords" content="s6-networking s6-tcpserver tcpserver ucspi tcp server super-server" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-tcpserver</tt> program </h1> + +<p> +<tt>s6-tcpserver</tt> is an +<a href="http://cr.yp.to/proto/ucspi.txt">UCSPI tool</a> for +TCP connections, i.e. a super-server. It accepts connections from +clients, and forks a program to handle each connection. +</p> + +<h2> Interface </h2> + +<pre> + s6-tcpserver [ -q | -Q | -v ] [ -4 | -6 ] [ -1 ] [ -c <em>maxconn</em> ] [ -C <em>localmaxconn</em> ] [ -b <em>backlog</em> ] [ -G <em>gidlist</em> ] [ -g <em>gid</em> ] [ -u <em>uid</em> ] [ -U ] <em>ip</em> <em>port</em> <em>prog...</em> +</pre> + +<ul> + <li> s6-tcpserver executes into +<a href="s6-tcpserver4.html">s6-tcpserver4</a> or +<a href="s6-tcpserver6.html">s6-tcpserver6</a> depending on whether +<em>ip</em> is an IPv4 or IPv6 address. It modifies some of its +option syntax to match s6-tcpserver4 and s6-tcpserver6's.</li> + <li> s6-tcpserver4 or s6-tcpserver6 handles the connection itself. </li> +</ul> + +<h2> Options </h2> + +<ul> + <li> <tt>-q</tt> : be quiet. This is converted into <tt>-v 0</tt> +for s6-tcpserver4 or s6-tcpserver6. </li> + <li> <tt>-Q</tt> : be normally quiet. This is converted into <tt>-v 1</tt> +for s6-tcpserver4 or s6-tcpserver6. This is the default. </li> + <li> <tt>-v</tt> : be verbose. This is converted into <tt>-v 2</tt> +for s6-tcpserver4 or s6-tcpserver6. </li> + <li> <tt>-4</tt> : IPv4 only. Interpret <em>ip</em> as IPv4; if it is +invalid, exit 100. </li> + <li> <tt>-6</tt> : IPv6 only. Interpret <em>ip</em> as IPv6; if it is +invalid, exit 100. If neither the <tt>-4</tt> nor the <tt>-6</tt> option is +given, s6-tcpserver will parse <em>ip</em> to determine its family. </li> + <li> Every other option is passed verbatim to s6-tcpserver4 or s6-tcpserver6. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> s6-tcpserver executes either into s6-tcpserver4, which only serves +IPv4, or into IPv6, which only serves IPv6. It will not bind to every +available IP address of the machine whether they are v4 or v6; on the +other hand, it can bind to every available IPv4 address (if <em>ip</em> +is <tt>0.0.0.0</tt>) or to every available IPv6 address (if <em>ip</em> +is <tt>::</tt>). Two instances of s6-tcpserver can cover every +available address. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-tcpserver4.html b/doc/s6-tcpserver4.html new file mode 100644 index 0000000..e0270e0 --- /dev/null +++ b/doc/s6-tcpserver4.html @@ -0,0 +1,123 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-tcpserver4 program</title> + <meta name="Description" content="s6-networking: the s6-tcpserver4 program" /> + <meta name="Keywords" content="s6-networking s6-tcpserver4 tcpserver ucspi tcp server super-server ipv4" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-tcpserver4</tt> program </h1> + +<p> +<tt>s6-tcpserver4</tt> is a super-server for IPv4 TCP +connections. It accepts connections from clients, and forks a +program to handle each connection. +</p> + +<h2> Interface </h2> + +<pre> + s6-tcpserver4 [ -1 ] [ -v <em>verbosity</em> ] [ -c <em>maxconn</em> ] [ -C <em>localmaxconn</em> ] [ -b <em>backlog</em> ] [ -G <em>gidlist</em> ] [ -g <em>gid</em> ] [ -u <em>uid</em> ] [ -U ] <em>ip</em> <em>port</em> <em>prog...</em> +</pre> + +<ul> + <li> s6-tcpserver4 binds to local IPv4 address <em>ip</em>, +port <em>port</em>. </li> + <li> It closes its stdin and stdout. </li> + <li> For every TCP connection to this address and port, it +forks. The child sets some environment variables, then +executes <em>prog...</em> with stdin reading from the network +socket and stdout writing to it. </li> + <li> Depending on the verbosity level, it logs what it does to stderr. </li> + <li> It runs until killed by a signal. Depending on the received +signal, it may kill its children before exiting. </li> +</ul> + +<h2> Environment variables </h2> + +<p> + For each connection, an instance of <em>prog...</em> is spawned with +the following variables set: +</p> + +<ul> + <li> PROTO: always set to TCP </li> + <li> TCPREMOTEIP: set to the originating address </li> + <li> TCPREMOTEPORT: set to the originating port </li> + <li> TCPCONNNUM: set to the number of connections originating from +the same IP address </li> +</ul> + +<h2> Options </h2> + +<ul> + <li> <tt>-1</tt> : write <em>port</em> to stdout, before +closing it, right after binding and listening to the network socket. +If stdout is suitably redirected, this can be used by monitoring +programs to check when the server is ready to accept connections. </li> + <li> <tt>-v <em>verbosity</em></tt> : be more or less verbose. +By default, <em>verbosity</em> is 1: print warning messages to stderr. +0 means only print fatal error messages ; 2 means print status and +connection information for every client. </li> + <li> <tt>-c <em>maxconn</em></tt> : accept at most +<em>maxconn</em> concurrent connections. Default is 40. It is +impossible to set it higher than 1000. </li> + <li> <tt>-C <em>localmaxconn</em></tt> : accept at most +<em>localmaxconn</em> connections from the same IP address. +Default is 40. It is impossible to set it higher than <em>maxconn</em>. </li> + <li> <tt>-b <em>backlog</em></tt> : set a maximum of +<em>backlog</em> backlog connections on the socket. Extra +connection attempts will rejected by the kernel. </li> + <li> <tt>-G <em>gidlist</em></tt> : change s6-tcpserver4's +supplementary group list to <em>gidlist</em> after binding the socket. +This is only valid when run as root. <em>gidlist</em> must be a +comma-separated list of numerical group IDs. </li> + <li> <tt>-g <em>gid</em></tt> : change s6-tcpserver4's groupid +to <em>gid</em> after binding the socket. This is only valid when run +as root. </li> + <li> <tt>-u <em>uid</em></tt> : change s6-tcpserver4's userid +to <em>uid</em> after binding the socket. This is only valid when run +as root. </li> + <li> <tt>-U</tt> : change s6-tcpserver4's user id, group id and +supplementary group list +according to the values of the UID, GID and GIDLIST environment variables +after binding the socket. This is only valid when run as root. +This can be used with the +<a href="http://skarnet.org/software/s6/s6-envuidgid.html">s6-envuidgid</a> +program to easily script a service that binds to a privileged socket +then drops its privileges to those of a named non-root account. </li> +</ul> + +<h2> Signals </h2> + +<ul> + <li> SIGTERM: exit. </li> + <li> SIGHUP: send a SIGTERM and a SIGCONT to all children. </li> + <li> SIGQUIT: send a SIGTERM and a SIGCONT to all children, then exit. </li> + <li> SIGABRT: send a SIGKILL to all children, then exit. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> Unlike its ancestor +<a href="http://cr.yp.to/ucspi-tcp/tcpserver.html">tcpserver</a>, +s6-tcpserver4 performs just the bare minimum: the point is to have a +very small and very fast process to serve connections with the least +possible overhead. Features such as additional environment variables, +access control and DNS resolution are provided +via the <a href="s6-tcpserver-access.html">s6-tcpserver-access</a> +program. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-tcpserver6.html b/doc/s6-tcpserver6.html new file mode 100644 index 0000000..e571010 --- /dev/null +++ b/doc/s6-tcpserver6.html @@ -0,0 +1,122 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-tcpserver6 program</title> + <meta name="Description" content="s6-networking: the s6-tcpserver6 program" /> + <meta name="Keywords" content="s6-networking s6-tcpserver6 tcpserver ucspi tcp server super-server ipv6" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-tcpserver6</tt> program </h1> + +<p> +<tt>s6-tcpserver6</tt> is a super-server for IPv6 TCP +connections. It accepts connections from clients, and forks a +program to handle each connection. +</p> + +<h2> Interface </h2> + +<pre> + s6-tcpserver6 [ -1 ] [ -v <em>verbosity</em> ] [ -c <em>maxconn</em> ] [ -C <em>localmaxconn</em> ] [ -b <em>backlog</em> ] [ -G <em>gidlist</em> ] [ -g <em>gid</em> ] [ -u <em>uid</em> ] [ -U ] <em>ip</em> <em>port</em> <em>prog...</em> +</pre> + +<ul> + <li> s6-tcpserver6 binds to local IPv6 address <em>ip</em>, +port <em>port</em>. </li> + <li> It closes its stdin and stdout. </li> + <li> For every TCP connection to this address and port, it +forks. The child sets some environment variables, then +executes <em>prog...</em> with stdin reading from the network socket +and stdout writing to it. </li> + <li> Depending on the verbosity level, it logs what it does to stderr. </li> + <li> It runs until killed by a signal. Depending on the received +signal, it may kill its children before exiting. </li> +</ul> + +<h2> Environment variables </h2> + +<p> + For each connection, an instance of <em>prog...</em> is spawned with +the following variables set: +</p> + +<ul> + <li> PROTO: always set to TCP </li> + <li> TCPREMOTEIP: set to the originating address, in canonical IPv6 form </li> + <li> TCPREMOTEPORT: set to the originating port </li> + <li> TCPCONNNUM: set to the number of connections originating from +the same IPv6 address </li> +</ul> + +<h2> Options </h2> + +<ul> + <li> <tt>-1</tt> : write <em>port</em> to stdout, before +closing it, right after binding and listening to the network socket. +If stdout is suitably redirected, this can be used by monitoring +programs to check when the server is ready to accept connections. </li> + <li> <tt>-v <em>verbosity</em></tt> : be more or less verbose. +By default, <em>verbosity</em> is 1: print warning messages to stderr. +0 means only print fatal error messages ; 2 means print status and +connection information for every client. </li> + <li> <tt>-c <em>maxconn</em></tt> : accept at most +<em>maxconn</em> concurrent connections. Default is 40. It is +impossible to set it higher than 1000. </li> + <li> <tt>-C <em>localmaxconn</em></tt> : accept at most +<em>localmaxconn</em> connections from the same IP address. +Default is 40. It is impossible to set it higher than <em>maxconn</em>. </li> + <li> <tt>-b <em>backlog</em></tt> : set a maximum of +<em>backlog</em> backlog connections on the socket. Extra +connection attempts will rejected by the kernel. </li> + <li> <tt>-G <em>gidlist</em></tt> : change s6-tcpserver6's +supplementary group list to <em>gidlist</em> after binding the socket. +This is only valid when run as root. <em>gidlist</em> must be a +comma-separated list of numerical group IDs. </li> + <li> <tt>-g <em>gid</em></tt> : change s6-tcpserver6's groupid +to <em>gid</em> after binding the socket. This is only valid when run +as root. </li> + <li> <tt>-u <em>uid</em></tt> : change s6-tcpserver6's userid +to <em>uid</em> after binding the socket. This is only valid when run +as root. </li> + <li> <tt>-U</tt> : change s6-tcpserver6's user id, group id and +supplementary group list +according to the values of the UID, GID and GIDLIST environment variables +after binding the socket. This is only valid when run as root. +This can be used with the +<a href="http://skarnet.org/software/s6/s6-envuidgid.html">s6-envuidgid</a> +program to easily script a service that binds to a privileged socket +then drops its privileges to those of a named non-root account. </li> +</ul> + +<h2> Signals </h2> + +<ul> + <li> SIGTERM: exit. </li> + <li> SIGHUP: send a SIGTERM and a SIGCONT to all children. </li> + <li> SIGQUIT: send a SIGTERM and a SIGCONT to all children, then exit. </li> + <li> SIGABRT: send a SIGKILL to all children, then exit. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> s6-tcpserver6 will only serve real IPv6 addresses; it does not +default to an IPv4 address. The +<a href="s6-tcpserver4.html">s6-tcpserver4</a> program should be +used to serve IPv4 addresses. </li> + <li> s6-tcpserver6 will only work if the underlying +<a href="http://skarnet.org/software/skalibs/">skalibs</a> has +been compiled with IPv6 support. </li> +</ul> + +</body> +</html> diff --git a/doc/seekablepipe.html b/doc/seekablepipe.html new file mode 100644 index 0000000..cd17b2e --- /dev/null +++ b/doc/seekablepipe.html @@ -0,0 +1,36 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the seekablepipe program</title> + <meta name="Description" content="s6-networking: the seekablepipe program" /> + <meta name="Keywords" content="s6-networking seekablepipe pipe seekablepipe-io" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>seekablepipe</tt> program </h1> + +<tt>seekablepipe</tt> turns the reading end of a pipe into a seekable +file descriptor, using a temporary file. + +<h2> Interface </h2> + +<pre> + <em>writer</em> | seekablepipe <em>tmpfile reader [ args ... ]</em> +</pre> + +<p> +<tt>seekablepipe</tt> writes <em>writer</em>'s output to <em>tmpfile</em>, +which is unlinked as soon as it is created. Then it execs into +<em>reader</em>, reading from a file descriptor on <em>tmpfile</em>. +</p> + +</body> +</html> diff --git a/doc/upgrade.html b/doc/upgrade.html new file mode 100644 index 0000000..0f7e635 --- /dev/null +++ b/doc/upgrade.html @@ -0,0 +1,34 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: how to upgrade</title> + <meta name="Description" content="s6-networking: how to upgrade" /> + <meta name="Keywords" content="s6-networking installation upgrade" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> What has changed in s6-networking </h1> + +<h2> n 2.0.0.0 </h2> + +<ul> + <li> The build system has completely changed. It is now a standard +<tt>./configure && make && sudo make install</tt> +build system. See the enclosed INSTALL file for details. </li> + <li> slashpackage is not activated by default. </li> + <li> shared libraries are not used by default. </li> + <li> skalibs dependency bumped to 2.0.0.0. </li> + <li> execline dependency bumped to 2.0.0.0. </li> + <li> s6-dns dependency bumped to 2.0.0.0. </li> +</ul> + +</body> +</html> diff --git a/package/deps-build b/package/deps-build new file mode 100644 index 0000000..254622d --- /dev/null +++ b/package/deps-build @@ -0,0 +1,3 @@ +/package/prog/skalibs +/package/admin/execline +/package/web/s6-dns diff --git a/package/deps.mak b/package/deps.mak new file mode 100644 index 0000000..274d375 --- /dev/null +++ b/package/deps.mak @@ -0,0 +1,69 @@ +# +# This file has been generated by tools/gen-deps.sh +# + +src/include/s6-networking/s6net.h: src/include/s6-networking/accessrules.h src/include/s6-networking/ident.h +src/clock/s6-clockadd.o src/clock/s6-clockadd.lo: src/clock/s6-clockadd.c +src/clock/s6-clockview.o src/clock/s6-clockview.lo: src/clock/s6-clockview.c +src/clock/s6-sntpclock.o src/clock/s6-sntpclock.lo: src/clock/s6-sntpclock.c +src/clock/s6-taiclock.o src/clock/s6-taiclock.lo: src/clock/s6-taiclock.c +src/clock/s6-taiclockd.o src/clock/s6-taiclockd.lo: src/clock/s6-taiclockd.c +src/conn-tools/s6-accessrules-cdb-from-fs.o src/conn-tools/s6-accessrules-cdb-from-fs.lo: src/conn-tools/s6-accessrules-cdb-from-fs.c +src/conn-tools/s6-accessrules-fs-from-cdb.o src/conn-tools/s6-accessrules-fs-from-cdb.lo: src/conn-tools/s6-accessrules-fs-from-cdb.c +src/conn-tools/s6-connlimit.o src/conn-tools/s6-connlimit.lo: src/conn-tools/s6-connlimit.c +src/conn-tools/s6-getservbyname.o src/conn-tools/s6-getservbyname.lo: src/conn-tools/s6-getservbyname.c +src/conn-tools/s6-ident-client.o src/conn-tools/s6-ident-client.lo: src/conn-tools/s6-ident-client.c src/include/s6-networking/ident.h +src/conn-tools/s6-ioconnect.o src/conn-tools/s6-ioconnect.lo: src/conn-tools/s6-ioconnect.c +src/conn-tools/s6-ipcclient.o src/conn-tools/s6-ipcclient.lo: src/conn-tools/s6-ipcclient.c +src/conn-tools/s6-ipcserver-access.o src/conn-tools/s6-ipcserver-access.lo: src/conn-tools/s6-ipcserver-access.c src/include/s6-networking/accessrules.h +src/conn-tools/s6-ipcserver.o src/conn-tools/s6-ipcserver.lo: src/conn-tools/s6-ipcserver.c +src/conn-tools/s6-sudo.o src/conn-tools/s6-sudo.lo: src/conn-tools/s6-sudo.c src/include/s6-networking/config.h +src/conn-tools/s6-sudoc.o src/conn-tools/s6-sudoc.lo: src/conn-tools/s6-sudoc.c src/conn-tools/s6-sudo.h +src/conn-tools/s6-sudod.o src/conn-tools/s6-sudod.lo: src/conn-tools/s6-sudod.c src/conn-tools/s6-sudo.h +src/conn-tools/s6-tcpclient.o src/conn-tools/s6-tcpclient.lo: src/conn-tools/s6-tcpclient.c src/include/s6-networking/ident.h +src/conn-tools/s6-tcpserver-access.o src/conn-tools/s6-tcpserver-access.lo: src/conn-tools/s6-tcpserver-access.c src/include/s6-networking/s6net.h +src/conn-tools/s6-tcpserver.o src/conn-tools/s6-tcpserver.lo: src/conn-tools/s6-tcpserver.c src/include/s6-networking/config.h +src/conn-tools/s6-tcpserver4.o src/conn-tools/s6-tcpserver4.lo: src/conn-tools/s6-tcpserver4.c +src/conn-tools/s6-tcpserver6.o src/conn-tools/s6-tcpserver6.lo: src/conn-tools/s6-tcpserver6.c +src/conn-tools/seekablepipe.o src/conn-tools/seekablepipe.lo: src/conn-tools/seekablepipe.c +src/libs6net/s6net_accessrules_backend_cdb.o src/libs6net/s6net_accessrules_backend_cdb.lo: src/libs6net/s6net_accessrules_backend_cdb.c src/include/s6-networking/accessrules.h +src/libs6net/s6net_accessrules_backend_fs.o src/libs6net/s6net_accessrules_backend_fs.lo: src/libs6net/s6net_accessrules_backend_fs.c src/include/s6-networking/accessrules.h +src/libs6net/s6net_accessrules_keycheck_ip4.o src/libs6net/s6net_accessrules_keycheck_ip4.lo: src/libs6net/s6net_accessrules_keycheck_ip4.c src/include/s6-networking/accessrules.h +src/libs6net/s6net_accessrules_keycheck_ip6.o src/libs6net/s6net_accessrules_keycheck_ip6.lo: src/libs6net/s6net_accessrules_keycheck_ip6.c src/include/s6-networking/accessrules.h +src/libs6net/s6net_accessrules_keycheck_reversedns.o src/libs6net/s6net_accessrules_keycheck_reversedns.lo: src/libs6net/s6net_accessrules_keycheck_reversedns.c src/include/s6-networking/accessrules.h +src/libs6net/s6net_accessrules_keycheck_uidgid.o src/libs6net/s6net_accessrules_keycheck_uidgid.lo: src/libs6net/s6net_accessrules_keycheck_uidgid.c src/include/s6-networking/accessrules.h +src/libs6net/s6net_accessrules_uidgid_cdb.o src/libs6net/s6net_accessrules_uidgid_cdb.lo: src/libs6net/s6net_accessrules_uidgid_cdb.c src/include/s6-networking/accessrules.h +src/libs6net/s6net_accessrules_uidgid_fs.o src/libs6net/s6net_accessrules_uidgid_fs.lo: src/libs6net/s6net_accessrules_uidgid_fs.c src/include/s6-networking/accessrules.h +src/libs6net/s6net_ident_client.o src/libs6net/s6net_ident_client.lo: src/libs6net/s6net_ident_client.c src/include/s6-networking/ident.h +src/libs6net/s6net_ident_error.o src/libs6net/s6net_ident_error.lo: src/libs6net/s6net_ident_error.c src/include/s6-networking/ident.h +src/libs6net/s6net_ident_reply_get.o src/libs6net/s6net_ident_reply_get.lo: src/libs6net/s6net_ident_reply_get.c src/include/s6-networking/ident.h +src/libs6net/s6net_ident_reply_parse.o src/libs6net/s6net_ident_reply_parse.lo: src/libs6net/s6net_ident_reply_parse.c src/include/s6-networking/ident.h +src/minidentd/mgetuid-default.o src/minidentd/mgetuid-default.lo: src/minidentd/mgetuid-default.c src/minidentd/mgetuid.h +src/minidentd/mgetuid-linux.o src/minidentd/mgetuid-linux.lo: src/minidentd/mgetuid-linux.c src/minidentd/mgetuid.h +src/minidentd/minidentd.o src/minidentd/minidentd.lo: src/minidentd/minidentd.c src/minidentd/mgetuid.h + +s6-clockadd: src/clock/s6-clockadd.o -lskarnet ${SYSCLOCK_LIB} +s6-clockview: src/clock/s6-clockview.o -lskarnet ${SYSCLOCK_LIB} +s6-sntpclock: src/clock/s6-sntpclock.o -lskarnet ${SOCKET_LIB} ${TAINNOW_LIB} +s6-taiclock: src/clock/s6-taiclock.o -lskarnet ${SOCKET_LIB} ${TAINNOW_LIB} +s6-taiclockd: src/clock/s6-taiclockd.o -lskarnet ${SOCKET_LIB} ${SYSCLOCK_LIB} +s6-accessrules-cdb-from-fs: src/conn-tools/s6-accessrules-cdb-from-fs.o -ls6net -lskarnet ${SOCKET_LIB} ${TAINNOW_LIB} +s6-accessrules-fs-from-cdb: src/conn-tools/s6-accessrules-fs-from-cdb.o -lskarnet +s6-connlimit: src/conn-tools/s6-connlimit.o -lskarnet +s6-getservbyname: src/conn-tools/s6-getservbyname.o -lskarnet +s6-ident-client: src/conn-tools/s6-ident-client.o -ls6net -lskarnet ${SOCKET_LIB} ${TAINNOW_LIB} +s6-ioconnect: src/conn-tools/s6-ioconnect.o -lskarnet ${TAINNOW_LIB} +s6-ipcclient: src/conn-tools/s6-ipcclient.o -lskarnet ${SOCKET_LIB} +s6-ipcserver: src/conn-tools/s6-ipcserver.o -lskarnet ${SOCKET_LIB} +s6-ipcserver-access: src/conn-tools/s6-ipcserver-access.o -ls6net -lskarnet +s6-sudo: src/conn-tools/s6-sudo.o -lskarnet +s6-sudoc: src/conn-tools/s6-sudoc.o -lskarnet ${TAINNOW_LIB} +s6-sudod: src/conn-tools/s6-sudod.o -lskarnet ${TAINNOW_LIB} +s6-tcpclient: src/conn-tools/s6-tcpclient.o -ls6net -ls6dns -lskarnet ${SOCKET_LIB} ${TAINNOW_LIB} +s6-tcpserver: src/conn-tools/s6-tcpserver.o -lskarnet +s6-tcpserver-access: src/conn-tools/s6-tcpserver-access.o -ls6net -ls6dns -lskarnet ${SOCKET_LIB} ${TAINNOW_LIB} +s6-tcpserver4: src/conn-tools/s6-tcpserver4.o -lskarnet ${SOCKET_LIB} +s6-tcpserver6: src/conn-tools/s6-tcpserver6.o -lskarnet ${SOCKET_LIB} +seekablepipe: src/conn-tools/seekablepipe.o -lskarnet +libs6net.a: src/libs6net/s6net_accessrules_backend_cdb.o src/libs6net/s6net_accessrules_backend_fs.o src/libs6net/s6net_accessrules_keycheck_ip4.o src/libs6net/s6net_accessrules_keycheck_ip6.o src/libs6net/s6net_accessrules_keycheck_reversedns.o src/libs6net/s6net_accessrules_keycheck_uidgid.o src/libs6net/s6net_accessrules_uidgid_cdb.o src/libs6net/s6net_accessrules_uidgid_fs.o src/libs6net/s6net_ident_client.o src/libs6net/s6net_ident_reply_get.o src/libs6net/s6net_ident_reply_parse.o src/libs6net/s6net_ident_error.o +minidentd: src/minidentd/minidentd.o src/minidentd/mgetuid.o -lskarnet ${SOCKET_LIB} ${TAINNOW_LIB} diff --git a/package/info b/package/info new file mode 100644 index 0000000..1fa2d13 --- /dev/null +++ b/package/info @@ -0,0 +1,4 @@ +package=s6-networking +version=2.0.0.0 +category=net +package_macro_name=S6_NETWORKING diff --git a/package/modes b/package/modes new file mode 100644 index 0000000..bc896a6 --- /dev/null +++ b/package/modes @@ -0,0 +1,24 @@ +s6-connlimit 0755 +s6-getservbyname 0755 +s6-ioconnect 0755 +s6-ident-client 0755 +s6-ipcclient 0755 +s6-ipcserver 0755 +s6-tcpclient 0755 +s6-tcpserver4 0755 +s6-tcpserver6 0755 +s6-tcpserver 0755 +s6-accessrules-cdb-from-fs 0755 +s6-accessrules-fs-from-cdb 0755 +s6-ipcserver-access 0755 +s6-tcpserver-access 0755 +seekablepipe 0755 +s6-sudo 0755 +s6-sudoc 0755 +s6-sudod 0755 +s6-clockadd 0700 +s6-clockview 0755 +s6-sntpclock 0755 +s6-taiclock 0755 +s6-taiclockd 0755 +minidentd 0755 diff --git a/package/targets.mak b/package/targets.mak new file mode 100644 index 0000000..2125f4e --- /dev/null +++ b/package/targets.mak @@ -0,0 +1,40 @@ +BIN_TARGETS = \ +s6-connlimit \ +s6-getservbyname \ +s6-ioconnect \ +s6-ident-client \ +s6-ipcclient \ +s6-ipcserver \ +s6-tcpclient \ +s6-tcpserver4 \ +s6-tcpserver6 \ +s6-tcpserver \ +s6-accessrules-cdb-from-fs \ +s6-accessrules-fs-from-cdb \ +s6-ipcserver-access \ +s6-tcpserver-access \ +seekablepipe \ +s6-sudo \ +s6-sudoc \ +s6-sudod \ +s6-clockadd \ +s6-clockview \ +s6-sntpclock \ +s6-taiclock \ +s6-taiclockd \ +minidentd + +LIBEXEC_TARGETS = + +SHARED_LIBS = \ +libs6net.so + +STATIC_LIBS = \ +libs6net.a + +src/minidentd/mgetuid.c: src/minidentd/mgetuid-linux.c src/minidentd/mgetuid-default.c + if grep -iF -- -linux- $(sysdeps)/target ; then \ + ln -sf mgetuid-linux.c src/minidentd/mgetuid.c ; \ + else \ + ln -sf mgetuid-default.c src/minidentd/mgetuid.c ; \ + fi diff --git a/patch-for-solaris b/patch-for-solaris new file mode 100755 index 0000000..02f2e3c --- /dev/null +++ b/patch-for-solaris @@ -0,0 +1,17 @@ +#!/usr/xpg4/bin/sh + +patchit () { + echo '#!/usr/xpg4/bin/sh' > $1.tmp + tail -n +2 $1 >> $1.tmp + mv -f $1.tmp $1 + chmod 755 $1 +} + +patchit ./configure +patchit ./tools/install.sh +patchit ./tools/gen-deps.sh + +echo 'SHELL := /usr/xpg4/bin/sh' > Makefile.tmp +echo >> Makefile.tmp +cat Makefile >> Makefile.tmp +mv -f Makefile.tmp Makefile diff --git a/src/clock/deps-exe/s6-clockadd b/src/clock/deps-exe/s6-clockadd new file mode 100644 index 0000000..a11a5f4 --- /dev/null +++ b/src/clock/deps-exe/s6-clockadd @@ -0,0 +1,2 @@ +-lskarnet +${SYSCLOCK_LIB} diff --git a/src/clock/deps-exe/s6-clockview b/src/clock/deps-exe/s6-clockview new file mode 100644 index 0000000..a11a5f4 --- /dev/null +++ b/src/clock/deps-exe/s6-clockview @@ -0,0 +1,2 @@ +-lskarnet +${SYSCLOCK_LIB} diff --git a/src/clock/deps-exe/s6-sntpclock b/src/clock/deps-exe/s6-sntpclock new file mode 100644 index 0000000..e027835 --- /dev/null +++ b/src/clock/deps-exe/s6-sntpclock @@ -0,0 +1,3 @@ +-lskarnet +${SOCKET_LIB} +${TAINNOW_LIB} diff --git a/src/clock/deps-exe/s6-taiclock b/src/clock/deps-exe/s6-taiclock new file mode 100644 index 0000000..e027835 --- /dev/null +++ b/src/clock/deps-exe/s6-taiclock @@ -0,0 +1,3 @@ +-lskarnet +${SOCKET_LIB} +${TAINNOW_LIB} diff --git a/src/clock/deps-exe/s6-taiclockd b/src/clock/deps-exe/s6-taiclockd new file mode 100644 index 0000000..720fe7d --- /dev/null +++ b/src/clock/deps-exe/s6-taiclockd @@ -0,0 +1,3 @@ +-lskarnet +${SOCKET_LIB} +${SYSCLOCK_LIB} diff --git a/src/clock/s6-clockadd.c b/src/clock/s6-clockadd.c new file mode 100644 index 0000000..990f3ba --- /dev/null +++ b/src/clock/s6-clockadd.c @@ -0,0 +1,58 @@ +/* ISC license. */ + +#include <skalibs/sgetopt.h> +#include <skalibs/uint.h> +#include <skalibs/allreadwrite.h> +#include <skalibs/strerr2.h> +#include <skalibs/tai.h> + +#define USAGE "s6-clockadd [ -f ] [ -e errmax ]" +#define dieusage() strerr_dieusage(100, USAGE) + +int main (int argc, char const *const *argv) +{ + tain_t now, adj ; + unsigned int emax = 2000 ; + int flagforce = 0 ; + PROG = "s6-clockadd" ; + { + subgetopt_t l = SUBGETOPT_ZERO ; + for (;;) + { + register int opt = subgetopt_r(argc, argv, "fe:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case 'f' : flagforce = 1 ; break ; + case 'e' : if (!uint0_scan(l.arg, &emax)) dieusage() ; break ; + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + } + { + char buf[TAIN_PACK] ; + if (allread(0, buf, TAIN_PACK) < TAIN_PACK) + strerr_diefu1sys(111, "read 16 bytes from stdin") ; + tain_unpack(buf, &adj) ; + } + tain_from_millisecs(&now, emax) ; + if (tain_less(&now, &adj)) + { + tain_t tmp = TAIN_ZERO ; + tain_sub(&tmp, &tmp, &adj) ; + if (tain_less(&now, &tmp)) + { + char fmt[UINT_FMT] ; + fmt[uint_fmt(fmt, emax)] = 0 ; + if (flagforce) + strerr_warnw3x("time discrepancy bigger than ", fmt, " milliseconds") ; + else + strerr_dief3x(1, "time discrepancy bigger than ", fmt, " milliseconds") ; + } + } + if (!sysclock_get(&now)) strerr_diefu1sys(111, "sysclock_get") ; + tain_add(&now, &now, &adj) ; + if (!sysclock_set(&now)) strerr_diefu1sys(111, "sysclock_set") ; + return 0 ; +} diff --git a/src/clock/s6-clockview.c b/src/clock/s6-clockview.c new file mode 100644 index 0000000..3600cce --- /dev/null +++ b/src/clock/s6-clockview.c @@ -0,0 +1,31 @@ +/* ISC license. */ + +#include <skalibs/allreadwrite.h> +#include <skalibs/buffer.h> +#include <skalibs/strerr2.h> +#include <skalibs/tai.h> +#include <skalibs/djbtime.h> + +int main (void) +{ + char buf[TAIN_PACK] ; + tain_t now, adj ; + localtmn_t l ; + char fmt[LOCALTMN_FMT] ; + PROG = "s6-clockview" ; + + if (allread(0, buf, TAIN_PACK) < TAIN_PACK) strerr_diefu1sys(111, "read from stdin") ; + tain_unpack(buf, &adj) ; + if (!sysclock_get(&now)) strerr_diefu1sys(111, "sysclock_get") ; + if (!localtmn_from_sysclock(&l, &now, 1)) strerr_diefu1sys(111, "localtmn_from_sysclock") ; + if (buffer_puts(buffer_1, "before: ") < 0) goto fail ; + if (buffer_put(buffer_1, fmt, localtmn_fmt(fmt, &l)) < 0) goto fail ; + tain_add(&now, &now, &adj) ; + if (!localtmn_from_sysclock(&l, &now, 1)) strerr_diefu1sys(111, "localtmn_from_sysclock") ; + if (buffer_puts(buffer_1, "\nafter: ") < 0) goto fail ; + if (buffer_put(buffer_1, fmt, localtmn_fmt(fmt, &l)) < 0) goto fail ; + if (buffer_putflush(buffer_1, "\n", 1) < 0) goto fail ; + return 0 ; + fail: + strerr_diefu1sys(111, "write to stdout") ; +} diff --git a/src/clock/s6-sntpclock.c b/src/clock/s6-sntpclock.c new file mode 100644 index 0000000..a7bcc22 --- /dev/null +++ b/src/clock/s6-sntpclock.c @@ -0,0 +1,238 @@ +/* ISC license. */ + +#include <sys/types.h> +#include <unistd.h> +#include <errno.h> +#include <skalibs/error.h> +#include <skalibs/uint16.h> +#include <skalibs/uint32.h> +#include <skalibs/uint.h> +#include <skalibs/sgetopt.h> +#include <skalibs/allreadwrite.h> +#include <skalibs/bytestr.h> +#include <skalibs/error.h> +#include <skalibs/strerr2.h> +#include <skalibs/tai.h> +#include <skalibs/djbtime.h> +#include <skalibs/iopause.h> +#include <skalibs/allreadwrite.h> +#include <skalibs/socket.h> +#include <skalibs/ip46.h> + +#define USAGE "s6-sntpclock [ -f ] [ -v verbosity ] [ -r roundtrips ] [ -t triptimeout ] [ -h throttle ] [ -T totaltimeout ] [ -e errmax ] [ -p port ] ipaddress" +#define dieusage() strerr_dieusage(100, USAGE) + +static unsigned int verbosity = 1 ; + +int ntp_exchange (int s, ip46_t const *ip, uint16 port, tain_t *stamps, tain_t const *deadline) +{ + char query[48] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ; + char answer[48] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ; + tain_t starttime ; + uint64 ntpstamp ; + ip46_t dummyip ; + uint16 dummyport ; + int r ; + tain_copynow(&starttime) ; + query[0] = 35 ; /* SNTPv4, client */ + if (!ntp_from_tain(&ntpstamp, &starttime)) return 0 ; + uint64_pack_big(query+24, ntpstamp) ; + uint64_pack_big(query+40, ntpstamp) ; + if (verbosity >= 3) + { + char fmtntp[UINT64_XFMT] ; + fmtntp[uint64_xfmt(fmtntp, ntpstamp)] = 0 ; + strerr_warni2x("NTP stamp[0] sent: ", fmtntp) ; + } + r = socket_sendnb46_g(s, query, 48, ip, port, deadline) ; + if (r < 0) return 0 ; + if (r < 48) return (errno = EPIPE, 0) ; + r = socket_recvnb46_g(s, answer, 48, &dummyip, &dummyport, deadline) ; + if (r < 0) return 0 ; + if (r < 48) return (errno = EPROTO, 0) ; + if (((answer[0] & 7) != 2) && ((answer[0] & 7) != 4)) return (errno = EPROTO, 0) ; + if (!(answer[0] & 56)) return (errno = EPROTO, 0) ; + if (byte_diff(query+40, 8, answer+24)) return (errno = EPROTO, 0) ; + stamps[0] = starttime ; + uint64_unpack_big(answer+32, &ntpstamp) ; + tain_from_ntp(stamps+1, ntpstamp) ; + if (verbosity >= 3) + { + char fmtntp[UINT64_XFMT] ; + fmtntp[uint64_xfmt(fmtntp, ntpstamp)] = 0 ; + strerr_warni2x("NTP stamp[1] received: ", fmtntp) ; + } + uint64_unpack_big(answer+40, &ntpstamp) ; + tain_from_ntp(stamps+2, ntpstamp) ; + if (verbosity >= 3) + { + char fmtntp[UINT64_XFMT] ; + fmtntp[uint64_xfmt(fmtntp, ntpstamp)] = 0 ; + strerr_warni2x("NTP stamp[2] received: ", fmtntp) ; + } + tain_copynow(&stamps[3]) ; + return 1 ; +} + +int main (int argc, char const *const *argv) +{ + tain_t deltamin = TAIN_ZERO ; + tain_t deltaoffset ; + tain_t deltamax ; + tain_t errmax ; + tain_t timeouttto, throttletto, globaltto ; + tain_t globaldeadline ; + unsigned int roundtrips = 10 ; + unsigned int i = 0 ; + int sock ; + int flagforce = 0 ; + ip46_t ipremote ; + uint16 portremote = 123 ; + PROG = "s6-sntpclock" ; + + { + unsigned int timeout = 2000 ; + unsigned int throttle = 0 ; + unsigned int bigtimeout = 10000 ; + unsigned int emax = 100 ; + subgetopt_t l = SUBGETOPT_ZERO ; + for (;;) + { + register int opt = subgetopt_r(argc, argv, "fv:r:t:h:T:e:p:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case 'f' : flagforce = 1 ; break ; + case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; + case 'r' : if (!uint0_scan(l.arg, &roundtrips)) dieusage() ; break ; + case 't' : if (!uint0_scan(l.arg, &timeout)) dieusage() ; break ; + case 'h' : if (!uint0_scan(l.arg, &throttle)) dieusage() ; break ; + case 'T' : if (!uint0_scan(l.arg, &bigtimeout)) dieusage() ; break ; + case 'e' : if (!uint0_scan(l.arg, &emax)) dieusage() ; break ; + case 'p' : if (!uint160_scan(l.arg, &portremote)) dieusage() ; break ; + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + if (timeout) tain_from_millisecs(&timeouttto, timeout) ; + else timeouttto = tain_infinite_relative ; + tain_from_millisecs(&throttletto, throttle) ; + if (bigtimeout) tain_from_millisecs(&globaltto, bigtimeout) ; + else globaltto = tain_infinite_relative ; + tain_from_millisecs(&errmax, emax) ; + } + if (!argc) dieusage() ; + if (!ip46_scan(argv[0], &ipremote)) dieusage() ; + + sock = socket_udp46(ip46_is6(&ipremote)) ; + if (sock < 0) strerr_diefu1sys(111, "socket_udp") ; + + tain_uint(&deltaoffset, 1072224000U) ; /* about 34 years, which is the best we can do with NTP */ + tain_add(&deltamax, &deltaoffset, &deltaoffset) ; + tain_now_g() ; + tain_add_g(&globaldeadline, &globaltto) ; + if (!socket_deadlineconnstamp46_g(sock, &ipremote, portremote, &globaldeadline)) + strerr_diefu1sys(111, "socket_deadlineconnstamp") ; + + for (; i < roundtrips ; i++) + { + tain_t stamps[4] ; + tain_t deadline ; + tain_add_g(&deadline, &timeouttto) ; + if (tain_less(&globaldeadline, &deadline)) deadline = globaldeadline ; + if (verbosity >= 3) + { + char fmt[UINT_FMT] ; + char fmtr[UINT_FMT] ; + fmt[uint_fmt(fmt, i+1)] = 0 ; + fmtr[uint_fmt(fmtr, roundtrips)] = 0 ; + strerr_warni4x("NTP round-trip ", fmt, "/", fmtr) ; + } + if (!ntp_exchange(sock, &ipremote, portremote, stamps, &deadline)) + { + if (verbosity >= 2) + { + char fmt[UINT_FMT] ; + char fmtr[UINT_FMT] ; + fmt[uint_fmt(fmt, i+1)] = 0 ; + fmtr[uint_fmt(fmtr, roundtrips)] = 0 ; + strerr_warni5sys("NTP round-trip ", fmt, "/", fmtr, " failed") ; + } + } + else + { + tain_t cur, min, max ; + if (verbosity >= 3) + { + unsigned int j = 0 ; + for (; j < 4 ; j++) + { + uint64 ntp ; + localtmn_t l ; + char fmt[UINT_FMT] ; + char fmtntp[UINT64_XFMT] ; + char fmttaia[TAIN_FMT] ; + char fmtlocal[LOCALTMN_FMT] ; + ntp_from_tain(&ntp, &stamps[j]) ; + localtmn_from_tain(&l, &stamps[j], 1) ; + fmt[uint_fmt(fmt, j)] = 0 ; + fmttaia[tain_fmt(fmttaia, &stamps[j])] = 0 ; + fmtntp[uint64_xfmt(fmtntp, ntp)] = 0 ; + fmtlocal[localtmn_fmt(fmtlocal, &l)] = 0 ; + strerr_warni6x("stamp[", fmt, "] : taia: ", fmttaia, ", ntp: ", fmtntp) ; + strerr_warni2x("localdate: ", fmtlocal) ; + } + } + tain_add(&cur, &stamps[1], &deltaoffset) ; + tain_add(&min, &stamps[0], &deltamin) ; + tain_add(&max, &stamps[0], &deltamax) ; + if (tain_less(&cur, &max) && !tain_less(&cur, &min)) + tain_sub(&deltamax, &cur, &stamps[0]) ; + tain_add(&cur, &stamps[2], &deltaoffset) ; + tain_add(&min, &stamps[3], &deltamin) ; + tain_add(&max, &stamps[3], &deltamax) ; + if (tain_less(&cur, &max) && !tain_less(&cur, &min)) + tain_sub(&deltamin, &cur, &stamps[3]) ; + } + + tain_add_g(&deadline, &throttletto) ; + if (tain_less(&globaldeadline, &deadline)) deadline = globaldeadline ; + deepsleepuntil_g(&deadline) ; + if (!tain_future(&globaldeadline)) + { + if (verbosity) + { + errno = ETIMEDOUT ; + strerr_diefu1sys(1, "complete series of SNTP exchanges") ; + } + else return 1 ; + } + } + + { + char adj[TAIN_PACK] ; + tain_t delta ; + if (tain_less(&deltamax, &deltamin)) tain_sub(&delta, &deltamin, &deltamax) ; + else tain_sub(&delta, &deltamax, &deltamin) ; + if (tain_less(&errmax, &delta)) + { + if (verbosity) + { + char fmtd[TAIN_FMT] ; + char fmte[TAIN_FMT] ; + fmtd[tain_fmt(fmtd, &delta)] = 0 ; + fmte[tain_fmt(fmte, &errmax)] = 0 ; + strerr_warnw2x("maximum acceptable uncertainty: ", fmte) ; + strerr_warnw2x("current calculated uncertainty: ", fmtd) ; + } + if (!flagforce) strerr_dief1x(111, "time uncertainty too large") ; + } + + tain_add(&delta, &deltamax, &deltamin) ; + tain_half(&delta, &delta) ; + tain_sub(&delta, &delta, &deltaoffset) ; + tain_pack(adj, &delta) ; + if (allwrite(1, adj, TAIN_PACK) < TAIN_PACK) strerr_diefu1sys(111, "write to stdout") ; + } + return 0 ; +} diff --git a/src/clock/s6-taiclock.c b/src/clock/s6-taiclock.c new file mode 100644 index 0000000..99150b5 --- /dev/null +++ b/src/clock/s6-taiclock.c @@ -0,0 +1,182 @@ +/* ISC license. */ + +#include <sys/types.h> +#include <unistd.h> +#include <errno.h> +#include <skalibs/error.h> +#include <skalibs/uint16.h> +#include <skalibs/uint32.h> +#include <skalibs/uint.h> +#include <skalibs/sgetopt.h> +#include <skalibs/allreadwrite.h> +#include <skalibs/bytestr.h> +#include <skalibs/strerr2.h> +#include <skalibs/tai.h> +#include <skalibs/djbtime.h> +#include <skalibs/iopause.h> +#include <skalibs/allreadwrite.h> +#include <skalibs/socket.h> +#include <skalibs/ip46.h> +#include <skalibs/random.h> + +#define USAGE "s6-taiclock [ -f ] [ -v verbosity ] [ -r roundtrips ] [ -t triptimeout ] [ -h throttle ] [ -T totaltimeout ] [ -e errmax ] [ -p port ] ipaddress" +#define dieusage() strerr_dieusage(100, USAGE) + +static unsigned int verbosity = 1 ; + +#define N 28 + +int tain_exchange (int s, ip46_t const *ip, uint16 port, tain_t *serversays, tain_t const *deadline) +{ + char query[N] = "ctai" ; + char answer[N] ; + ip46_t dummyip ; + int r ; + uint16 dummyport ; + tain_pack(query+4, &STAMP) ; + if (badrandom_string(query+20, N-20) < N-20) return 0 ; /* cookie */ + r = socket_sendnb46_g(s, query, N, ip, port, deadline) ; + if (r < 0) return 0 ; + if (r < N) return (errno = EPIPE, 0) ; + r = socket_recvnb46_g(s, answer, N, &dummyip, &dummyport, deadline) ; + if (r < 0) return 0 ; + if (r < N) return (errno = EPROTO, 0) ; + if (byte_diff(answer, 4, "stai")) return (errno = EPROTO, 0) ; + if (byte_diff(query+20, N-20, answer+20)) return (errno = EPROTO, 0) ; + tain_unpack(answer+4, serversays) ; + return 1 ; +} + +int main (int argc, char const *const *argv) +{ + tain_t deltamin = TAIN_ZERO ; + tain_t deltaoffset ; + tain_t deltamax ; + tain_t errmax ; + tain_t timeouttto, throttletto, globaltto ; + tain_t globaldeadline ; + unsigned int roundtrips = 10 ; + unsigned int i = 0 ; + ip46_t ipremote ; + int sock ; + int flagforce = 0 ; + uint16 portremote = 4014 ; + PROG = "s6-taiclock" ; + + { + unsigned int timeout = 2000 ; + unsigned int throttle = 0 ; + unsigned int bigtimeout = 10000 ; + unsigned int emax = 100 ; + subgetopt_t l = SUBGETOPT_ZERO ; + for (;;) + { + register int opt = subgetopt_r(argc, argv, "fv:r:t:h:T:e:p:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case 'f' : flagforce = 1 ; break ; + case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; + case 'r' : if (!uint0_scan(l.arg, &roundtrips)) dieusage() ; break ; + case 't' : if (!uint0_scan(l.arg, &timeout)) dieusage() ; break ; + case 'h' : if (!uint0_scan(l.arg, &throttle)) dieusage() ; break ; + case 'T' : if (!uint0_scan(l.arg, &bigtimeout)) dieusage() ; break ; + case 'e' : if (!uint0_scan(l.arg, &emax)) dieusage() ; break ; + case 'p' : if (!uint160_scan(l.arg, &portremote)) dieusage() ; break ; + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + if (timeout) tain_from_millisecs(&timeouttto, timeout) ; + else timeouttto = tain_infinite_relative ; + tain_from_millisecs(&throttletto, throttle) ; + if (bigtimeout) tain_from_millisecs(&globaltto, bigtimeout) ; + else globaltto = tain_infinite_relative ; + tain_from_millisecs(&errmax, emax) ; + } + if (!argc) dieusage() ; + if (!ip46_scan(argv[0], &ipremote)) dieusage() ; + + sock = socket_udp46(ip46_is6(&ipremote)) ; + if (sock < 0) strerr_diefu1sys(111, "socket_udp") ; + + tain_uint(&deltaoffset, 0xffffffffU) ; + tain_add(&deltaoffset, &deltaoffset, &deltaoffset) ; /* about 136 years */ + tain_add(&deltamax, &deltaoffset, &deltaoffset) ; + tain_now_g() ; + tain_add_g(&globaldeadline, &globaltto) ; + if (!socket_deadlineconnstamp46_g(sock, &ipremote, portremote, &globaldeadline)) + strerr_diefu1sys(111, "socket_deadlineconnstamp") ; + + for (; i < roundtrips ; i++) + { + tain_t deadline, before, serversays ; + tain_add_g(&deadline, &timeouttto) ; + if (tain_less(&globaldeadline, &deadline)) deadline = globaldeadline ; + tain_copynow(&before) ; + if (!tain_exchange(sock, &ipremote, portremote, &serversays, &deadline)) + { + if (verbosity >= 2) + { + char fmt[UINT_FMT] ; + char fmtr[UINT_FMT] ; + fmt[uint_fmt(fmt, i+1)] = 0 ; + fmtr[uint_fmt(fmtr, roundtrips)] = 0 ; + strerr_warni5sys("TAIA round-trip ", fmt, "/", fmtr, " failed") ; + } + } + else + { + tain_t cur, min, max ; + tain_add(&cur, &serversays, &deltaoffset) ; + tain_add(&min, &before, &deltamin) ; + tain_add(&max, &before, &deltamax) ; + if (tain_less(&cur, &max) && !tain_less(&cur, &min)) + tain_sub(&deltamax, &cur, &before) ; + tain_add_g(&min, &deltamin) ; + tain_add_g(&max, &deltamax) ; + if (tain_less(&cur, &max) && !tain_less(&cur, &min)) + tain_sub(&deltamin, &cur, &STAMP) ; + } + + tain_add_g(&deadline, &throttletto) ; + if (tain_less(&globaldeadline, &deadline)) deadline = globaldeadline ; + deepsleepuntil_g(&deadline) ; + if (!tain_future(&globaldeadline)) + { + if (verbosity) + { + errno = ETIMEDOUT ; + strerr_diefu1sys(1, "complete series of TAIA exchanges") ; + } + else return 1 ; + } + } + + { + char adj[TAIN_PACK] ; + tain_t delta ; + if (tain_less(&deltamax, &deltamin)) tain_sub(&delta, &deltamin, &deltamax) ; + else tain_sub(&delta, &deltamax, &deltamin) ; + if (tain_less(&errmax, &delta)) + { + if (verbosity) + { + char fmtd[TAIN_FMT] ; + char fmte[TAIN_FMT] ; + fmtd[tain_fmt(fmtd, &delta)] = 0 ; + fmte[tain_fmt(fmte, &errmax)] = 0 ; + strerr_warnw2x("maximum acceptable uncertainty: ", fmte) ; + strerr_warnw2x("current calculated uncertainty: ", fmtd) ; + } + if (!flagforce) strerr_dief1x(111, "time uncertainty too large") ; + } + + tain_add(&delta, &deltamax, &deltamin) ; + tain_half(&delta, &delta) ; + tain_sub(&delta, &delta, &deltaoffset) ; + tain_pack(adj, &delta) ; + if (allwrite(1, adj, TAIN_PACK) < TAIN_PACK) strerr_diefu1sys(111, "write to stdout") ; + } + return 0 ; +} diff --git a/src/clock/s6-taiclockd.c b/src/clock/s6-taiclockd.c new file mode 100644 index 0000000..b206400 --- /dev/null +++ b/src/clock/s6-taiclockd.c @@ -0,0 +1,54 @@ +/* ISC license. */ + +#include <skalibs/bytestr.h> +#include <skalibs/sgetopt.h> +#include <skalibs/strerr2.h> +#include <skalibs/fmtscan.h> +#include <skalibs/djbunix.h> +#include <skalibs/socket.h> +#include <skalibs/tai.h> +#include <skalibs/ip46.h> + +#define USAGE "s6-taiclockd [ -i ip ] [ -p port ]" +#define dieusage() strerr_dieusage(100, USAGE) + +int main (int argc, char const *const *argv) +{ + int s ; + ip46_t ip = IP46_ZERO ; + uint16 port = 4014 ; + subgetopt_t l = SUBGETOPT_ZERO ; + PROG = "s6-taiclockd" ; + for (;;) + { + register int opt = subgetopt_r(argc, argv, "i:p:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case 'i' : if (!ip46_scan(l.arg, &ip)) dieusage() ; break ; + case 'p' : if (!uint160_scan(l.arg, &port)) dieusage() ; break ; + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + s = socket_udp46(ip46_is6(&ip)) ; + if (s < 0) strerr_diefu1sys(111, "socket_udp") ; + if (ndelay_off(s) < 0) strerr_diefu1sys(111, "ndelay_off") ; + if (socket_bind46_reuse(s, &ip, port) < 0) + strerr_diefu1sys(111, "socket_bind_reuse") ; + + for (;;) + { + char packet[256] ; + register int r = socket_recv46(s, packet, 256, &ip, &port) ; + if ((r >= 20) && !byte_diff(packet, 4, "ctai")) + { + tain_t now ; + packet[0] = 's' ; + if (!tain_sysclock(&now)) strerr_diefu1sys(111, "tain_sysclock") ; + tain_pack(packet + 4, &now) ; + if (socket_send46(s, packet, r, &ip, port) < 0) + strerr_warnwu1sys("socket_send") ; + } + } +} diff --git a/src/conn-tools/deps-exe/s6-accessrules-cdb-from-fs b/src/conn-tools/deps-exe/s6-accessrules-cdb-from-fs new file mode 100644 index 0000000..7229c44 --- /dev/null +++ b/src/conn-tools/deps-exe/s6-accessrules-cdb-from-fs @@ -0,0 +1,4 @@ +-ls6net +-lskarnet +${SOCKET_LIB} +${TAINNOW_LIB} diff --git a/src/conn-tools/deps-exe/s6-accessrules-fs-from-cdb b/src/conn-tools/deps-exe/s6-accessrules-fs-from-cdb new file mode 100644 index 0000000..e7187fe --- /dev/null +++ b/src/conn-tools/deps-exe/s6-accessrules-fs-from-cdb @@ -0,0 +1 @@ +-lskarnet diff --git a/src/conn-tools/deps-exe/s6-connlimit b/src/conn-tools/deps-exe/s6-connlimit new file mode 100644 index 0000000..e7187fe --- /dev/null +++ b/src/conn-tools/deps-exe/s6-connlimit @@ -0,0 +1 @@ +-lskarnet diff --git a/src/conn-tools/deps-exe/s6-getservbyname b/src/conn-tools/deps-exe/s6-getservbyname new file mode 100644 index 0000000..e7187fe --- /dev/null +++ b/src/conn-tools/deps-exe/s6-getservbyname @@ -0,0 +1 @@ +-lskarnet diff --git a/src/conn-tools/deps-exe/s6-ident-client b/src/conn-tools/deps-exe/s6-ident-client new file mode 100644 index 0000000..7229c44 --- /dev/null +++ b/src/conn-tools/deps-exe/s6-ident-client @@ -0,0 +1,4 @@ +-ls6net +-lskarnet +${SOCKET_LIB} +${TAINNOW_LIB} diff --git a/src/conn-tools/deps-exe/s6-ioconnect b/src/conn-tools/deps-exe/s6-ioconnect new file mode 100644 index 0000000..1840bc1 --- /dev/null +++ b/src/conn-tools/deps-exe/s6-ioconnect @@ -0,0 +1,2 @@ +-lskarnet +${TAINNOW_LIB} diff --git a/src/conn-tools/deps-exe/s6-ipcclient b/src/conn-tools/deps-exe/s6-ipcclient new file mode 100644 index 0000000..19869b2 --- /dev/null +++ b/src/conn-tools/deps-exe/s6-ipcclient @@ -0,0 +1,2 @@ +-lskarnet +${SOCKET_LIB} diff --git a/src/conn-tools/deps-exe/s6-ipcserver b/src/conn-tools/deps-exe/s6-ipcserver new file mode 100644 index 0000000..19869b2 --- /dev/null +++ b/src/conn-tools/deps-exe/s6-ipcserver @@ -0,0 +1,2 @@ +-lskarnet +${SOCKET_LIB} diff --git a/src/conn-tools/deps-exe/s6-ipcserver-access b/src/conn-tools/deps-exe/s6-ipcserver-access new file mode 100644 index 0000000..fceb21d --- /dev/null +++ b/src/conn-tools/deps-exe/s6-ipcserver-access @@ -0,0 +1,2 @@ +-ls6net +-lskarnet diff --git a/src/conn-tools/deps-exe/s6-sudo b/src/conn-tools/deps-exe/s6-sudo new file mode 100644 index 0000000..e7187fe --- /dev/null +++ b/src/conn-tools/deps-exe/s6-sudo @@ -0,0 +1 @@ +-lskarnet diff --git a/src/conn-tools/deps-exe/s6-sudoc b/src/conn-tools/deps-exe/s6-sudoc new file mode 100644 index 0000000..1840bc1 --- /dev/null +++ b/src/conn-tools/deps-exe/s6-sudoc @@ -0,0 +1,2 @@ +-lskarnet +${TAINNOW_LIB} diff --git a/src/conn-tools/deps-exe/s6-sudod b/src/conn-tools/deps-exe/s6-sudod new file mode 100644 index 0000000..1840bc1 --- /dev/null +++ b/src/conn-tools/deps-exe/s6-sudod @@ -0,0 +1,2 @@ +-lskarnet +${TAINNOW_LIB} diff --git a/src/conn-tools/deps-exe/s6-tcpclient b/src/conn-tools/deps-exe/s6-tcpclient new file mode 100644 index 0000000..13ea615 --- /dev/null +++ b/src/conn-tools/deps-exe/s6-tcpclient @@ -0,0 +1,5 @@ +-ls6net +-ls6dns +-lskarnet +${SOCKET_LIB} +${TAINNOW_LIB} diff --git a/src/conn-tools/deps-exe/s6-tcpserver b/src/conn-tools/deps-exe/s6-tcpserver new file mode 100644 index 0000000..e7187fe --- /dev/null +++ b/src/conn-tools/deps-exe/s6-tcpserver @@ -0,0 +1 @@ +-lskarnet diff --git a/src/conn-tools/deps-exe/s6-tcpserver-access b/src/conn-tools/deps-exe/s6-tcpserver-access new file mode 100644 index 0000000..13ea615 --- /dev/null +++ b/src/conn-tools/deps-exe/s6-tcpserver-access @@ -0,0 +1,5 @@ +-ls6net +-ls6dns +-lskarnet +${SOCKET_LIB} +${TAINNOW_LIB} diff --git a/src/conn-tools/deps-exe/s6-tcpserver4 b/src/conn-tools/deps-exe/s6-tcpserver4 new file mode 100644 index 0000000..19869b2 --- /dev/null +++ b/src/conn-tools/deps-exe/s6-tcpserver4 @@ -0,0 +1,2 @@ +-lskarnet +${SOCKET_LIB} diff --git a/src/conn-tools/deps-exe/s6-tcpserver6 b/src/conn-tools/deps-exe/s6-tcpserver6 new file mode 100644 index 0000000..19869b2 --- /dev/null +++ b/src/conn-tools/deps-exe/s6-tcpserver6 @@ -0,0 +1,2 @@ +-lskarnet +${SOCKET_LIB} diff --git a/src/conn-tools/deps-exe/seekablepipe b/src/conn-tools/deps-exe/seekablepipe new file mode 100644 index 0000000..e7187fe --- /dev/null +++ b/src/conn-tools/deps-exe/seekablepipe @@ -0,0 +1 @@ +-lskarnet diff --git a/src/conn-tools/s6-accessrules-cdb-from-fs.c b/src/conn-tools/s6-accessrules-cdb-from-fs.c new file mode 100644 index 0000000..82da64c --- /dev/null +++ b/src/conn-tools/s6-accessrules-cdb-from-fs.c @@ -0,0 +1,195 @@ +/* ISC license. */ + +#include <unistd.h> +#include <errno.h> +#include <stdio.h> /* for rename() */ +#include <skalibs/bytestr.h> +#include <skalibs/uint16.h> +#include <skalibs/fmtscan.h> +#include <skalibs/cdb_make.h> +#include <skalibs/strerr2.h> +#include <skalibs/stralloc.h> +#include <skalibs/direntry.h> +#include <skalibs/djbunix.h> +#include <skalibs/skamisc.h> +#include <skalibs/random.h> + +#define USAGE "s6-accessrules-cdb-from-fs cdbfile dir" + +static stralloc tmp = STRALLOC_ZERO ; + +static void cleanup (void) +{ + register int e = errno ; + unlink(tmp.s) ; + errno = e ; +} + +static void dienomem (void) +{ + cleanup() ; + strerr_diefu1sys(111, "stralloc_catb") ; +} + +static void doit (struct cdb_make *c, stralloc *sa, unsigned int start) +{ + unsigned int tmpbase = tmp.len ; + unsigned int k = sa->len ; + if (!stralloc_readyplus(sa, 10)) dienomem() ; + stralloc_catb(sa, "/allow", 7) ; + tmp.s[tmpbase] = 0 ; + if (access(sa->s, R_OK) < 0) + { + if ((errno != ENOENT) && (errno != EACCES)) + { + cleanup() ; + strerr_diefu2sys(111, "access ", sa->s) ; + } + sa->len = k+1 ; + stralloc_catb(sa, "deny", 5) ; + if (access(sa->s, R_OK) < 0) + if ((errno != ENOENT) && (errno != EACCES)) + { + cleanup() ; + strerr_diefu2sys(111, "access ", sa->s) ; + } + else return ; + else if (cdb_make_add(c, sa->s + start, k - start, "D", 1) < 0) + { + cleanup() ; + strerr_diefu1sys(111, "cdb_make_add") ; + } + } + else + { + uint16 envlen = 0 ; + uint16 execlen = 0 ; + register int r ; + tmp.s[tmpbase] = 'A' ; + sa->len = k+1 ; + stralloc_catb(sa, "env", 4) ; + tmp.len = tmpbase + 3 ; + if ((envdir(sa->s, &tmp) < 0) && (errno != ENOENT)) + { + cleanup() ; + strerr_diefu2sys(111, "s6_envdir ", sa->s) ; + } + if (tmp.len > tmpbase + 4103) + { + cleanup() ; + strerr_diefu2sys(100, sa->s, "too big") ; + } + envlen = tmp.len - tmpbase - 3 ; + tmp.len = tmpbase ; + uint16_pack_big(tmp.s + tmpbase + 1, envlen) ; + sa->len = k+1 ; + stralloc_catb(sa, "exec", 5) ; + r = openreadnclose(sa->s, tmp.s + tmpbase + 5 + envlen, 4096) ; + if ((r < 0) && (errno != ENOENT)) + { + cleanup() ; + strerr_diefu2sys(111, "openreadnclose ", sa->s) ; + } + if (r > 0) execlen = r ; + uint16_pack_big(tmp.s + tmpbase + 3 + envlen, execlen) ; + if (cdb_make_add(c, sa->s + start, k - start, tmp.s + tmpbase, 5 + envlen + execlen) < 0) + { + cleanup() ; + strerr_diefu1sys(111, "cdb_make_add") ; + } + } +} + + +int main (int argc, char const *const *argv) +{ + stralloc sa = STRALLOC_ZERO ; + struct cdb_make c = CDB_MAKE_ZERO ; + DIR *dir ; + unsigned int start ; + int fd ; + PROG = "s6-accessrules-cdb-from-fs" ; + if (argc < 3) strerr_dieusage(100, USAGE) ; + if (!stralloc_cats(&tmp, argv[1])) return 0 ; + if (random_sauniquename(&tmp, 8) < 0) + strerr_diefu1sys(111, "random_sauniquename") ; + if (!stralloc_readyplus(&tmp, 8210)) + strerr_diefu1sys(111, "stralloc_catb") ; + stralloc_0(&tmp) ; + fd = open_trunc(tmp.s) ; + if (fd < 0) strerr_diefu2sys(111, "open_trunc ", tmp.s) ; + if (cdb_make_start(&c, fd) < 0) + { + cleanup() ; + strerr_diefu1sys(111, "cdb_make_start") ; + } + dir = opendir(argv[2]) ; + if (!dir) + { + cleanup() ; + strerr_diefu2sys(111, "opendir ", argv[2]) ; + } + if (!stralloc_cats(&sa, argv[2]) || !stralloc_catb(&sa, "/", 1)) dienomem() ; + start = sa.len ; + + for (;;) + { + DIR *subdir ; + direntry *d ; + unsigned int base ; + errno = 0 ; + d = readdir(dir) ; + if (!d) break ; + if (d->d_name[0] == '.') continue ; + sa.len = start ; + if (!stralloc_cats(&sa, d->d_name) || !stralloc_0(&sa)) dienomem() ; + base = sa.len ; + subdir = opendir(sa.s) ; + if (!subdir) + { + cleanup() ; + strerr_diefu2sys(111, "opendir ", sa.s) ; + } + sa.s[base-1] = '/' ; + for (;;) + { + errno = 0 ; + d = readdir(subdir) ; + if (!d) break ; + if (d->d_name[0] == '.') continue ; + sa.len = base ; + if (!stralloc_cats(&sa, d->d_name)) dienomem() ; + doit(&c, &sa, start) ; + } + if (errno) + { + sa.s[base-1] = 0 ; + cleanup() ; + strerr_diefu2sys(111, "readdir ", sa.s) ; + } + dir_close(subdir) ; + } + if (errno) + { + cleanup() ; + strerr_diefu2sys(111, "readdir ", argv[2]) ; + } + dir_close(dir) ; + if (cdb_make_finish(&c) < 0) + { + cleanup() ; + strerr_diefu1sys(111, "cdb_make_finish") ; + } + if (fd_sync(fd) < 0) + { + cleanup() ; + strerr_diefu1sys(111, "fd_sync") ; + } + fd_close(fd) ; + if (rename(tmp.s, argv[1]) < 0) + { + cleanup() ; + strerr_diefu4sys(111, "rename ", tmp.s, " to ", argv[1]) ; + } + return 0 ; +} diff --git a/src/conn-tools/s6-accessrules-fs-from-cdb.c b/src/conn-tools/s6-accessrules-fs-from-cdb.c new file mode 100644 index 0000000..cbe67ef --- /dev/null +++ b/src/conn-tools/s6-accessrules-fs-from-cdb.c @@ -0,0 +1,177 @@ +/* ISC license. */ + +#include <sys/types.h> +#include <sys/stat.h> +#include <errno.h> +#include <unistd.h> +#include <skalibs/bytestr.h> +#include <skalibs/uint16.h> +#include <skalibs/uint32.h> +#include <skalibs/cdb.h> +#include <skalibs/strerr2.h> +#include <skalibs/djbunix.h> + +#define USAGE "s6-accessrules-fs-from-cdb dir cdbfile" + +static char const *basedir ; +unsigned int basedirlen ; + +static void cleanup () +{ + int e = errno ; + rm_rf(basedir) ; + errno = e ; +} + +static int domkdir (char const *s) +{ + return mkdir(s, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH | S_ISGID) < 0 ? (errno == EEXIST) : 1 ; +} + +static void mkdirp (char *s) +{ + mode_t m = umask(0) ; + unsigned int len = str_len(s) ; + register unsigned int i = basedirlen + 1 ; + for (; i < len ; i++) if (s[i] == '/') + { + s[i] = 0 ; + if (!domkdir(s)) goto err ; + s[i] = '/' ; + } + if (!domkdir(s)) goto err ; + umask(m) ; + return ; + + err: + cleanup() ; + strerr_diefu2sys(111, "mkdir ", s) ; +} + +static void touchtrunc (char const *file) +{ + register int fd = open_trunc(file) ; + if (fd < 0) strerr_diefu2sys(111, "open_trunc ", file) ; + fd_close(fd) ; +} + +static int doenv (char const *dir, unsigned int dirlen, char *env, unsigned int envlen) +{ + mode_t m = umask(0) ; + unsigned int i = 0 ; + if (!domkdir(dir)) + { + cleanup() ; + strerr_diefu2sys(111, "mkdir ", dir) ; + } + umask(m) ; + while (i < envlen) + { + unsigned int n = byte_chr(env + i, envlen - i, 0) ; + if (i + n >= envlen) return 0 ; + { + unsigned int p = byte_chr(env + i, n, '=') ; + char tmp[dirlen + p + 2] ; + byte_copy(tmp, dirlen, dir) ; + tmp[dirlen] = '/' ; + byte_copy(tmp + dirlen + 1, p, env + i) ; + tmp[dirlen + p + 1] = 0 ; + if (p < n) + { + env[i+n] = '\n' ; + if (!openwritenclose_unsafe(tmp, env + i + p + 1, n - p)) + { + cleanup() ; + strerr_diefu2sys(111, "openwritenclose_unsafe ", tmp) ; + } + } + else touchtrunc(tmp) ; + } + i += n + 1 ; + } + return 1 ; +} + +static int doit (struct cdb *c) +{ + unsigned int klen = cdb_keylen(c) ; + unsigned int dlen = cdb_datalen(c) ; + { + uint16 envlen, execlen ; + char name[basedirlen + klen + 8] ; + char data[dlen] ; + byte_copy(name, basedirlen, basedir) ; + name[basedirlen] = '/' ; + if (!dlen || (dlen > 8201)) return (errno = EINVAL, 0) ; + if ((cdb_read(c, name+basedirlen+1, klen, cdb_keypos(c)) < 0) + || (cdb_read(c, data, dlen, cdb_datapos(c)) < 0)) + { + cleanup() ; + strerr_diefu1sys(111, "cdb_read") ; + } + name[basedirlen + klen + 1] = 0 ; + mkdirp(name) ; + name[basedirlen + klen + 1] = '/' ; + if (data[0] == 'A') + { + byte_copy(name + basedirlen + klen + 2, 6, "allow") ; + touchtrunc(name) ; + } + else if (data[0] == 'D') + { + byte_copy(name + basedirlen + klen + 2, 5, "deny") ; + touchtrunc(name) ; + } + if (dlen < 3) return 1 ; + uint16_unpack_big(data + 1, &envlen) ; + if ((envlen > 4096U) || (3U + envlen > dlen)) return (errno = EINVAL, 0) ; + uint16_unpack_big(data + 3 + envlen, &execlen) ; + if ((execlen > 4096U) || (5U + envlen + execlen != dlen)) return (errno = EINVAL, 0) ; + if (envlen) + { + byte_copy(name + basedirlen + klen + 2, 4, "env") ; + if (!doenv(name, basedirlen + klen + 5, data + 3, envlen)) return (errno = EINVAL, 0) ; + } + byte_copy(name + basedirlen + klen + 2, 5, "exec") ; + if (execlen && !openwritenclose_unsafe(name, data + 5 + envlen, execlen)) + { + cleanup() ; + strerr_diefu2sys(111, "openwritenclose_unsafe ", name) ; + } + } + return 1 ; +} + +int main (int argc, char const *const *argv) +{ + struct cdb c = CDB_ZERO ; + uint32 kpos ; + PROG = "s6-accessrules-fs-from-cdb" ; + if (argc < 3) strerr_dieusage(100, USAGE) ; + if (cdb_mapfile(&c, argv[2]) < 0) strerr_diefu1sys(111, "cdb_mapfile") ; + basedir = argv[1] ; + basedirlen = str_len(argv[1]) ; + { + mode_t m = umask(0) ; + if (mkdir(basedir, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH | S_ISGID) < 0) + strerr_diefu2sys(111, "mkdir ", basedir) ; + umask(m) ; + } + cdb_traverse_init(&c, &kpos) ; + for (;;) + { + register int r = cdb_nextkey(&c, &kpos) ; + if (r < 0) + { + cleanup() ; + strerr_diefu1sys(111, "cdb_nextkey") ; + } + else if (!r) break ; + else if (!doit(&c)) + { + cleanup() ; + strerr_diefu1sys(111, "handle key") ; + } + } + return 0 ; +} diff --git a/src/conn-tools/s6-connlimit.c b/src/conn-tools/s6-connlimit.c new file mode 100644 index 0000000..19f4a2d --- /dev/null +++ b/src/conn-tools/s6-connlimit.c @@ -0,0 +1,39 @@ +/* ISC license. */ + +#include <skalibs/uint.h> +#include <skalibs/bytestr.h> +#include <skalibs/strerr2.h> +#include <skalibs/env.h> +#include <skalibs/djbunix.h> + +int main (int argc, char const *const *argv, char const *const *envp) +{ + char const *x ; + unsigned int protolen ; + PROG = "s6-connlimit" ; + x = env_get2(envp, "PROTO") ; + if (!x) strerr_dienotset(100, "PROTO") ; + protolen = str_len(x) ; + if (!protolen) strerr_dief1x(100, "empty PROTO") ; + { + unsigned int num ; + char s[protolen + 8] ; + byte_copy(s, protolen, x) ; + byte_copy(s + protolen, 8, "CONNNUM") ; + x = env_get2(envp, s) ; + if (!x) strerr_dienotset(100, s) ; + if (!uint0_scan(x, &num)) strerr_dief2x(100, "invalid ", s) ; + byte_copy(s + protolen + 4, 4, "MAX") ; + x = env_get2(envp, s) ; + if (x) + { + unsigned int max ; + if (!uint0_scan(x, &max)) strerr_dief2x(100, "invalid ", s) ; + if (num > max) + strerr_dief2x(1, "number of connections from this client limited to ", x) ; + } + } + pathexec0_run(argv+1, envp) ; + (void)argc ; + strerr_dieexec(111, argv[1]) ; +} diff --git a/src/conn-tools/s6-getservbyname.c b/src/conn-tools/s6-getservbyname.c new file mode 100644 index 0000000..0888df5 --- /dev/null +++ b/src/conn-tools/s6-getservbyname.c @@ -0,0 +1,28 @@ +/* ISC license. */ + +#include <netdb.h> +#include <skalibs/uint16.h> +#include <skalibs/buffer.h> +#include <skalibs/strerr2.h> + +#define USAGE "s6-getservbyname service proto" + +int main (int argc, char const *const *argv) +{ + char fmt[UINT16_FMT] ; + uint16 port ; + PROG = "s6-getservbyname" ; + if (argc < 3) strerr_dieusage(100, USAGE) ; + if (!uint160_scan(argv[1], &port)) + { + struct servent *se = getservbyname(argv[1], argv[2]) ; + uint16 tmpport ; + if (!se) return 1 ; + tmpport = (uint16)se->s_port ; + uint16_unpack_big((char const *)&tmpport, &port) ; + } + if ((buffer_put(buffer_1small, fmt, uint16_fmt(fmt, port)) < 0) + || (buffer_putflush(buffer_1small, "\n", 1) < 1)) + strerr_diefu1sys(111, "write to stdout") ; + return 0 ; +} diff --git a/src/conn-tools/s6-ident-client.c b/src/conn-tools/s6-ident-client.c new file mode 100644 index 0000000..e475870 --- /dev/null +++ b/src/conn-tools/s6-ident-client.c @@ -0,0 +1,71 @@ +/* ISC license. */ + +#include <errno.h> +#include <skalibs/uint16.h> +#include <skalibs/uint.h> +#include <skalibs/sgetopt.h> +#include <skalibs/strerr2.h> +#include <skalibs/buffer.h> +#include <skalibs/tai.h> +#include <skalibs/djbunix.h> +#include <skalibs/ip46.h> +#include <skalibs/unix-timed.h> +#include <s6-networking/ident.h> + +#define USAGE "s6-ident-client [ -t timeout ] ra rp la lp" +#define dieusage() strerr_dieusage(100, USAGE) + +int main (int argc, char const *const *argv) +{ + tain_t deadline ; + ip46_t ra, la ; + uint16 rp, lp ; + PROG = "s6-ident-client" ; + { + unsigned int t = 0 ; + subgetopt_t l = SUBGETOPT_ZERO ; + for (;;) + { + register int opt = subgetopt_r(argc, argv, "t:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case 't' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ; + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + if (t) tain_from_millisecs(&deadline, t) ; else deadline = tain_infinite_relative ; + } + if (argc < 4) dieusage() ; + + if (!ip46_scan(argv[0], &ra)) + strerr_dief2x(100, "invalid IP address: ", argv[0]) ; + if (!uint160_scan(argv[1], &rp)) + strerr_dief2x(100, "invalid port number: ", argv[1]) ; + if (!ip46_scan(argv[2], &la)) + strerr_dief2x(100, "invalid IP address: ", argv[2]) ; + if (!uint160_scan(argv[3], &lp)) + strerr_dief2x(100, "invalid port number: ", argv[3]) ; + if (ip46_is6(&ra) != ip46_is6(&la)) + strerr_dief1x(100, "address family mismatch") ; + + tain_now_g() ; + tain_add_g(&deadline, &deadline) ; + + { + char buf[BUFFER_OUTSIZE_SMALL] ; + register int r = s6net_ident_client_g(buf, BUFFER_OUTSIZE_SMALL, &ra, rp, &la, lp, &deadline) ; + if (r < 0) strerr_diefu1sys(errno == ETIMEDOUT ? 99 : 111, "s6net_ident_client") ; + else if (!r) + { + strerr_warnw2x("ident server replied: ", s6net_ident_error_str(errno)) ; + return 1 ; + } + buffer_putnoflush(buffer_1small, buf, r-1) ; + } + buffer_putnoflush(buffer_1small, "\n", 1) ; + if (!buffer_timed_flush_g(buffer_1small, &deadline)) + strerr_diefu1sys(111, "write to stdout") ; + return 0 ; +} diff --git a/src/conn-tools/s6-ioconnect.c b/src/conn-tools/s6-ioconnect.c new file mode 100644 index 0000000..e687d70 --- /dev/null +++ b/src/conn-tools/s6-ioconnect.c @@ -0,0 +1,189 @@ +/* ISC license. */ + +#include <sys/types.h> +#include <sys/param.h> +#include <sys/socket.h> +#include <errno.h> +#include <signal.h> +#include <skalibs/uint.h> +#include <skalibs/allreadwrite.h> +#include <skalibs/sgetopt.h> +#include <skalibs/error.h> +#include <skalibs/iobuffer.h> +#include <skalibs/sig.h> +#include <skalibs/selfpipe.h> +#include <skalibs/strerr2.h> +#include <skalibs/tai.h> +#include <skalibs/iopause.h> +#include <skalibs/djbunix.h> + +#define USAGE "s6-ioconnect [ -t timeout ] [ -r fdr ] [ -w fdw ] [ -0 ] [ -1 ] [ -6 ] [ -7 ]" +#define dieusage() strerr_dieusage(100, USAGE) + + +typedef struct ioblah_s ioblah_t, *ioblah_t_ref ; +struct ioblah_s +{ + unsigned int fd ; + unsigned int xindex ; + unsigned int flagsocket : 1 ; + unsigned int flagopen : 1 ; +} ; + +static ioblah_t a[2][2] = { { { 0, 4, 0, 1 }, { 7, 4, 0, 1 } }, { { 6, 4, 0, 1 }, { 1, 4, 0, 1 } } } ; +static iobuffer b[2] ; +static iopause_fd x[5] = { { -1, IOPAUSE_READ, 0 } } ; + +static void closeit (unsigned int i, unsigned int j) +{ + if (a[i][j].flagsocket) + { + if ((shutdown(a[i][j].fd, j) < 0) && (errno != ENOTSOCK) && (errno != ENOTCONN)) + strerr_warnwu4sys("shutdown ", i ? "incoming" : "outgoing", " socket for ", j ? "writing" : "reading") ; + } + fd_close(a[i][j].fd) ; + a[i][j].flagopen = 0 ; + a[i][j].xindex = 5 ; +} + +static inline void finishit (unsigned int i) +{ + closeit(i, 1) ; + iobuffer_finish(&b[i]) ; +} + +static void handle_signals (void) +{ + for (;;) + { + char c = selfpipe_read() ; + switch (c) + { + case -1 : strerr_diefu1sys(111, "selfpipe_read") ; + case 0 : return ; + case SIGTERM : + { + if (a[0][0].xindex < 5) x[a[0][0].xindex].revents |= IOPAUSE_EXCEPT ; + if (a[1][0].xindex < 5) x[a[1][0].xindex].revents |= IOPAUSE_EXCEPT ; + break ; + } + default : + strerr_dief1x(101, "internal error: inconsistent signal state. Please submit a bug-report.") ; + } + } +} + +int main (int argc, char const *const *argv) +{ + tain_t tto ; + register unsigned int i, j ; + PROG = "s6-ioconnect" ; + { + subgetopt_t l = SUBGETOPT_ZERO ; + unsigned int t = 0 ; + for (;;) + { + register int opt = subgetopt_r(argc, argv, "0167t:r:w:", &l) ; + if (opt < 0) break ; + switch (opt) + { + case '0' : a[0][0].flagsocket = 1 ; break ; + case '1' : a[1][1].flagsocket = 1 ; break ; + case '6' : a[1][0].flagsocket = 1 ; break ; + case '7' : a[0][1].flagsocket = 1 ; break ; + case 't' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ; + case 'r' : if (!uint0_scan(l.arg, &a[1][0].fd)) dieusage() ; break ; + case 'w' : if (!uint0_scan(l.arg, &a[0][1].fd)) dieusage() ; break ; + default : dieusage() ; + } + } + if (t) tain_from_millisecs(&tto, t) ; else tto = tain_infinite_relative ; + argc -= l.ind ; argv += l.ind ; + } + if ((a[0][1].fd < 3) || (a[1][0].fd < 3)) dieusage() ; + for (i = 0 ; i < 2 ; i++) + { + for (j = 0 ; j < 2 ; j++) + if (ndelay_on(a[i][j].fd) == -1) strerr_diefu1sys(111, "ndelay_on") ; + if (!iobuffer_init(&b[i], a[i][0].fd, a[i][1].fd) < 0) strerr_diefu1sys(111, "iobuffer_init") ; + } + if (sig_ignore(SIGPIPE) == -1) strerr_diefu1sys(111, "sig_ignore") ; + + tain_now_g() ; + x[0].fd = selfpipe_init() ; + if (x[0].fd < 0) strerr_diefu1sys(111, "selfpipe_init") ; + if (selfpipe_trap(SIGTERM) < 0) + strerr_diefu1sys(111, "trap SIGTERM") ; + + for (;;) + { + tain_t deadline ; + unsigned int xlen = 1 ; + int r ; + + tain_add_g(&deadline, iobuffer_isempty(&b[0]) && iobuffer_isempty(&b[1]) ? &tto : &tain_infinite_relative) ; + for (i = 0 ; i < 2 ; i++) + { + a[i][0].xindex = 5 ; + if (a[i][0].flagopen && iobuffer_isreadable(&b[i])) + { + x[xlen].fd = a[i][0].fd ; + x[xlen].events = IOPAUSE_READ ; + a[i][0].xindex = xlen++ ; + } + a[i][1].xindex = 5 ; + if (a[i][1].flagopen) + { + x[xlen].fd = a[i][1].fd ; + x[xlen].events = IOPAUSE_EXCEPT | (iobuffer_isempty(&b[i]) ? 0 : IOPAUSE_WRITE) ; + a[i][1].xindex = xlen++ ; + } + } + if (xlen <= 1) break ; + + r = iopause_g(x, xlen, &deadline) ; + if (r < 0) strerr_diefu1sys(111, "iopause") ; + else if (!r) return 1 ; + + if (x[0].revents & IOPAUSE_READ) handle_signals() ; + + for (i = 0 ; i < 2 ; i++) if (a[i][1].xindex < 4) + { + if (x[a[i][1].xindex].revents & IOPAUSE_WRITE) + { + if (!iobuffer_flush(&b[i])) + { + if (!error_isagain(errno)) x[a[i][1].xindex].revents |= IOPAUSE_EXCEPT ; + } + else if (!a[i][0].flagopen) finishit(i) ; + } + if (x[a[i][1].xindex].revents & IOPAUSE_EXCEPT) + { + if (!iobuffer_isempty(&b[i])) + { + iobuffer_flush(&b[i]) ; /* sets errno */ + strerr_warnwu3sys("write ", i ? "incoming" : "outgoing", " data") ; + } + closeit(i, 0) ; finishit(i) ; + } + } + + for (i = 0 ; i < 2 ; i++) if (a[i][0].xindex < 4) + { + if (x[a[i][0].xindex].revents & IOPAUSE_READ) + { + if (sanitize_read(iobuffer_fill(&b[i])) < 0) + { + if (errno != EPIPE) strerr_warnwu3sys("read ", i ? "incoming" : "outgoing", " data") ; + x[a[i][0].xindex].revents |= IOPAUSE_EXCEPT ; + } + } + if (x[a[i][0].xindex].revents & IOPAUSE_EXCEPT) + { + closeit(i, 0) ; + if (iobuffer_isempty(&b[i])) finishit(i) ; + } + } + } + return 0 ; +} diff --git a/src/conn-tools/s6-ipcclient.c b/src/conn-tools/s6-ipcclient.c new file mode 100644 index 0000000..3e3162c --- /dev/null +++ b/src/conn-tools/s6-ipcclient.c @@ -0,0 +1,66 @@ +/* ISC license. */ + +#include <skalibs/sgetopt.h> +#include <skalibs/strerr2.h> +#include <skalibs/env.h> +#include <skalibs/djbunix.h> +#include <skalibs/webipc.h> + +#define USAGE "s6-ipcclient [ -q | -Q | -v ] [ -p bindpath ] [ -l localname ] path prog..." + +int main (int argc, char const *const *argv, char const *const *envp) +{ + char const *bindpath = 0 ; + char const *localname = 0 ; + unsigned int verbosity = 1 ; + PROG = "s6-ipcclient" ; + { + subgetopt_t l = SUBGETOPT_ZERO ; + for (;;) + { + register int opt = subgetopt_r(argc, argv, "qQvp:l:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case 'q' : if (verbosity) verbosity-- ; break ; + case 'Q' : verbosity = 1 ; break ; + case 'v' : verbosity++ ; break ; + case 'p' : bindpath = l.arg ; break ; + case 'l' : localname = l.arg ; break ; + default : strerr_dieusage(100, USAGE) ; + } + } + argc -= l.ind ; argv += l.ind ; + } + if (argc < 2) strerr_dieusage(100, USAGE) ; + { + char modif[24 + IPCPATH_MAX] = "PROTO=IPC\0IPCLOCALPATH=" ; + unsigned int i = 23 ; + int s = ipc_stream() ; + if (s == -1) strerr_diefu1sys(111, "create socket") ; + if (bindpath && (ipc_bind(s, bindpath) == -1)) + strerr_diefu2sys(111, "bind socket to ", bindpath) ; + if (ipc_connect(s, argv[0]) < 0) + strerr_diefu2sys(111, "connect to ", argv[0]) ; + if (verbosity >= 2) strerr_warn3x(PROG, ": connected to ", argv[0]) ; + if (localname) + { + register unsigned int n = str_len(localname) ; + if (n > IPCPATH_MAX) n = IPCPATH_MAX ; + byte_copy(modif + i, n, localname) ; + i += n ; modif[i++] = 0 ; + } + else + { + int dummy ; + if (ipc_local(s, modif + i, IPCPATH_MAX, &dummy) < 0) modif[--i] = 0 ; + else i += str_len(modif + i) + 1 ; + } + if (fd_move(6, s) < 0) + strerr_diefu2sys(111, "set up fd ", "6") ; + if (fd_copy(7, 6) < 0) + strerr_diefu2sys(111, "set up fd ", "7") ; + pathexec_r(argv+1, envp, env_len(envp), modif, i) ; + } + strerr_dieexec(111, argv[1]) ; +} diff --git a/src/conn-tools/s6-ipcserver-access.c b/src/conn-tools/s6-ipcserver-access.c new file mode 100644 index 0000000..183f56c --- /dev/null +++ b/src/conn-tools/s6-ipcserver-access.c @@ -0,0 +1,211 @@ +/* ISC license. */ + +#include <unistd.h> +#include <errno.h> +#include <skalibs/gccattributes.h> +#include <skalibs/uint.h> +#include <skalibs/strerr2.h> +#include <skalibs/sgetopt.h> +#include <skalibs/cdb.h> +#include <skalibs/env.h> +#include <skalibs/djbunix.h> +#include <skalibs/webipc.h> +#include <execline/config.h> +#include <s6-networking/accessrules.h> + +#define USAGE "s6-ipcserver-access [ -v verbosity ] [ -e | -E ] [ -l localname ] [ -i rulesdir | -x rulesfile ] prog..." + +static unsigned int verbosity = 1 ; + + /* Utility functions */ + +static inline void dieusage (void) gccattr_noreturn ; +static inline void dieusage () +{ + strerr_dieusage(100, USAGE) ; +} + +static inline void dienomem (void) gccattr_noreturn ; +static inline void dienomem () +{ + strerr_diefu1sys(111, "update environment") ; +} + +static inline void X (void) gccattr_noreturn ; +static inline void X () +{ + strerr_dief1x(101, "internal inconsistency. Please submit a bug-report.") ; +} + + + /* Logging */ + +static void logit (unsigned int pid, unsigned int uid, unsigned int gid, int h) +{ + char fmtpid[UINT_FMT] ; + char fmtuid[UINT_FMT] ; + char fmtgid[UINT_FMT] ; + fmtpid[uint_fmt(fmtpid, pid)] = 0 ; + fmtuid[uint_fmt(fmtuid, uid)] = 0 ; + fmtgid[uint_fmt(fmtgid, gid)] = 0 ; + if (h) strerr_warni7x("allow", " pid ", fmtpid, " uid ", fmtuid, " gid ", fmtgid) ; + else strerr_warni7sys("deny", " pid ", fmtpid, " uid ", fmtuid, " gid ", fmtgid) ; +} + +static inline void log_accept (unsigned int pid, unsigned int uid, unsigned int gid) +{ + logit(pid, uid, gid, 1) ; +} + +static inline void log_deny (unsigned int pid, unsigned int uid, unsigned int gid) +{ + logit(pid, uid, gid, 0) ; +} + + + /* Checking */ + +static s6net_accessrules_result_t check_cdb (unsigned int uid, unsigned int gid, char const *file, s6net_accessrules_params_t *params) +{ + struct cdb c = CDB_ZERO ; + int fd = open_readb(file) ; + register s6net_accessrules_result_t r ; + if (fd < 0) return -1 ; + if (cdb_init(&c, fd) < 0) strerr_diefu2sys(111, "cdb_init ", file) ; + r = s6net_accessrules_uidgid_cdb(uid, gid, &c, params) ; + cdb_free(&c) ; + fd_close(fd) ; + return r ; +} + +static inline int check (s6net_accessrules_params_t *params, char const *rules, unsigned int rulestype, unsigned int uid, unsigned int gid) +{ + char const *x = "" ; + s6net_accessrules_result_t r ; + switch (rulestype) + { + case 0 : + if (verbosity >= 2) strerr_warnw1x("invoked without a ruleset!") ; + return 1 ; + case 1 : + r = s6net_accessrules_uidgid_fs(uid, gid, rules, params) ; + x = "fs" ; + break ; + case 2 : + r = check_cdb(uid, gid, rules, params) ; + x = "cdb" ; + break ; + default : X() ; + } + switch (r) + { + case S6NET_ACCESSRULES_ERROR : strerr_diefu4sys(111, "check ", x, " ruleset in ", rules) ; + case S6NET_ACCESSRULES_ALLOW : return 1 ; + case S6NET_ACCESSRULES_DENY : return (errno = EACCES, 0) ; + case S6NET_ACCESSRULES_NOTFOUND : return (errno = ENOENT, 0) ; + default : X() ; + } +} + + +int main (int argc, char const *const *argv, char const *const *envp) +{ + s6net_accessrules_params_t params = S6NET_ACCESSRULES_PARAMS_ZERO ; + char const *rules = 0 ; + char const *localname = 0 ; + char const *proto ; + unsigned int protolen ; + unsigned int uid = 0, gid = 0 ; + unsigned int rulestype = 0 ; + int doenv = 1 ; + PROG = "s6-ipcserver-access" ; + { + subgetopt_t l = SUBGETOPT_ZERO ; + for (;;) + { + register int opt = subgetopt_r(argc, argv, "v:Eel:i:x:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; + case 'E' : doenv = 0 ; break ; + case 'e' : doenv = 1 ; break ; + case 'l' : localname = l.arg ; break ; + case 'i' : rules = l.arg ; rulestype = 1 ; break ; + case 'x' : rules = l.arg ; rulestype = 2 ; break ; + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + } + if (!argc) dieusage() ; + if (!*argv[0]) dieusage() ; + + proto = env_get2(envp, "PROTO") ; + if (!proto) strerr_dienotset(100, "PROTO") ; + protolen = str_len(proto) ; + + { + char const *x ; + char tmp[protolen + 11] ; + byte_copy(tmp, protolen, proto) ; + byte_copy(tmp + protolen, 11, "REMOTEEUID") ; + x = env_get2(envp, tmp) ; + if (!x) strerr_dienotset(100, tmp) ; + if (!uint0_scan(x, &uid)) strerr_dieinvalid(100, tmp) ; + tmp[protolen + 7] = 'G' ; + x = env_get2(envp, tmp) ; + if (!x) strerr_dienotset(100, tmp) ; + if (!uint0_scan(x, &gid)) strerr_dieinvalid(100, tmp) ; + } + + if (!check(¶ms, rules, rulestype, uid, gid)) + { + if (verbosity >= 2) log_deny(getpid(), uid, gid) ; + return 1 ; + } + if (verbosity) log_accept(getpid(), uid, gid) ; + + if (doenv) + { + char tmp[protolen + 10] ; + byte_copy(tmp, protolen, proto) ; + byte_copy(tmp + protolen, 10, "LOCALPATH") ; + if (localname) + { + if (!env_addmodif(¶ms.env, tmp, localname)) dienomem() ; + } + else + { + char curname[IPCPATH_MAX+1] ; + int dummy ; + if (ipc_local(0, curname, IPCPATH_MAX+1, &dummy) < 0) + strerr_diefu1sys(111, "ipc_local") ; + if (!env_addmodif(¶ms.env, tmp, curname)) dienomem() ; + } + } + else + { + char tmp[protolen + 11] ; + byte_copy(tmp, protolen, proto) ; + byte_copy(tmp + protolen, 11, "REMOTEEUID") ; + if (!env_addmodif(¶ms.env, "PROTO", 0)) dienomem() ; + if (!env_addmodif(¶ms.env, tmp, 0)) dienomem() ; + tmp[protolen + 7] = 'G' ; + if (!env_addmodif(¶ms.env, tmp, 0)) dienomem() ; + byte_copy(tmp + protolen + 6, 5, "PATH") ; + if (!env_addmodif(¶ms.env, tmp, 0)) dienomem() ; + byte_copy(tmp + protolen, 10, "LOCALPATH") ; + if (!env_addmodif(¶ms.env, tmp, 0)) dienomem() ; + } + + if (params.exec.len) + { + char *specialargv[4] = { EXECLINE_EXTBINPREFIX "execlineb", "-c", params.exec.s, 0 } ; + pathexec_r((char const *const *)specialargv, envp, env_len(envp), params.env.s, params.env.len) ; + strerr_dieexec(111, specialargv[0]) ; + } + + pathexec_r(argv, envp, env_len(envp), params.env.s, params.env.len) ; + strerr_dieexec(111, argv[0]) ; +} diff --git a/src/conn-tools/s6-ipcserver.c b/src/conn-tools/s6-ipcserver.c new file mode 100644 index 0000000..edee033 --- /dev/null +++ b/src/conn-tools/s6-ipcserver.c @@ -0,0 +1,441 @@ +/* ISC license. */ + +#ifndef _BSD_SOURCE +#define _BSD_SOURCE +#endif + +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/wait.h> +#include <errno.h> +#include <unistd.h> +#include <grp.h> +#include <limits.h> +#include <signal.h> +#include <skalibs/uint.h> +#include <skalibs/gidstuff.h> +#include <skalibs/setgroups.h> +#include <skalibs/gccattributes.h> +#include <skalibs/allreadwrite.h> +#include <skalibs/bytestr.h> +#include <skalibs/sgetopt.h> +#include <skalibs/strerr2.h> +#include <skalibs/diuint.h> +#include <skalibs/env.h> +#include <skalibs/djbunix.h> +#include <skalibs/sig.h> +#include <skalibs/selfpipe.h> +#include <skalibs/iopause.h> +#include <skalibs/webipc.h> + +#define USAGE "s6-ipcserver [ -q | -Q | -v ] [ -d | -D ] [ -P | -p ] [ -1 ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gid,gid,... ] [ -g gid ] [ -u uid ] [ -U ] path prog..." + +#define ABSOLUTE_MAXCONN 1000 + +static unsigned int maxconn = 40 ; +static unsigned int localmaxconn = 40 ; +static char fmtmaxconn[UINT_FMT+1] = "/" ; +static char fmtlocalmaxconn[UINT_FMT+1] = "/" ; +static int flaglookup = 1 ; +static unsigned int verbosity = 1 ; +static int cont = 1 ; + +static diuint *piduid ; +static unsigned int numconn = 0 ; +static diuint *uidnum ; +static unsigned int uidlen = 0 ; + + + /* Utility functions */ + +static inline void dieusage () +{ + strerr_dieusage(100, USAGE) ; +} + +static inline void X (void) +{ + strerr_dief1x(101, "internal inconsistency. Please submit a bug-report.") ; +} + + + /* Lookup primitives */ + +static unsigned int lookup_diuint (diuint const *tab, unsigned int tablen, unsigned int key) +{ + register unsigned int i = 0 ; + for (; i < tablen ; i++) if (key == tab[i].left) break ; + return i ; +} + +static inline unsigned int lookup_pid (unsigned int pid) +{ + return lookup_diuint(piduid, numconn, pid) ; +} + +static inline unsigned int lookup_uid (unsigned int uid) +{ + return lookup_diuint(uidnum, uidlen, uid) ; +} + + + /* Logging */ + +static inline void log_start (char const *path) +{ + strerr_warni2x("starting - listening on ", path) ; +} + +static inline void log_exit (void) +{ + strerr_warni1x("exiting") ; +} + +static void log_status (void) +{ + char fmt[UINT_FMT] ; + fmt[uint_fmt(fmt, numconn)] = 0 ; + strerr_warni3x("status: ", fmt, fmtmaxconn) ; +} + +static void log_deny (unsigned int uid, unsigned int gid, unsigned int num) +{ + char fmtuid[UINT_FMT] = "?" ; + char fmtgid[UINT_FMT] = "?" ; + char fmtnum[UINT_FMT] = "?" ; + if (flaglookup) + { + fmtuid[uint_fmt(fmtuid, uid)] = 0 ; + fmtgid[uint_fmt(fmtgid, gid)] = 0 ; + fmtnum[uint_fmt(fmtnum, num)] = 0 ; + } + strerr_warni7sys("deny ", fmtuid, ":", fmtgid, " count ", fmtnum, fmtlocalmaxconn) ; +} + +static void log_accept (unsigned int pid, unsigned int uid, unsigned int gid, unsigned int num) +{ + char fmtuidgid[UINT_FMT * 2 + 1] = "?:?" ; + char fmtpid[UINT_FMT] ; + char fmtnum[UINT_FMT] = "?" ; + if (flaglookup) + { + register unsigned int n = uint_fmt(fmtuidgid, uid) ; + fmtuidgid[n++] = ':' ; + n += uint_fmt(fmtuidgid + n, gid) ; + fmtuidgid[n] = 0 ; + fmtnum[uint_fmt(fmtnum, num)] = 0 ; + } + fmtpid[uint_fmt(fmtpid, pid)] = 0 ; + strerr_warni7x("allow ", fmtuidgid, " pid ", fmtpid, " count ", fmtnum, fmtlocalmaxconn) ; +} + +static void log_close (unsigned int pid, unsigned int uid, int w) +{ + char fmtpid[UINT_FMT] ; + char fmtuid[UINT_FMT] = "?" ; + char fmtw[UINT_FMT] ; + fmtpid[uint_fmt(fmtpid, pid)] = 0 ; + if (flaglookup) fmtuid[uint_fmt(fmtuid, uid)] = 0 ; + fmtw[uint_fmt(fmtw, WIFSIGNALED(w) ? WTERMSIG(w) : WEXITSTATUS(w))] = 0 ; + strerr_warni6x("end pid ", fmtpid, " uid ", fmtuid, WIFSIGNALED(w) ? " signal " : " exitcode ", fmtw) ; +} + + + /* Signal handling */ + +static void killthem (int sig) +{ + register unsigned int i = 0 ; + for (; i < numconn ; i++) kill(piduid[i].left, sig) ; +} + +static void wait_children (void) +{ + for (;;) + { + unsigned int i ; + int w ; + register int pid = wait_nohang(&w) ; + if (pid < 0) + if (errno != ECHILD) strerr_diefu1sys(111, "wait_nohang") ; + else break ; + else if (!pid) break ; + i = lookup_pid(pid) ; + if (i < numconn) + { + unsigned int uid = piduid[i].right ; + register unsigned int j = lookup_uid(uid) ; + if (j >= uidlen) X() ; + if (!--uidnum[j].right) uidnum[j] = uidnum[--uidlen] ; + piduid[i] = piduid[--numconn] ; + if (verbosity >= 2) + { + log_close(pid, uid, w) ; + log_status() ; + } + } + } +} + +static void handle_signals (void) +{ + for (;;) switch (selfpipe_read()) + { + case -1 : strerr_diefu1sys(111, "read selfpipe") ; + case 0 : return ; + case SIGCHLD : wait_children() ; break ; + case SIGTERM : + { + if (verbosity >= 2) + strerr_warni3x("received ", "SIGTERM,", " quitting") ; + cont = 0 ; + break ; + } + case SIGHUP : + { + if (verbosity >= 2) + strerr_warni5x("received ", "SIGHUP,", " sending ", "SIGTERM+SIGCONT", " to all connections") ; + killthem(SIGTERM) ; + killthem(SIGCONT) ; + break ; + } + case SIGQUIT : + { + if (verbosity >= 2) + strerr_warni6x("received ", "SIGQUIT,", " sending ", "SIGTERM+SIGCONT", " to all connections", " and quitting") ; + cont = 0 ; + killthem(SIGTERM) ; + killthem(SIGCONT) ; + break ; + } + case SIGABRT : + { + if (verbosity >= 2) + strerr_warni6x("received ", "SIGABRT,", " sending ", "SIGKILL", " to all connections", " and quitting") ; + cont = 0 ; + killthem(SIGKILL) ; + break ; + } + default : X() ; + } +} + + + /* New connection handling */ + +static void run_child (int, unsigned int, unsigned int, unsigned int, char const *, char const *const *, char const *const *) gccattr_noreturn ; +static void run_child (int s, unsigned int uid, unsigned int gid, unsigned int num, char const *remotepath, char const *const *argv, char const *const *envp) +{ + unsigned int rplen = str_len(remotepath) + 1 ; + unsigned int n = 0 ; + char fmt[65 + UINT_FMT * 3 + rplen] ; + PROG = "s6-ipcserver (child)" ; + if ((fd_move(0, s) < 0) || (fd_copy(1, 0) < 0)) + strerr_diefu1sys(111, "move fds") ; + byte_copy(fmt+n, 23, "PROTO=IPC\0IPCREMOTEEUID") ; n += 23 ; + if (flaglookup) + { + fmt[n++] = '=' ; + n += uint_fmt(fmt+n, uid) ; + } + fmt[n++] = 0 ; + byte_copy(fmt+n, 13, "IPCREMOTEEGID") ; n += 13 ; + if (flaglookup) + { + fmt[n++] = '=' ; + n += uint_fmt(fmt+n, gid) ; + } + fmt[n++] = 0 ; + byte_copy(fmt+n, 11, "IPCCONNNUM=") ; n += 11 ; + if (flaglookup) n += uint_fmt(fmt+n, num) ; + fmt[n++] = 0 ; + byte_copy(fmt+n, 14, "IPCREMOTEPATH=") ; n += 14 ; + byte_copy(fmt+n, rplen, remotepath) ; n += rplen ; + pathexec_r(argv, envp, env_len(envp), fmt, n) ; + strerr_dieexec(111, argv[0]) ; +} + +static void new_connection (int s, char const *remotepath, char const *const *argv, char const *const *envp) +{ + unsigned int uid = 0, gid = 0 ; + unsigned int num, i ; + register int pid ; + if (flaglookup && (ipc_eid(s, &uid, &gid) < 0)) + { + if (verbosity) strerr_warnwu1sys("ipc_eid") ; + return ; + } + i = lookup_uid(uid) ; + num = (i < uidlen) ? uidnum[i].right : 0 ; + if (num >= localmaxconn) + { + log_deny(uid, gid, num) ; + return ; + } + pid = fork() ; + if (pid < 0) + { + if (verbosity) strerr_warnwu1sys("fork") ; + return ; + } + else if (!pid) + { + selfpipe_finish() ; + run_child(s, uid, gid, num+1, remotepath, argv, envp) ; + } + + if (i < uidlen) uidnum[i].right = num + 1 ; + else + { + uidnum[uidlen].left = uid ; + uidnum[uidlen++].right = 1 ; + } + piduid[numconn].left = (unsigned int)pid ; + piduid[numconn++].right = uid ; + if (verbosity >= 2) + { + log_accept((unsigned int)pid, uid, gid, uidnum[i].right) ; + log_status() ; + } +} + + + /* And the main */ + +int main (int argc, char const *const *argv, char const *const *envp) +{ + iopause_fd x[2] = { { -1, IOPAUSE_READ, 0 }, { -1, IOPAUSE_READ | IOPAUSE_EXCEPT, 0 } } ; + PROG = "s6-ipcserver" ; + { + subgetopt_t l = SUBGETOPT_ZERO ; + unsigned int uid = 0, gid = 0 ; + gid_t gids[NGROUPS_MAX] ; + unsigned int gidn = 0 ; + unsigned int backlog = 20 ; + int flagreuse = 1, flag1 = 0 ; + for (;;) + { + register int opt = subgetopt_r(argc, argv, "qQvDd1UPpc:C:b:u:g:G:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case 'q' : verbosity = 0 ; break ; + case 'Q' : verbosity = 1 ; break ; + case 'v' : verbosity = 2 ; break ; + case 'D' : flagreuse = 0 ; break ; + case 'd' : flagreuse = 1 ; break ; + case 'P' : flaglookup = 0 ; break ; + case 'p' : flaglookup = 1 ; break ; + case 'c' : if (!uint0_scan(l.arg, &maxconn)) dieusage() ; break ; + case 'C' : if (!uint0_scan(l.arg, &localmaxconn)) dieusage() ; break ; + case 'b' : if (!uint0_scan(l.arg, &backlog)) dieusage() ; break ; + case 'u' : if (!uint0_scan(l.arg, &uid)) dieusage() ; break ; + case 'g' : if (!uint0_scan(l.arg, &gid)) dieusage() ; break ; + case 'G' : if (!gid_scanlist(gids, NGROUPS_MAX, l.arg, &gidn)) dieusage() ; break ; + case '1' : flag1 = 1 ; break ; + case 'U' : + { + char const *x = env_get2(envp, "UID") ; + if (!x) strerr_dienotset(100, "UID") ; + if (!uint0_scan(x, &uid)) strerr_dieinvalid(100, "UID") ; + x = env_get2(envp, "GID") ; + if (!x) strerr_dienotset(100, "GID") ; + if (!uint0_scan(x, &gid)) strerr_dieinvalid(100, "GID") ; + x = env_get2(envp, "GIDLIST") ; + if (!x) strerr_dienotset(100, "GIDLIST") ; + if (!gid_scanlist(gids, NGROUPS_MAX, x, &gidn) && *x) + strerr_dieinvalid(100, "GIDLIST") ; + break ; + } + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + if (argc < 2) dieusage() ; + if (!*argv[0]) dieusage() ; + fd_close(0) ; + if (!flag1) fd_close(1) ; + if (!maxconn) maxconn = 1 ; + if (maxconn > ABSOLUTE_MAXCONN) maxconn = ABSOLUTE_MAXCONN ; + if (!flaglookup || (localmaxconn > maxconn)) localmaxconn = maxconn ; + x[1].fd = ipc_stream() ; + if ((x[1].fd < 0) || (coe(x[1].fd) < 0)) + strerr_diefu1sys(111, "create socket") ; + { + mode_t m = umask(0) ; + if ((flagreuse ? ipc_bind_reuse(x[1].fd, argv[0]) : ipc_bind(x[1].fd, argv[0])) < 0) + strerr_diefu2sys(111, "bind to ", argv[0]) ; + umask(m) ; + } + if (ipc_listen(x[1].fd, backlog) < 0) strerr_diefu1sys(111, "listen") ; + if (gidn && (setgroups(gidn, gids) < 0)) strerr_diefu1sys(111, "setgroups") ; + if (gid && (setgid(gid) < 0)) strerr_diefu1sys(111, "drop gid") ; + if (uid && (setuid(uid) < 0)) strerr_diefu1sys(111, "drop uid") ; + + x[0].fd = selfpipe_init() ; + if (x[0].fd == -1) strerr_diefu1sys(111, "create selfpipe") ; + if (sig_ignore(SIGPIPE) < 0) strerr_diefu1sys(111, "ignore SIGPIPE") ; + { + sigset_t set ; + sigemptyset(&set) ; + sigaddset(&set, SIGCHLD) ; + sigaddset(&set, SIGTERM) ; + sigaddset(&set, SIGHUP) ; + sigaddset(&set, SIGQUIT) ; + sigaddset(&set, SIGABRT) ; + if (selfpipe_trapset(&set) < 0) strerr_diefu1sys(111, "trap signals") ; + } + + if (flag1) + { + unsigned int n = str_len(argv[0]) ; + char s[n+1] ; + byte_copy(s, n, argv[0]) ; + s[n++] = '\n' ; + if (allwrite(1, s, n) < n) strerr_diefu1sys(111, "write to stdout") ; + fd_close(1) ; + } + fmtlocalmaxconn[1+uint_fmt(fmtlocalmaxconn+1, localmaxconn)] = 0 ; + if (verbosity >= 2) + { + fmtmaxconn[1+uint_fmt(fmtmaxconn+1, maxconn)] = 0 ; + log_start(argv[0]) ; + log_status() ; + } + } + + { + diuint inyostack[maxconn + (flaglookup ? maxconn : 1)] ; + piduid = inyostack ; uidnum = inyostack + maxconn ; + + while (cont) + { + if (iopause(x, 1 + (numconn < maxconn), 0, 0) == -1) + strerr_diefu1sys(111, "iopause") ; + + if (x[0].revents & IOPAUSE_EXCEPT) strerr_dief1x(111, "trouble with selfpipe") ; + if (x[0].revents & IOPAUSE_READ) handle_signals() ; + if (numconn < maxconn) + { + if (x[1].revents & IOPAUSE_EXCEPT) strerr_dief1x(111, "trouble with socket") ; + if (x[1].revents & IOPAUSE_READ) + { + int dummy ; + char remotepath[IPCPATH_MAX+1] ; + register int s = ipc_accept(x[1].fd, remotepath, IPCPATH_MAX+1, &dummy) ; + if (s < 0) + { + if (verbosity) strerr_warnwu1sys("accept") ; + } + else + { + new_connection(s, remotepath, argv+1, envp) ; + fd_close(s) ; + } + } + } + } + } + if (verbosity >= 2) log_exit() ; + return 0 ; +} diff --git a/src/conn-tools/s6-sudo.c b/src/conn-tools/s6-sudo.c new file mode 100644 index 0000000..8541b60 --- /dev/null +++ b/src/conn-tools/s6-sudo.c @@ -0,0 +1,67 @@ +/* ISC license. */ + +#include <skalibs/uint.h> +#include <skalibs/sgetopt.h> +#include <skalibs/strerr2.h> +#include <skalibs/djbunix.h> +#include <s6-networking/config.h> + +#define USAGE "s6-sudo [ -q | -Q | -v ] [ -p bindpath ] [ -l localname ] [ -e ] [ -t timeout ] [ -T timeoutrun ] path [ args... ]" +#define dieusage() strerr_dieusage(100, USAGE) + +int main (int argc, char const *const *argv, char const *const *envp) +{ + unsigned int verbosity = 1, t = 0, T = 0 ; + char const *bindpath = 0 ; + char const *localname = 0 ; + int nodoenv = 0 ; + PROG = "s6-sudo" ; + { + subgetopt_t l = SUBGETOPT_ZERO ; + for (;;) + { + register int opt = subgetopt_r(argc, argv, "qQvp:l:et:T:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case 'q' : if (verbosity) verbosity-- ; break ; + case 'Q' : verbosity = 1 ; break ; + case 'v' : verbosity++ ; break ; + case 'p' : bindpath = l.arg ; break ; + case 'l' : localname = l.arg ; break ; + case 'e' : nodoenv = 1 ; break ; + case 't' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ; + case 'T' : if (!uint0_scan(l.arg, &T)) dieusage() ; break ; + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + } + if (!argc) dieusage() ; + { + char const *eargv[9 + argc + ((verbosity < 2 ? 1 : verbosity-1)) + ((!!bindpath + !!localname) << 1) + nodoenv] ; + char fmt1[UINT_FMT] ; + char fmt2[UINT_FMT] ; + unsigned int n = 0 ; + eargv[n++] = "s6-ipcclient" ; + if (!verbosity) eargv[n++] = "-Q" ; + else while (--verbosity) eargv[n++] = "-v" ; + if (bindpath) { eargv[n++] = "-p" ; eargv[n++] = bindpath ; } + if (localname) { eargv[n++] = "-l" ; eargv[n++] = localname ; } + eargv[n++] = "--" ; + eargv[n++] = *argv++ ; argc-- ; + eargv[n++] = S6_NETWORKING_BINPREFIX "s6-sudoc" ; + if (nodoenv) eargv[n++] = "-e" ; + eargv[n++] = "-t" ; + fmt1[uint_fmt(fmt1, t)] = 0 ; + eargv[n++] = fmt1 ; + eargv[n++] = "-T" ; + fmt2[uint_fmt(fmt2, T)] = 0 ; + eargv[n++] = fmt2 ; + eargv[n++] = "--" ; + while (argc--) eargv[n++] = *argv++ ; + eargv[n++] = 0 ; + pathexec_run(eargv[0], eargv, envp) ; + } + strerr_dieexec(111, S6_NETWORKING_BINPREFIX "s6-ipcclient") ; +} diff --git a/src/conn-tools/s6-sudo.h b/src/conn-tools/s6-sudo.h new file mode 100644 index 0000000..8c5797f --- /dev/null +++ b/src/conn-tools/s6-sudo.h @@ -0,0 +1,11 @@ +/* ISC license. */ + +#ifndef S6_SUDO_H +#define S6_SUDO_H + +#define S6_SUDO_BANNERB "s6-sudo b v1.0\n" +#define S6_SUDO_BANNERB_LEN (sizeof(S6_SUDO_BANNERB) - 1) +#define S6_SUDO_BANNERA "s6-sudo a v1.0\n" +#define S6_SUDO_BANNERA_LEN (sizeof(S6_SUDO_BANNERA) - 1) + +#endif diff --git a/src/conn-tools/s6-sudoc.c b/src/conn-tools/s6-sudoc.c new file mode 100644 index 0000000..c417efc --- /dev/null +++ b/src/conn-tools/s6-sudoc.c @@ -0,0 +1,115 @@ +/* ISC license. */ + +#include <errno.h> +#include <fcntl.h> +#include <signal.h> +#include <sys/wait.h> +#include <skalibs/uint.h> +#include <skalibs/sgetopt.h> +#include <skalibs/bytestr.h> +#include <skalibs/buffer.h> +#include <skalibs/stralloc.h> +#include <skalibs/strerr2.h> +#include <skalibs/djbunix.h> +#include <skalibs/tai.h> +#include <skalibs/env.h> +#include <skalibs/unix-timed.h> +#include <skalibs/unixmessage.h> +#include "s6-sudo.h" + +#define USAGE "s6-sudoc [ -e ] [ -t timeoutconn ] [ -T timeoutrun ] [ args... ]" +#define dieusage() strerr_dieusage(100, USAGE) +#define dienomem() strerr_diefu1sys(111, "stralloc_catb") + +int main (int argc, char const *const *argv, char const *const *envp) +{ + char buf6[64] ; + buffer b6 = BUFFER_INIT(&buffer_read, 6, buf6, 64) ; + unixmessage_sender_t b7 = UNIXMESSAGE_SENDER_INIT(7) ; + subgetopt_t l = SUBGETOPT_ZERO ; + unsigned int t = 0, T = 0 ; + int doenv = 1 ; + + tain_t deadline = TAIN_INFINITE_RELATIVE ; + PROG = "s6-sudoc" ; + for (;;) + { + register int opt = subgetopt_r(argc, argv, "et:T:", &l) ; + if (opt < 0) break ; + switch (opt) + { + case 'e' : doenv = 0 ; break ; + case 't' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ; + case 'T' : if (!uint0_scan(l.arg, &T)) dieusage() ; break ; + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + if (t) tain_from_millisecs(&deadline, t) ; + if ((ndelay_on(6) < 0) || (ndelay_on(7) < 0)) + strerr_diefu1sys(111, "make socket non-blocking") ; + if (!fd_sanitize() || !fd_ensure_open(2, 1)) + strerr_diefu1sys(111, "sanitize stdin/stdout/stderr") ; + + tain_now_g() ; + tain_add_g(&deadline, &deadline) ; + { + char tmp[S6_SUDO_BANNERB_LEN] ; + if (buffer_timed_get_g(&b6, tmp, S6_SUDO_BANNERB_LEN, &deadline) < S6_SUDO_BANNERB_LEN) + strerr_diefu1sys(111, "read banner from s6-sudod") ; + if (str_diffn(tmp, S6_SUDO_BANNERB, S6_SUDO_BANNERB_LEN)) + strerr_dief1x(100, "wrong server banner") ; + } + { + int fds[3] = { 0, 1, 2 } ; + char pack[16] ; + siovec_t v[3] = { + { .s = S6_SUDO_BANNERA, .len = S6_SUDO_BANNERA_LEN }, + { .s = pack, .len = 16 }, + { .s = 0, .len = 0 } } ; + unixmessage_v_t mv = { .v = v, .vlen = 3, .fds = fds, .nfds = 3 } ; + stralloc sa = STRALLOC_ZERO ; + unsigned int envlen = doenv ? env_len(envp) : 0 ; + uint32_pack_big(pack, (uint32)argc) ; + uint32_pack_big(pack + 4, (uint32)envlen) ; + if (!env_string(&sa, argv, argc)) dienomem() ; + uint32_pack_big(pack + 8, (uint32)sa.len) ; + if (doenv) + { + unsigned int start = sa.len ; + if (!env_string(&sa, envp, envlen)) dienomem() ; + envlen = sa.len - start ; + } + else envlen = 0 ; + uint32_pack_big(pack + 12, (uint32)envlen) ; + v[2].s = sa.s ; + v[2].len = sa.len ; + if (!unixmessage_putv_and_close(&b7, &mv, (unsigned char const *)"\003")) + strerr_diefu1sys(111, "unixmessage_putv") ; + stralloc_free(&sa) ; + } + if (!unixmessage_sender_timed_flush_g(&b7, &deadline)) + strerr_diefu1sys(111, "send args to server") ; + unixmessage_sender_free(&b7) ; + { + char c ; + if (buffer_timed_get_g(&b6, &c, 1, &deadline) < 1) + strerr_diefu1sys(111, "get confirmation from server") ; + if (c) + { + errno = c ; + strerr_diefu1sys(111, "start privileged program: server answered: ") ; + } + } + + if (T) tain_from_millisecs(&deadline, T) ; else deadline = tain_infinite_relative ; + tain_add_g(&deadline, &deadline) ; + { + char pack[UINT_PACK] ; + if (buffer_timed_get_g(&b6, pack, UINT_PACK, &deadline) < UINT_PACK) + strerr_diefu1sys(111, "get exit status from server") ; + uint_unpack_big(pack, &t) ; + } + if (WIFSIGNALED(t)) raise(WTERMSIG(t)) ; + return WEXITSTATUS(t) ; +} diff --git a/src/conn-tools/s6-sudod.c b/src/conn-tools/s6-sudod.c new file mode 100644 index 0000000..9ea6167 --- /dev/null +++ b/src/conn-tools/s6-sudod.c @@ -0,0 +1,233 @@ +/* ISC license. */ + +#include <sys/types.h> +#include <unistd.h> +#include <errno.h> +#include <fcntl.h> +#include <signal.h> +#include <skalibs/uint.h> +#include <skalibs/allreadwrite.h> +#include <skalibs/sgetopt.h> +#include <skalibs/bytestr.h> +#include <skalibs/buffer.h> +#include <skalibs/stralloc.h> +#include <skalibs/strerr2.h> +#include <skalibs/tai.h> +#include <skalibs/iopause.h> +#include <skalibs/selfpipe.h> +#include <skalibs/env.h> +#include <skalibs/djbunix.h> +#include <skalibs/unix-timed.h> +#include <skalibs/unixmessage.h> +#include "s6-sudo.h" + +#define USAGE "s6-sudod [ -0 ] [ -1 ] [ -2 ] [ -t timeout ] args..." +#define dieusage() strerr_dieusage(100, USAGE) +#define dienomem() strerr_diefu1sys(111, "stralloc_catb") + +int main (int argc, char const *const *argv, char const *const *envp) +{ + subgetopt_t l = SUBGETOPT_ZERO ; + unixmessage_t m ; + unsigned int nullfds = 0, t = 2000 ; + pid_t pid ; + uint32 envc = env_len(envp) ; + uint32 cargc, cenvc, carglen, cenvlen ; + int spfd ; + tain_t deadline = TAIN_INFINITE_RELATIVE ; + PROG = "s6-sudod" ; + for (;;) + { + register int opt = subgetopt_r(argc, argv, "012t:", &l) ; + if (opt < 0) break ; + switch (opt) + { + case '0' : nullfds |= 1 ; break ; + case '1' : nullfds |= 2 ; break ; + case '2' : nullfds |= 4 ; break ; + case 't' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ; + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + if (t) tain_from_millisecs(&deadline, t) ; + if ((ndelay_on(0) < 0) || (ndelay_on(1) < 0)) + strerr_diefu1sys(111, "make socket non-blocking") ; + + tain_now_g() ; + tain_add_g(&deadline, &deadline) ; + buffer_putnoflush(buffer_1small, S6_SUDO_BANNERB, S6_SUDO_BANNERB_LEN) ; + if (!buffer_timed_flush_g(buffer_1small, &deadline)) + strerr_diefu1sys(111, "write banner to client") ; + if (unixmessage_timed_receive_g(unixmessage_receiver_0, &m, &deadline) <= 0) + strerr_diefu1sys(111, "read message from client") ; + if (m.nfds != 3) + strerr_dief1x(100, "client did not send 3 fds") ; + if (m.len < 16 + S6_SUDO_BANNERA_LEN) + strerr_dief1x(100, "wrong client message") ; + if (str_diffn(m.s, S6_SUDO_BANNERA, S6_SUDO_BANNERA_LEN)) + strerr_dief1x(100, "wrong client banner") ; + uint32_unpack_big(m.s + S6_SUDO_BANNERA_LEN, &cargc) ; + uint32_unpack_big(m.s + S6_SUDO_BANNERA_LEN + 4, &cenvc) ; + uint32_unpack_big(m.s + S6_SUDO_BANNERA_LEN + 8, &carglen) ; + uint32_unpack_big(m.s + S6_SUDO_BANNERA_LEN + 12, &cenvlen) ; + if (S6_SUDO_BANNERA_LEN + 16 + carglen + cenvlen != m.len) + strerr_dief1x(100, "wrong client argc/envlen") ; + if ((cargc > 131072) || (cenvc > 131072)) + strerr_dief1x(100, "too many args/envvars from client") ; + + if (nullfds & 1) + { + close(m.fds[0]) ; + m.fds[0] = open2("/dev/null", O_RDONLY) ; + if (m.fds[0] < 0) strerr_diefu2sys(111, "open /dev/null for ", "reading") ; + } + if (nullfds & 2) + { + close(m.fds[1]) ; + m.fds[1] = open2("/dev/null", O_WRONLY) ; + if (m.fds[1] < 0) strerr_diefu2sys(111, "open /dev/null for ", "writing") ; + } + if (nullfds & 4) + { + close(m.fds[2]) ; + m.fds[2] = 2 ; + } + + { + char const *targv[argc + 1 + cargc] ; + char const *tenvp[envc + 1 + cenvc] ; + int p[2] ; + register unsigned int i = 0 ; + for (; i < (unsigned int)argc ; i++) targv[i] = argv[i] ; + for (i = 0 ; i <= envc ; i++) tenvp[i] = envp[i] ; + if (!env_make(targv + argc, cargc, m.s + S6_SUDO_BANNERA_LEN + 16, carglen)) + { + char c = errno ; + buffer_putnoflush(buffer_1small, &c, 1) ; + buffer_timed_flush_g(buffer_1small, &deadline) ; + errno = c ; + strerr_diefu1sys(111, "make child argv") ; + } + if (!env_make(tenvp + envc + 1, cenvc, m.s + S6_SUDO_BANNERA_LEN + 16 + carglen, cenvlen)) + { + char c = errno ; + buffer_putnoflush(buffer_1small, &c, 1) ; + buffer_timed_flush_g(buffer_1small, &deadline) ; + errno = c ; + strerr_diefu1sys(111, "make child envp") ; + } + targv[argc + cargc] = 0 ; + + for (i = 0 ; i < cenvlen ; i++) + { + char const *var = tenvp[envc + 1 + i] ; + register unsigned int j = 0 ; + register unsigned int len = str_chr(var, '=') ; + if (!var[len]) + { + char c = EINVAL ; + buffer_putnoflush(buffer_1small, &c, 1) ; + buffer_timed_flush_g(buffer_1small, &deadline) ; + strerr_dief1x(100, "bad environment from client") ; + } + for (; j < envc ; j++) if (!str_diffn(var, tenvp[j], len+1)) break ; + if ((j < envc) && !tenvp[j][len+1]) tenvp[j] = var ; + } + + spfd = selfpipe_init() ; + if (spfd < 0) strerr_diefu1sys(111, "selfpipe_init") ; + if (selfpipe_trap(SIGCHLD) < 0) strerr_diefu1sys(111, "trap SIGCHLD") ; + if (pipe(p) < 0) strerr_diefu1sys(111, "pipe") ; + if (coe(p[1]) < 0) strerr_diefu1sys(111, "coe pipe") ; + pid = fork() ; + if (pid < 0) strerr_diefu1sys(111, "fork") ; + if (!pid) + { + PROG = "s6-sudod (child)" ; + fd_close(p[0]) ; + if ((fd_move(2, m.fds[2]) < 0) + || (fd_move(1, m.fds[1]) < 0) + || (fd_move(0, m.fds[0]) < 0)) + { + char c = errno ; + fd_write(p[1], &c, 1) ; + strerr_diefu1sys(111, "move fds") ; + } + selfpipe_finish() ; + pathexec0_run(targv, tenvp) ; + { + char c = errno ; + fd_write(p[1], &c, 1) ; + } + strerr_dieexec(111, targv[0]) ; + } + fd_close(p[1]) ; + { + char c ; + register int r = fd_read(p[0], &c, 1) ; + if (r < 0) strerr_diefu1sys(111, "read from child") ; + if (r) + { + buffer_putnoflush(buffer_1small, &c, 1) ; + buffer_timed_flush_g(buffer_1small, &deadline) ; + return 111 ; + } + } + fd_close(p[0]) ; + } + + fd_close(m.fds[0]) ; + fd_close(m.fds[1]) ; + if (!(nullfds & 4)) fd_close(m.fds[2]) ; + unixmessage_receiver_free(unixmessage_receiver_0) ; + buffer_putnoflush(buffer_1small, "", 1) ; + if (!buffer_timed_flush_g(buffer_1small, &deadline)) + strerr_diefu1sys(111, "send confirmation to client") ; + + { + iopause_fd x[2] = { { .fd = 0, .events = 0 }, { .fd = spfd, .events = IOPAUSE_READ } } ; + int cont = 1 ; + while (cont) + { + if (iopause_g(x, 2, 0) < 0) strerr_diefu1sys(111, "iopause") ; + if (x[1].revents) + { + for (;;) + { + int c = selfpipe_read() ; + if (c < 0) strerr_diefu1sys(111, "read from selfpipe") ; + else if (!c) break ; + else if (c == SIGCHLD) + { + int wstat ; + register int r = wait_pid_nohang(pid, &wstat) ; + if ((r < 0) && (errno != ECHILD)) + strerr_diefu1sys(111, "wait_pid_nohang") ; + else if (r > 0) + { + char pack[UINT_PACK] ; + uint_pack_big(pack, (unsigned int)wstat) ; + buffer_putnoflush(buffer_1small, pack, UINT_PACK) ; + cont = 0 ; + } + } + else + strerr_dief1sys(101, "internal inconsistency, please submit a bug-report") ; + } + } + if (x[0].revents && cont) + { + kill(pid, SIGTERM) ; + kill(pid, SIGCONT) ; + x[0].fd = -1 ; + return 1 ; + } + } + } + if (ndelay_off(1) < 0) + strerr_diefu1sys(111, "set stdout blocking") ; + if (!buffer_flush(buffer_1small)) + strerr_diefu1sys(111, "write status to client") ; + return 0 ; +} diff --git a/src/conn-tools/s6-tcpclient.c b/src/conn-tools/s6-tcpclient.c new file mode 100644 index 0000000..4686636 --- /dev/null +++ b/src/conn-tools/s6-tcpclient.c @@ -0,0 +1,377 @@ +/* ISC license. */ + +#include <errno.h> +#include <skalibs/uint16.h> +#include <skalibs/uint.h> +#include <skalibs/bytestr.h> +#include <skalibs/sgetopt.h> +#include <skalibs/fmtscan.h> +#include <skalibs/strerr2.h> +#include <skalibs/stralloc.h> +#include <skalibs/genalloc.h> +#include <skalibs/tai.h> +#include <skalibs/djbunix.h> +#include <skalibs/skamisc.h> +#include <skalibs/socket.h> +#include <skalibs/ip46.h> +#include <s6-dns/s6dns.h> +#include <s6-networking/ident.h> + +#ifdef SKALIBS_IPV6_ENABLED +# define USAGE "s6-tcpclient [ -q | -Q | -v ] [ -4 | -6 ] [ -d | -D ] [ -r | -R ] [ -h | -H ] [ -n | -N ] [ -t timeoutinfo ] [ -l localname ] [ -T timeoutconn ] [ -i localip ] [ -p localport ] host port prog..." +# define TFLAGS_DEFAULT { 0, 0, { 2, 58 }, IP46_ZERO, 0, 1, 0, 0, 1, 0, 1, 1 } +# define OPTSTRING "qQv46dDrRhHnNt:l:T:i:p:" +#else +# define USAGE "s6-tcpclient [ -q | -Q | -v ] [ -d | -D ] [ -r | -R ] [ -h | -H ] [ -n | -N ] [ -t timeoutinfo ] [ -l localname ] [ -T timeoutconn ] [ -i localip ] [ -p localport ] host port prog..." +# define TFLAGS_DEFAULT { 0, 0, { 2, 58 }, IP46_ZERO, 0, 1, 1, 0, 1, 1 } +# define OPTSTRING "qQvdDrRhHnNt:l:T:i:p:" +#endif + +#define usage() strerr_dieusage(100, USAGE) +#define dienomem() strerr_diefu1sys(111, "allocate") + +#define MAXIP 16 + +typedef struct tflags_s tflags, *tflags_ref ; +struct tflags_s +{ + char const *localname ; + unsigned int timeout ; + unsigned int timeoutconn[2] ; + ip46_t localip ; + uint16 localport ; + unsigned int verbosity : 2 ; +#ifdef SKALIBS_IPV6_ENABLED + unsigned int ip4 : 1 ; + unsigned int ip6 : 1 ; +#endif + unsigned int delay : 1 ; + unsigned int remoteinfo : 1 ; + unsigned int remotehost : 1 ; + unsigned int qualif : 1 ; +} ; + +static tain_t deadline ; + +int main (int argc, char const *const *argv) +{ + int s ; + tflags flags = TFLAGS_DEFAULT ; + uint16 remoteport ; + PROG = "s6-tcpclient" ; + { + subgetopt_t l = SUBGETOPT_ZERO ; + for (;;) + { + register int opt = subgetopt_r(argc, argv, OPTSTRING, &l) ; + if (opt == -1) break ; + switch (opt) + { + case 'q' : if (flags.verbosity) flags.verbosity-- ; break ; + case 'Q' : flags.verbosity = 1 ; break ; + case 'v' : flags.verbosity++ ; break ; +#ifdef SKALIBS_IPV6_ENABLED + case '4' : flags.ip4 = 1 ; break ; + case '6' : flags.ip6 = 1 ; break ; +#endif + case 'd' : flags.delay = 1 ; break ; + case 'D' : flags.delay = 0 ; break ; + case 'r' : flags.remoteinfo = 1 ; break ; + case 'R' : flags.remoteinfo = 0 ; break ; + case 'h' : flags.remotehost = 1 ; break ; + case 'H' : flags.remotehost = 0 ; break ; + case 'n' : flags.qualif = 1 ; break ; + case 'N' : flags.qualif = 0 ; break ; + case 't' : if (!uint0_scan(l.arg, &flags.timeout)) usage() ; break ; + case 'l' : flags.localname = l.arg ; break ; + case 'T' : + { + unsigned int n = uint_scan(l.arg, &flags.timeoutconn[0]) ; + if (!n) usage() ; + if (!l.arg[n]) + { + flags.timeoutconn[1] = 0 ; + break ; + } + if (l.arg[n] != '+') usage() ; + if (!uint0_scan(l.arg + n + 1, &flags.timeoutconn[1])) usage() ; + break ; + } + case 'i' : if (!ip46_scan(l.arg, &flags.localip)) usage() ; break ; + case 'p' : if (!uint160_scan(l.arg, &flags.localport)) usage() ; break ; + default : usage() ; + } + } + argc -= l.ind ; argv += l.ind ; + } + if (argc < 3) usage() ; +#ifdef SKALIBS_IPV6_ENABLED + if (!flags.ip6) flags.ip4 = 1 ; +#endif + if (!uint160_scan(argv[1], &remoteport)) + strerr_dief2x(100, "invalid port number: ", argv[1]) ; + tain_now_g() ; + if (flags.timeout) tain_addsec_g(&deadline, flags.timeout) ; + else tain_add_g(&deadline, &tain_infinite_relative) ; + + { + ip46_t ip[2][MAXIP] ; + unsigned int j = 0 ; + unsigned int n[2] = { 0, 0 } ; + register unsigned int i = 0 ; + if (!**argv || ((**argv == '0') && !argv[0][1])) + { +#ifdef SKALIBS_IPV6_ENABLED + ip46_from_ip6(&ip[0][n[0]++], IP6_LOCAL) ; +#endif + ip46_from_ip4(&ip[0][n[0]++], IP4_LOCAL) ; + } + else + { + if (!flags.remotehost) + { +#ifdef SKALIBS_IPV6_ENABLED + if (flags.ip6 && !flags.ip4) + { + char ip6[MAXIP << 4] ; + register unsigned int i = 0 ; + if (!ip6_scanlist(ip6, MAXIP, argv[0], &n[0])) usage() ; + for (; i < n[0] ; i++) ip46_from_ip6(&ip[0][i], ip6 + (i << 4)) ; + } + else if (!flags.ip6) + { + char ip4[MAXIP << 2] ; + register unsigned int i = 0 ; + if (!ip4_scanlist(ip4, MAXIP, argv[0], &n[0])) usage() ; + for (; i < n[0] ; i++) ip46_from_ip4(&ip[0][i], ip4 + (i << 2)) ; + } + else +#endif + if (!ip46_scanlist(ip[0], MAXIP, argv[0], &n[0])) usage() ; + } + else + { +#ifdef SKALIBS_IPV6_ENABLED + if (flags.ip6 && flags.ip4) + { + if (!ip46_scanlist(ip[0], MAXIP, argv[0], &n[0])) + { + genalloc ips = STRALLOC_ZERO ; + if (s6dns_resolve_aaaaa_g(&ips, argv[0], str_len(argv[0]), flags.qualif, &deadline) <= 0) + strerr_diefu4x(111, "resolve ", argv[0], ": ", s6dns_constants_error_str(errno)) ; + n[0] = genalloc_len(ip46_t, &ips) ; + if (n[0] >= MAXIP) n[0] = MAXIP ; + for (; i < n[0] ; i++) ip[0][i] = genalloc_s(ip46_t, &ips)[i] ; + genalloc_free(ip46_t, &ips) ; + } + } + else if (flags.ip6) + { + char ip6[MAXIP << 4] ; + if (ip6_scanlist(ip6, MAXIP, argv[0], &n[0])) + { + register unsigned int i = 0 ; + for (; i < n[0] ; i++) ip46_from_ip6(&ip[0][i], ip6 + (i << 4)) ; + } + else + { + stralloc ip6s = STRALLOC_ZERO ; + if (s6dns_resolve_aaaa_g(&ip6s, argv[0], str_len(argv[0]), flags.qualif, &deadline) <= 0) + strerr_diefu4x(111, "resolve ", argv[0], ": ", s6dns_constants_error_str(errno)) ; + n[0] = ip6s.len >> 4 ; + if (n[0] >= MAXIP) n[0] = MAXIP ; + for (; i < n[0] ; i++) ip46_from_ip6(&ip[0][i], ip6s.s + (i << 4)) ; + stralloc_free(&ip6s) ; + } + } + else +#endif + { + char ip4[MAXIP << 2] ; + if (ip4_scanlist(ip4, MAXIP, argv[0], &n[0])) + { + register unsigned int i = 0 ; + for (; i < n[0] ; i++) ip46_from_ip4(&ip[0][i], ip4 + (i << 2)) ; + } + else + { + stralloc ip4s = STRALLOC_ZERO ; + if (s6dns_resolve_a_g(&ip4s, argv[0], str_len(argv[0]), flags.qualif, &deadline) <= 0) + strerr_diefu4x(111, "resolve ", argv[0], ": ", s6dns_constants_error_str(errno)) ; + n[0] = ip4s.len >> 2 ; + if (n[0] >= MAXIP) n[0] = MAXIP ; + for (; i < n[0] ; i++) ip46_from_ip4(&ip[0][i], ip4s.s + (i << 2)) ; + stralloc_free(&ip4s) ; + } + } + } + if (!n[0]) strerr_dief2x(100, "no IP address for ", argv[0]) ; + } + + if (n[0] == 1) + { + flags.timeoutconn[0] += flags.timeoutconn[1] ; + flags.timeoutconn[1] = 0 ; + } + + for (; j < 2 ; j++) + { + unsigned int i = 0 ; + for (; i < n[j] ; i++) + { + tain_t localdeadline ; + s = socket_tcp46(ip46_is6(&flags.localip)) ; + if (s < 0) strerr_diefu1sys(111, "create socket") ; + if (socket_bind46(s, &flags.localip, flags.localport) < 0) + strerr_diefu1sys(111, "bind socket") ; + tain_addsec_g(&localdeadline, flags.timeoutconn[j]) ; + if (tain_less(&deadline, &localdeadline)) localdeadline = deadline ; + if (socket_deadlineconnstamp46_g(s, &ip[j][i], remoteport, &localdeadline)) goto connected ; + fd_close(s) ; + if (!j && flags.timeoutconn[1]) ip[1][n[1]++] = ip[0][i] ; + else + { + char fmtip[IP46_FMT] ; + char fmtport[UINT16_FMT] ; + fmtip[ip46_fmt(fmtip, &ip[j][i])] = 0 ; + fmtport[uint16_fmt(fmtport, remoteport)] = 0 ; + strerr_warnwu4sys("connect to ", fmtip, " port ", fmtport) ; + } + } + } + strerr_diefu2x(111, "connect to ", "a suitable IP address") ; + } + + connected: + + if (ndelay_off(s) == -1) + strerr_diefu1sys(111, "ndelay_off") ; + if (!flags.delay) socket_tcpnodelay(s) ; + if (socket_local46(s, &flags.localip, &flags.localport) == -1) + strerr_diefu2sys(111, "get local", " address and port") ; + + { + ip46_t remoteip ; + char fmtip[IP46_FMT] ; + char fmtport[UINT16_FMT] ; + + if (socket_remote46(s, &remoteip, &remoteport) == -1) + strerr_diefu2sys(111, "get remote", " address and port") ; + fmtip[ip46_fmt(fmtip, &remoteip)] = 0 ; + fmtport[uint16_fmt(fmtport, remoteport)] = 0 ; + if (flags.verbosity >= 2) + strerr_warni4x("connected to ", fmtip, " port ", fmtport) ; + if (!pathexec_env("PROTO", "TCP") + || !pathexec_env("TCPREMOTEIP", fmtip) + || !pathexec_env("TCPREMOTEPORT", fmtport)) dienomem() ; + + fmtip[ip46_fmt(fmtip, &flags.localip)] = 0 ; + fmtport[uint16_fmt(fmtport, flags.localport)] = 0 ; + if (!pathexec_env("TCPLOCALIP", fmtip) + || !pathexec_env("TCPLOCALPORT", fmtport)) dienomem() ; + + if (flags.localname) + { + if (!pathexec_env("TCPLOCALHOST", flags.localname)) dienomem() ; + } + + /* DNS resolution for TCPLOCALHOST and TCPREMOTEHOST */ + + if (!flags.localname || flags.remotehost) + { + s6dns_resolve_t blob[2] ; + s6dns_dpag_t data[2] = { S6DNS_DPAG_ZERO, S6DNS_DPAG_ZERO } ; + if (!flags.localname) + { + s6dns_domain_arpafromip46(&blob[0].q, &flags.localip) ; + s6dns_domain_encode(&blob[0].q) ; + blob[0].qtype = S6DNS_T_PTR ; + blob[0].deadline = deadline ; + blob[0].parsefunc = &s6dns_message_parse_answer_domain ; + blob[0].data = &data[0] ; + blob[0].options = S6DNS_O_RECURSIVE ; + data[0].rtype = S6DNS_T_PTR ; + } + if (flags.remotehost) + { + s6dns_domain_arpafromip46(&blob[1].q, &remoteip) ; + s6dns_domain_encode(&blob[1].q) ; + blob[1].qtype = S6DNS_T_PTR ; + blob[1].deadline = deadline ; + blob[1].parsefunc = &s6dns_message_parse_answer_domain ; + blob[1].data = &data[1] ; + blob[1].options = S6DNS_O_RECURSIVE ; + data[1].rtype = S6DNS_T_PTR ; + } + { + tain_t infinite = TAIN_INFINITE ; + if (!s6dns_resolven_parse_g(blob + !!flags.localname, !flags.localname + !!flags.remotehost, &infinite)) + strerr_diefu2x(111, "resolve IP addresses: ", s6dns_constants_error_str(errno)) ; + } + if (!flags.localname) + { + if (blob[0].status) + { + if (!pathexec_env("TCPLOCALHOST", 0)) dienomem() ; + } + else + { + char s[256] ; + register unsigned int len = 0 ; + if (genalloc_len(s6dns_domain_t, &data[0].ds)) + len = s6dns_domain_tostring(s, 255, genalloc_s(s6dns_domain_t, &data[0].ds)) ; + genalloc_free(s6dns_domain_t, &data[0].ds) ; + s[len] = 0 ; + if (!pathexec_env("TCPLOCALHOST", s)) dienomem() ; + } + } + if (flags.remotehost) + { + if (blob[1].status) + { + if (!pathexec_env("TCPREMOTEHOST", 0)) dienomem() ; + } + else + { + char s[256] ; + register unsigned int len = 0 ; + if (genalloc_len(s6dns_domain_t, &data[1].ds)) + len = s6dns_domain_tostring(s, 255, genalloc_s(s6dns_domain_t, &data[1].ds)) ; + genalloc_free(s6dns_domain_t, &data[1].ds) ; + s[len] = 0 ; + if (!pathexec_env("TCPREMOTEHOST", s)) dienomem() ; + } + } + } + + + /* TCPREMOTEINFO */ + /* + Yes, I should have made all the network queries in parallel, + not only the DNS ones, but the IDENT one too. Well, that was + too much work for an obsolete protocol. Sue me. + */ + { + char idbuf[S6NET_IDENT_ID_SIZE] ; + if (flags.remoteinfo) + { + register int r = s6net_ident_client_g(idbuf, S6NET_IDENT_ID_SIZE, &remoteip, remoteport, &flags.localip, flags.localport, &deadline) ; + if (r <= 0) + { + if (flags.verbosity) + { + if (r < 0) strerr_warnwu1sys("s6net_ident_client") ; + else strerr_warnw2x("ident server replied: ", s6net_ident_error_str(errno)) ; + } + if (!pathexec_env("TCPREMOTEINFO", "")) dienomem() ; + } + else if (!pathexec_env("TCPREMOTEINFO", idbuf)) dienomem() ; + } + } + } + + if (fd_move(6, s) < 0) strerr_diefu2sys(111, "set up fd ", "6") ; + if (fd_copy(7, 6) < 0) strerr_diefu2sys(111, "set up fd ", "7") ; + pathexec(argv+2) ; + strerr_dieexec(111, argv[2]) ; +} diff --git a/src/conn-tools/s6-tcpserver-access.c b/src/conn-tools/s6-tcpserver-access.c new file mode 100644 index 0000000..ef2771b --- /dev/null +++ b/src/conn-tools/s6-tcpserver-access.c @@ -0,0 +1,387 @@ +/* ISC license. */ + +#include <unistd.h> +#include <errno.h> +#include <skalibs/gccattributes.h> +#include <skalibs/uint16.h> +#include <skalibs/uint.h> +#include <skalibs/strerr2.h> +#include <skalibs/sgetopt.h> +#include <skalibs/buffer.h> +#include <skalibs/stralloc.h> +#include <skalibs/genalloc.h> +#include <skalibs/cdb.h> +#include <skalibs/tai.h> +#include <skalibs/env.h> +#include <skalibs/djbunix.h> +#include <skalibs/socket.h> +#include <skalibs/ip46.h> +#include <skalibs/unix-timed.h> +#include <execline/config.h> +#include <s6-dns/s6dns.h> +#include <s6-networking/s6net.h> + +#define USAGE "s6-tcpserver-access [ -v verbosity ] [ -W | -w ] [ -D | -d ] [ -H | -h ] [ -R | -r ] [ -P | -p ] [ -l localname ] [ -B banner ] [ -t timeout ] [ -i rulesdir | -x rulesfile ] prog..." +#define dieusage() strerr_dieusage(100, USAGE) +#define dienomem() strerr_diefu1sys(111, "update environment") +#define X() strerr_dief1x(101, "internal inconsistency. Please submit a bug-report.") + + +static void logit (unsigned int pid, ip46_t const *ip, int h) +{ + char fmtpid[UINT_FMT] ; + char fmtip[IP46_FMT] ; + fmtip[ip46_fmt(fmtip, ip)] = 0 ; + fmtpid[uint_fmt(fmtpid, pid)] = 0 ; + if (h) strerr_warni5x("allow", " pid ", fmtpid, " ip ", fmtip) ; + else strerr_warni5sys("deny", " pid ", fmtpid, " ip ", fmtip) ; +} + +static inline void log_accept (unsigned int pid, ip46_t const *ip) +{ + logit(pid, ip, 1) ; +} + +static inline void log_deny (unsigned int pid, ip46_t const *ip) +{ + logit(pid, ip, 0) ; +} + + +int main (int argc, char const *const *argv, char const *const *envp) +{ + s6net_accessrules_params_t params = S6NET_ACCESSRULES_PARAMS_ZERO ; + stralloc modifs = STRALLOC_ZERO ; + tain_t deadline, tto ; + char const *rulestypestr[3] = { "no", "fs", "cdb" } ; + char const *rules = 0 ; + char const *localname = 0 ; + char const *proto ; + struct cdb c = CDB_ZERO ; + int cdbfd = -1 ; + unsigned int rulestype = 0 ; + unsigned int verbosity = 1 ; + unsigned int protolen ; + s6net_accessrules_result_t accepted ; + ip46_t remoteip, localip ; + int flagfatal = 1, flagnodelay = 0, flagdnslookup = 1, + flagident = 0, flagparanoid = 0, e = 0 ; + uint16 remoteport, localport ; + PROG = "s6-tcpserver-access" ; + { + unsigned int timeout = 0 ; + subgetopt_t l = SUBGETOPT_ZERO ; + for (;;) + { + register int opt = subgetopt_r(argc, argv, "WwDdHhRrPpv:l:B:t:i:x:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case 'W' : flagfatal = 0 ; break ; + case 'w' : flagfatal = 1 ; break ; + case 'D' : flagnodelay = 1 ; break ; + case 'd' : flagnodelay = 0 ; break ; + case 'H' : flagdnslookup = 0 ; break ; + case 'h' : flagdnslookup = 1 ; break ; + case 'R' : flagident = 0 ; break ; + case 'r' : flagident = 1 ; break ; + case 'P' : flagparanoid = 0 ; break ; + case 'p' : flagparanoid = 1 ; break ; + case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; + case 'l' : localname = l.arg ; break ; + case 'B' : + { + register unsigned int n = str_len(l.arg) ; + if (buffer_putnoflush(buffer_1small, l.arg, n) < n) + strerr_dief1x(100, "banner too long") ; + break ; + } + case 't' : if (!uint0_scan(l.arg, &timeout)) dieusage() ; break ; + case 'i' : rules = l.arg ; rulestype = 1 ; break ; + case 'x' : rules = l.arg ; rulestype = 2 ; break ; + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + if (timeout) tain_from_millisecs(&tto, timeout) ; + else tto = tain_infinite_relative ; + } + if (!argc) dieusage() ; + if (!*argv[0]) dieusage() ; + + proto = env_get2(envp, "PROTO") ; + if (!proto) strerr_dienotset(100, "PROTO") ; + protolen = str_len(proto) ; + { + char const *x ; + char tmp[protolen + 11] ; + byte_copy(tmp, protolen, proto) ; + byte_copy(tmp + protolen, 9, "REMOTEIP") ; + x = env_get2(envp, tmp) ; + if (!x) strerr_dienotset(100, tmp) ; + if (!ip46_scan(x, &remoteip)) strerr_dieinvalid(100, tmp) ; + byte_copy(tmp + protolen + 6, 5, "PORT") ; + x = env_get2(envp, tmp) ; + if (!x) strerr_dienotset(100, tmp) ; + if (!uint160_scan(x, &remoteport)) strerr_dieinvalid(100, tmp) ; + } + + if (flagnodelay) + { + if (socket_tcpnodelay(1) < 0) + if (verbosity) strerr_warnwu1sys("socket_tcpnodelay") ; + } + tain_now_g() ; + tain_add_g(&deadline, &tto) ; + if (!buffer_timed_flush_g(buffer_1small, &deadline)) + strerr_diefu1sys(111, "write banner") ; + + switch (rulestype) + { + case 0 : + if (verbosity >= 2) strerr_warnw1x("invoked without a ruleset!") ; + accepted = S6NET_ACCESSRULES_ALLOW ; + break ; + case 1 : + accepted = s6net_accessrules_ip46_fs(&remoteip, (void *)rules, ¶ms) ; + break ; + case 2 : + cdbfd = open_readb(rules) ; + if (cdbfd < 0) strerr_diefu2sys(111, "open_readb ", rules) ; + if (cdb_init(&c, cdbfd) < 0) strerr_diefu2sys(111, "cdb_init ", rules) ; + accepted = s6net_accessrules_ip46_cdb(&remoteip, &c, ¶ms) ; + if (accepted == S6NET_ACCESSRULES_ALLOW) + { + cdb_free(&c) ; + fd_close(cdbfd) ; + } + break ; + default : X() ; + } + switch (accepted) + { + case S6NET_ACCESSRULES_ERROR : + strerr_diefu6sys(111, "check ", rulestypestr[rulestype], " ruleset for ", "IP", " in ", rules) ; + case S6NET_ACCESSRULES_ALLOW : break ; + case S6NET_ACCESSRULES_DENY : + if (verbosity >= 2) { errno = EACCES ; log_deny(getpid(), &remoteip) ; } + return 1 ; + case S6NET_ACCESSRULES_NOTFOUND : + if (flagdnslookup) break ; + if (verbosity >= 2) { errno = ENOENT ; log_deny(getpid(), &remoteip) ; } + return 1 ; + default: X() ; + } + + { + char const *x = 0 ; + char idbuf[S6NET_IDENT_ID_SIZE] ; + char fmt[IP46_FMT] ; + char tmp[protolen + 11] ; + if (socket_local46(0, &localip, &localport) < 0) + strerr_diefu1sys(111, "socket_local") ; + fmt[ip46_fmt(fmt, &localip)] = 0 ; + byte_copy(tmp, protolen, proto) ; + byte_copy(tmp + protolen, 8, "LOCALIP") ; + if (!env_addmodif(&modifs, tmp, fmt)) dienomem() ; + fmt[uint16_fmt(fmt, localport)] = 0 ; + byte_copy(tmp + protolen + 5, 5, "PORT") ; + if (!env_addmodif(&modifs, tmp, fmt)) dienomem() ; + byte_copy(tmp + protolen, 11, "REMOTEINFO") ; + if (flagident) + { + register int r = s6net_ident_client_g(idbuf, S6NET_IDENT_ID_SIZE, &remoteip, remoteport, &localip, localport, &deadline) ; + if (r < 0) + { + if (verbosity >= 3) strerr_warnwu1sys("s6net_ident_client") ; + if (flagfatal) + { + e = errno == ETIMEDOUT ? 99 : 111 ; + goto reject ; + } + } + else if (!r) + { + if (verbosity >= 3) strerr_warnw2x("ident server replied: ", s6net_ident_error_str(errno)) ; + if (flagfatal) + { + e = 2 ; + goto reject ; + } + } + else x = idbuf ; + } + + if (!env_addmodif(&modifs, tmp, x)) dienomem() ; + } + + if (!flagdnslookup) + { + char tmp[protolen + 11] ; + byte_copy(tmp, protolen, proto) ; + byte_copy(tmp + protolen, 10, "LOCALHOST") ; + if (!env_addmodif(&modifs, tmp, localname)) dienomem() ; + byte_copy(tmp + protolen, 11, "REMOTEHOST") ; + if (!env_addmodif(&modifs, tmp, 0)) dienomem() ; + } + else + { + static tain_t const infinite = TAIN_INFINITE ; + s6dns_dpag_t data[2] = { S6DNS_DPAG_ZERO, S6DNS_DPAG_ZERO } ; + s6dns_resolve_t blob[2] ; + char remotebuf[256] ; + unsigned int remotelen = 0 ; + char tcplocalhost[(protolen << 1) + 21] ; + char *tcpremotehost = tcplocalhost + protolen + 10 ; + byte_copy(tcplocalhost, protolen, proto) ; + byte_copy(tcplocalhost + protolen, 10, "LOCALHOST") ; + byte_copy(tcpremotehost, protolen, proto) ; + byte_copy(tcpremotehost + protolen, 11, "REMOTEHOST") ; + + if (localname) + { + if (!env_addmodif(&modifs, tcplocalhost, localname)) dienomem() ; + } + { + s6dns_domain_arpafromip46(&blob[0].q, &localip) ; + s6dns_domain_encode(&blob[0].q) ; + blob[0].qtype = S6DNS_T_PTR ; + blob[0].deadline = deadline ; + blob[0].parsefunc = &s6dns_message_parse_answer_domain ; + blob[0].data = &data[0] ; + blob[0].options = S6DNS_O_RECURSIVE ; + data[0].rtype = S6DNS_T_PTR ; + } + s6dns_domain_arpafromip46(&blob[1].q, &remoteip) ; + s6dns_domain_encode(&blob[1].q) ; + blob[1].qtype = S6DNS_T_PTR ; + blob[1].deadline = deadline ; + blob[1].parsefunc = &s6dns_message_parse_answer_domain ; + blob[1].data = &data[1] ; + blob[1].options = S6DNS_O_RECURSIVE ; + data[1].rtype = S6DNS_T_PTR ; + if (!s6dns_resolven_parse_g(blob + !!localname, 1 + !localname, &infinite)) + { + if (verbosity >= 3) strerr_warnwu2x("resolve IP addresses: ", s6dns_constants_error_str(errno)) ; + if (flagfatal) + { + e = 111 ; + goto reject ; + } + } + else + { + if (!localname) + { + if (blob[0].status) + { + if (!env_addmodif(&modifs, tcplocalhost, 0)) dienomem() ; + } + else + { + char s[256] ; + register unsigned int len = 0 ; + if (genalloc_len(s6dns_domain_t, &data[0].ds)) + { + s6dns_domain_noqualify(genalloc_s(s6dns_domain_t, &data[0].ds)) ; + len = s6dns_domain_tostring(s, 255, genalloc_s(s6dns_domain_t, &data[0].ds)) ; + } + genalloc_free(s6dns_domain_t, &data[0].ds) ; + s[len] = 0 ; + if (!env_addmodif(&modifs, tcplocalhost, s)) dienomem() ; + } + } + if (!blob[1].status) + { + if (genalloc_len(s6dns_domain_t, &data[1].ds)) + { + s6dns_domain_noqualify(genalloc_s(s6dns_domain_t, &data[1].ds)) ; + remotelen = s6dns_domain_tostring(remotebuf, 255, genalloc_s(s6dns_domain_t, &data[1].ds)) ; + } + remotebuf[remotelen] = 0 ; + if (flagparanoid) + { + register int r ; + data[1].ds.len = 0 ; + r = ip46_is6(&remoteip) ? s6dns_resolve_aaaa_g(&data[1].ds, remotebuf, remotelen, 0, &deadline) : s6dns_resolve_a_g(&data[1].ds, remotebuf, remotelen, 0, &deadline) ; + if (r <= 0) + { + if (verbosity >= 3) strerr_warnwu4x("(paranoidly) resolve ", remotebuf, ": ", s6dns_constants_error_str(errno)) ; + if (flagfatal) + { + e = errno == ETIMEDOUT ? 99 : 111 ; + goto reject ; + } + remotelen = 0 ; + } + else + { + register unsigned int i = 0 ; + for (; i < data[1].ds.len ; i += ip46_is6(&remoteip) ? 16 : 4) + if (!byte_diff(remoteip.ip, ip46_is6(&remoteip) ? 16 : 4, data[1].ds.s + i)) break ; + if (i >= data[1].ds.len) remotelen = 0 ; + } + } + stralloc_free(&data[1].ds) ; + } + } + if (!env_addmodif(&modifs, tcpremotehost, remotelen ? remotebuf : 0)) dienomem() ; + if (remotelen && (accepted == S6NET_ACCESSRULES_NOTFOUND)) + { + switch (rulestype) + { + case 1 : + accepted = s6net_accessrules_reversedns_fs(remotebuf, (void *)rules, ¶ms) ; + break ; + case 2 : + accepted = s6net_accessrules_reversedns_cdb(remotebuf, &c, ¶ms) ; + break ; + default : X() ; + } + } + + if ((rulestype == 2) && (accepted != S6NET_ACCESSRULES_ALLOW)) + { + cdb_free(&c) ; + fd_close(cdbfd) ; + } + + switch (accepted) + { + case S6NET_ACCESSRULES_ERROR : + strerr_diefu6sys(111, "check ", rulestypestr[rulestype], " ruleset for ", "reverse DNS", " in ", rules) ; + case S6NET_ACCESSRULES_ALLOW : break ; + case S6NET_ACCESSRULES_DENY : + if (verbosity >= 2) { errno = EACCES ; log_deny(getpid(), &remoteip) ; } + return 1 ; + case S6NET_ACCESSRULES_NOTFOUND : + if (verbosity >= 2) { errno = ENOENT ; log_deny(getpid(), &remoteip) ; } + return 1 ; + default : X() ; + } + } + + if (!stralloc_catb(¶ms.env, modifs.s, modifs.len)) dienomem() ; + stralloc_free(&modifs) ; + if (verbosity) log_accept(getpid(), &remoteip) ; + if (params.exec.len) + { + char *specialargv[4] = { EXECLINE_EXTBINPREFIX "execlineb", "-c", params.exec.s, 0 } ; + pathexec_r((char const *const *)specialargv, envp, env_len(envp), params.env.s, params.env.len) ; + strerr_dieexec(111, specialargv[0]) ; + } + + pathexec_r(argv, envp, env_len(envp), params.env.s, params.env.len) ; + strerr_dieexec(111, argv[0]) ; + + reject: + if (verbosity >= 2) + { + char fmtpid[UINT_FMT] ; + char fmtip[IP46_FMT] ; + fmtip[ip46_fmt(fmtip, &remoteip)] = 0 ; + fmtpid[uint_fmt(fmtpid, getpid())] = 0 ; + strerr_dief5x(e, "reject", " pid ", fmtpid, " ip ", fmtip) ; + } + else return e ; +} diff --git a/src/conn-tools/s6-tcpserver.c b/src/conn-tools/s6-tcpserver.c new file mode 100644 index 0000000..fcbf4f2 --- /dev/null +++ b/src/conn-tools/s6-tcpserver.c @@ -0,0 +1,71 @@ +/* ISC license. */ + +#include <skalibs/uint.h> +#include <skalibs/sgetopt.h> +#include <skalibs/strerr2.h> +#include <skalibs/djbunix.h> +#include <skalibs/ip46.h> +#include <s6-networking/config.h> + +#define USAGE "s6-tcpserver [ -q | -Q | -v ] [ -1 ] [ -4 | -6 ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gid,gid,... ] [ -g gid ] [ -u uid ] [ -U ] ip port prog..." +#define dieusage() strerr_dieusage(100, USAGE) + +int main (int argc, char const *const *argv, char const *const *envp) +{ + char const *newargv[2 + (argc << 1)] ; + char const *path ; + unsigned int m = 3 ; + int what = 0 ; + unsigned int verbosity = 1 ; + char fmtv[UINT_FMT] ; + PROG = "s6-tcpserver" ; + newargv[1] = "-v" ; + newargv[2] = fmtv ; + { + subgetopt_t l = SUBGETOPT_ZERO ; + for (;;) + { + register int opt = subgetopt_r(argc, argv, "qQv146Uc:C:b:u:g:G:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case '4' : if (what) dieusage() ; what = 4 ; break ; + case '6' : if (what) dieusage() ; what = 6 ; break ; + case 'q' : verbosity = 0 ; break ; + case 'Q' : verbosity = 1 ; break ; + case 'v' : verbosity = 2 ; break ; + case '1' : newargv[m++] = "-1" ; break ; + case 'U' : newargv[m++] = "-U" ; break ; + case 'c' : newargv[m++] = "-c" ; newargv[m++] = l.arg ; break ; + case 'C' : newargv[m++] = "-C" ; newargv[m++] = l.arg ; break ; + case 'b' : newargv[m++] = "-b" ; newargv[m++] = l.arg ; break ; + case 'u' : newargv[m++] = "-u" ; newargv[m++] = l.arg ; break ; + case 'g' : newargv[m++] = "-g" ; newargv[m++] = l.arg ; break ; + case 'G' : newargv[m++] = "-G" ; newargv[m++] = l.arg ; break ; + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + } + if (argc < 3) dieusage() ; + fmtv[uint_fmt(fmtv, verbosity)] = 0 ; + newargv[m++] = 0 ; + if (!what) + { + ip46_t ip ; + if (!ip46_scan(argv[0], &ip)) dieusage() ; + what = ip46_is6(&ip) ? 6 : 4 ; + } + if (what == 6) + { + newargv[0] = "s6-tcpserver6" ; + path = S6_NETWORKING_BINPREFIX "s6-tcpserver6" ; + } + else + { + newargv[0] = "s6-tcpserver4" ; + path = S6_NETWORKING_BINPREFIX "s6-tcpserver4" ; + } + pathexec_run(path, newargv, envp) ; + strerr_dieexec(111, path) ; +} diff --git a/src/conn-tools/s6-tcpserver4.c b/src/conn-tools/s6-tcpserver4.c new file mode 100644 index 0000000..5435f55 --- /dev/null +++ b/src/conn-tools/s6-tcpserver4.c @@ -0,0 +1,414 @@ +/* ISC license. */ + +#ifndef _BSD_SOURCE +#define _BSD_SOURCE +#endif + +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/wait.h> +#include <errno.h> +#include <unistd.h> +#include <limits.h> +#include <grp.h> +#include <signal.h> +#include <skalibs/gccattributes.h> +#include <skalibs/allreadwrite.h> +#include <skalibs/uint16.h> +#include <skalibs/uint32.h> +#include <skalibs/uint.h> +#include <skalibs/gidstuff.h> +#include <skalibs/setgroups.h> +#include <skalibs/bytestr.h> +#include <skalibs/sgetopt.h> +#include <skalibs/fmtscan.h> +#include <skalibs/strerr2.h> +#include <skalibs/diuint32.h> +#include <skalibs/env.h> +#include <skalibs/djbunix.h> +#include <skalibs/sig.h> +#include <skalibs/selfpipe.h> +#include <skalibs/iopause.h> +#include <skalibs/socket.h> + +#define ABSOLUTE_MAXCONN 1000 + +#define USAGE "s6-tcpserver4 [ -v verbosity ] [ -1 ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gid,gid,... ] [ -g gid ] [ -u uid ] [ -U ] ip port prog..." + +static unsigned int maxconn = 40 ; +static unsigned int localmaxconn = 40 ; +static unsigned int verbosity = 1 ; +static int cont = 1 ; +static diuint32 *pidip = 0 ; +static unsigned int numconn = 0 ; +static diuint32 *ipnum = 0 ; +static unsigned int iplen = 0 ; + +static char fmtmaxconn[UINT_FMT+1] = "/" ; +static char fmtlocalmaxconn[UINT_FMT+1] = "/" ; + + + /* Utility functions */ + +static inline void dieusage () +{ + strerr_dieusage(100, USAGE) ; +} + +static inline void X (void) +{ + strerr_dief1x(101, "internal inconsistency. Please submit a bug-report.") ; +} + + + /* Lookup primitives */ + +static unsigned int lookup_diuint32 (diuint32 const *, unsigned int, unsigned int) gccattr_pure ; +static unsigned int lookup_diuint32 (diuint32 const *tab, unsigned int tablen, unsigned int key) +{ + register unsigned int i = 0 ; + for (; i < tablen ; i++) if (key == tab[i].left) break ; + return i ; +} + +static inline unsigned int lookup_pid (uint32 pid) +{ + return lookup_diuint32(pidip, numconn, pid) ; +} + +static inline unsigned int lookup_ip (uint32 ip) +{ + return lookup_diuint32(ipnum, iplen, ip) ; +} + + + /* Logging */ + +static void log_start (char const *ip, uint16 port) +{ + char fmtip[IP4_FMT] ; + char fmtport[UINT16_FMT] ; + fmtip[ip4_fmt(fmtip, ip)] = 0 ; + fmtport[uint16_fmt(fmtport, port)] = 0 ; + strerr_warni4x("starting - listening on ", fmtip, ":", fmtport) ; +} + +static inline void log_exit (void) +{ + strerr_warni1x("exiting") ; +} + +static void log_status (void) +{ + char fmt[UINT_FMT] ; + fmt[uint_fmt(fmt, numconn)] = 0 ; + strerr_warni3x("status: ", fmt, fmtmaxconn) ; +} + +static void log_deny (uint32 ip, uint16 port, unsigned int num) +{ + char fmtip[UINT32_FMT] ; + char fmtport[UINT16_FMT] ; + char fmtnum[UINT_FMT] ; + fmtip[ip4_fmtu32(fmtip, ip)] = 0 ; + fmtport[uint16_fmt(fmtport, port)] = 0 ; + fmtnum[uint_fmt(fmtnum, num)] = 0 ; + strerr_warni7sys("deny ", fmtip, ":", fmtport, " count ", fmtnum, fmtlocalmaxconn) ; +} + +static void log_accept (uint32 pid, uint32 ip, uint16 port, unsigned int num) +{ + char fmtipport[IP4_FMT + UINT16_FMT + 1] ; + char fmtpid[UINT32_FMT] ; + char fmtnum[UINT_FMT] ; + register unsigned int n ; + n = ip4_fmtu32(fmtipport, ip) ; + fmtipport[n++] = ':' ; + n += uint16_fmt(fmtipport + n, port) ; + fmtipport[n] = 0 ; + fmtnum[uint_fmt(fmtnum, num)] = 0 ; + fmtpid[uint32_fmt(fmtpid, pid)] = 0 ; + strerr_warni7x("allow ", fmtipport, " pid ", fmtpid, " count ", fmtnum, fmtlocalmaxconn) ; +} + +static void log_close (uint32 pid, uint32 ip, int w) +{ + char fmtpid[UINT32_FMT] ; + char fmtip[IP4_FMT] = "?" ; + char fmtw[UINT_FMT] ; + fmtpid[uint32_fmt(fmtpid, pid)] = 0 ; + fmtip[ip4_fmtu32(fmtip, ip)] = 0 ; + fmtw[uint_fmt(fmtw, WIFSIGNALED(w) ? WTERMSIG(w) : WEXITSTATUS(w))] = 0 ; + strerr_warni6x("end pid ", fmtpid, " ip ", fmtip, WIFSIGNALED(w) ? " signal " : " exitcode ", fmtw) ; +} + + + /* Signal handling */ + +static void killthem (int sig) +{ + register unsigned int i = 0 ; + for (; i < numconn ; i++) kill(pidip[i].left, sig) ; +} + +static void wait_children (void) +{ + for (;;) + { + unsigned int i ; + int w ; + register int pid = wait_nohang(&w) ; + if (pid < 0) + if (errno != ECHILD) strerr_diefu1sys(111, "wait_nohang") ; + else break ; + else if (!pid) break ; + i = lookup_pid(pid) ; + if (i < numconn) /* it's one of ours ! */ + { + uint32 ip = pidip[i].right ; + register unsigned int j = lookup_ip(ip) ; + if (j >= iplen) X() ; + if (!--ipnum[j].right) ipnum[j] = ipnum[--iplen] ; + pidip[i] = pidip[--numconn] ; + if (verbosity >= 2) + { + log_close(pid, ip, w) ; + log_status() ; + } + } + } +} + +static void handle_signals (void) +{ + for (;;) switch (selfpipe_read()) + { + case -1 : strerr_diefu1sys(111, "read selfpipe") ; + case 0 : return ; + case SIGCHLD : wait_children() ; break ; + case SIGTERM : + { + if (verbosity >= 2) + strerr_warni3x("received ", "SIGTERM,", " quitting") ; + cont = 0 ; + break ; + } + case SIGHUP : + { + if (verbosity >= 2) + strerr_warni5x("received ", "SIGHUP,", " sending ", "SIGTERM+SIGCONT", " to all connections") ; + killthem(SIGTERM) ; + killthem(SIGCONT) ; + break ; + } + case SIGQUIT : + { + if (verbosity >= 2) + strerr_warni6x("received ", "SIGQUIT,", " sending ", "SIGTERM+SIGCONT", " to all connections", " and quitting") ; + cont = 0 ; + killthem(SIGTERM) ; + killthem(SIGCONT) ; + break ; + } + case SIGABRT : + { + if (verbosity >= 2) + strerr_warni6x("received ", "SIGABRT,", " sending ", "SIGKILL", " to all connections", " and quitting") ; + cont = 0 ; + killthem(SIGKILL) ; + break ; + } + default : X() ; + } +} + + + /* New connection handling */ + +static void run_child (int, uint32, uint16, unsigned int, char const *const *, char const *const *) gccattr_noreturn ; +static void run_child (int s, uint32 ip, uint16 port, unsigned int num, char const *const *argv, char const *const *envp) +{ + char fmt[74] ; + unsigned int n = 0 ; + PROG = "s6-tcpserver (child)" ; + if ((fd_move(0, s) < 0) || (fd_copy(1, 0) < 0)) + strerr_diefu1sys(111, "move fds") ; + byte_copy(fmt+n, 22, "PROTO=TCP\0TCPREMOTEIP=") ; n += 22 ; + n += ip4_fmtu32(fmt+n, ip) ; fmt[n++] = 0 ; + byte_copy(fmt+n, 14, "TCPREMOTEPORT=") ; n += 14 ; + n += uint16_fmt(fmt+n, port) ; fmt[n++] = 0 ; + byte_copy(fmt+n, 11, "TCPCONNNUM=") ; n += 11 ; + n += uint_fmt(fmt+n, num) ; fmt[n++] = 0 ; + pathexec_r(argv, envp, env_len(envp), fmt, n) ; + strerr_dieexec(111, argv[0]) ; +} + +static void new_connection (int s, uint32 ip, uint16 port, char const *const *argv, char const *const *envp) +{ + unsigned int i = lookup_ip(ip) ; + unsigned int num = (i < iplen) ? ipnum[i].right : 0 ; + register int pid ; + if (num >= localmaxconn) + { + log_deny(ip, port, num) ; + return ; + } + pid = fork() ; + if (pid < 0) + { + if (verbosity) strerr_warnwu1sys("fork") ; + return ; + } + else if (!pid) + { + selfpipe_finish() ; + run_child(s, ip, port, num+1, argv, envp) ; + } + + if (i < iplen) ipnum[i].right = num + 1 ; + else + { + ipnum[iplen].left = ip ; + ipnum[iplen++].right = 1 ; + } + pidip[numconn].left = (uint32)pid ; + pidip[numconn++].right = ip ; + if (verbosity >= 2) + { + log_accept((uint32)pid, ip, port, ipnum[i].right) ; + log_status() ; + } +} + + + /* And the main */ + +int main (int argc, char const *const *argv, char const *const *envp) +{ + iopause_fd x[2] = { { -1, IOPAUSE_READ, 0 }, { -1, IOPAUSE_READ | IOPAUSE_EXCEPT, 0 } } ; + PROG = "s6-tcpserver4" ; + { + subgetopt_t l = SUBGETOPT_ZERO ; + unsigned int uid = 0, gid = 0 ; + gid_t gids[NGROUPS_MAX] ; + unsigned int gidn = 0 ; + unsigned int backlog = 20 ; + char ip[4] ; + int flag1 = 0 ; + uint16 port ; + for (;;) + { + register int opt = subgetopt_r(argc, argv, "1Uc:C:b:u:g:G:v:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case '1' : flag1 = 1 ; break ; + case 'c' : if (!uint0_scan(l.arg, &maxconn)) dieusage() ; break ; + case 'C' : if (!uint0_scan(l.arg, &localmaxconn)) dieusage() ; break ; + case 'b' : if (!uint0_scan(l.arg, &backlog)) dieusage() ; break ; + case 'u' : if (!uint0_scan(l.arg, &uid)) dieusage() ; break ; + case 'g' : if (!uint0_scan(l.arg, &gid)) dieusage() ; break ; + case 'G' : if (!gid_scanlist(gids, NGROUPS_MAX, l.arg, &gidn)) dieusage() ; break ; + case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; + case 'U' : + { + char const *x = env_get2(envp, "UID") ; + if (!x) strerr_dienotset(100, "UID") ; + if (!uint0_scan(x, &uid)) strerr_dieinvalid(100, "UID") ; + x = env_get2(envp, "GID") ; + if (!x) strerr_dienotset(100, "GID") ; + if (!uint0_scan(x, &gid)) strerr_dieinvalid(100, "GID") ; + x = env_get2(envp, "GIDLIST") ; + if (!x) strerr_dienotset(100, "GIDLIST") ; + if (!gid_scanlist(gids, NGROUPS_MAX, x, &gidn) && *x) + strerr_dieinvalid(100, "GIDLIST") ; + break ; + } + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + if (argc < 3) dieusage() ; + if (!ip4_scan(argv[0], ip) || !uint160_scan(argv[1], &port)) dieusage() ; + fd_close(0) ; + if (!flag1) fd_close(1) ; + if (!maxconn) maxconn = 1 ; + if (maxconn > ABSOLUTE_MAXCONN) maxconn = ABSOLUTE_MAXCONN ; + if (localmaxconn > maxconn) localmaxconn = maxconn ; + x[1].fd = socket_tcp4() ; + if ((x[1].fd == -1) || (coe(x[1].fd) == -1)) + strerr_diefu1sys(111, "create socket") ; + if (socket_bind4_reuse(x[1].fd, ip, port) < 0) + strerr_diefu2sys(111, "bind to ", argv[0]) ; + if (socket_listen(x[1].fd, backlog) == -1) + strerr_diefu1sys(111, "listen") ; + if (gidn && (setgroups(gidn, gids) < 0)) strerr_diefu1sys(111, "setgroups") ; + if (gid && (setgid(gid) < 0)) strerr_diefu1sys(111, "drop gid") ; + if (uid && (setuid(uid) < 0)) strerr_diefu1sys(111, "drop uid") ; + + x[0].fd = selfpipe_init() ; + if (x[0].fd == -1) strerr_diefu1sys(111, "create selfpipe") ; + if (sig_ignore(SIGPIPE) < 0) strerr_diefu1sys(111, "ignore SIGPIPE") ; + { + sigset_t set ; + sigemptyset(&set) ; + sigaddset(&set, SIGCHLD) ; + sigaddset(&set, SIGTERM) ; + sigaddset(&set, SIGHUP) ; + sigaddset(&set, SIGQUIT) ; + sigaddset(&set, SIGABRT) ; + if (selfpipe_trapset(&set) < 0) strerr_diefu1sys(111, "trap signals") ; + } + if (flag1) + { + char fmt[UINT16_FMT] ; + unsigned int n = uint16_fmt(fmt, port) ; + fmt[n++] = '\n' ; + if (allwrite(1, fmt, n) < n) strerr_diefu1sys(111, "write to stdout") ; + fd_close(1) ; + } + fmtlocalmaxconn[1+uint_fmt(fmtlocalmaxconn+1, localmaxconn)] = 0 ; + if (verbosity >= 2) + { + fmtmaxconn[1+uint_fmt(fmtmaxconn+1, maxconn)] = 0 ; + log_start(ip, port) ; + log_status() ; + } + } + + { + diuint32 inyostack[maxconn<<1] ; + pidip = inyostack ; ipnum = inyostack + maxconn ; + while (cont) + { + if (iopause(x, 1 + (numconn < maxconn), 0, 0) == -1) + strerr_diefu1sys(111, "iopause") ; + + if (x[0].revents & IOPAUSE_EXCEPT) strerr_dief1x(111, "trouble with selfpipe") ; + if (x[0].revents & IOPAUSE_READ) handle_signals() ; + if (numconn < maxconn) + { + if (x[1].revents & IOPAUSE_EXCEPT) strerr_dief1x(111, "trouble with socket") ; + if (x[1].revents & IOPAUSE_READ) + { + char packedip[4] ; + uint16 port ; + register int fd = socket_accept4(x[1].fd, packedip, &port) ; + if (fd < 0) + { + if (verbosity) strerr_warnwu1sys("accept") ; + } + else + { + uint32 ip ; + uint32_unpack_big(packedip, &ip) ; + new_connection(fd, ip, port, argv+2, envp) ; + fd_close(fd) ; + } + } + } + } + } + if (verbosity >= 2) log_exit() ; + return 0 ; +} diff --git a/src/conn-tools/s6-tcpserver6.c b/src/conn-tools/s6-tcpserver6.c new file mode 100644 index 0000000..9b27f42 --- /dev/null +++ b/src/conn-tools/s6-tcpserver6.c @@ -0,0 +1,412 @@ +/* ISC license. */ + +#ifndef _BSD_SOURCE +#define _BSD_SOURCE +#endif + +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/wait.h> +#include <errno.h> +#include <unistd.h> +#include <limits.h> +#include <grp.h> +#include <signal.h> +#include <skalibs/gccattributes.h> +#include <skalibs/allreadwrite.h> +#include <skalibs/uint16.h> +#include <skalibs/uint.h> +#include <skalibs/gidstuff.h> +#include <skalibs/setgroups.h> +#include <skalibs/bytestr.h> +#include <skalibs/sgetopt.h> +#include <skalibs/fmtscan.h> +#include <skalibs/strerr2.h> +#include <skalibs/env.h> +#include <skalibs/djbunix.h> +#include <skalibs/sig.h> +#include <skalibs/selfpipe.h> +#include <skalibs/iopause.h> +#include <skalibs/socket.h> + +#define ABSOLUTE_MAXCONN 1000 + +#define USAGE "s6-tcpserver6 [ -v verbosity ] [ -1 ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gid,gid,... ] [ -g gid ] [ -u uid ] [ -U ] ip6 port prog..." + +typedef struct ipnum_s ipnum_t, *ipnum_t_ref ; +struct ipnum_s +{ + char ip[16] ; + unsigned int num ; +} ; +#define IPNUM_ZERO { "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 0 } + +static unsigned int maxconn = 40 ; +static unsigned int localmaxconn = 40 ; +static unsigned int verbosity = 1 ; +static int cont = 1 ; +static ipnum_t_ref pidip = 0 ; +static unsigned int numconn = 0 ; +static ipnum_t_ref ipnum = 0 ; +static unsigned int iplen = 0 ; + +static char fmtmaxconn[UINT_FMT+1] = "/" ; +static char fmtlocalmaxconn[UINT_FMT+1] = "/" ; + + + /* Utility functions */ + +static inline void dieusage () +{ + strerr_dieusage(100, USAGE) ; +} + +static inline void X (void) +{ + strerr_dief1x(101, "internal inconsistency. Please submit a bug-report.") ; +} + + + /* Lookup primitives */ + +static unsigned int lookup_pid (unsigned int pid) +{ + register unsigned int i = 0 ; + for (; i < numconn ; i++) if (pid == pidip[i].num) break ; + return i ; +} + +static unsigned int lookup_ip (char const *ip) +{ + register unsigned int i = 0 ; + for (; i < iplen ; i++) if (!byte_diff(ip, 16, ipnum[i].ip)) break ; + return i ; +} + + + /* Logging */ + +static void log_start (char const *ip, uint16 port) +{ + char fmtip[IP6_FMT] ; + char fmtport[UINT16_FMT] ; + fmtip[ip6_fmt(fmtip, ip)] = 0 ; + fmtport[uint16_fmt(fmtport, port)] = 0 ; + strerr_warni4x("starting - listening on ", fmtip, " port ", fmtport) ; +} + +static inline void log_exit (void) +{ + strerr_warni1x("exiting") ; +} + +static void log_status (void) +{ + char fmt[UINT_FMT] ; + fmt[uint_fmt(fmt, numconn)] = 0 ; + strerr_warni3x("status: ", fmt, fmtmaxconn) ; +} + +static void log_deny (char const *ip, uint16 port, unsigned int num) +{ + char fmtip[IP6_FMT] ; + char fmtport[UINT16_FMT] ; + char fmtnum[UINT_FMT] ; + fmtip[ip6_fmt(fmtip, ip)] = 0 ; + fmtport[uint16_fmt(fmtport, port)] = 0 ; + fmtnum[uint_fmt(fmtnum, num)] = 0 ; + strerr_warni7sys("deny ", fmtip, " port ", fmtport, " count ", fmtnum, fmtlocalmaxconn) ; +} + +static void log_accept (unsigned int pid, char const *ip, uint16 port, unsigned int num) +{ + char fmtipport[IP6_FMT + UINT16_FMT + 6] ; + char fmtpid[UINT_FMT] ; + char fmtnum[UINT_FMT] ; + register unsigned int n ; + n = ip6_fmt(fmtipport, ip) ; + byte_copy(fmtipport + n, 6, " port ") ; n += 6 ; + n += uint16_fmt(fmtipport + n, port) ; + fmtipport[n] = 0 ; + fmtnum[uint_fmt(fmtnum, num)] = 0 ; + fmtpid[uint_fmt(fmtpid, pid)] = 0 ; + strerr_warni7x("allow ", fmtipport, " pid ", fmtpid, " count ", fmtnum, fmtlocalmaxconn) ; +} + +static void log_close (unsigned int pid, char const *ip, int w) +{ + char fmtpid[UINT_FMT] ; + char fmtip[IP6_FMT] = "?" ; + char fmtw[UINT_FMT] ; + fmtpid[uint_fmt(fmtpid, pid)] = 0 ; + fmtip[ip6_fmt(fmtip, ip)] = 0 ; + fmtw[uint_fmt(fmtw, WIFSIGNALED(w) ? WTERMSIG(w) : WEXITSTATUS(w))] = 0 ; + strerr_warni6x("end pid ", fmtpid, " ip ", fmtip, WIFSIGNALED(w) ? " signal " : " exitcode ", fmtw) ; +} + + + /* Signal handling */ + +static void killthem (int sig) +{ + register unsigned int i = 0 ; + for (; i < numconn ; i++) kill(pidip[i].num, sig) ; +} + +static void wait_children (void) +{ + for (;;) + { + unsigned int i ; + int w ; + register int pid = wait_nohang(&w) ; + if (pid < 0) + if (errno != ECHILD) strerr_diefu1sys(111, "wait_nohang") ; + else break ; + else if (!pid) break ; + i = lookup_pid(pid) ; + if (i < numconn) /* it's one of ours ! */ + { + register unsigned int j = lookup_ip(pidip[i].ip) ; + if (j >= iplen) X() ; + if (!--ipnum[j].num) ipnum[j] = ipnum[--iplen] ; + --numconn ; + if (verbosity >= 2) + { + log_close(pid, pidip[i].ip, w) ; + log_status() ; + } + pidip[i] = pidip[numconn] ; + } + } +} + +static void handle_signals (void) +{ + for (;;) switch (selfpipe_read()) + { + case -1 : strerr_diefu1sys(111, "read selfpipe") ; + case 0 : return ; + case SIGCHLD : wait_children() ; break ; + case SIGTERM : + { + if (verbosity >= 2) + strerr_warni3x("received ", "SIGTERM,", " quitting") ; + cont = 0 ; + break ; + } + case SIGHUP : + { + if (verbosity >= 2) + strerr_warni5x("received ", "SIGHUP,", " sending ", "SIGTERM+SIGCONT", " to all connections") ; + killthem(SIGTERM) ; + killthem(SIGCONT) ; + break ; + } + case SIGQUIT : + { + if (verbosity >= 2) + strerr_warni6x("received ", "SIGQUIT,", " sending ", "SIGTERM+SIGCONT", " to all connections", " and quitting") ; + cont = 0 ; + killthem(SIGTERM) ; + killthem(SIGCONT) ; + break ; + } + case SIGABRT : + { + if (verbosity >= 2) + strerr_warni6x("received ", "SIGABRT,", " sending ", "SIGKILL", " to all connections", " and quitting") ; + cont = 0 ; + killthem(SIGKILL) ; + break ; + } + default : X() ; + } +} + + + /* New connection handling */ + +static void run_child (int, char const *, uint16, unsigned int, char const *const *, char const *const *) gccattr_noreturn ; +static void run_child (int s, char const *ip, uint16 port, unsigned int num, char const *const *argv, char const *const *envp) +{ + char fmt[98] ; + unsigned int n = 0 ; + PROG = "s6-tcpserver6 (child)" ; + if ((fd_move(0, s) < 0) || (fd_copy(1, 0) < 0)) + strerr_diefu1sys(111, "move fds") ; + byte_copy(fmt+n, 24, "PROTO=TCP\0TCPREMOTEIP=") ; n += 22 ; + n += ip6_fmt(fmt+n, ip) ; fmt[n++] = 0 ; + byte_copy(fmt+n, 14, "TCPREMOTEPORT=") ; n += 14 ; + n += uint16_fmt(fmt+n, port) ; fmt[n++] = 0 ; + byte_copy(fmt+n, 11, "TCPCONNNUM=") ; n += 11 ; + n += uint_fmt(fmt+n, num) ; fmt[n++] = 0 ; + pathexec_r(argv, envp, env_len(envp), fmt, n) ; + strerr_dieexec(111, argv[0]) ; +} + +static void new_connection (int s, char const *ip, uint16 port, char const *const *argv, char const *const *envp) +{ + unsigned int i = lookup_ip(ip) ; + unsigned int num = (i < iplen) ? ipnum[i].num : 0 ; + register int pid ; + if (num >= localmaxconn) + { + log_deny(ip, port, num) ; + return ; + } + pid = fork() ; + if (pid < 0) + { + if (verbosity) strerr_warnwu1sys("fork") ; + return ; + } + else if (!pid) + { + selfpipe_finish() ; + run_child(s, ip, port, num+1, argv, envp) ; + } + + if (i < iplen) ipnum[i].num = num + 1 ; + else + { + byte_copy(ipnum[iplen].ip, 16, ip) ; + ipnum[iplen++].num = 1 ; + } + pidip[numconn].num = pid ; + byte_copy(pidip[numconn++].ip, 16, ip) ; + if (verbosity >= 2) + { + log_accept(pid, ip, port, ipnum[i].num) ; + log_status() ; + } +} + + +int main (int argc, char const *const *argv, char const *const *envp) +{ + iopause_fd x[2] = { { -1, IOPAUSE_READ, 0 }, { -1, IOPAUSE_READ | IOPAUSE_EXCEPT, 0 } } ; + PROG = "s6-tcpserver6" ; + { + subgetopt_t l = SUBGETOPT_ZERO ; + unsigned int uid = 0, gid = 0 ; + gid_t gids[NGROUPS_MAX] ; + unsigned int gidn = 0 ; + unsigned int backlog = 20 ; + char ip[16] ; + int flag1 = 0 ; + uint16 port ; + for (;;) + { + register int opt = subgetopt_r(argc, argv, "1Uc:C:b:u:g:G:v:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case '1' : flag1 = 1 ; break ; + case 'c' : if (!uint0_scan(l.arg, &maxconn)) dieusage() ; break ; + case 'C' : if (!uint0_scan(l.arg, &localmaxconn)) dieusage() ; break ; + case 'b' : if (!uint0_scan(l.arg, &backlog)) dieusage() ; break ; + case 'u' : if (!uint0_scan(l.arg, &uid)) dieusage() ; break ; + case 'g' : if (!uint0_scan(l.arg, &gid)) dieusage() ; break ; + case 'G' : if (!gid_scanlist(gids, NGROUPS_MAX, l.arg, &gidn)) dieusage() ; break ; + case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; + case 'U' : + { + char const *x = env_get2(envp, "UID") ; + if (!x) strerr_dienotset(100, "UID") ; + if (!uint0_scan(x, &uid)) strerr_dieinvalid(100, "UID") ; + x = env_get2(envp, "GID") ; + if (!x) strerr_dienotset(100, "GID") ; + if (!uint0_scan(x, &gid)) strerr_dieinvalid(100, "GID") ; + x = env_get2(envp, "GIDLIST") ; + if (!x) strerr_dienotset(100, "GIDLIST") ; + if (!gid_scanlist(gids, NGROUPS_MAX, x, &gidn) && *x) + strerr_dieinvalid(100, "GIDLIST") ; + break ; + } + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + if (argc < 3) dieusage() ; + if (!ip6_scan(argv[0], ip) || !uint160_scan(argv[1], &port)) dieusage() ; + fd_close(0) ; + if (!flag1) fd_close(1) ; + if (!maxconn) maxconn = 1 ; + if (maxconn > ABSOLUTE_MAXCONN) maxconn = ABSOLUTE_MAXCONN ; + if (localmaxconn > maxconn) localmaxconn = maxconn ; + x[1].fd = socket_tcp6() ; + if ((x[1].fd == -1) || (coe(x[1].fd) == -1)) + strerr_diefu1sys(111, "create socket") ; + if (socket_bind6_reuse(x[1].fd, ip, port) < 0) + strerr_diefu2sys(111, "bind to ", argv[0]) ; + if (socket_listen(x[1].fd, backlog) == -1) + strerr_diefu1sys(111, "listen") ; + if (gidn && (setgroups(gidn, gids) < 0)) strerr_diefu1sys(111, "setgroups") ; + if (gid && (setgid(gid) < 0)) strerr_diefu1sys(111, "drop gid") ; + if (uid && (setuid(uid) < 0)) strerr_diefu1sys(111, "drop uid") ; + + x[0].fd = selfpipe_init() ; + if (x[0].fd == -1) strerr_diefu1sys(111, "create selfpipe") ; + if (sig_ignore(SIGPIPE) < 0) strerr_diefu1sys(111, "ignore SIGPIPE") ; + { + sigset_t set ; + sigemptyset(&set) ; + sigaddset(&set, SIGCHLD) ; + sigaddset(&set, SIGTERM) ; + sigaddset(&set, SIGHUP) ; + sigaddset(&set, SIGQUIT) ; + sigaddset(&set, SIGABRT) ; + if (selfpipe_trapset(&set) < 0) strerr_diefu1sys(111, "trap signals") ; + } + if (flag1) + { + char fmt[UINT16_FMT] ; + unsigned int n = uint16_fmt(fmt, port) ; + fmt[n++] = '\n' ; + if (allwrite(1, fmt, n) < n) strerr_diefu1sys(111, "write to stdout") ; + fd_close(1) ; + } + fmtlocalmaxconn[1+uint_fmt(fmtlocalmaxconn+1, localmaxconn)] = 0 ; + if (verbosity >= 2) + { + fmtmaxconn[1+uint_fmt(fmtmaxconn+1, maxconn)] = 0 ; + log_start(ip, port) ; + log_status() ; + } + } + + { + ipnum_t inyostack[maxconn<<1] ; + pidip = inyostack ; ipnum = inyostack + maxconn ; + while (cont) + { + if (iopause(x, 1 + (numconn < maxconn), 0, 0) == -1) + strerr_diefu1sys(111, "iopause") ; + + if (x[0].revents & IOPAUSE_EXCEPT) strerr_dief1x(111, "trouble with selfpipe") ; + if (x[0].revents & IOPAUSE_READ) handle_signals() ; + if (numconn < maxconn) + { + if (x[1].revents & IOPAUSE_EXCEPT) strerr_dief1x(111, "trouble with socket") ; + if (x[1].revents & IOPAUSE_READ) + { + char ip[16] ; + uint16 port ; + register int fd = socket_accept6(x[1].fd, ip, &port) ; + if (fd < 0) + { + if (verbosity) strerr_warnwu1sys("accept") ; + } + else + { + new_connection(fd, ip, port, argv+2, envp) ; + fd_close(fd) ; + } + } + } + } + } + if (verbosity >= 2) log_exit() ; + return 0 ; +} diff --git a/src/conn-tools/seekablepipe.c b/src/conn-tools/seekablepipe.c new file mode 100644 index 0000000..611f227 --- /dev/null +++ b/src/conn-tools/seekablepipe.c @@ -0,0 +1,41 @@ +/* ISC license. */ + +#include <unistd.h> +#include <skalibs/strerr2.h> +#include <skalibs/iobuffer.h> +#include <skalibs/djbunix.h> + +#define USAGE "seekablepipe tempfile prog..." + +#define N 8192 + +int main (int argc, char const *const *argv, char const *const *envp) +{ + iobuffer b ; + int fdr, fdw ; + int r ; + PROG = "seekablepipe" ; + if (argc < 3) strerr_dieusage(100, USAGE) ; + fdw = open_trunc(argv[1]) ; + if (fdw < 0) + strerr_diefu2sys(111, "create temporary ", argv[1]) ; + fdr = open_readb(argv[1]) ; + if (fdr < 0) + strerr_diefu3sys(111, "open ", argv[1], " for reading") ; + if (unlink(argv[1]) < 0) + strerr_diefu2sys(111, "unlink ", argv[1]) ; + if (ndelay_off(fdw) < 0) + strerr_diefu1sys(111, "set fdw blocking") ; + if (!iobuffer_init(&b, 0, fdw)) + strerr_diefu1sys(111, "iobuffer_init") ; + while ((r = iobuffer_fill(&b)) > 0) + if (!iobuffer_flush(&b)) + strerr_diefu2sys(111, "write to ", argv[1]) ; + if (r < 0) strerr_diefu1sys(111, "read from stdin") ; + iobuffer_finish(&b) ; + fd_close(fdw) ; + if (fd_move(0, fdr) < 0) + strerr_diefu1sys(111, "move fdr to stdin") ; + pathexec_run(argv[2], argv+2, envp) ; + strerr_dieexec(111, argv[2]) ; +} diff --git a/src/include/s6-networking/accessrules.h b/src/include/s6-networking/accessrules.h new file mode 100644 index 0000000..ec7a0d5 --- /dev/null +++ b/src/include/s6-networking/accessrules.h @@ -0,0 +1,53 @@ +/* ISC license. */ + +#ifndef S6NET_ACCESSRULES_H +#define S6NET_ACCESSRULES_H + +#include <skalibs/cdb.h> +#include <skalibs/stralloc.h> +#include <skalibs/ip46.h> + +typedef struct s6net_accessrules_params_s s6net_accessrules_params_t, *s6net_accessrules_params_t_ref ; +struct s6net_accessrules_params_s +{ + stralloc env ; + stralloc exec ; +} ; +#define S6NET_ACCESSRULES_PARAMS_ZERO { STRALLOC_ZERO, STRALLOC_ZERO } + +typedef enum s6net_accessrules_result_e s6net_accessrules_result_t, *s6net_accessrules_result_t_ref ; +enum s6net_accessrules_result_e +{ + S6NET_ACCESSRULES_ERROR = -1, + S6NET_ACCESSRULES_DENY = 0, + S6NET_ACCESSRULES_ALLOW = 1, + S6NET_ACCESSRULES_NOTFOUND = 2 +} ; + +typedef s6net_accessrules_result_t s6net_accessrules_backend_func_t (char const *, unsigned int, void *, s6net_accessrules_params_t *) ; +typedef s6net_accessrules_backend_func_t *s6net_accessrules_backend_func_t_ref ; + +extern s6net_accessrules_backend_func_t s6net_accessrules_backend_fs ; +extern s6net_accessrules_backend_func_t s6net_accessrules_backend_cdb ; + +typedef s6net_accessrules_result_t s6net_accessrules_keycheck_func_t (void const *, void *, s6net_accessrules_params_t *, s6net_accessrules_backend_func_t_ref) ; +typedef s6net_accessrules_keycheck_func_t *s6net_accessrules_keycheck_func_t_ref ; + +extern s6net_accessrules_keycheck_func_t s6net_accessrules_keycheck_uidgid ; +extern s6net_accessrules_keycheck_func_t s6net_accessrules_keycheck_ip4 ; +extern s6net_accessrules_keycheck_func_t s6net_accessrules_keycheck_ip6 ; +extern s6net_accessrules_keycheck_func_t s6net_accessrules_keycheck_reversedns ; +#define s6net_accessrules_keycheck_ip46(key, data, params, f) (ip46_is6((ip46_t const *)(key)) ? s6net_accessrules_keycheck_ip6(((ip46_t const *)(key))->ip, data, params, f) : s6net_accessrules_keycheck_ip4(((ip46_t const *)(key))->ip, data, params, f)) + +extern s6net_accessrules_result_t s6net_accessrules_uidgid_cdb (unsigned int, unsigned int, struct cdb *, s6net_accessrules_params_t *) ; +extern s6net_accessrules_result_t s6net_accessrules_uidgid_fs (unsigned int, unsigned int, char const *, s6net_accessrules_params_t *) ; +#define s6net_accessrules_ip4_cdb(ip4, c, params) s6net_accessrules_keycheck_ip4(ip4, c, (params), &s6net_accessrules_backend_cdb) +#define s6net_accessrules_ip4_fs(ip4, rulesdir, params) s6net_accessrules_keycheck_ip4(ip4, rulesdir, (params), &s6net_accessrules_backend_fs) +#define s6net_accessrules_ip6_cdb(ip6, c, params) s6net_accessrules_keycheck_ip6(ip6, c, (params), &s6net_accessrules_backend_cdb) +#define s6net_accessrules_ip6_fs(ip6, rulesdir, params) s6net_accessrules_keycheck_ip6(ip6, rulesdir, (params), &s6net_accessrules_backend_fs) +#define s6net_accessrules_ip46_cdb(ip, c, params) s6net_accessrules_keycheck_ip46(ip, c, (params), &s6net_accessrules_backend_cdb) +#define s6net_accessrules_ip46_fs(ip, rulesdir, params) s6net_accessrules_keycheck_ip46(ip, rulesdir, (params), &s6net_accessrules_backend_fs) +#define s6net_accessrules_reversedns_cdb(name, c, params) s6net_accessrules_keycheck_reversedns(name, c, (params), &s6net_accessrules_backend_cdb) +#define s6net_accessrules_reversedns_fs(name, c, params) s6net_accessrules_keycheck_reversedns(name, c, (params), &s6net_accessrules_backend_fs) + +#endif diff --git a/src/include/s6-networking/ident.h b/src/include/s6-networking/ident.h new file mode 100644 index 0000000..723fc89 --- /dev/null +++ b/src/include/s6-networking/ident.h @@ -0,0 +1,26 @@ +/* ISC license. */ + +#ifndef IDENT1413_H +#define IDENT1413_H + +#include <skalibs/uint16.h> +#include <skalibs/tai.h> +#include <skalibs/ip46.h> + +#define S6NET_IDENT_ID_SIZE 512 +#define S6NET_IDENT_REPLY_SIZE 1024 + + /* High-level */ + +extern int s6net_ident_client (char *, unsigned int, ip46_t const *, uint16, ip46_t const *, uint16, tain_t const *, tain_t *) ; +#define s6net_ident_client_g(s, max, ra, rp, la, lp, deadline) s6net_ident_client(s, max, ra, rp, la, lp, (deadline), &STAMP) +extern char const *s6net_ident_error_str (int) ; + + + /* Low-level */ + +extern int s6net_ident_reply_get (char *, ip46_t const *, uint16, ip46_t const *, uint16, tain_t const *, tain_t *) ; +#define s6net_ident_reply_get_g(s, ra, rp, la, lp, deadline) s6net_ident_reply_get(s, ra, rp, la, lp, (deadline), &STAMP) +extern int s6net_ident_reply_parse (char const *, uint16, uint16) ; + +#endif diff --git a/src/include/s6-networking/s6net.h b/src/include/s6-networking/s6net.h new file mode 100644 index 0000000..81d804e --- /dev/null +++ b/src/include/s6-networking/s6net.h @@ -0,0 +1,9 @@ +/* ISC license. */ + +#ifndef S6NET_H +#define S6NET_H + +#include <s6-networking/accessrules.h> +#include <s6-networking/ident.h> + +#endif diff --git a/src/libs6net/deps-lib/s6net b/src/libs6net/deps-lib/s6net new file mode 100644 index 0000000..7b497ac --- /dev/null +++ b/src/libs6net/deps-lib/s6net @@ -0,0 +1,12 @@ +s6net_accessrules_backend_cdb.o +s6net_accessrules_backend_fs.o +s6net_accessrules_keycheck_ip4.o +s6net_accessrules_keycheck_ip6.o +s6net_accessrules_keycheck_reversedns.o +s6net_accessrules_keycheck_uidgid.o +s6net_accessrules_uidgid_cdb.o +s6net_accessrules_uidgid_fs.o +s6net_ident_client.o +s6net_ident_reply_get.o +s6net_ident_reply_parse.o +s6net_ident_error.o diff --git a/src/libs6net/s6net_accessrules_backend_cdb.c b/src/libs6net/s6net_accessrules_backend_cdb.c new file mode 100644 index 0000000..e75f755 --- /dev/null +++ b/src/libs6net/s6net_accessrules_backend_cdb.c @@ -0,0 +1,38 @@ +/* ISC license. */ + +#include <unistd.h> +#include <errno.h> +#include <skalibs/bytestr.h> +#include <skalibs/uint16.h> +#include <skalibs/cdb.h> +#include <skalibs/stralloc.h> +#include <s6-networking/accessrules.h> + +s6net_accessrules_result_t s6net_accessrules_backend_cdb (char const *key, unsigned int keylen, void *data, s6net_accessrules_params_t *params) +{ + struct cdb *c = data ; + unsigned int execbase, n ; + uint16 envlen, execlen ; + register int r = cdb_find(c, key, keylen) ; + if (r < 0) return S6NET_ACCESSRULES_ERROR ; + else if (!r) return S6NET_ACCESSRULES_NOTFOUND ; + n = cdb_datalen(c) ; + if ((n < 5U) || (n > 8197U)) return (errno = EINVAL, S6NET_ACCESSRULES_ERROR) ; + if (!stralloc_readyplus(¶ms->exec, n)) return S6NET_ACCESSRULES_ERROR ; + execbase = params->exec.len ; + if (cdb_read(c, params->exec.s + execbase, n, cdb_datapos(c)) < 0) return S6NET_ACCESSRULES_ERROR ; + if (params->exec.s[execbase] == 'D') return S6NET_ACCESSRULES_DENY ; + else if (params->exec.s[execbase] != 'A') return S6NET_ACCESSRULES_NOTFOUND ; + uint16_unpack_big(params->exec.s + execbase + 1U, &envlen) ; + if ((envlen > 4096U) || (envlen+5U > n)) return (errno = EINVAL, S6NET_ACCESSRULES_ERROR) ; + uint16_unpack_big(params->exec.s + execbase + 3 + envlen, &execlen) ; + if ((execlen > 4096U) || (5U + envlen + execlen != n)) return (errno = EINVAL, S6NET_ACCESSRULES_ERROR) ; + if (!stralloc_catb(¶ms->env, params->exec.s + execbase + 3U, envlen)) return S6NET_ACCESSRULES_ERROR ; + byte_copy(params->exec.s + execbase, execlen, params->exec.s + execbase + 5U + envlen) ; + if (execlen) + { + params->exec.len += execlen ; + params->exec.s[params->exec.len++] = 0 ; + } + return S6NET_ACCESSRULES_ALLOW ; +} diff --git a/src/libs6net/s6net_accessrules_backend_fs.c b/src/libs6net/s6net_accessrules_backend_fs.c new file mode 100644 index 0000000..d609285 --- /dev/null +++ b/src/libs6net/s6net_accessrules_backend_fs.c @@ -0,0 +1,58 @@ +/* ISC license. */ + +#include <unistd.h> +#include <errno.h> +#include <skalibs/bytestr.h> +#include <skalibs/fmtscan.h> +#include <skalibs/stralloc.h> +#include <skalibs/djbunix.h> +#include <s6-networking/accessrules.h> + +s6net_accessrules_result_t s6net_accessrules_backend_fs (char const *key, unsigned int keylen, void *data, s6net_accessrules_params_t *params) +{ + char *dir = data ; + unsigned int dirlen = str_len(dir) ; + unsigned int envbase = params->env.len ; + int wasnull = !params->env.s ; + { + char tmp[dirlen + keylen + 10] ; + byte_copy(tmp, dirlen, dir) ; + tmp[dirlen] = '/' ; + byte_copy(tmp + dirlen + 1, keylen, key) ; + byte_copy(tmp + dirlen + keylen + 1, 7, "/allow") ; + if (access(tmp, R_OK) < 0) + { + if ((errno != EACCES) && (errno != ENOENT)) + return S6NET_ACCESSRULES_ERROR ; + byte_copy(tmp + dirlen + keylen + 2, 5, "deny") ; + return (access(tmp, R_OK) == 0) ? S6NET_ACCESSRULES_DENY : + (errno != EACCES) && (errno != ENOENT) ? S6NET_ACCESSRULES_ERROR : + S6NET_ACCESSRULES_NOTFOUND ; + } + byte_copy(tmp + dirlen + keylen + 2, 4, "env") ; + if ((envdir(tmp, ¶ms->env) < 0) && (errno != ENOENT)) + return S6NET_ACCESSRULES_ERROR ; + if (!stralloc_readyplus(¶ms->exec, 4097)) + { + if (wasnull) stralloc_free(¶ms->env) ; + else params->env.len = envbase ; + return S6NET_ACCESSRULES_ERROR ; + } + byte_copy(tmp + dirlen + keylen + 2, 5, "exec") ; + { + register int r = openreadnclose(tmp, params->exec.s + params->exec.len, 4096) ; + if ((r < 0) && (errno != EACCES) && (errno != ENOENT)) + { + if (wasnull) stralloc_free(¶ms->env) ; + else params->env.len = envbase ; + return S6NET_ACCESSRULES_ERROR ; + } + if (r > 0) + { + params->exec.len += r ; + params->exec.s[params->exec.len++] = 0 ; + } + } + } + return S6NET_ACCESSRULES_ALLOW ; +} diff --git a/src/libs6net/s6net_accessrules_keycheck_ip4.c b/src/libs6net/s6net_accessrules_keycheck_ip4.c new file mode 100644 index 0000000..1f96bd8 --- /dev/null +++ b/src/libs6net/s6net_accessrules_keycheck_ip4.c @@ -0,0 +1,24 @@ +/* ISC license. */ + +#include <skalibs/uint32.h> +#include <skalibs/uint.h> +#include <skalibs/fmtscan.h> +#include <s6-networking/accessrules.h> + +s6net_accessrules_result_t s6net_accessrules_keycheck_ip4 (void const *key, void *data, s6net_accessrules_params_t *params, s6net_accessrules_backend_func_t_ref check1) +{ + char fmt[IP4_FMT + UINT_FMT + 6] = "ip4/" ; + uint32 ip ; + unsigned int i = 0 ; + uint32_unpack_big((char const *)key, &ip) ; + for (; i <= 32 ; i++) + { + register s6net_accessrules_result_t r ; + register unsigned int len = 4 + ip4_fmtu32(fmt+4, (i == 32) ? 0 : ip & ~((1U << i) - 1)) ; + fmt[len++] = '_' ; + len += uint_fmt(fmt + len, 32 - i) ; + r = (*check1)(fmt, len, data, params) ; + if (r != S6NET_ACCESSRULES_NOTFOUND) return r ; + } + return S6NET_ACCESSRULES_NOTFOUND ; +} diff --git a/src/libs6net/s6net_accessrules_keycheck_ip6.c b/src/libs6net/s6net_accessrules_keycheck_ip6.c new file mode 100644 index 0000000..c2ee5ae --- /dev/null +++ b/src/libs6net/s6net_accessrules_keycheck_ip6.c @@ -0,0 +1,27 @@ +/* ISC license. */ + +#include <skalibs/uint.h> +#include <skalibs/bytestr.h> +#include <skalibs/bitarray.h> +#include <skalibs/fmtscan.h> +#include <s6-networking/accessrules.h> + +s6net_accessrules_result_t s6net_accessrules_keycheck_ip6 (void const *key, void *data, s6net_accessrules_params_t *params, s6net_accessrules_backend_func_t_ref check1) +{ + char fmt[IP6_FMT + UINT_FMT + 6] = "ip6/" ; + char ip6[16] ; + unsigned int i = 0 ; + byte_copy(ip6, 16, (char const *)key) ; + for (; i <= 128 ; i++) + { + unsigned int len ; + register s6net_accessrules_result_t r ; + if (i) bitarray_clear(ip6, 128 - i) ; + len = 4 + ip6_fmt(fmt+4, ip6) ; + fmt[len++] = '_' ; + len += uint_fmt(fmt + len, 128 - i) ; + r = (*check1)(fmt, len, data, params) ; + if (r != S6NET_ACCESSRULES_NOTFOUND) return r ; + } + return S6NET_ACCESSRULES_NOTFOUND ; +} diff --git a/src/libs6net/s6net_accessrules_keycheck_reversedns.c b/src/libs6net/s6net_accessrules_keycheck_reversedns.c new file mode 100644 index 0000000..f4c0213 --- /dev/null +++ b/src/libs6net/s6net_accessrules_keycheck_reversedns.c @@ -0,0 +1,27 @@ +/* ISC license. */ + +#include <errno.h> +#include <skalibs/bytestr.h> +#include <s6-networking/accessrules.h> + +s6net_accessrules_result_t s6net_accessrules_keycheck_reversedns (void const *key, void *data, s6net_accessrules_params_t *params, s6net_accessrules_backend_func_t_ref check1) +{ + char const *name = key ; + unsigned int len = str_len(name) ; + if (!len) return (errno = EINVAL, S6NET_ACCESSRULES_ERROR) ; + if (name[len-1] == '.') len-- ; + { + unsigned int i = 0 ; + char tmp[len + 11] ; + byte_copy(tmp, 11, "reversedns/") ; + while (i < len) + { + register s6net_accessrules_result_t r ; + byte_copy(tmp+11, len-i, name+i) ; + r = (*check1)(tmp, 11+len-i, data, params) ; + if (r != S6NET_ACCESSRULES_NOTFOUND) return r ; + i += byte_chr(name+i, len-i, '.') + 1 ; + } + } + return (*check1)("reversedns/@", 12, data, params) ; +} diff --git a/src/libs6net/s6net_accessrules_keycheck_uidgid.c b/src/libs6net/s6net_accessrules_keycheck_uidgid.c new file mode 100644 index 0000000..a7e2200 --- /dev/null +++ b/src/libs6net/s6net_accessrules_keycheck_uidgid.c @@ -0,0 +1,16 @@ +/* ISC license. */ + +#include <skalibs/uint.h> +#include <skalibs/diuint.h> +#include <s6-networking/accessrules.h> + +s6net_accessrules_result_t s6net_accessrules_keycheck_uidgid (void const *key, void *data, s6net_accessrules_params_t *params, s6net_accessrules_backend_func_t_ref check1) +{ + char fmt[4 + UINT_FMT] = "uid/" ; + register s6net_accessrules_result_t r = (*check1)(fmt, 4 + uint_fmt(fmt+4, ((diuint const *)key)->left), data, params) ; + if (r != S6NET_ACCESSRULES_NOTFOUND) return r ; + fmt[0] = 'g' ; + r = (*check1)(fmt, 4 + uint_fmt(fmt+4, ((diuint const *)key)->right), data, params) ; + return (r != S6NET_ACCESSRULES_NOTFOUND) ? r : + (*check1)("uid/default", 11, data, params) ; +} diff --git a/src/libs6net/s6net_accessrules_uidgid_cdb.c b/src/libs6net/s6net_accessrules_uidgid_cdb.c new file mode 100644 index 0000000..1836389 --- /dev/null +++ b/src/libs6net/s6net_accessrules_uidgid_cdb.c @@ -0,0 +1,11 @@ +/* ISC license. */ + +#include <skalibs/diuint.h> +#include <skalibs/cdb.h> +#include <s6-networking/accessrules.h> + +s6net_accessrules_result_t s6net_accessrules_uidgid_cdb (unsigned int uid, unsigned int gid, struct cdb *c, s6net_accessrules_params_t *params) +{ + diuint uidgid = { uid, gid } ; + return s6net_accessrules_keycheck_uidgid(&uidgid, c, params, &s6net_accessrules_backend_cdb) ; +} diff --git a/src/libs6net/s6net_accessrules_uidgid_fs.c b/src/libs6net/s6net_accessrules_uidgid_fs.c new file mode 100644 index 0000000..db2e909 --- /dev/null +++ b/src/libs6net/s6net_accessrules_uidgid_fs.c @@ -0,0 +1,10 @@ +/* ISC license. */ + +#include <skalibs/diuint.h> +#include <s6-networking/accessrules.h> + +s6net_accessrules_result_t s6net_accessrules_uidgid_fs (unsigned int uid, unsigned int gid, char const *rulesdir, s6net_accessrules_params_t *params) +{ + diuint uidgid = { uid, gid } ; + return s6net_accessrules_keycheck_uidgid(&uidgid, (void *)rulesdir, params, &s6net_accessrules_backend_fs) ; +} diff --git a/src/libs6net/s6net_ident_client.c b/src/libs6net/s6net_ident_client.c new file mode 100644 index 0000000..c6b9ac0 --- /dev/null +++ b/src/libs6net/s6net_ident_client.c @@ -0,0 +1,22 @@ +/* ISC license. */ + +#include <errno.h> +#include <skalibs/uint16.h> +#include <skalibs/bytestr.h> +#include <skalibs/tai.h> +#include <skalibs/ip46.h> +#include <s6-networking/ident.h> + +int s6net_ident_client (char *s, unsigned int max, ip46_t const *remoteip, uint16 remoteport, ip46_t const *localip, uint16 localport, tain_t const *deadline, tain_t *stamp) +{ + char buf[S6NET_IDENT_REPLY_SIZE] ; + unsigned int len ; + register int r = s6net_ident_reply_get(buf, remoteip, remoteport, localip, localport, deadline, stamp) ; + if (r < 0) return errno == EPIPE ? (errno = EIO, 0) : -1 ; /* the RFC says so */ + len = r ; + r = s6net_ident_reply_parse(buf, remoteport, localport) ; + if (r <= 0) return r ; + if (max + r < len + 1) return (errno = ENAMETOOLONG, -1) ; + byte_copy(s, len - r + 1, buf + r) ; + return len - r + 1 ; +} diff --git a/src/libs6net/s6net_ident_error.c b/src/libs6net/s6net_ident_error.c new file mode 100644 index 0000000..de01714 --- /dev/null +++ b/src/libs6net/s6net_ident_error.c @@ -0,0 +1,33 @@ +/* ISC license */ + +#include <errno.h> +#include <skalibs/error.h> +#include <s6-networking/ident.h> + +#define N 5 + +static char const *s6net_ident_error_strings[N+1] = +{ + "invalid port", + "no such user", + "identification denied", + "unknown error", + "X-error-token", + "(invalid error code)" +} ; + +static int const s6net_ident_error_codes[N] = +{ + EINVAL, + ESRCH, + EPERM, + EIO, + EEXIST +} ; + +char const *s6net_ident_error_str (int e) +{ + register unsigned int i = 0 ; + for (; i < N ; i++) if (e == s6net_ident_error_codes[i]) break ; + return s6net_ident_error_strings[i] ; +} diff --git a/src/libs6net/s6net_ident_reply_get.c b/src/libs6net/s6net_ident_reply_get.c new file mode 100644 index 0000000..3e11121 --- /dev/null +++ b/src/libs6net/s6net_ident_reply_get.c @@ -0,0 +1,46 @@ +/* ISC license. */ + +#include <errno.h> +#include <skalibs/uint16.h> +#include <skalibs/allreadwrite.h> +#include <skalibs/buffer.h> +#include <skalibs/error.h> +#include <skalibs/tai.h> +#include <skalibs/djbunix.h> +#include <skalibs/ip46.h> +#include <skalibs/unix-timed.h> +#include <s6-networking/ident.h> + +int s6net_ident_reply_get (char *s, ip46_t const *remoteip, uint16 remoteport, ip46_t const *localip, uint16 localport, tain_t const *deadline, tain_t *stamp) +{ + unsigned int len ; + int fd ; + if (ip46_is6(remoteip) != ip46_is6(localip)) return (errno = EAFNOSUPPORT, -1) ; + fd = socket_tcp46(ip46_is6(remoteip)) ; + if (fd < 0) return -1 ; + if (socket_bind46(fd, localip, 0) < 0) goto err ; + if (socket_deadlineconnstamp46(fd, remoteip, 113, deadline, stamp) <= 0) goto err ; + { + char buf[S6NET_IDENT_REPLY_SIZE + 1] ; + char fmt[UINT16_FMT] ; + buffer b = BUFFER_INIT(&buffer_write, fd, buf, 256) ; + unsigned int n = uint16_fmt(fmt, remoteport) ; + buffer_putnoflush(&b, fmt, n) ; + buffer_putnoflush(&b, " , ", 3) ; + n = uint16_fmt(fmt, localport) ; + buffer_putnoflush(&b, fmt, n) ; + buffer_putnoflush(&b, "\r\n", 2) ; + if (!buffer_timed_flush(&b, deadline, stamp)) goto err ; + buffer_init(&b, &buffer_read, fd, buf, S6NET_IDENT_REPLY_SIZE + 1) ; + if (sanitize_read(timed_getlnmax(&b, s, S6NET_IDENT_REPLY_SIZE, &len, '\n', deadline, stamp)) <= 0) goto err ; + } + fd_close(fd) ; + if (len < 2) return (errno = EPROTO, -1) ; + len -= 2 ; + s[len] = 0 ; + return (int)len ; + +err: + fd_close(fd) ; + return -1 ; +} diff --git a/src/libs6net/s6net_ident_reply_parse.c b/src/libs6net/s6net_ident_reply_parse.c new file mode 100644 index 0000000..a895d60 --- /dev/null +++ b/src/libs6net/s6net_ident_reply_parse.c @@ -0,0 +1,58 @@ +/* ISC license. */ + +#include <errno.h> +#include <skalibs/uint16.h> +#include <skalibs/bytestr.h> +#include <skalibs/error.h> +#include <s6-networking/ident.h> + +static unsigned int skipspace (char const *s) +{ + register unsigned int n = 0 ; + while ((s[n] == ' ') || (s[n] == '\t')) n++ ; + return n ; +} + +int s6net_ident_reply_parse (char const *s, uint16 rp, uint16 lp) +{ + unsigned int n = 0 ; + n += skipspace(s+n) ; if (!s[n]) goto err ; + { + unsigned int i ; + uint16 u ; + i = uint16_scan(s+n, &u) ; if (!i) goto err ; n += i ; + if (u != rp) goto err ; + n += skipspace(s+n) ; if (!s[n]) goto err ; + if (s[n++] != ',') goto err ; + n += skipspace(s+n) ; if (!s[n]) goto err ; + i = uint16_scan(s+n, &u) ; if (!i) goto err ; n += i ; + if (u != lp) goto err ; + } + n += skipspace(s+n) ; if (!s[n]) goto err ; + if (s[n++] != ':') goto err ; + n += skipspace(s+n) ; if (!s[n]) goto err ; + if (!str_diffn(s+n, "ERROR", 5)) goto ERROR ; + if (!str_diffn(s+n, "USERID", 6)) goto USERID ; + err: + return (errno = EPROTO, -1) ; + + ERROR: + n += 5 ; + n += skipspace(s+n) ; if (!s[n]) goto err ; + if (s[n++] != ':') goto err ; + n += skipspace(s+n) ; if (!s[n]) goto err ; + if (!str_diffn(s+n, "INVALID-PORT", 12)) return (errno = EINVAL, 0) ; + if (!str_diffn(s+n, "NO-USER", 7)) return (errno = ESRCH, 0) ; + if (!str_diffn(s+n, "HIDDEN-USER", 11)) return (errno = EPERM, 0) ; + if (!str_diffn(s+n, "UNKNOWN-ERROR", 13)) return (errno = EIO, 0) ; + if (s[n] == 'X') return (errno = EEXIST, 0) ; + goto err ; + + USERID: + n += 6 ; + n += skipspace(s+n) ; if (!s[n]) goto err ; + if (s[n++] != ':') goto err ; + n += str_chr(s+n, ':') ; if (!s[n]) goto err ; + n++ ; if ((s[n] == ' ') || (s[n] == '\t')) n++ ; + return n ; +} diff --git a/src/minidentd/deps-exe/minidentd b/src/minidentd/deps-exe/minidentd new file mode 100755 index 0000000..37c2de8 --- /dev/null +++ b/src/minidentd/deps-exe/minidentd @@ -0,0 +1,4 @@ +mgetuid.o +-lskarnet +${SOCKET_LIB} +${TAINNOW_LIB} diff --git a/src/minidentd/mgetuid-default.c b/src/minidentd/mgetuid-default.c new file mode 100644 index 0000000..6c9ae9b --- /dev/null +++ b/src/minidentd/mgetuid-default.c @@ -0,0 +1,15 @@ +/* ISC license. */ + +#include <errno.h> +#include <skalibs/uint16.h> +#include <skalibs/uint32.h> +#include "mgetuid.h" + +int mgetuid (ip46_t const *localaddr, uint16 localport, ip46_t const *remoteaddr, uint16 remoteport) +{ + (void)localaddr ; + (void)localport ; + (void)remoteaddr ; + (void)remoteport ; + return (errno = ENOSYS, -2) ; +} diff --git a/src/minidentd/mgetuid-linux.c b/src/minidentd/mgetuid-linux.c new file mode 100644 index 0000000..442f642 --- /dev/null +++ b/src/minidentd/mgetuid-linux.c @@ -0,0 +1,169 @@ +/* ISC license. */ + +#include <skalibs/uint16.h> +#include <skalibs/uint32.h> +#include <skalibs/uint.h> +#include <skalibs/bytestr.h> +#include <skalibs/fmtscan.h> +#include <skalibs/buffer.h> +#include <skalibs/stralloc.h> +#include <skalibs/djbunix.h> +#include <skalibs/ip46.h> +#include <skalibs/skamisc.h> +#include "mgetuid.h" + +#ifdef DEBUG +#include <skalibs/strerr2.h> +#define bug(a) do { strerr_warn4x("bug parsing ", a, "remaining: ", cur) ; return 0 ; } while (0) +#else +#define bug(a) return 0 +#endif + +#define LINESIZE 256 + +static int skipspace (char **s) +{ + while (**s && ((**s == ' ') || (**s == '\t'))) + (*s)++ ; + return (int)**s ; +} + +static int parseline (char *s, unsigned int len, unsigned int *u, char *la, uint16 *lp, char *ra, uint16 *rp, int is6) +{ + char *cur = s ; + unsigned int pos ; + uint32 junk ; + register unsigned int iplen = is6 ? 16 : 4 ; + + if (!skipspace(&cur)) bug("initial whitespace") ; + pos = uint32_scan(cur, &junk) ; /* sl */ + if (!pos || (cur-s+1+pos) > len) bug("sl") ; + cur += pos ; + if ((*cur++) != ':') bug("sl:") ; + if (!skipspace(&cur)) bug("sl: SPACE") ; + + if ((cur - s + 1 + iplen) > len) bug("local_address") ; + pos = ucharn_scan(cur, la, iplen) ; /* local_address */ + if (!pos) bug("local_address") ; + cur += pos ; + if ((*cur++) != ':') bug("local_address:") ; + + pos = uint16_xscan(cur, lp) ; /* :port */ + if (!pos || (cur-s+pos) > len) bug("local_port") ; + cur += pos ; + if (!skipspace(&cur)) bug("local_port SPACE") ; + + if ((cur - s + 1 + iplen) > len) bug("remote_address") ; + pos = ucharn_scan(cur, ra, iplen) ; /* remote_address */ + if (!pos) bug("remote_address") ; + cur += pos ; + if ((*cur++) != ':') bug("remote_address:") ; + + pos = uint16_xscan(cur, rp) ; /* :port */ + if (!pos || (cur-s+pos) > len) bug("remote_port") ; + cur += pos ; + if (!skipspace(&cur)) bug("remote_port SPACE"); + + pos = uint32_xscan(cur, &junk) ; /* st */ + if (!pos || (cur-s+pos) > len) bug("st") ; + cur += pos ; + if (!skipspace(&cur)) bug("st SPACE") ; + pos = uint32_xscan(cur, &junk) ; /* tx_queue */ + if (!pos || (cur-s+1+pos) > len) bug("tx_queue") ; + cur += pos ; + if ((*cur++) != ':') bug("tx_queue:") ; + pos = uint32_xscan(cur, &junk) ; /* rx_queue */ + if (!pos || (cur-s+pos) > len) bug("rx_queue") ; + cur += pos ; + if (!skipspace(&cur)) bug("rx_queue SPACE") ; + pos = uint32_xscan(cur, &junk) ; /* tr */ + if (!pos || (cur-s+1+pos) > len) bug("tr") ; + cur += pos ; + if ((*cur++) != ':') bug("tr:") ; + pos = uint32_xscan(cur, &junk) ; /* tm->when */ + if (!pos || (cur-s+pos) > len) bug("tm->when") ; + cur += pos ; + if (!skipspace(&cur)) bug("tm->when SPACE") ; + pos = uint32_xscan(cur, &junk) ; /* retrnsmt */ + if (!pos || (cur-s+pos) > len) bug("retrnsmt") ; + cur += pos ; + + if (!skipspace(&cur)) bug("retrnsmt SPACE") ; + pos = uint_scan(cur, u) ; /* uid */ + if (!pos || (cur-s+1+pos) > len) bug("uid") ; + + return 1 ; +} + +#ifdef DEBUG + +static void debuglog (uint16 a, uint16 b, unsigned int c, char const *d, char const *e, int is6) +{ + char sa[UINT16_FMT] ; + char sb[UINT16_FMT] ; + char sc[UINT_FMT] ; + char sd[IP46_FMT] ; + char se[IP46_FMT] ; + + sa[uint16_fmt(sa, a)] = 0 ; + sb[uint16_fmt(sb, b)] = 0 ; + sc[uint_fmt(sc, c)] = 0 ; + sd[is6 ? ip6_fmt(sd, d) : ip4_fmt(sd, d)] = 0 ; + se[is6 ? ip6_fmt(se, e) : ip4_fmt(se, e)] = 0 ; + + buffer_puts(buffer_2, sd) ; + buffer_puts(buffer_2, ":") ; + buffer_puts(buffer_2, sa) ; + buffer_puts(buffer_2, " , ") ; + buffer_puts(buffer_2, se) ; + buffer_puts(buffer_2, ":") ; + buffer_puts(buffer_2, sb) ; + buffer_puts(buffer_2, " -> ") ; + buffer_puts(buffer_2, sc) ; + buffer_putsflush(buffer_2, "\n") ; +} + +#endif + +int mgetuid (ip46_t const *localaddr, uint16 localport, ip46_t const *remoteaddr, uint16 remoteport) +{ + int r ; + int u = -2 ; + stralloc line = STRALLOC_ZERO ; + buffer b ; + char y[BUFFER_INSIZE] ; + register int is6 = ip46_is6(localaddr) ; + int fd = open_readb(is6 ? "/proc/net/tcp6" : "/proc/net/tcp") ; + if (fd == -1) return -2 ; + buffer_init(&b, &buffer_read, fd, y, BUFFER_INSIZE_SMALL) ; + if (skagetln(&b, &line, '\n') < 1) goto err ; +#ifdef DEBUG + line.s[line.len-1] = 0 ; + debuglog(localport, remoteport, 65535, localaddr->ip, remoteaddr->ip, is6) ; +#endif + for (;;) + { + char la[16] ; + char ra[16] ; + unsigned int nu ; + uint16 lp, rp ; + line.len = 0 ; + r = skagetln(&b, &line, '\n') ; + if (r <= 0) { u = -1 ; break ; } + line.s[line.len-1] = 0 ; + if (!parseline(line.s, line.len, &nu, la, &lp, ra, &rp, is6)) break ; +#ifdef DEBUG + debuglog(lp, rp, nu, la, ra, is6) ; +#endif + if ((lp == localport) && (rp == remoteport) + && !byte_diff(la, is6 ? 16 : 4, localaddr->ip) + && !byte_diff(ra, is6 ? 16 : 4, remoteaddr->ip)) + { + u = nu ; break ; + } + } + stralloc_free(&line) ; + err: + fd_close(fd) ; + return u ; +} diff --git a/src/minidentd/mgetuid.h b/src/minidentd/mgetuid.h new file mode 100644 index 0000000..0572385 --- /dev/null +++ b/src/minidentd/mgetuid.h @@ -0,0 +1,11 @@ +/* ISC license. */ + +#ifndef MGETUID_H +#define MGETUID_H + +#include <skalibs/uint16.h> +#include <skalibs/ip46.h> + +extern int mgetuid (ip46_t const *, uint16, ip46_t const *, uint16) ; + +#endif diff --git a/src/minidentd/minidentd.c b/src/minidentd/minidentd.c new file mode 100644 index 0000000..0bd86be --- /dev/null +++ b/src/minidentd/minidentd.c @@ -0,0 +1,273 @@ +/* ISC license. */ + +#include <unistd.h> +#include <errno.h> +#include <pwd.h> +#include <skalibs/uint16.h> +#include <skalibs/uint32.h> +#include <skalibs/uint.h> +#include <skalibs/allreadwrite.h> +#include <skalibs/bytestr.h> +#include <skalibs/fmtscan.h> +#include <skalibs/buffer.h> +#include <skalibs/strerr2.h> +#include <skalibs/stralloc.h> +#include <skalibs/djbunix.h> +#include <skalibs/sgetopt.h> +#include <skalibs/tai.h> +#include <skalibs/random.h> +#include <skalibs/unix-timed.h> +#include "mgetuid.h" + +#define USAGE "minidentd [ -v ] [ -n | -i | -r ] [ -y file ] [ -t timeout ]" +#define dieusage() strerr_dieusage(100, USAGE) + + +static int how = 0 ; +static int flagverbose = 0 ; +static char const *userfile = ".ident" ; + +static tain_t deadline ; +static unsigned int nquery = 0 ; +static char logfmt[UINT_FMT] ; + +#define DECIMAL "0123456789" +#define godecimal(s) while (*(s) && !DECIMAL[str_chr(DECIMAL, *(s))]) (s)++ + +static int parseline (char const *s, uint16 *localport, uint16 *remoteport) +{ + unsigned int pos = 0 ; + + godecimal(s) ; + if (!*s) return 0 ; + s += uint16_scan(s, localport) ; + if (!*s) return 0 ; + s += str_chr(s+pos, ',') ; + if (*s) s++ ; + godecimal(s) ; + if (!*s) return 0 ; + if (!uint16_scan(s, remoteport)) return 0 ; + return 1 ; +} + +static void formatlr (char *s, uint16 lp, uint16 rp) +{ + s += uint16_fmt(s, lp) ; + *s++ = ',' ; + *s++ = ' ' ; + s += uint16_fmt(s, rp) ; + *s = 0 ; +} + +static void reply (char const *s, char const *r, char const *info) +{ + buffer_puts(buffer_1small, s) ; + buffer_put(buffer_1small, " : ", 3) ; + buffer_puts(buffer_1small, r) ; + buffer_put(buffer_1small, " : ", 3) ; + buffer_puts(buffer_1small, info) ; + buffer_put(buffer_1small, "\r\n", 2) ; + if (!buffer_timed_flush_g(buffer_1small, &deadline)) + strerr_diefu1sys(111, "write to stdout") ; +} + +static void logquery (char const *s) +{ + if (!flagverbose) return ; + logfmt[uint_fmt(logfmt, ++nquery)] = 0 ; + buffer_put(buffer_2, "query ", 6) ; + buffer_puts(buffer_2, logfmt) ; + buffer_put(buffer_2, ": ", 2) ; + buffer_puts(buffer_2, s) ; + buffer_putflush(buffer_2, "\n", 1) ; +} + +static void logreply (char const *type, char const *reply1, char const *reply2) +{ + if (!flagverbose) return ; + buffer_puts(buffer_2, "reply type ") ; + buffer_puts(buffer_2, type) ; + buffer_put(buffer_2, ": ", 2) ; + buffer_puts(buffer_2, logfmt) ; + buffer_put(buffer_2, ": ", 2) ; + buffer_puts(buffer_2, reply1) ; + buffer_put(buffer_2, ": ", 2) ; + buffer_puts(buffer_2, reply2) ; + buffer_putflush(buffer_2, "\n", 1) ; +} + +static int userident (char *s, char const *home) +{ + int fd ; + int r = 1 ; + { + unsigned int homelen = str_len(home) ; + unsigned int userlen = str_len(userfile) ; + char tmp[homelen + userlen + 2] ; + byte_copy(tmp, homelen, home) ; + tmp[homelen] = '/' ; + byte_copy(tmp + homelen + 1, userlen + 1, userfile) ; + fd = open_readb(tmp) ; + } + if (fd == -1) return (errno != ENOENT) ? -1 : 0 ; + if (how == 1) + { + fd_close(fd) ; + return 1 ; + } + r = allread(fd, s, 14) ; + fd_close(fd) ; + if (r == -1) return -1 ; + if (!r) return 1 ; + s[r] = 0 ; + s[byte_chr(s, r, '\n')] = 0 ; + return 2 ; +} + + +static void doit (char const *s, ip46_t const *localaddr, ip46_t const *remoteaddr) +{ + char lr[15] ; + uint16 localport, remoteport ; + struct passwd *pw ; + int uid ; + if (!parseline(s, &localport, &remoteport)) + { + reply("0, 0", "ERROR", "INVALID-PORT") ; + return ; + } + formatlr(lr, localport, remoteport) ; + logquery(lr) ; + + uid = mgetuid(localaddr, localport, remoteaddr, remoteport) ; + if (uid == -2) + { + strerr_warnwu1sys("get uid") ; + reply(lr, "ERROR", "UNKNOWN-ERROR") ; + return ; + } + else if (uid == -1) + { + reply(lr, "ERROR", "NO-USER") ; + logreply("error", "ERROR", "NO-USER") ; + return ; + } + + if (how == 3) + { + char name[9] ; + char fmt[4 + UINT_FMT] = "uid " ; + fmt[4 + uint_fmt(fmt+4, uid)] = 0 ; + if (random_name(name, 8) < 8) + { + strerr_warnwu1sys("perform random") ; + reply(lr, "ERROR", "UNKNOWN-ERROR") ; + return ; + } + reply(lr, "UNIX", name) ; + logreply("random", fmt, name) ; + return ; + } + + pw = getpwuid(uid) ; + if (!pw) + { + char fmt[UINT_FMT] ; + fmt[uint_fmt(fmt, uid)] = 0 ; + strerr_warnw2x("unknown uid ", fmt) ; + reply(lr, "ERROR", "UNKNOWN-ERROR") ; + return ; + } + + if (how) + { + char s[15] ; + register int r = userident(s, pw->pw_dir) ; + if ((how == 1) || (r == 1)) + { + reply(lr, "ERROR", "HIDDEN-USER") ; + logreply("user", "ERROR", "HIDDEN-USER") ; + return ; + } + else if (r == 2) + { + reply(lr, "USERID : UNIX", s) ; + logreply("user", "UNIX", s) ; + return ; + } + } + + reply(lr, "USERID : UNIX", pw->pw_name) ; + logreply("user", "UNIX", pw->pw_name) ; +} + + +int main (int argc, char const *const *argv, char const *const *envp) +{ + stralloc line = STRALLOC_ZERO ; + tain_t tto ; + ip46_t localaddr, remoteaddr ; + PROG = "minidentd" ; + + { + subgetopt_t l = SUBGETOPT_ZERO ; + unsigned int t = 0 ; + for (;;) + { + register int opt = subgetopt_r(argc, argv, "vniry:t:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case 'v' : flagverbose = 1 ; break ; + case 'n' : how = 1 ; break ; + case 'i' : how = 2 ; break ; + case 'r' : how = 3 ; break ; + case 'y' : userfile = l.arg ; break ; + case 't' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ; + default : dieusage() ; + } + } + if (t) tain_from_millisecs(&tto, t) ; else tto = tain_infinite_relative ; + argc -= l.ind ; argv += l.ind ; + } + + { + char const *proto = env_get2(envp, "PROTO") ; + if (!proto) strerr_dienotset(100, "PROTO") ; + { + char const *x ; + unsigned int protolen = str_len(proto) ; + char tmp[protolen + 9] ; + byte_copy(tmp, protolen, proto) ; + byte_copy(tmp + protolen, 8, "LOCALIP") ; + x = env_get2(envp, tmp) ; + if (!x) strerr_dienotset(100, tmp) ; + if (!ip46_scan(x, &localaddr)) strerr_dieinvalid(100, tmp) ; + byte_copy(tmp + protolen, 9, "REMOTEIP") ; + x = env_get2(envp, tmp) ; + if (!x) strerr_dienotset(100, tmp) ; + if (!ip46_scan(x, &remoteaddr)) strerr_dieinvalid(100, tmp) ; + } + } + + if (ip46_is6(&localaddr) != ip46_is6(&remoteaddr)) + strerr_dief1x(100, "local and remote address not of the same family") ; + tain_now_g() ; + + for (;;) + { + register int r ; + line.len = 0 ; + tain_add_g(&deadline, &tto) ; + r = timed_getln_g(buffer_0small, &line, '\n', &deadline) ; + if (r == -1) + { + if (errno == ETIMEDOUT) return 1 ; + else strerr_diefu1sys(111, "read from stdin") ; + } + if (!r) break ; + line.s[line.len - 1] = 0 ; + doit(line.s, &localaddr, &remoteaddr) ; + } + return 0 ; +} diff --git a/tools/gen-deps.sh b/tools/gen-deps.sh new file mode 100755 index 0000000..af31259 --- /dev/null +++ b/tools/gen-deps.sh @@ -0,0 +1,79 @@ +#!/bin/sh -e + +. package/info + +echo '#' +echo '# This file has been generated by tools/gen-deps.sh' +echo '#' +echo + +for dir in src/include/${package} src/* ; do + for file in $(ls -1 $dir | grep -- \\.h$) ; do + { + grep -F -- "#include <${package}/" < ${dir}/$file | cut -d'<' -f2 | cut -d'>' -f1 ; + grep -- '#include ".*\.h"' < ${dir}/$file | cut -d'"' -f2 + } | sort -u | { + deps= + while read dep ; do + if echo $dep | grep -q "^${package}/" ; then + deps="$deps src/include/$dep" + elif test -f "${dir}/$dep" ; then + deps="$deps ${dir}/$dep" + else + deps="$deps src/include-local/$dep" + fi + done + if test -n "$deps" ; then + echo "${dir}/${file}:${deps}" + fi + } + done +done + +for dir in src/* ; do + for file in $(ls -1 $dir | grep -- \\.c$) ; do + { + grep -F -- "#include <${package}/" < ${dir}/$file | cut -d'<' -f2 | cut -d'>' -f1 ; + grep -- '#include ".*\.h"' < ${dir}/$file | cut -d'"' -f2 + } | sort -u | { + deps=" ${dir}/$file" + while read dep ; do + if echo $dep | grep -q "^${package}/" ; then + deps="$deps src/include/$dep" + elif test -f "${dir}/$dep" ; then + deps="$deps ${dir}/$dep" + else + deps="$deps src/include-local/$dep" + fi + done + o=$(echo $file | sed s/\\.c$/.o/) + lo=$(echo $file | sed s/\\.c$/.lo/) + echo "${dir}/${o} ${dir}/${lo}:${deps}" + } + done +done +echo + +for dir in $(ls -1 src | grep -v ^include) ; do + for file in $(ls -1 src/$dir/deps-lib) ; do + deps= + while read dep ; do + deps="$deps src/$dir/$dep" + done < src/$dir/deps-lib/$file + echo "lib$file.a: $deps" + if test -x "src/$dir/deps-lib/$file" ; then + echo "lib${file}.so: $(echo "$deps" | sed 's/\.o/.lo/g')" + fi + done + + for file in $(ls -1 src/$dir/deps-exe) ; do + deps= + while read dep ; do + if echo $dep | grep -q -- \\.o$ ; then + dep="src/$dir/$dep" + fi + deps="$deps $dep" + done < src/$dir/deps-exe/$file + echo "$file: src/$dir/$file.o$deps" + done +done diff --git a/tools/install.sh b/tools/install.sh new file mode 100755 index 0000000..89f9428 --- /dev/null +++ b/tools/install.sh @@ -0,0 +1,64 @@ +#!/bin/sh + +usage() { + echo "usage: $0 [-D] [-l] [-m mode] src dst" 1>&2 + exit 1 +} + +mkdirp=false +symlink=false +mode=0755 + +while getopts Dlm: name ; do + case "$name" in + D) mkdirp=true ;; + l) symlink=true ;; + m) mode=$OPTARG ;; + ?) usage ;; + esac +done +shift $(($OPTIND - 1)) + +test "$#" -eq 2 || usage +src=$1 +dst=$2 +tmp="$dst.tmp.$$" + +case "$dst" in + */) echo "$0: $dst ends in /" 1>&2 ; exit 1 ;; +esac + +set -C +set -e + +if $mkdirp ; then + umask 022 + case "$2" in + */*) mkdir -p "${dst%/*}" ;; + esac +fi + +trap 'rm -f "$tmp"' EXIT INT QUIT TERM HUP + +umask 077 + +if $symlink ; then + ln -s "$src" "$tmp" +else + cat < "$1" > "$tmp" + chmod "$mode" "$tmp" +fi + +mv -f "$tmp" "$dst" +if test -d "$dst" ; then + rm -f "$dst/$(basename $tmp)" + if $symlink ; then + mkdir "$tmp" + ln -s "$src" "$tmp/$(basename $dst)" + mv -f "$tmp/$(basename $dst)" "${dst%/*}" + rmdir "$tmp" + else + echo "$0: $dst is a directory" 1>&2 + exit 1 + fi +fi |