From ebfd0ba17e0d4b220725018d16e294e8e22a1745 Mon Sep 17 00:00:00 2001
From: Laurent Bercot
Date: Thu, 15 Jan 2015 20:51:39 +0000
Subject: Move Unix domain socket and access control stuff to s6. Move
seekablepipe to s6-portable-utils. Version: 2.0.1.0, release candidate
---
doc/index.html | 26 +-
doc/libs6net/accessrules.html | 331 -----------------
doc/libs6net/index.html | 2 -
doc/localservice.html | 151 --------
doc/s6-accessrules-cdb-from-fs.html | 141 --------
doc/s6-accessrules-fs-from-cdb.html | 60 ----
doc/s6-connlimit.html | 96 -----
doc/s6-ioconnect.html | 84 -----
doc/s6-ipcclient.html | 65 ----
doc/s6-ipcserver-access.html | 172 ---------
doc/s6-ipcserver-socketbinder.html | 72 ----
doc/s6-ipcserver.html | 173 ---------
doc/s6-ipcserverd.html | 131 -------
doc/s6-sudo.html | 59 ---
doc/s6-sudoc.html | 80 -----
doc/s6-sudod.html | 165 ---------
doc/s6-tcpserver-access.html | 18 +-
doc/seekablepipe.html | 36 --
package/deps.mak | 58 +--
package/modes | 13 -
package/targets.mak | 13 -
src/conn-tools/deps-exe/s6-accessrules-cdb-from-fs | 4 -
src/conn-tools/deps-exe/s6-accessrules-fs-from-cdb | 1 -
src/conn-tools/deps-exe/s6-connlimit | 1 -
src/conn-tools/deps-exe/s6-ioconnect | 3 -
src/conn-tools/deps-exe/s6-ipcclient | 2 -
src/conn-tools/deps-exe/s6-ipcserver | 1 -
src/conn-tools/deps-exe/s6-ipcserver-access | 3 -
src/conn-tools/deps-exe/s6-ipcserver-socketbinder | 2 -
src/conn-tools/deps-exe/s6-ipcserverd | 2 -
src/conn-tools/deps-exe/s6-sudo | 1 -
src/conn-tools/deps-exe/s6-sudoc | 3 -
src/conn-tools/deps-exe/s6-sudod | 3 -
src/conn-tools/deps-exe/s6-tcpserver-access | 1 +
src/conn-tools/deps-exe/seekablepipe | 1 -
src/conn-tools/s6-accessrules-cdb-from-fs.c | 195 ----------
src/conn-tools/s6-accessrules-fs-from-cdb.c | 177 ---------
src/conn-tools/s6-connlimit.c | 39 --
src/conn-tools/s6-ioconnect.c | 187 ----------
src/conn-tools/s6-ipcclient.c | 66 ----
src/conn-tools/s6-ipcserver-access.c | 211 -----------
src/conn-tools/s6-ipcserver-socketbinder.c | 49 ---
src/conn-tools/s6-ipcserver.c | 128 -------
src/conn-tools/s6-ipcserverd.c | 399 ---------------------
src/conn-tools/s6-sudo.c | 67 ----
src/conn-tools/s6-sudo.h | 11 -
src/conn-tools/s6-sudoc.c | 115 ------
src/conn-tools/s6-sudod.c | 233 ------------
src/conn-tools/s6-tcpserver-access.c | 39 +-
src/conn-tools/seekablepipe.c | 41 ---
src/include/s6-networking/accessrules.h | 53 ---
src/include/s6-networking/s6net.h | 1 -
src/libs6net/deps-lib/s6net | 8 -
src/libs6net/s6net_accessrules_backend_cdb.c | 38 --
src/libs6net/s6net_accessrules_backend_fs.c | 58 ---
src/libs6net/s6net_accessrules_keycheck_ip4.c | 24 --
src/libs6net/s6net_accessrules_keycheck_ip6.c | 27 --
.../s6net_accessrules_keycheck_reversedns.c | 27 --
src/libs6net/s6net_accessrules_keycheck_uidgid.c | 16 -
src/libs6net/s6net_accessrules_uidgid_cdb.c | 11 -
src/libs6net/s6net_accessrules_uidgid_fs.c | 10 -
61 files changed, 39 insertions(+), 4165 deletions(-)
delete mode 100644 doc/libs6net/accessrules.html
delete mode 100644 doc/localservice.html
delete mode 100644 doc/s6-accessrules-cdb-from-fs.html
delete mode 100644 doc/s6-accessrules-fs-from-cdb.html
delete mode 100644 doc/s6-connlimit.html
delete mode 100644 doc/s6-ioconnect.html
delete mode 100644 doc/s6-ipcclient.html
delete mode 100644 doc/s6-ipcserver-access.html
delete mode 100644 doc/s6-ipcserver-socketbinder.html
delete mode 100644 doc/s6-ipcserver.html
delete mode 100644 doc/s6-ipcserverd.html
delete mode 100644 doc/s6-sudo.html
delete mode 100644 doc/s6-sudoc.html
delete mode 100644 doc/s6-sudod.html
delete mode 100644 doc/seekablepipe.html
delete mode 100644 src/conn-tools/deps-exe/s6-accessrules-cdb-from-fs
delete mode 100644 src/conn-tools/deps-exe/s6-accessrules-fs-from-cdb
delete mode 100644 src/conn-tools/deps-exe/s6-connlimit
delete mode 100644 src/conn-tools/deps-exe/s6-ioconnect
delete mode 100644 src/conn-tools/deps-exe/s6-ipcclient
delete mode 100644 src/conn-tools/deps-exe/s6-ipcserver
delete mode 100644 src/conn-tools/deps-exe/s6-ipcserver-access
delete mode 100644 src/conn-tools/deps-exe/s6-ipcserver-socketbinder
delete mode 100644 src/conn-tools/deps-exe/s6-ipcserverd
delete mode 100644 src/conn-tools/deps-exe/s6-sudo
delete mode 100644 src/conn-tools/deps-exe/s6-sudoc
delete mode 100644 src/conn-tools/deps-exe/s6-sudod
delete mode 100644 src/conn-tools/deps-exe/seekablepipe
delete mode 100644 src/conn-tools/s6-accessrules-cdb-from-fs.c
delete mode 100644 src/conn-tools/s6-accessrules-fs-from-cdb.c
delete mode 100644 src/conn-tools/s6-connlimit.c
delete mode 100644 src/conn-tools/s6-ioconnect.c
delete mode 100644 src/conn-tools/s6-ipcclient.c
delete mode 100644 src/conn-tools/s6-ipcserver-access.c
delete mode 100644 src/conn-tools/s6-ipcserver-socketbinder.c
delete mode 100644 src/conn-tools/s6-ipcserver.c
delete mode 100644 src/conn-tools/s6-ipcserverd.c
delete mode 100644 src/conn-tools/s6-sudo.c
delete mode 100644 src/conn-tools/s6-sudo.h
delete mode 100644 src/conn-tools/s6-sudoc.c
delete mode 100644 src/conn-tools/s6-sudod.c
delete mode 100644 src/conn-tools/seekablepipe.c
delete mode 100644 src/include/s6-networking/accessrules.h
delete mode 100644 src/libs6net/s6net_accessrules_backend_cdb.c
delete mode 100644 src/libs6net/s6net_accessrules_backend_fs.c
delete mode 100644 src/libs6net/s6net_accessrules_keycheck_ip4.c
delete mode 100644 src/libs6net/s6net_accessrules_keycheck_ip6.c
delete mode 100644 src/libs6net/s6net_accessrules_keycheck_reversedns.c
delete mode 100644 src/libs6net/s6net_accessrules_keycheck_uidgid.c
delete mode 100644 src/libs6net/s6net_accessrules_uidgid_cdb.c
delete mode 100644 src/libs6net/s6net_accessrules_uidgid_fs.c
diff --git a/doc/index.html b/doc/index.html
index 3b65640..c6d61fa 100644
--- a/doc/index.html
+++ b/doc/index.html
@@ -45,7 +45,7 @@ compiled with IPv6 support, s6-networking is IPv6-ready.
execline version
2.0.1.1 or later
s6 version
-2.0.1.0 or later
+2.0.2.0 or later
s6-dns version
2.0.0.2 or later
@@ -60,7 +60,7 @@ compiled with IPv6 support, s6-networking is IPv6-ready.
Download
@@ -102,7 +102,7 @@ relevant page.
The s6-taiclockd program
- UCSPI implementation
+ UCSPI TCP implementation
- TCP and Unix access control
+ TCP access control
-
- suidless privilege gain
-
-
IDENT protocol implementation
@@ -148,7 +132,6 @@ relevant page.
Miscellaneous utilities
@@ -157,7 +140,6 @@ relevant page.
diff --git a/doc/libs6net/accessrules.html b/doc/libs6net/accessrules.html
deleted file mode 100644
index ea996b7..0000000
--- a/doc/libs6net/accessrules.html
+++ /dev/null
@@ -1,331 +0,0 @@
-
-
-
-
- s6-networking: the accessrules library interface
-
-
-
-
-
-
-
-libs6net
-s6-networking
-Software
-skarnet.org
-
-
- The accessrules library interface
-
-
- The following functions and structures are declared in the s6-networking/accessrules.h header,
-and implemented in the libs6net.a or libs6net.so library.
-
-
- General information
-
-
- s6net_accessrules is an access control library. It looks up
-a key in a user-specified database, then returns a code depending on
-whether the database allows access (in which case additional information
-can also be returned), denies access, or does not contain the key.
-
-
-
- accessrules has been designed to be easily extensible to any
-database format and any key format.
-
-
-
- Check the s6-networking/accessrules.h header for the exact definitions.
-
-
- Data structures
-
-
- - A s6net_accessrules_result_t is a scalar that
-can have the following values: S6NET_ACCESSRULES_ERROR,
-S6NET_ACCESSRULES_DENY, S6NET_ACCESSRULES_ALLOW or S6NET_ACCESSRULES_NOTFOUND.
- - A s6net_accessrules_params_t is a structure containing two
-strallocs,
-.env and .exec, used to return data contained in the
-database when a key has been allowed. The interpretation of this data is
-application-defined.
-
-
- Function types
-
- Backend lookups
-
-
- A s6net_accessrules_backend_func_t is the type of a function
-that takes a single key, looks it up in a database, and returns the result.
-Namely:
-
-
-
-s6net_accessrules_result_t f (char const *key, unsigned int keylen, void *handle, s6net_accessrules_params_t *params)
-
-
-
- f looks up key key of length keylen in the database
-represented by handle in an implementation-defined way. It returns a
-number that says the key has been allowed, denied or not found, or an error
-occurred. If the key has been allowed, f stores additional information
-from the database into *params.
-
-
-
- Two s6net_accessrules_backend_func_t functions are natively implemented:
-
-
-
- - s6net_accessrules_backend_fs takes a char const *
-handle and interprets it as a base directory to look up key
-under, in the format understood by
-s6-accessrules-cdb-from-fs.
- - s6net_accessrules_backend_cdb takes a struct cdb *
-handle and looks up key in the
-CDB it points to. handle must
-already be mapped to a CDB file. Such a file can be built with the
-s6-accessrules-cdb-from-fs
-utility.
-
-
- Frontend key checking
-
-
- A s6net_accessrules_keycheck_func_t is the type of a function that
-takes a user-level key, makes a list of corresponding backend-level keys and
-calls a s6net_accessrules_backend_func_t function until it finds
-a match. Namely:
-
-
-
-s6net_accessrules_result_t f (void const *key, void *handle, s6net_accessrules_params_t *params, s6net_accessrules_backend_func_t *backend)
-
-
-
- f derives a list of low-level keys to check from key.
-Then, for each key k of length klen in this list, it calls
-(*backend)(k, klen, handle, params), returning *backend's result if it
-is not S6NET_ACCESSRULES_NOTFOUND. If no match can be found in the whole list,
-f finally returns S6NET_ACCESSRULES_NOTFOUND.
-
-
-
- Five s6net_accessrules_keycheck_func_t functions are natively implemented:
-
-
-
- -
-
- s6net_accessrules_keycheck_uidgid interprets key as a
-diuint, i.e. a
-structure containing two unsigned ints. The first one is interpreted as an
-uid u, the second one as a gid g. The function first looks
-for a uid/u match; if it cannot find one, it looks for a
-gid/g match. If it cannot find one either, it checks
-uid/default and returns the result.
- -
-
- s6net_accessrules_keycheck_reversedns interprets key
-as a string containing a FQDN. Then for each suffix k of key,
-starting with key itself and ending with key's TLD,
-it looks up reversedns/k. The final dot is excluded from
-k. If no match can be found, the function checks reversedns/@
-and returns the result. For instance, if key is "foo.bar.com",
-the following strings are looked up, in that order:
-
- - reversedns/foo.bar.com
- - reversedns/bar.com
- - reversedns/com
- - reversedns/@
-
- -
-
- s6net_accessrules_keycheck_ip4 interprets key as
-4 network-byte-order characters containing an IPv4 address. Then for each
-netmask mask from 32 to 0, it constructs the IPv4 network
-prefix addr corresponding to that address, and looks up
-ip4/addr_mask. For instance, if key
-is "\300\250\001\007", representing the 192.168.1.7 address, the following
-strings are looked up, in that order:
-
- - ip4/192.168.1.7_32
- - ip4/192.168.1.6_31
- - ip4/192.168.1.4_30
- - ip4/192.168.1.0_29
- - ip4/192.168.0.0_28
- - ip4/192.168.0.0_27
-
- and so on, down to:
-
- - ip4/192.0.0.0_3
- - ip4/192.0.0.0_2
- - ip4/128.0.0.0_1
- - ip4/0.0.0.0_0
-
- Note that the ip4/0.0.0.0_0 string is a catch-all key that
-matches everything.
- -
-
- s6net_accessrules_keycheck_ip6 interprets key as
-16 network-byte-order characters containing an IPv6 address. Then for each
-netmask mask from 128 to 0, it constructs the IPv6 network
-prefix addr corresponding to that address,
-in canonical form,
-and looks up
-ip6/addr_mask. For instance, if key
-is "*\0\024P@\002\b\003\0\0\0\0\0\0\020\006", representing the
-2a00:1450:4002:803::1006 address, the following
-strings are looked up, in that order:
-
- - ip6/2a00:1450:4002:803::1006_128
- - ip6/2a00:1450:4002:803::1006_127
- - ip6/2a00:1450:4002:803::1004_126
- - ip6/2a00:1450:4002:803::1000_125
- - ip6/2a00:1450:4002:803::1000_124
- - ip6/2a00:1450:4002:803::1000_123
- - ip6/2a00:1450:4002:803::1000_122
- - ip6/2a00:1450:4002:803::1000_121
- - ip6/2a00:1450:4002:803::1000_120
- - ip6/2a00:1450:4002:803::1000_119
- - ip6/2a00:1450:4002:803::1000_118
- - ip6/2a00:1450:4002:803::1000_117
- - ip6/2a00:1450:4002:803::1000_116
- - ip6/2a00:1450:4002:803::1000_115
- - ip6/2a00:1450:4002:803::1000_114
- - ip6/2a00:1450:4002:803::1000_113
- - ip6/2a00:1450:4002:803::_112
- - ip6/2a00:1450:4002:803::_111
-
- and so on, down to:
-
- - ip6/2a00::_11
- - ip6/2800::_10
- - ip6/2800::_9
- - ip6/2000::_8
- - ip6/2000::_7
- - ip6/2000::_6
- - ip6/2000::_5
- - ip6/2000::_4
- - ip6/2000::_3
- - ip6/::_2
- - ip6/::_1
- - ip6/::_0
-
- Note that the ip6/::_0 string is a catch-all key that
-matches everything.
- -
-
- s6net_accessrules_keycheck_ip46 interprets key as a pointer to an
-ip46_t, and
-behaves either as s6net_accessrules_keycheck_ip6 or s6net_accessrules_keycheck_ip4,
-depending on the type of address *key contains.
-
-
- Ready-to-use functions
-
- Those functions are mostly macros; they're built by associating a frontend
-function with a backend function.
-
-
- s6net_accessrules_result_t s6net_accessrules_uidgid_cdb
-(unsigned int u, unsigned int g, struct cdb *c,
-s6net_accessrules_params_t *params)
-Checks the *c CDB database for an authorization for uid u
-and gid g. If the result is S6NET_ACCESSRULES_ALLOW, additional
-information may be stored into params.
-
-
-
- s6net_accessrules_result_t s6net_accessrules_uidgid_fs
-(unsigned int u, unsigned int g, char const *dir,
-s6net_accessrules_params_t *params)
-Checks the dir base directory for an authorization for uid u
-and gid g. If the result is S6NET_ACCESSRULES_ALLOW, additional
-information may be stored into params.
-
-
-
- s6net_accessrules_result_t s6net_accessrules_reversedns_cdb
-(char const *name, struct cdb *c,
-s6net_accessrules_params_t *params)
-Checks the *c CDB database for an authorization for the
-name FQDN. If the result is S6NET_ACCESSRULES_ALLOW, additional
-information may be stored into params.
-
-
-
- s6net_accessrules_result_t s6net_accessrules_reversedns_fs
-(char const *name, char const *dir,
-s6net_accessrules_params_t *params)
-Checks the dir base directory for an authorization for the
-name FQDN. If the result is S6NET_ACCESSRULES_ALLOW, additional
-information may be stored into params.
-
-
-
- s6net_accessrules_result_t s6net_accessrules_ip4_cdb
-(char const *ip4, struct cdb *c,
-s6net_accessrules_params_t *params)
-Checks the *c CDB database for an authorization for the
-ip4 IPv4 address (4 network byte order characters).
-If the result is S6NET_ACCESSRULES_ALLOW, additional
-information may be stored into params.
-
-
-
- s6net_accessrules_result_t s6net_accessrules_ip4_fs
-(char const *ip4, char const *dir,
-s6net_accessrules_params_t *params)
-Checks the dir base directory for an authorization for the
-ip4 IPv4 address (4 network byte order characters).
-If the result is S6NET_ACCESSRULES_ALLOW, additional
-information may be stored into params.
-
-
-
- s6net_accessrules_result_t s6net_accessrules_ip6_cdb
-(char const *ip6, struct cdb *c,
-s6net_accessrules_params_t *params)
-Checks the *c CDB database for an authorization for the
-ip6 IPv6 address (16 network byte order characters).
-If the result is S6NET_ACCESSRULES_ALLOW, additional
-information may be stored into params.
-
-
-
- s6net_accessrules_result_t s6net_accessrules_ip6_fs
-(char const *ip6, char const *dir,
-s6net_accessrules_params_t *params)
-Checks the dir base directory for an authorization for the
-ip6 IPv6 address (16 network byte order characters).
-If the result is S6NET_ACCESSRULES_ALLOW, additional
-information may be stored into params.
-
-
-
- s6net_accessrules_result_t s6net_accessrules_ip46_cdb
-(ip46_t *ip, struct cdb *c,
-s6net_accessrules_params_t *params)
-Checks the *c CDB database for an authorization for the
-ip IP address.
-If the result is S6NET_ACCESSRULES_ALLOW, additional
-information may be stored into params.
-
-
-
- s6net_accessrules_result_t s6net_accessrules_ip46_fs
-(ip46_t const *ip, char const *dir,
-s6net_accessrules_params_t *params)
-Checks the dir base directory for an authorization for the
-ip IP address.
-If the result is S6NET_ACCESSRULES_ALLOW, additional
-information may be stored into params.
-
-
-
-
diff --git a/doc/libs6net/index.html b/doc/libs6net/index.html
index 4fb35ff..36440ac 100644
--- a/doc/libs6net/index.html
+++ b/doc/libs6net/index.html
@@ -53,8 +53,6 @@ own header.
diff --git a/doc/localservice.html b/doc/localservice.html
deleted file mode 100644
index af7aafb..0000000
--- a/doc/localservice.html
+++ /dev/null
@@ -1,151 +0,0 @@
-
-
-
-
- s6-networking: what is a local service
-
-
-
-
-
-
-
-s6-networking
-Software
-skarnet.org
-
-
- Local services
-
-
- A local service is a daemon that listens to incoming connections
-on a Unix domain socket. Clients of the service are programs connecting to
-this socket: the daemon performs operations on their behalf.
-
-
-
- The service is called local because it is not accessible to
-clients from the network.
-
-
-
- A widely known example of a local service is the syslogd daemon.
-On most implementations, it listens to the /dev/log socket.
-Its clients connect to it and send their logs via the socket. The
-openlog() function is just a wrapper arround the connect()
-system call, the syslog() function a wrapper around write(),
-and so on.
-
-
- Benefits
-
- Privileges
-
-
- The most important benefit of a local service is that it permits
-controlled privilege gains without using setuid programs.
-The daemon is run as user S; a client running as user C and connecting to
-the daemon asks it to perform operations: those will be done as user S.
-
-
-
- Standard Unix permissions on the listening socket can be used to implement
-some basic access control: to restrict access to clients belonging to group
-G, change the socket to user S and group G, and give it 0420 permissions.
-This is functionally equivalent to the basic access control for setuid
-programs: a program having user S, group G and permissions 4750 will be
-executable by group G and run with S rights.
-
-
-
- But modern systems implement the
-getpeereid()
-system call or library function. This function allows the server to know the
-client's credentials: so fine-grained access control is possible. On those
-systems, local services can do as much authentication as setuid programs,
-in a much more controlled environment.
-
-
- fd-passing
-
-
- The most obvious difference between a local service and a network service
-is that a local service does not serve network clients. But local services
-have another nice perk: while network services usually only provide you
-with a single channel (a TCP or UDP socket) of communication between the
-client and the server, forcing you to multiplex your data into that
-channel, local services allow you to have as many
-communication channels as you want.
-
-
-
-(The SCTP transport layer provides a way for network services to use
-several communication channels. Unfortunately, it is not widely deployed
-yet, and a lot of network services still depend on TCP.)
-
-
-
- The fd-passing mechanism is Unix domain socket black magic
-that allows one peer of the socket to send open file descriptors to
-the other peer. So, if the server opens a pipe and sends one end of
-this pipe to a client via this mechanism, there is effectively a
-socket and a pipe between the client and the server.
-
-
- UCSPI
-
-
- The UCSPI protocol
-is an easy way of abstracting clients and servers from the network.
-A server written as a UCSPI server, just as it can be run
-under inetd or s6-tcpserver, can be run under
-s6-ipcserver: choose a socket
-location and you have a local service.
-
-
-
- Fine-grained access control can be added by inserting
-s6-ipcserver-access in
-your server command line after s6-ipcserver.
-
-
-
- A client written as an UCSPI client, i.e. assuming it has descriptor
-6 (resp. 7) open and reading from (resp. writing to) the server socket,
-can be run under s6-ipcclient.
-
-
- Use in skarnet.org software
-
-
- skarnet.org libraries often use a separate process to handle
-asynchronicity and background work in a way that's invisible to
-the user. Among them are:
-
-
-
- - s6-ftrigrd,
-managing the reception of notifications and only waking up the client process
-when the notification pattern matches a regular expression.
- - s6lockd,
-handling time-constrained lock acquisition on client behalf.
- - skadnsd,
-performing asynchronous DNS queries and only waking up the client process
-when an answer arrives.
-
-
-
- Those processes are usually spawned from a client, via the corresponding
-*_startf*() library call. But they can also be spawned from a
-s6-ipcserver program in a local service configuration. In both cases, they
-need an additional control channel to be passed from the server to
-the client: the main socket is used for synchronous commands from the client
-to the server and their answers, whereas the additional channel, which is
-now implemented as a socket as well (but created by the server on-demand
-and not bound to a local path), is used for asynchronous
-notifications from the server to the client. The fd-passing mechanism
-is used to transfer the additional channel from the server to the client.
-
-
-
-
diff --git a/doc/s6-accessrules-cdb-from-fs.html b/doc/s6-accessrules-cdb-from-fs.html
deleted file mode 100644
index 26105b1..0000000
--- a/doc/s6-accessrules-cdb-from-fs.html
+++ /dev/null
@@ -1,141 +0,0 @@
-
-
-
-
- s6-networking: the s6-accessrules-cdb-from-fs program
-
-
-
-
-
-
-
-s6-networking
-Software
-skarnet.org
-
-
- The s6-accessrules-cdb-from-fs program
-
-
-s6-accessrules-cdb-from-fs compiles a directory
-containing a ruleset suitable for
-s6-ipcserver-access or
-s6-tcpserver-access into a
-CDB file.
-
-
- Interface
-
-
- s6-accessrules-cdb-from-fs cdbfile dir
-
-
-
- - s6-accessrules-cdb-from-fs compiles the dir
-directory containing a ruleset into a
-CDB file
-cdbfile then exits 0.
-
-
- Ruleset directory format
-
-
- To be understood by s6-accessrules-cdb-from-fs,
-s6-ipcserver-access, or
-s6-tcpserver-access,
-dir must have a specific format.
-
-
-
- dir contains a series of directories:
-
-
-
- - ip4 for rules on IPv4 addresses
- - ip6 for rules on IPv6 addresses
- - reversedns for rules on host names
- - uid for rules on user IDs
- - gid for rules on group IDs
-
-
-
-Depending on the application, other directories can appear in dir
-and be compiled into cdbfile, but
-s6-tcpserver-access only
-uses the first three, and
-s6-ipcserver-access only
-uses the last two.
-
-
-
- Each of those directories contains a set of rules. A rule is
-a subdirectory named after the set of keys it matches, and containing
-actions that will be executed if the rule is the first matching rule
-for the tested key.
-
-
-
- The syntax for the rule name is dependent on the nature of keys, and
-fully documented on the
-accessrules
-library page. For instance, a subdirectory named 192.168.0.0_27
-in the ip4 directory will match every IPv4 address in the
-192.168.0.0/27 network that does not match a more precise rule.
-
-
-
- The syntax for the actions, however, is the same for every type of key.
-A rule subdirectory can contain the following elements:
-
-
-
- - a file (that can be empty) named allow. If such a file exists,
-a key matching this rule will be immediately accepted.
- - a file (that can be empty) named deny. If such a file exists and
-no allow file exists, a key matching this rule will be immediately
-denied.
- - a subdirectory named env. If such a directory exists along
-with an allow file, then its contents represent environment
-modifications that will be applied after accepting the connection and
-before executing the next program in the chain, as if the
-s6-envdir
-program, without options, was applied to env. env
-has exactly the same format as a directory suitable for s6-envdir;
-however, if the modifications take up more than 4096 bytes when
-compiled into cdbfile, then s6-accessrules-cdb-from-fs will
-complain and exit 100.
- - a file named exec. If such a file exists along with an
-allow file, then its contents represent a command line that,
-interpreted by the
-execlineb
-launcher, will be executed after accepting the connection, totally bypassing the
-original command line. s6-accessrules-cdb-from-fs truncates the exec
-file to 4096 bytes max when embedding it into cdbfile, so make
-sure it is not larger than that.
-
-
- Notes
-
-
- - cdbfile can exist prior to, and during, the compilation,
-which actually works in a temporary file in the same directory as
-cdbfile and performs an atomic replacement when it is done.
-So it is not necessary to interrupt a running service during the
-compilation.
- - If s6-accessrules-cdb-from-fs fails at some point, the temporary
-file is removed. However, this doesn't happen if
-s6-accessrules-cdb-from-fs is interrupted by a signal.
- - After the program successfully completes, if dir
-was a suitable candidate for the -i option of
-s6-ipcserver-access or
-s6-tcpserver-access, then
-cdbfile will be a suitable candidate for the -x option
-of the same program, implementing the same ruleset.
- - cdbfile can be decompiled by the
-s6-accessrules-fs-from-cdb
-program.
-
-
-
-
diff --git a/doc/s6-accessrules-fs-from-cdb.html b/doc/s6-accessrules-fs-from-cdb.html
deleted file mode 100644
index 91ec98e..0000000
--- a/doc/s6-accessrules-fs-from-cdb.html
+++ /dev/null
@@ -1,60 +0,0 @@
-
-
-
-
- s6-networking: the s6-accessrules-fs-from-cdb program
-
-
-
-
-
-
-
-s6-networking
-Software
-skarnet.org
-
-
- The s6-accessrules-fs-from-cdb program
-
-
-s6-accessrules-fs-from-cdb decompiles a CDB database
-containing a ruleset suitable for
-s6-ipcserver-access or
-s6-tcpserver-access and
-that has been compiled with
-s6-accessrules-cdb-from-fs.
-
-
- Interface
-
-
- s6-accessrules-fs-from-cdb dir cdbfile
-
-
-
- - s6-accessrules-fs-from-cdb decompiles the
-CDB file
-cdbfile into the directory dir, then exits 0.
-
-
- Notes
-
-
- - dir must not exist prior to the decompilation.
- - dir must be considered as a work in progress as long as
-s6-accessrules-fs-from-cdb is running. It is only safe to use dir
-as a ruleset once the program has exited.
- - If s6-accessrules-fs-from-cdb fails at some point, the partial
-arborescence at dir is removed. However, this doesn't happen if
-s6-accessrules-fs-from-cdb is interrupted by a signal.
- - After the program successfully completes, if cdbfile
-was a suitable candidate for the -x option of
-s6-ipcserver-access or
-s6-tcpserver-access, then
-dir will be a suitable candidate for the -i option
-of the same program, implementing the same ruleset.
-
-
-
-
diff --git a/doc/s6-connlimit.html b/doc/s6-connlimit.html
deleted file mode 100644
index 5008b4d..0000000
--- a/doc/s6-connlimit.html
+++ /dev/null
@@ -1,96 +0,0 @@
-
-
-
-
- s6-networking: the s6-connlimit program
-
-
-
-
-
-
-
-s6-networking
-Software
-skarnet.org
-
-
- The s6-connlimit program
-
-
-s6-connlimit is a small utility to perform IP-based
-control on the number of client connections to a TCP socket, and
-uid-based control on the number of client connections to a Unix
-domain socket.
-
-
- Interface
-
-
- s6-connlimit prog...
-
-
-
- - s6-connlimit reads its environment for the PROTO
-environment variable, and then for ${PROTO}CONNNUM and ${PROTO}CONNMAX,
-which must contain integers.
- - If the value of ${PROTO}CONNNUM is superior or equal to the value
-of ${PROTO}CONNMAX, s6-connlimit exits 1 with an error message.
- - Else it execs into prog....
- - If ${PROTO}CONNMAX is unset, s6-connlimit directly execs into
-prog... without performing any check:
-no maximum number of connections has been defined.
-
-
- Usage
-
-
- The s6-tcpserver4 and
-s6-tcpserver6 define the PROTO environment
-variable to "TCP", and spawn every child server with the TCPCONNNUM environment
-variable set to the number of connections from the same IP address.
- The s6-tcpserver-access program
-can set environment variables depending on the client's IP address. If the
-s6-tcpserver-access database is configured to set the TCPCONNMAX environment
-variable for a given set of IP addresses, and s6-tcpserver-access execs into
-s6-connlimit, then s6-connlimit will drop connections if there already are
-${TCPCONNMAX} connections from the same client IP address.
-
-
-
- The s6-ipcserver and
-s6-ipcserver-access programs can
-be used the same way, with "IPC" instead of "TCP", to limit the number
-of client connections by UID.
-
-
- Example
-
-
- The following command line:
-
-
-
- s6-tcpserver4 -v2 -c1000 -C40 1.2.3.4 80 \
- s6-tcpserver-access -v2 -RHl0 -i dir \
- s6-connlimit \
- prog...
-
-
-
- will run a server listening to IPv4 address 1.2.3.4, on port 80,
-serving up to 1000 concurrent connections, and up to 40 concurrent
-connections from the same IP address, no matter what the IP address.
-For every client connection, it will look up the database set up
-in dir; if the connection is accepted, it will run prog....
-
-
-
- If the dir/ip4/5.6.7.8_32/env/TCPCONNMAX file
-exists and contains the string 30, then at most 30 concurrent
-connections from 5.6.7.8 will execute prog..., instead of the
-default of 40.
-
-
-
-
diff --git a/doc/s6-ioconnect.html b/doc/s6-ioconnect.html
deleted file mode 100644
index 5e2b6c6..0000000
--- a/doc/s6-ioconnect.html
+++ /dev/null
@@ -1,84 +0,0 @@
-
-
-
-
- s6-networking: the s6-ioconnect program
-
-
-
-
-
-
-
-s6-networking
-Software
-skarnet.org
-
-
- The s6-ioconnect program
-
-
-s6-ioconnect performs full-duplex data transmission
-between two sets of open file descriptors.
-
-
- Interface
-
-
- s6-ioconnect [ -t millisecs ] [ -r fdr ] [ -w fdw ] [ -0 ] [ -1 ] [ -6 ] [ -7 ]
-
-
-
- - s6-ioconnect reads data from its stdin and writes it as is to
-file descriptor 7, which is assumed to be open.
- - It also reads data from its file descriptor 6, which is assumed
-to be open, and writes it as is to its stdout.
- - When both sides have transmitted EOF and s6-ioconnect has
-flushed its buffers, it exits 0.
-
-
- Options
-
-
- - -t millisecs : if no activity on
-either side happens for millisecs milliseconds, s6-ioconnect
-closes the connection on both ends and exits 1. By default,
-millisecs is 0, which means no such timeout.
- - -r fdr : Use fd fdr for
-"remote" reading instead of fd 6.
- - -w fdw : Use fd fdw for
-"remote" writing instead of fd 7.
- - -0: assume stdin is a socket and needs to be shut down
-for reading after an EOF.
- - -1: assume stdout is a socket and needs to be shut down
-for writing to correctly transmit an EOF.
- - -6: assume the remote reading fd is a socket and needs to be shut down
-for reading after an EOF.
- - -7: assume the remote writing fd is a socket and needs to be shut down
-for writing to correctly transmit an EOF.
-
-
- Notes
-
-
- - Transmitting EOF across full-duplex sockets
-is ugly. The right thing
-in every case cannot be automatically determined, so it is up to the user
-to mention that a socket must be shut down. Most of the time, though,
-shutting down sockets after EOF is the right thing to do, so
-s6-ioconnect -67 should be the common use case.
- - The point of s6-ioconnect is to be used together with
-s6-tcpclient or
-s6-ipcclient to establish a full-
-duplex connection between the client and the server, for instance
-for testing purposes. s6-ioconnect is to s6-tcpclient as
-cat is to s6-tcpserver: a program that will just echo
-what it gets.
- - On modern Linux systems, s6-ioconnect will perform zero-copy
-data transmission, via the
-splice
-system call.
-
-
-
-
diff --git a/doc/s6-ipcclient.html b/doc/s6-ipcclient.html
deleted file mode 100644
index 2bb66aa..0000000
--- a/doc/s6-ipcclient.html
+++ /dev/null
@@ -1,65 +0,0 @@
-
-
-
-
- s6-networking: the s6-ipcclient program
-
-
-
-
-
-
-
-s6-networking
-Software
-skarnet.org
-
-
- The s6-ipcclient program
-
-
-s6-ipcclient is an
-UCSPI client tool for
-Unix domain sockets. It connects to a socket, then executes into
-a program.
-
-
- Interface
-
-
- s6-ipcclient [ -q | -Q | -v ] [ -p bindpath ] [ -l localname ] path prog...
-
-
-
- - s6-ipcclient connects to a Unix domain socket on path.
- - It executes into prog... with descriptor 6 reading from
-the socket and descriptor 7 writing to it.
-
-
- Environment variables
-
-
- prog... is run with
-the following variables set:
-
-
-
- - PROTO: always set to IPC
- - IPCLOCALPATH: set to the path associated with the local socket,
-if any. Be aware that it may contain arbitrary characters.
-
-
- Options
-
-
- - -q : be quiet.
- - -Q : be normally verbose. This is the default.
- - -v : be verbose.
- - -p localpath : bind the local
-socket to localpath before connecting to path.
- - -l localname : use localname
-as the value of the IPCLOCALPATH environment variable.
-
-
-
-
diff --git a/doc/s6-ipcserver-access.html b/doc/s6-ipcserver-access.html
deleted file mode 100644
index 515138c..0000000
--- a/doc/s6-ipcserver-access.html
+++ /dev/null
@@ -1,172 +0,0 @@
-
-
-
-
- s6-networking: the s6-ipcserver-access program
-
-
-
-
-
-
-
-s6-networking
-Software
-skarnet.org
-
-
- The s6-ipcserver-access program
-
-
-s6-ipcserver-access is a command-line access
-control tool for Unix domain sockets on systems where the
-getpeereid() system call can be implemented.
-It is meant to be run after
-s6-ipcserverd and before
-the application program on the s6-ipcserver command line.
-
-
- Interface
-
-
- s6-ipcserver-access [ -v verbosity ] [ -E | -e ] [ -l localname ] [ -i rulesdir | -x rulesfile ] prog...
-
-
-
- - s6-ipcserver-access checks it is run under a UCSPI server tool
-such as s6-ipcserver.
-
- It checks that the remote end of the connection fits the
-accepted criteria defined by the database contained in rulesdir
-or rulesfile. If the database tells it to reject the connection,
-the program exits 1.
- - It sets up a few additional environment variables.
- - It executes into prog...,
-unless the first matching rule in the rule database
-includes instructions to override prog....
-
-
- Environment variables
-
-
-s6-ipcserver-access expects to inherit some environment variables from
-its parent:
-
-
-
- - PROTO: normally IPC, but could be anything else, like UNIX.
- - ${PROTO}REMOTEEUID: the effective UID of the client program connecting to the socket.
- - ${PROTO}REMOTEEGID: the effective GID of the client program connecting to the socket.
-
-
-
- Additionally, it exports the following variables before executing into
-prog...:
-
-
-
- - ${PROTO}LOCALPATH: set to the local "address" of the socket, as
-reported by the
-getsockname()
-system call, truncated to 99 characters max.
-
-
-
- Also, the access rules database can instruct s6-ipcserver-access to set
-up, or unset, more environment variables, depending on the client address.
-
-
- Options
-
-
- - -v verbosity : be more or less verbose, i.e.
-print more or less information to stderr:
-
- - 0: only log error messages.
- - 1: only log error and warning messages, and accepted connections.
-This is the default.
- - 2: also log rejected connections and more warning messages.
-
- - -E : no environment. All environment variables potentially
-set by s6-ipcserver-access, as well as those set by
-s6-ipcserver, will be unset instead.
- - -e : set up environment variables normally.
-This is the default.
- - -l localname : use localname
-as the value for the ${PROTO}LOCALPATH environment variable, instead of
-looking it up via getsockname().
- - -i rulesdir : check client credentials
-against a filesystem-based database in the rulesdir directory.
- - -x rulesfile : check client credentials
-against a cdb
-database in the rulesfile file. -i and -x are
-mutually exclusive. If none of those options is given, no credential checking will be
-performed, and a warning will be emitted on every connection if
-verbosity is 2 or more.
-
-
- Access rule checking
-
-
- s6-ipcserver-access checks its client connection against
-a ruleset. This ruleset can be implemented:
-
-
-
- - either in the filesystem as an arborescence of directories and files,
-if the -i option has been given. This option is the most flexible
-one: the directory format is simple enough for scripts to understand and
-modify it, and the ruleset can be changed dynamically. This is practical,
-for instance, for roaming users.
-- or in a CDB
-file, if the -x option has been given. This option is the most
-efficient one if the ruleset is static enough: a lot less system calls are
-needed to perform searches in a CDB than in the filesystem.
-
-
-
- The exact format of the ruleset is described on the
-s6-accessrules-cdb-from-fs page.
-
-
-
-s6-ipcserver-access first reads the client UID uid and
-GID gid from the
-${PROTO}REMOTEEUID and ${PROTO}REMOTEEGID environment variables, and checks
-them with the
-s6net_accessrules_keycheck_uidgid()
-function. In other words, it tries to match:
-
-
- - uid/uid
- - gid/gid
- - uid/default
-
-
-
- in that order. If no S6NET_ACCESSRULES_ALLOW result can be obtained,
-the connection is denied.
-
-
- Environment and executable modifications
-
-
- s6-ipcserver-access interprets non-empty env subdirectories
-and exec files
-it finds in the first matching rule of the ruleset, as explained
-in the s6-accessrules-cdb-from-fs
-page.
-
-
-
- - An env subdirectory is interpreted as if the
-s6-envdir
-command had been called before executing prog: the environment
-is modified according to the contents of env.
- - An exec file containing newprog completely
-bypasses the rest of s6-ipcserver-access' command line. After
-environment modifications, if any, s6-ipcserver-access execs into
-execlineb -c newprog.
-
-
-
-
diff --git a/doc/s6-ipcserver-socketbinder.html b/doc/s6-ipcserver-socketbinder.html
deleted file mode 100644
index 2c8d993..0000000
--- a/doc/s6-ipcserver-socketbinder.html
+++ /dev/null
@@ -1,72 +0,0 @@
-
-
-
-
- s6-networking: the s6-ipcserver-socketbinder program
-
-
-
-
-
-
-
-s6-networking
-Software
-skarnet.org
-
-
- The s6-ipcserver-socketbinder program
-
-
-s6-ipcserver-socketbinder binds a Unix domain
-socket, then executes a program.
-
-
- Interface
-
-
- s6-ipcserver-socketbinder [ -d | -D ] [ -b backlog ] path prog...
-
-
-
- - s6-ipcserver-socketbinder creates a Unix domain socket of type SOCK_STREAM
-and binds it to path. It prepares the socket to accept
-connections by calling
-listen().
- - It then execs into prog... with the open socket
-as its standard input.
-
-
- Options
-
-
- - -d : allow instant rebinding to the same path
-even if it has been used not long ago - this is the SO_REUSEADDR flag to
-setsockopt()
-and is generally used with server programs. This is the default. Note that
-path will be deleted if it already exists at program start time.
- - -D : disallow instant rebinding to the same path.
- - -b backlog : set a maximum of
-backlog backlog connections on the socket. Extra
-connection attempts will rejected by the kernel.
-
-
- Notes
-
-
- - s6-ipcserver-socketbinder is part of a set of basic blocks used to
-build a flexible Unix super-server. It normally should be given a
-command line crafted to make it execute into
-s6-ipcserverd to accept connections
-from clients, or into a program such as
-s6-applyuidgid
-to drop privileges before doing so.
- - The s6-ipcserver program does
-exactly this. It implements
-a full Unix super-server by building a command line starting with
-s6-ipcserver-socketbinder and ending with s6-ipcserverd followed by the
-application program, and executing into it.
-
-
-
-
diff --git a/doc/s6-ipcserver.html b/doc/s6-ipcserver.html
deleted file mode 100644
index 4b52888..0000000
--- a/doc/s6-ipcserver.html
+++ /dev/null
@@ -1,173 +0,0 @@
-
-
-
-
- s6-networking: the s6-ipcserver program
-
-
-
-
-
-
-
-s6-networking
-Software
-skarnet.org
-
-
- The s6-ipcserver program
-
-
-s6-ipcserver is an
-UCSPI server tool for
-Unix domain sockets, i.e. a super-server.
-It accepts connections from clients, and forks a
-program to handle each connection.
-
-
- Interface
-
-
- s6-ipcserver [ -1 ] [ -q | -Q | -v ] [ -d | -D ] [ -P | -p ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gidlist ] [ -g gid ] [ -u uid ] [ -U ] path prog...
-
-
-
- - s6-ipcserver binds a Unix domain socket to path.
- - It can drop its root privileges.
- - It closes its stdin and stdout.
- - For every client connection to this socket, it
-forks. The child sets some environment variables, then
-executes prog... with stdin reading from the socket and
-stdout writing to it.
- - Depending on the verbosity level, it logs what it does to stderr.
- - It runs until killed by a signal. Depending on the received
-signal, it may kill its children before exiting.
- - s6-ipcserver actually doesn't do any of this itself. It is
-a wrapper, rewriting the command line and executing into a chain
-of programs that perform those duties.
-
-
- Implementation
-
-
- - s6-ipcserver parses the options and arguments it is given, and
-builds a new command line with them. It then executes into that new
-command line.
- - The first program s6-ipcserver executes into is
-s6-ipcserver-socketbinder.
-It will create and bind a Unix domain socket to path, then
-execute into the rest of the command line.
- - If a privilege-dropping operation has been requested, the
-program that s6-ipcserver-socketbinder executes into is
-s6-applyuidgid.
-It will drop the root privileges, then execute into the rest of the
-command line.
- - The next program in the chain is
-s6-ipcserverd. It is executed into
-by s6-applyuidgid, or directly by s6-ipcserver-socketbinder if no
-privilege-dropping operation has been requested. s6-ipcserverd is
-the long-lived process, the "daemon" itself, accepting connections
-from clients.
- - For every client, s6-ipcserverd will spawn an instance of
-prog..., the remainder of the command line.
-
-
-
- Options
-
-
- - -1 : write path, followed by a newline,
-to stdout, before
-closing it, right after binding and listening to the Unix socket.
-If stdout is suitably redirected, this can be used by monitoring
-programs to check when the server is ready to accept connections.
- - -q : be quiet.
- - -Q : be normally verbose. This is the default.
- - -v : be verbose.
- - -d : allow instant rebinding to the same path
-even if it has been used not long ago - this is the SO_REUSEADDR flag to
-setsockopt()
-and is generally used with server programs. This is the default. Note that
-path will be deleted if it already exists at program start time.
- - -D : disallow instant rebinding to the same path.
- - -P : disable client credentials lookups. The
-IPCREMOTEEUID and IPCREMOTEEGID environment variables will be unset
-in every instance of prog.... This is the portable option,
-because not every system supports credential lookup across Unix domain
-sockets; but it is not as secure.
- - -p : enable client credentials lookups. This
-is the default; it works at least on Linux, Solaris, and
-*BSD systems. On systems that do not support it, every connection
-attempt will fail with a warning message.
- - -c maxconn : accept at most
-maxconn concurrent connections. Default is 40. It is
-impossible to set it higher than 1000.
- - -C localmaxconn : accept at most
-localmaxconn connections from the same user ID.
-Default is 40. It is impossible to set it higher than maxconn.
- - -b backlog : set a maximum of
-backlog backlog connections on the socket. Extra
-connection attempts will rejected by the kernel.
- - -G gidlist : change s6-ipcserver's
-supplementary group list to gidlist after binding the socket.
-This is only valid when run as root. gidlist must be a
-comma-separated list of numerical group IDs.
- - -g gid : change s6-ipcserver's groupid
-to gid after binding the socket. This is only valid when run
-as root.
- - -u uid : change s6-ipcserver's userid
-to uid after binding the socket. This is only valid when run
-as root.
- - -U : change s6-ipcserver's user id, group id and
-supplementary group list
-according to the values of the UID, GID and GIDLIST environment variables
-after binding the socket. This is only valid when run as root.
-This can be used with the
-s6-envuidgid
-program to easily script a service that binds to a privileged socket
-then drops its privileges to those of a named non-root account.
-
-
- Implementation
-
-
- - s6-ipcserver parses the options and arguments it is given, and
-builds a new command line with them. It then executes into that new
-command line.
- - The first program s6-ipcserver executes into is
-s6-ipcserver-socketbinder.
-It will create and bind a Unix domain socket to path, then
-execute into the rest of the command line.
- - If a privilege-dropping operation has been requested, the
-program that s6-ipcserver-socketbinder executes into is
-s6-applyuidgid.
-It will drop the root privileges, then execute into the rest of the
-command line.
- - The next program in the chain is
-s6-ipcserverd. It is executed into
-by s6-applyuidgid, or directly by s6-ipcserver-socketbinder if no
-privilege-dropping operation has been requested. s6-ipcserverd is
-the long-lived process, the "daemon" itself, accepting connections
-from clients.
- - For every client, s6-ipcserverd will spawn an instance of
-prog..., the remainder of the command line.
-
-
- Notes
-
-
- - s6-ipcserver does not interpret its options itself. It just
-dispatches them to the appropriate program on the command line that
-it builds.
- - In previous releases of s6-networking, s6-ipcserver was
-monolithic: it did the work of s6-ipcserver-socketbinder,
-s6-applyuidgid and s6-ipcserverd itself. The functionality has now
-been split into several different programs because some service startup
-schemes require the daemon to get its socket from an external
-program instead of creating and binding it itself. The most obvious
-application of this is upgrading a long-lived process without
-losing existing connections.
-
-
-
-
diff --git a/doc/s6-ipcserverd.html b/doc/s6-ipcserverd.html
deleted file mode 100644
index 916de12..0000000
--- a/doc/s6-ipcserverd.html
+++ /dev/null
@@ -1,131 +0,0 @@
-
-
-
-
- s6-networking: the s6-ipcserverd program
-
-
-
-
-
-
-
-s6-networking
-Software
-skarnet.org
-
-
- The s6-ipcserverd program
-
-
-s6-ipcserverd is the serving part of the
-s6-ipcserver super-server.
-It assumes that its stdin is a bound and listening Unix
-domain socket, and
-it accepts connections from clients connecting to it, forking a
-program to handle each connection.
-
-
- Interface
-
-
- s6-ipcserverd [ -1 ] [ -v verbosity ] [ -P | -p ] [ -c maxconn ] [ -C localmaxconn ] prog...
-
-
-
- - s6-ipcserverd accepts connections from clients to an already
-bound and listening SOCK_STREAM Unix domain socket which is its
-standard input.
- - For every client connection to this socket, it
-forks. The child sets some environment variables, then
-executes prog... with stdin reading from the socket and
-stdout writing to it.
- - Depending on the verbosity level, it logs what it does to stderr.
- - It runs until killed by a signal. Depending on the received
-signal, it may kill its children before exiting.
-
-
- Environment variables
-
-
- For each connection, an instance of prog... is spawned with
-the following variables set:
-
-
-
- - PROTO: always set to IPC
- - IPCREMOTEEUID: set to the effective UID of the client,
-unless credentials lookups have been disabled
- - IPCREMOTEEGID: set to the effective GID of the client,
-unless credentials lookups have been disabled
- - IPCREMOTEPATH: set to the path associated with the remote socket,
-if any. Be aware that it may contain arbitrary characters.
- - IPCCONNNUM: set to the number of connections originating from
-the same user (i.e. same uid)
-
-
-
- If client credentials lookup has been disabled, IPCREMOTEEUID and
-IPCREMOTEEUID will be set, but empty.
-
-
-
- Options
-
-
- - -1 : write a newline to stdout, and close stdout,
-right before entering the client-accepting loop.
-If stdout is suitably redirected, this can be used by monitoring
-programs to check when the server is accepting connections.
-The s6-notifywhenup
-program can be used before the s6-ipcserver
-invocation to notify listeners when the server is ready.
- - -v verbosity : be more or less
-verbose. verbosity can be 0 (quiet), 1 (normal), or 2
-(verbose).
- - -P : disable client credentials lookups. The
-IPCREMOTEEUID and IPCREMOTEEGID environment variables will be unset
-in every instance of prog.... This is the portable option,
-because not every system supports credential lookup across Unix domain
-sockets; but it is not as secure.
- - -p : enable client credentials lookups. This
-is the default; it works at least on Linux, Solaris, and
-*BSD systems. On systems that do not support it, every connection
-attempt will fail with a warning message.
- - -c maxconn : accept at most
-maxconn concurrent connections. Default is 40. It is
-impossible to set it higher than 1000.
- - -C localmaxconn : accept at most
-localmaxconn connections from the same user ID.
-Default is 40. It is impossible to set it higher than maxconn.
-
-
- Signals
-
-
- - SIGTERM: exit.
- - SIGHUP: send a SIGTERM and a SIGCONT to all children.
- - SIGQUIT: send a SIGTERM and a SIGCONT to all children, then exit.
- - SIGABRT: send a SIGKILL to all children, then exit.
-
-
- Notes
-
-
- - Unlike his close cousin
-ipcserver,
-s6-ipcserverd does not perform operations such as access control. Those are
-delegated to the
-s6-ipcserver-access program.
- - s6-ipcserverd can be used to set up
-local services.
- - s6-ipcserverd is meant to be execve'd into by a program that gets
-the listening socket. That program is normally
-s6-ipcserver-socketbinder,
-which creates the socket itself; but it can be a different one if the
-socket is to be retrieved by another means, for instance by fd-passing
-from a fd-holding daemon (some people call this "socket activation").
-
-
-
-
diff --git a/doc/s6-sudo.html b/doc/s6-sudo.html
deleted file mode 100644
index 603ad8a..0000000
--- a/doc/s6-sudo.html
+++ /dev/null
@@ -1,59 +0,0 @@
-
-
-
-
- s6-networking: the s6-sudo program
-
-
-
-
-
-
-
-s6-networking
-Software
-skarnet.org
-
-
- The s6-sudo program
-
-
-s6-sudo connects to a Unix domain socket and passes
-its standard file descriptors, command-line arguments and
-environment to a program running on the server side, potentially
-with different privileges.
-
-
- Interface
-
-
- s6-sudo [ -q | -Q | -v ] [ -p bindpath ] [ -l localname ] [ -e ] [ -t timeoutconn ] [ -T timeoutrun ] path [ args... ]
-
-
-
- - s6-sudo executes into s6-ipcclient path
-s6-sudoc args... It does nothing else: it is just a
-convenience program. The s6-ipcclient program connects
-to a Unix socket at path, and the
-s6-sudoc program transmits the desired elements over the
-socket.
- - It should be used to connect to a
-local service running the
-s6-sudod program, which will run a server program on the
-client's behalf.
-
-
- Options
-
-
- - The -q, -Q, -v, -p and -l
-options are passed to s6-ipcclient.
- - The -e, -t and -T options are passed to
-s6-sudoc.
- - Command-line arguments, if any, are also passed to
-s6-sudoc, which will transmit them to
-s6-sudod over the socket.
-
-
-
-
diff --git a/doc/s6-sudoc.html b/doc/s6-sudoc.html
deleted file mode 100644
index def09a9..0000000
--- a/doc/s6-sudoc.html
+++ /dev/null
@@ -1,80 +0,0 @@
-
-
-
-
- s6-networking: the s6-sudoc program
-
-
-
-
-
-
-
-s6-networking
-Software
-skarnet.org
-
-
- The s6-sudoc program
-
-
-s6-sudoc talks to a peer s6-sudod
-program over a Unix socket, passing it command-line arguments, environment
-variables and standard descriptors.
-
-
- Interface
-
-
- s6-sudoc [ -e ] [ -t timeoutconn ] [ -T timeoutrun ] [ args... ]
-
-
-
- - s6-sudoc transmits its standard input, standard output and standard error
-via fd-passing over a Unix socket that must be open on its descriptors 6 and 7.
- It expects a s6-sudod process to be receiving them
-on the other side.
-- It also transmits its command-line arguments args, and also its
-environment by default. Note that s6-sudod will not necessarily accept all the
-environment variables that s6-sudoc tries to transmit.
- - s6-sudoc waits for the server program run by s6-sudod to finish. It exits
-the same exit code as the server program. If the server program is killed by a
-signal, s6-sudoc kills itself with the same signal.
-
-
- Options
-
-
- - -e : do not attempt to transmit any environment variables
-to s6-sudod.
- - -t timeoutconn : if s6-sudod has not
-managed to process the given information and start the server program after
-timeoutconn milliseconds, give up. By default, timeoutconn
-is 0, meaning infinite. Note that there is no reason to set up a nonzero
-timeoutconn with a large value: s6-sudod is not supposed to block.
-The option is only there to protect against ill-written services.
- - -T timeoutrun : if the server program
-has not exited after timeoutrun milliseconds, give up. By
-default, timeoutrun is 0, meaning infinite.
-
-
- Notes
-
-
- - If s6-sudoc is killed, or exits after timeoutrun milliseconds,
-while the server program is still running, s6-sudod will send a SIGTERM and a
-SIGCONT to the server program - but this does not guarantee that it will die.
-If the server program keeps running, it might still read from the file that
-was s6-sudoc's stdin, or write to the files that were s6-sudoc's stdout or
-stderr. This is a potential security risk.
-Administrators should audit their server programs to make sure this does not
-happen.
- - More generally, anything using signals or terminals will not be
-handled transparently by the s6-sudoc + s6-sudod mechanism. The mechanism
-was designed to allow programs to gain privileges in specific situations:
-short-lived, simple, noninteractive processes. It was not designed to emulate
-the full suid functionality and will not go out of its way to do so.
-
-
-
-
diff --git a/doc/s6-sudod.html b/doc/s6-sudod.html
deleted file mode 100644
index c783736..0000000
--- a/doc/s6-sudod.html
+++ /dev/null
@@ -1,165 +0,0 @@
-
-
-
-
- s6-networking: the s6-sudod program
-
-
-
-
-
-
-
-s6-networking
-Software
-skarnet.org
-
-
- The s6-sudod program
-
-
-s6-sudod receives command-line arguments, environment variables
-and standard descriptors from a peer s6-sudoc
-program over a Unix socket, then forks another program.
-
-
- Interface
-
-
- s6-sudod [ -0 ] [ -1 ] [ -2 ] [ -s ] [ -t timeout ] [ sargv... ]
-
-
-
- - s6-sudod gets 3 file descriptors via fd-passing over a Unix socket that
-must be open on its descriptors 0 and 1. (The received descriptors will be the
-stdin, stdout and stderr of the server program.) It expects a
-s6-sudoc process to be sending them on the
-client side.
- - It also receives a list of command-line arguments cargv..., and
-an environment clientenv.
- - s6-sudod forks and executes sargv... cargv...
-The client command line is appended to the server command line.
- - s6-sudod waits for its child to exit and transmits its exit code
-to the peer s6-sudoc process. It then exits 0.
-
-
- Environment
-
-
-s6-sudod transmits its own environment to its child, plus the environment sent
-by s6-sudoc, filtered in the following manner:
-for every variable sent by s6-sudoc, if the
-variable is present but empty in s6-sudod's environment, then
-its value is overriden by the value given by s6-sudoc. A variable that is
-already nonempty, or that doesn't exist, in s6-sudod's environment, will not
-be transmitted to the child.
-
-
- Options
-
-
- - -0 : do not inherit stdin from s6-sudoc. The child will be
-run with its stdin pointing to /dev/null instead.
- - -1 : do not inherit stdout from s6-sudoc. The child will be
-run with its stdout pointing to /dev/null instead.
- - -2 : do not inherit stderr from s6-sudoc. The child will be
-run with its stderr being a copy of s6-sudod's stderr instead. (This is useful
-to still log the child's error messages without sending them to the client.)
- - -t timeout : if s6-sudod has not
-received all the needed data from the client after timeout
-milliseconds, it will exit without spawning a child. By default, timeout
-is 0, meaning infinite. This mechanism exists to protect the server from
-malicious or buggy clients that would uselessly consume resources.
-
-
- Usage example
-
-
- The typical use of s6-sudod is in a
-local service with a
-s6-ipcserver process listening on a Unix
-socket, a s6-ipcserver-access process
-performing client authentication and access control, and possibly a
-s6-envdir
-process setting up the environment variables that will be accepted by
-s6-sudod. The following script, meant to be a run script in a
-service directory,
-will set up a privileged program:
-
-
-
-#!/command/execlineb -P
-fdmove -c 2 1
-s6-envuidgid serveruser
-s6-ipcserver -U -- serversocket
-s6-ipcserver-access -v2 -l0 -i rules --
-exec -c
-s6-envdir env
-s6-sudod
-sargv
-
-
-
- - execlineb
-executes the script.
- - fdmove makes
-sure the script's error messages are sent to the service's logger.
- - s6-envuidgid
-sets the UID, GID and GIDLIST environment variables for s6-ipcserver to interpret.
- - s6-ipcserver binds to serversocket
-and drops its privileges to those of serveruser. Then, for every client
-connecting to serversocket:
-
- - s6-ipcserver-access checks the
-client's credentials according to the rules in directory rules.
-
- exec -c
-clears the environment.
- - s6-envdir
-sets environment variables according to the directory env. You can
-make sure that a variable VAR will be present but empty by performing
-echo > env/VAR. (A single newline is interpreted by s6-envdir as
-an empty variable; whereas if env/VAR is totally empty, then the
-VAR variable will be removed from the environment.)
- - s6-sudod reads a command line cargv, a client environment
-and file descriptors over the socket.
- - s6-sudod spawns sargv cargv.
-
- (Actually, s6-ipcserver does not do this
-itself: it executes into other programs that each do one of the tasks. But for
-our example, it does not matter.)
-
-
-
- This means that user clientuser running
-s6-sudo serversocket cargv will be
-able, if authorized by the configuration in rules, to run
-sargv cargv as user serveruser, with stdin,
-stdout, stderr and the environment variables properly listed in env
-transmitted to sargv.
-
-
- Notes
-
-
- - If s6-sudoc is killed, or exits after timeoutrun milliseconds,
-while the server program is still running, s6-sudod will send a SIGTERM and a
-SIGCONT to its child, then exit 1. However, sending a SIGTERM to the child
-does not guarantee that it will die; and
-if it keeps running, it might still read from the file that
-was s6-sudoc's stdin, or write to the files that were s6-sudoc's stdout or
-stderr. This is a potential security risk.
-Administrators should audit their server programs to make sure this does not
-happen.
- - More generally, anything using signals or terminals will not be
-handled transparently by the s6-sudoc + s6-sudod mechanism. The mechanism
-was designed to allow programs to gain privileges in specific situations:
-short-lived, simple, noninteractive processes. It was not designed to emulate
-the full suid functionality and will not go out of its way to do so.
- - sargv may be empty. In that case, the client is in complete
-control of the command line executed as serveruser. This setup is
-permitted by s6-sudod, but it is very dangerous, and extreme attention should
-be paid to the construction of the s6-ipcserver-access rules.
-
-
-
-
diff --git a/doc/s6-tcpserver-access.html b/doc/s6-tcpserver-access.html
index a89d9e3..435c92d 100644
--- a/doc/s6-tcpserver-access.html
+++ b/doc/s6-tcpserver-access.html
@@ -163,13 +163,13 @@ needed to perform searches in a CDB than in the filesystem.
The exact format of the ruleset is described on the
-s6-accessrules-cdb-from-fs page.
+s6-accessrules-cdb-from-fs page.
s6-tcpserver-access first gets the remote address ip of the
client and converts it to canonical form. Then it checks it with the
-s6net_accessrules_keycheck_ip46()
+s6_accessrules_keycheck_ip46()
function. In other words, it tries to match broader and broader network
prefixes of ip, from ip4/ip_32 to
ip4/0.0.0.0_0 if ip is v4, or from
@@ -177,10 +177,10 @@ prefixes of ip, from ip4/ip_32 to
is v6. If the result is:
- S6NET_ACCESSRULES_ERROR: it immediately exits 111.
- S6NET_ACCESSRULES_DENY: it immediately exits 1.
- S6NET_ACCESSRULES_ALLOW: it grants access.
- S6NET_ACCESSRULES_NOTFOUND: more information is needed.
+ S6_ACCESSRULES_ERROR: it immediately exits 111.
+ S6_ACCESSRULES_DENY: it immediately exits 1.
+ S6_ACCESSRULES_ALLOW: it grants access.
+ S6_ACCESSRULES_NOTFOUND: more information is needed.
@@ -188,12 +188,12 @@ is v6. If the result is:
is denied. But if s6-tcpserver-access is authorized to perform DNS lookups,
then it gets the remote name of the client, remotehost, and
checks it with the
-s6net_accessrules_keycheck_reversedns()
+s6_accessrules_keycheck_reversedns()
function. In other words, it tries to match shorter and shorter suffixes
of remotehost, from reversedns/remotehost to
reversedns/@.
This time, the connection is denied is the result is anything else than
-S6NET_ACCESSRULES_ALLOW.
+S6_ACCESSRULES_ALLOW.
@@ -208,7 +208,7 @@ query on remotehost does not match ip.
s6-tcpserver-access interprets non-empty env subdirectories
and exec files
it finds in the matching rule of the ruleset, as explained
-in the s6-accessrules-cdb-from-fs
+in the s6-accessrules-cdb-from-fs
page.
diff --git a/doc/seekablepipe.html b/doc/seekablepipe.html
deleted file mode 100644
index cd17b2e..0000000
--- a/doc/seekablepipe.html
+++ /dev/null
@@ -1,36 +0,0 @@
-
-
-
-
- s6-networking: the seekablepipe program
-
-
-
-
-
-
-
-s6-networking
-Software
-skarnet.org
-
-
- The seekablepipe program
-
-seekablepipe turns the reading end of a pipe into a seekable
-file descriptor, using a temporary file.
-
- Interface
-
-
- writer | seekablepipe tmpfile reader [ args ... ]
-
-
-
-seekablepipe writes writer's output to tmpfile,
-which is unlinked as soon as it is created. Then it execs into
-reader, reading from a file descriptor on tmpfile.
-
-
-
-
diff --git a/package/deps.mak b/package/deps.mak
index ab24798..b0f8835 100644
--- a/package/deps.mak
+++ b/package/deps.mak
@@ -2,28 +2,16 @@
# This file has been generated by tools/gen-deps.sh
#
-src/include/s6-networking/s6net.h: src/include/s6-networking/accessrules.h src/include/s6-networking/ident.h
+src/include/s6-networking/s6net.h: src/include/s6-networking/ident.h
src/clock/s6-clockadd.o src/clock/s6-clockadd.lo: src/clock/s6-clockadd.c
src/clock/s6-clockview.o src/clock/s6-clockview.lo: src/clock/s6-clockview.c
src/clock/s6-sntpclock.o src/clock/s6-sntpclock.lo: src/clock/s6-sntpclock.c
src/clock/s6-taiclock.o src/clock/s6-taiclock.lo: src/clock/s6-taiclock.c
src/clock/s6-taiclockd.o src/clock/s6-taiclockd.lo: src/clock/s6-taiclockd.c
-src/conn-tools/s6-accessrules-cdb-from-fs.o src/conn-tools/s6-accessrules-cdb-from-fs.lo: src/conn-tools/s6-accessrules-cdb-from-fs.c
-src/conn-tools/s6-accessrules-fs-from-cdb.o src/conn-tools/s6-accessrules-fs-from-cdb.lo: src/conn-tools/s6-accessrules-fs-from-cdb.c
-src/conn-tools/s6-connlimit.o src/conn-tools/s6-connlimit.lo: src/conn-tools/s6-connlimit.c
src/conn-tools/s6-getservbyname.o src/conn-tools/s6-getservbyname.lo: src/conn-tools/s6-getservbyname.c
src/conn-tools/s6-ident-client.o src/conn-tools/s6-ident-client.lo: src/conn-tools/s6-ident-client.c src/include/s6-networking/ident.h
-src/conn-tools/s6-ioconnect.o src/conn-tools/s6-ioconnect.lo: src/conn-tools/s6-ioconnect.c
-src/conn-tools/s6-ipcclient.o src/conn-tools/s6-ipcclient.lo: src/conn-tools/s6-ipcclient.c
-src/conn-tools/s6-ipcserver-access.o src/conn-tools/s6-ipcserver-access.lo: src/conn-tools/s6-ipcserver-access.c src/include/s6-networking/accessrules.h
-src/conn-tools/s6-ipcserver-socketbinder.o src/conn-tools/s6-ipcserver-socketbinder.lo: src/conn-tools/s6-ipcserver-socketbinder.c
-src/conn-tools/s6-ipcserver.o src/conn-tools/s6-ipcserver.lo: src/conn-tools/s6-ipcserver.c src/include/s6-networking/config.h
-src/conn-tools/s6-ipcserverd.o src/conn-tools/s6-ipcserverd.lo: src/conn-tools/s6-ipcserverd.c
-src/conn-tools/s6-sudo.o src/conn-tools/s6-sudo.lo: src/conn-tools/s6-sudo.c src/include/s6-networking/config.h
-src/conn-tools/s6-sudoc.o src/conn-tools/s6-sudoc.lo: src/conn-tools/s6-sudoc.c src/conn-tools/s6-sudo.h
-src/conn-tools/s6-sudod.o src/conn-tools/s6-sudod.lo: src/conn-tools/s6-sudod.c src/conn-tools/s6-sudo.h
src/conn-tools/s6-tcpclient.o src/conn-tools/s6-tcpclient.lo: src/conn-tools/s6-tcpclient.c src/include/s6-networking/ident.h
-src/conn-tools/s6-tcpserver-access.o src/conn-tools/s6-tcpserver-access.lo: src/conn-tools/s6-tcpserver-access.c src/include/s6-networking/s6net.h
+src/conn-tools/s6-tcpserver-access.o src/conn-tools/s6-tcpserver-access.lo: src/conn-tools/s6-tcpserver-access.c src/include/s6-networking/ident.h
src/conn-tools/s6-tcpserver.o src/conn-tools/s6-tcpserver.lo: src/conn-tools/s6-tcpserver.c src/include/s6-networking/config.h
src/conn-tools/s6-tcpserver4-socketbinder.o src/conn-tools/s6-tcpserver4-socketbinder.lo: src/conn-tools/s6-tcpserver4-socketbinder.c
src/conn-tools/s6-tcpserver4.o src/conn-tools/s6-tcpserver4.lo: src/conn-tools/s6-tcpserver4.c src/include/s6-networking/config.h
@@ -31,22 +19,12 @@ src/conn-tools/s6-tcpserver4d.o src/conn-tools/s6-tcpserver4d.lo: src/conn-tools
src/conn-tools/s6-tcpserver6-socketbinder.o src/conn-tools/s6-tcpserver6-socketbinder.lo: src/conn-tools/s6-tcpserver6-socketbinder.c
src/conn-tools/s6-tcpserver6.o src/conn-tools/s6-tcpserver6.lo: src/conn-tools/s6-tcpserver6.c src/include/s6-networking/config.h
src/conn-tools/s6-tcpserver6d.o src/conn-tools/s6-tcpserver6d.lo: src/conn-tools/s6-tcpserver6d.c
-src/conn-tools/seekablepipe.o src/conn-tools/seekablepipe.lo: src/conn-tools/seekablepipe.c
-src/libs6net/s6net_accessrules_backend_cdb.o src/libs6net/s6net_accessrules_backend_cdb.lo: src/libs6net/s6net_accessrules_backend_cdb.c src/include/s6-networking/accessrules.h
-src/libs6net/s6net_accessrules_backend_fs.o src/libs6net/s6net_accessrules_backend_fs.lo: src/libs6net/s6net_accessrules_backend_fs.c src/include/s6-networking/accessrules.h
-src/libs6net/s6net_accessrules_keycheck_ip4.o src/libs6net/s6net_accessrules_keycheck_ip4.lo: src/libs6net/s6net_accessrules_keycheck_ip4.c src/include/s6-networking/accessrules.h
-src/libs6net/s6net_accessrules_keycheck_ip6.o src/libs6net/s6net_accessrules_keycheck_ip6.lo: src/libs6net/s6net_accessrules_keycheck_ip6.c src/include/s6-networking/accessrules.h
-src/libs6net/s6net_accessrules_keycheck_reversedns.o src/libs6net/s6net_accessrules_keycheck_reversedns.lo: src/libs6net/s6net_accessrules_keycheck_reversedns.c src/include/s6-networking/accessrules.h
-src/libs6net/s6net_accessrules_keycheck_uidgid.o src/libs6net/s6net_accessrules_keycheck_uidgid.lo: src/libs6net/s6net_accessrules_keycheck_uidgid.c src/include/s6-networking/accessrules.h
-src/libs6net/s6net_accessrules_uidgid_cdb.o src/libs6net/s6net_accessrules_uidgid_cdb.lo: src/libs6net/s6net_accessrules_uidgid_cdb.c src/include/s6-networking/accessrules.h
-src/libs6net/s6net_accessrules_uidgid_fs.o src/libs6net/s6net_accessrules_uidgid_fs.lo: src/libs6net/s6net_accessrules_uidgid_fs.c src/include/s6-networking/accessrules.h
src/libs6net/s6net_ident_client.o src/libs6net/s6net_ident_client.lo: src/libs6net/s6net_ident_client.c src/include/s6-networking/ident.h
src/libs6net/s6net_ident_error.o src/libs6net/s6net_ident_error.lo: src/libs6net/s6net_ident_error.c src/include/s6-networking/ident.h
src/libs6net/s6net_ident_reply_get.o src/libs6net/s6net_ident_reply_get.lo: src/libs6net/s6net_ident_reply_get.c src/include/s6-networking/ident.h
src/libs6net/s6net_ident_reply_parse.o src/libs6net/s6net_ident_reply_parse.lo: src/libs6net/s6net_ident_reply_parse.c src/include/s6-networking/ident.h
src/minidentd/mgetuid-default.o src/minidentd/mgetuid-default.lo: src/minidentd/mgetuid-default.c src/minidentd/mgetuid.h
src/minidentd/mgetuid-linux.o src/minidentd/mgetuid-linux.lo: src/minidentd/mgetuid-linux.c src/minidentd/mgetuid.h
-src/minidentd/mgetuid.o src/minidentd/mgetuid.lo: src/minidentd/mgetuid.c src/minidentd/mgetuid.h
src/minidentd/minidentd.o src/minidentd/minidentd.lo: src/minidentd/minidentd.c src/minidentd/mgetuid.h
s6-clockadd: private EXTRA_LIBS := ${SYSCLOCK_LIB}
@@ -59,40 +37,16 @@ s6-taiclock: private EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB}
s6-taiclock: src/clock/s6-taiclock.o -lskarnet
s6-taiclockd: private EXTRA_LIBS := ${SOCKET_LIB} ${SYSCLOCK_LIB}
s6-taiclockd: src/clock/s6-taiclockd.o -lskarnet
-s6-accessrules-cdb-from-fs: private EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB}
-s6-accessrules-cdb-from-fs: src/conn-tools/s6-accessrules-cdb-from-fs.o ${LIBS6NET} -lskarnet
-s6-accessrules-fs-from-cdb: private EXTRA_LIBS :=
-s6-accessrules-fs-from-cdb: src/conn-tools/s6-accessrules-fs-from-cdb.o -lskarnet
-s6-connlimit: private EXTRA_LIBS :=
-s6-connlimit: src/conn-tools/s6-connlimit.o -lskarnet
s6-getservbyname: private EXTRA_LIBS := ${SOCKET_LIB}
s6-getservbyname: src/conn-tools/s6-getservbyname.o -lskarnet
s6-ident-client: private EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB}
s6-ident-client: src/conn-tools/s6-ident-client.o ${LIBS6NET} -lskarnet
-s6-ioconnect: private EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB}
-s6-ioconnect: src/conn-tools/s6-ioconnect.o -lskarnet
-s6-ipcclient: private EXTRA_LIBS := ${SOCKET_LIB}
-s6-ipcclient: src/conn-tools/s6-ipcclient.o -lskarnet
-s6-ipcserver: private EXTRA_LIBS :=
-s6-ipcserver: src/conn-tools/s6-ipcserver.o -lskarnet
-s6-ipcserver-access: private EXTRA_LIBS := ${SOCKET_LIB}
-s6-ipcserver-access: src/conn-tools/s6-ipcserver-access.o ${LIBS6NET} -lskarnet
-s6-ipcserver-socketbinder: private EXTRA_LIBS := ${SOCKET_LIB}
-s6-ipcserver-socketbinder: src/conn-tools/s6-ipcserver-socketbinder.o -lskarnet
-s6-ipcserverd: private EXTRA_LIBS := ${SOCKET_LIB}
-s6-ipcserverd: src/conn-tools/s6-ipcserverd.o -lskarnet
-s6-sudo: private EXTRA_LIBS :=
-s6-sudo: src/conn-tools/s6-sudo.o -lskarnet
-s6-sudoc: private EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB}
-s6-sudoc: src/conn-tools/s6-sudoc.o -lskarnet
-s6-sudod: private EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB}
-s6-sudod: src/conn-tools/s6-sudod.o -lskarnet
s6-tcpclient: private EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB}
s6-tcpclient: src/conn-tools/s6-tcpclient.o ${LIBS6NET} -ls6dns -lskarnet
s6-tcpserver: private EXTRA_LIBS :=
s6-tcpserver: src/conn-tools/s6-tcpserver.o -lskarnet
s6-tcpserver-access: private EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB}
-s6-tcpserver-access: src/conn-tools/s6-tcpserver-access.o ${LIBS6NET} -ls6dns -lskarnet
+s6-tcpserver-access: src/conn-tools/s6-tcpserver-access.o ${LIBS6NET} -ls6dns -ls6 -lskarnet
s6-tcpserver4: private EXTRA_LIBS := ${SOCKET_LIB}
s6-tcpserver4: src/conn-tools/s6-tcpserver4.o -lskarnet
s6-tcpserver4-socketbinder: private EXTRA_LIBS := ${SOCKET_LIB}
@@ -105,9 +59,7 @@ s6-tcpserver6-socketbinder: private EXTRA_LIBS := ${SOCKET_LIB}
s6-tcpserver6-socketbinder: src/conn-tools/s6-tcpserver6-socketbinder.o -lskarnet
s6-tcpserver6d: private EXTRA_LIBS := ${SOCKET_LIB}
s6-tcpserver6d: src/conn-tools/s6-tcpserver6d.o -lskarnet
-seekablepipe: private EXTRA_LIBS :=
-seekablepipe: src/conn-tools/seekablepipe.o -lskarnet
-libs6net.a: src/libs6net/s6net_accessrules_backend_cdb.o src/libs6net/s6net_accessrules_backend_fs.o src/libs6net/s6net_accessrules_keycheck_ip4.o src/libs6net/s6net_accessrules_keycheck_ip6.o src/libs6net/s6net_accessrules_keycheck_reversedns.o src/libs6net/s6net_accessrules_keycheck_uidgid.o src/libs6net/s6net_accessrules_uidgid_cdb.o src/libs6net/s6net_accessrules_uidgid_fs.o src/libs6net/s6net_ident_client.o src/libs6net/s6net_ident_reply_get.o src/libs6net/s6net_ident_reply_parse.o src/libs6net/s6net_ident_error.o
-libs6net.so: src/libs6net/s6net_accessrules_backend_cdb.lo src/libs6net/s6net_accessrules_backend_fs.lo src/libs6net/s6net_accessrules_keycheck_ip4.lo src/libs6net/s6net_accessrules_keycheck_ip6.lo src/libs6net/s6net_accessrules_keycheck_reversedns.lo src/libs6net/s6net_accessrules_keycheck_uidgid.lo src/libs6net/s6net_accessrules_uidgid_cdb.lo src/libs6net/s6net_accessrules_uidgid_fs.lo src/libs6net/s6net_ident_client.lo src/libs6net/s6net_ident_reply_get.lo src/libs6net/s6net_ident_reply_parse.lo src/libs6net/s6net_ident_error.lo
+libs6net.a: src/libs6net/s6net_ident_client.o src/libs6net/s6net_ident_reply_get.o src/libs6net/s6net_ident_reply_parse.o src/libs6net/s6net_ident_error.o
+libs6net.so: src/libs6net/s6net_ident_client.lo src/libs6net/s6net_ident_reply_get.lo src/libs6net/s6net_ident_reply_parse.lo src/libs6net/s6net_ident_error.lo
minidentd: private EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB}
minidentd: src/minidentd/minidentd.o src/minidentd/mgetuid.o -lskarnet
diff --git a/package/modes b/package/modes
index cc7dfa7..4d4cb19 100644
--- a/package/modes
+++ b/package/modes
@@ -1,11 +1,5 @@
-s6-connlimit 0755
s6-getservbyname 0755
-s6-ioconnect 0755
s6-ident-client 0755
-s6-ipcclient 0755
-s6-ipcserver 0755
-s6-ipcserverd 0755
-s6-ipcserver-socketbinder 0755
s6-tcpclient 0755
s6-tcpserver4 0755
s6-tcpserver4d 0755
@@ -14,14 +8,7 @@ s6-tcpserver6 0755
s6-tcpserver6d 0755
s6-tcpserver6-socketbinder 0755
s6-tcpserver 0755
-s6-accessrules-cdb-from-fs 0755
-s6-accessrules-fs-from-cdb 0755
-s6-ipcserver-access 0755
s6-tcpserver-access 0755
-seekablepipe 0755
-s6-sudo 0755
-s6-sudoc 0755
-s6-sudod 0755
s6-clockadd 0700
s6-clockview 0755
s6-sntpclock 0755
diff --git a/package/targets.mak b/package/targets.mak
index 66b61be..1aacad2 100644
--- a/package/targets.mak
+++ b/package/targets.mak
@@ -1,12 +1,6 @@
BIN_TARGETS := \
-s6-connlimit \
s6-getservbyname \
-s6-ioconnect \
s6-ident-client \
-s6-ipcclient \
-s6-ipcserver \
-s6-ipcserverd \
-s6-ipcserver-socketbinder \
s6-tcpclient \
s6-tcpserver \
s6-tcpserver4 \
@@ -15,14 +9,7 @@ s6-tcpserver4-socketbinder \
s6-tcpserver6 \
s6-tcpserver6d \
s6-tcpserver6-socketbinder \
-s6-accessrules-cdb-from-fs \
-s6-accessrules-fs-from-cdb \
-s6-ipcserver-access \
s6-tcpserver-access \
-seekablepipe \
-s6-sudo \
-s6-sudoc \
-s6-sudod \
s6-clockadd \
s6-clockview \
s6-sntpclock \
diff --git a/src/conn-tools/deps-exe/s6-accessrules-cdb-from-fs b/src/conn-tools/deps-exe/s6-accessrules-cdb-from-fs
deleted file mode 100644
index 407cc2d..0000000
--- a/src/conn-tools/deps-exe/s6-accessrules-cdb-from-fs
+++ /dev/null
@@ -1,4 +0,0 @@
-${LIBS6NET}
--lskarnet
-${SOCKET_LIB}
-${TAINNOW_LIB}
diff --git a/src/conn-tools/deps-exe/s6-accessrules-fs-from-cdb b/src/conn-tools/deps-exe/s6-accessrules-fs-from-cdb
deleted file mode 100644
index e7187fe..0000000
--- a/src/conn-tools/deps-exe/s6-accessrules-fs-from-cdb
+++ /dev/null
@@ -1 +0,0 @@
--lskarnet
diff --git a/src/conn-tools/deps-exe/s6-connlimit b/src/conn-tools/deps-exe/s6-connlimit
deleted file mode 100644
index e7187fe..0000000
--- a/src/conn-tools/deps-exe/s6-connlimit
+++ /dev/null
@@ -1 +0,0 @@
--lskarnet
diff --git a/src/conn-tools/deps-exe/s6-ioconnect b/src/conn-tools/deps-exe/s6-ioconnect
deleted file mode 100644
index e027835..0000000
--- a/src/conn-tools/deps-exe/s6-ioconnect
+++ /dev/null
@@ -1,3 +0,0 @@
--lskarnet
-${SOCKET_LIB}
-${TAINNOW_LIB}
diff --git a/src/conn-tools/deps-exe/s6-ipcclient b/src/conn-tools/deps-exe/s6-ipcclient
deleted file mode 100644
index 19869b2..0000000
--- a/src/conn-tools/deps-exe/s6-ipcclient
+++ /dev/null
@@ -1,2 +0,0 @@
--lskarnet
-${SOCKET_LIB}
diff --git a/src/conn-tools/deps-exe/s6-ipcserver b/src/conn-tools/deps-exe/s6-ipcserver
deleted file mode 100644
index e7187fe..0000000
--- a/src/conn-tools/deps-exe/s6-ipcserver
+++ /dev/null
@@ -1 +0,0 @@
--lskarnet
diff --git a/src/conn-tools/deps-exe/s6-ipcserver-access b/src/conn-tools/deps-exe/s6-ipcserver-access
deleted file mode 100644
index f328786..0000000
--- a/src/conn-tools/deps-exe/s6-ipcserver-access
+++ /dev/null
@@ -1,3 +0,0 @@
-${LIBS6NET}
--lskarnet
-${SOCKET_LIB}
diff --git a/src/conn-tools/deps-exe/s6-ipcserver-socketbinder b/src/conn-tools/deps-exe/s6-ipcserver-socketbinder
deleted file mode 100644
index 19869b2..0000000
--- a/src/conn-tools/deps-exe/s6-ipcserver-socketbinder
+++ /dev/null
@@ -1,2 +0,0 @@
--lskarnet
-${SOCKET_LIB}
diff --git a/src/conn-tools/deps-exe/s6-ipcserverd b/src/conn-tools/deps-exe/s6-ipcserverd
deleted file mode 100644
index 19869b2..0000000
--- a/src/conn-tools/deps-exe/s6-ipcserverd
+++ /dev/null
@@ -1,2 +0,0 @@
--lskarnet
-${SOCKET_LIB}
diff --git a/src/conn-tools/deps-exe/s6-sudo b/src/conn-tools/deps-exe/s6-sudo
deleted file mode 100644
index e7187fe..0000000
--- a/src/conn-tools/deps-exe/s6-sudo
+++ /dev/null
@@ -1 +0,0 @@
--lskarnet
diff --git a/src/conn-tools/deps-exe/s6-sudoc b/src/conn-tools/deps-exe/s6-sudoc
deleted file mode 100644
index e027835..0000000
--- a/src/conn-tools/deps-exe/s6-sudoc
+++ /dev/null
@@ -1,3 +0,0 @@
--lskarnet
-${SOCKET_LIB}
-${TAINNOW_LIB}
diff --git a/src/conn-tools/deps-exe/s6-sudod b/src/conn-tools/deps-exe/s6-sudod
deleted file mode 100644
index e027835..0000000
--- a/src/conn-tools/deps-exe/s6-sudod
+++ /dev/null
@@ -1,3 +0,0 @@
--lskarnet
-${SOCKET_LIB}
-${TAINNOW_LIB}
diff --git a/src/conn-tools/deps-exe/s6-tcpserver-access b/src/conn-tools/deps-exe/s6-tcpserver-access
index 661b207..87a105c 100644
--- a/src/conn-tools/deps-exe/s6-tcpserver-access
+++ b/src/conn-tools/deps-exe/s6-tcpserver-access
@@ -1,5 +1,6 @@
${LIBS6NET}
-ls6dns
+-ls6
-lskarnet
${SOCKET_LIB}
${TAINNOW_LIB}
diff --git a/src/conn-tools/deps-exe/seekablepipe b/src/conn-tools/deps-exe/seekablepipe
deleted file mode 100644
index e7187fe..0000000
--- a/src/conn-tools/deps-exe/seekablepipe
+++ /dev/null
@@ -1 +0,0 @@
--lskarnet
diff --git a/src/conn-tools/s6-accessrules-cdb-from-fs.c b/src/conn-tools/s6-accessrules-cdb-from-fs.c
deleted file mode 100644
index 82da64c..0000000
--- a/src/conn-tools/s6-accessrules-cdb-from-fs.c
+++ /dev/null
@@ -1,195 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include /* for rename() */
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define USAGE "s6-accessrules-cdb-from-fs cdbfile dir"
-
-static stralloc tmp = STRALLOC_ZERO ;
-
-static void cleanup (void)
-{
- register int e = errno ;
- unlink(tmp.s) ;
- errno = e ;
-}
-
-static void dienomem (void)
-{
- cleanup() ;
- strerr_diefu1sys(111, "stralloc_catb") ;
-}
-
-static void doit (struct cdb_make *c, stralloc *sa, unsigned int start)
-{
- unsigned int tmpbase = tmp.len ;
- unsigned int k = sa->len ;
- if (!stralloc_readyplus(sa, 10)) dienomem() ;
- stralloc_catb(sa, "/allow", 7) ;
- tmp.s[tmpbase] = 0 ;
- if (access(sa->s, R_OK) < 0)
- {
- if ((errno != ENOENT) && (errno != EACCES))
- {
- cleanup() ;
- strerr_diefu2sys(111, "access ", sa->s) ;
- }
- sa->len = k+1 ;
- stralloc_catb(sa, "deny", 5) ;
- if (access(sa->s, R_OK) < 0)
- if ((errno != ENOENT) && (errno != EACCES))
- {
- cleanup() ;
- strerr_diefu2sys(111, "access ", sa->s) ;
- }
- else return ;
- else if (cdb_make_add(c, sa->s + start, k - start, "D", 1) < 0)
- {
- cleanup() ;
- strerr_diefu1sys(111, "cdb_make_add") ;
- }
- }
- else
- {
- uint16 envlen = 0 ;
- uint16 execlen = 0 ;
- register int r ;
- tmp.s[tmpbase] = 'A' ;
- sa->len = k+1 ;
- stralloc_catb(sa, "env", 4) ;
- tmp.len = tmpbase + 3 ;
- if ((envdir(sa->s, &tmp) < 0) && (errno != ENOENT))
- {
- cleanup() ;
- strerr_diefu2sys(111, "s6_envdir ", sa->s) ;
- }
- if (tmp.len > tmpbase + 4103)
- {
- cleanup() ;
- strerr_diefu2sys(100, sa->s, "too big") ;
- }
- envlen = tmp.len - tmpbase - 3 ;
- tmp.len = tmpbase ;
- uint16_pack_big(tmp.s + tmpbase + 1, envlen) ;
- sa->len = k+1 ;
- stralloc_catb(sa, "exec", 5) ;
- r = openreadnclose(sa->s, tmp.s + tmpbase + 5 + envlen, 4096) ;
- if ((r < 0) && (errno != ENOENT))
- {
- cleanup() ;
- strerr_diefu2sys(111, "openreadnclose ", sa->s) ;
- }
- if (r > 0) execlen = r ;
- uint16_pack_big(tmp.s + tmpbase + 3 + envlen, execlen) ;
- if (cdb_make_add(c, sa->s + start, k - start, tmp.s + tmpbase, 5 + envlen + execlen) < 0)
- {
- cleanup() ;
- strerr_diefu1sys(111, "cdb_make_add") ;
- }
- }
-}
-
-
-int main (int argc, char const *const *argv)
-{
- stralloc sa = STRALLOC_ZERO ;
- struct cdb_make c = CDB_MAKE_ZERO ;
- DIR *dir ;
- unsigned int start ;
- int fd ;
- PROG = "s6-accessrules-cdb-from-fs" ;
- if (argc < 3) strerr_dieusage(100, USAGE) ;
- if (!stralloc_cats(&tmp, argv[1])) return 0 ;
- if (random_sauniquename(&tmp, 8) < 0)
- strerr_diefu1sys(111, "random_sauniquename") ;
- if (!stralloc_readyplus(&tmp, 8210))
- strerr_diefu1sys(111, "stralloc_catb") ;
- stralloc_0(&tmp) ;
- fd = open_trunc(tmp.s) ;
- if (fd < 0) strerr_diefu2sys(111, "open_trunc ", tmp.s) ;
- if (cdb_make_start(&c, fd) < 0)
- {
- cleanup() ;
- strerr_diefu1sys(111, "cdb_make_start") ;
- }
- dir = opendir(argv[2]) ;
- if (!dir)
- {
- cleanup() ;
- strerr_diefu2sys(111, "opendir ", argv[2]) ;
- }
- if (!stralloc_cats(&sa, argv[2]) || !stralloc_catb(&sa, "/", 1)) dienomem() ;
- start = sa.len ;
-
- for (;;)
- {
- DIR *subdir ;
- direntry *d ;
- unsigned int base ;
- errno = 0 ;
- d = readdir(dir) ;
- if (!d) break ;
- if (d->d_name[0] == '.') continue ;
- sa.len = start ;
- if (!stralloc_cats(&sa, d->d_name) || !stralloc_0(&sa)) dienomem() ;
- base = sa.len ;
- subdir = opendir(sa.s) ;
- if (!subdir)
- {
- cleanup() ;
- strerr_diefu2sys(111, "opendir ", sa.s) ;
- }
- sa.s[base-1] = '/' ;
- for (;;)
- {
- errno = 0 ;
- d = readdir(subdir) ;
- if (!d) break ;
- if (d->d_name[0] == '.') continue ;
- sa.len = base ;
- if (!stralloc_cats(&sa, d->d_name)) dienomem() ;
- doit(&c, &sa, start) ;
- }
- if (errno)
- {
- sa.s[base-1] = 0 ;
- cleanup() ;
- strerr_diefu2sys(111, "readdir ", sa.s) ;
- }
- dir_close(subdir) ;
- }
- if (errno)
- {
- cleanup() ;
- strerr_diefu2sys(111, "readdir ", argv[2]) ;
- }
- dir_close(dir) ;
- if (cdb_make_finish(&c) < 0)
- {
- cleanup() ;
- strerr_diefu1sys(111, "cdb_make_finish") ;
- }
- if (fd_sync(fd) < 0)
- {
- cleanup() ;
- strerr_diefu1sys(111, "fd_sync") ;
- }
- fd_close(fd) ;
- if (rename(tmp.s, argv[1]) < 0)
- {
- cleanup() ;
- strerr_diefu4sys(111, "rename ", tmp.s, " to ", argv[1]) ;
- }
- return 0 ;
-}
diff --git a/src/conn-tools/s6-accessrules-fs-from-cdb.c b/src/conn-tools/s6-accessrules-fs-from-cdb.c
deleted file mode 100644
index cbe67ef..0000000
--- a/src/conn-tools/s6-accessrules-fs-from-cdb.c
+++ /dev/null
@@ -1,177 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define USAGE "s6-accessrules-fs-from-cdb dir cdbfile"
-
-static char const *basedir ;
-unsigned int basedirlen ;
-
-static void cleanup ()
-{
- int e = errno ;
- rm_rf(basedir) ;
- errno = e ;
-}
-
-static int domkdir (char const *s)
-{
- return mkdir(s, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH | S_ISGID) < 0 ? (errno == EEXIST) : 1 ;
-}
-
-static void mkdirp (char *s)
-{
- mode_t m = umask(0) ;
- unsigned int len = str_len(s) ;
- register unsigned int i = basedirlen + 1 ;
- for (; i < len ; i++) if (s[i] == '/')
- {
- s[i] = 0 ;
- if (!domkdir(s)) goto err ;
- s[i] = '/' ;
- }
- if (!domkdir(s)) goto err ;
- umask(m) ;
- return ;
-
- err:
- cleanup() ;
- strerr_diefu2sys(111, "mkdir ", s) ;
-}
-
-static void touchtrunc (char const *file)
-{
- register int fd = open_trunc(file) ;
- if (fd < 0) strerr_diefu2sys(111, "open_trunc ", file) ;
- fd_close(fd) ;
-}
-
-static int doenv (char const *dir, unsigned int dirlen, char *env, unsigned int envlen)
-{
- mode_t m = umask(0) ;
- unsigned int i = 0 ;
- if (!domkdir(dir))
- {
- cleanup() ;
- strerr_diefu2sys(111, "mkdir ", dir) ;
- }
- umask(m) ;
- while (i < envlen)
- {
- unsigned int n = byte_chr(env + i, envlen - i, 0) ;
- if (i + n >= envlen) return 0 ;
- {
- unsigned int p = byte_chr(env + i, n, '=') ;
- char tmp[dirlen + p + 2] ;
- byte_copy(tmp, dirlen, dir) ;
- tmp[dirlen] = '/' ;
- byte_copy(tmp + dirlen + 1, p, env + i) ;
- tmp[dirlen + p + 1] = 0 ;
- if (p < n)
- {
- env[i+n] = '\n' ;
- if (!openwritenclose_unsafe(tmp, env + i + p + 1, n - p))
- {
- cleanup() ;
- strerr_diefu2sys(111, "openwritenclose_unsafe ", tmp) ;
- }
- }
- else touchtrunc(tmp) ;
- }
- i += n + 1 ;
- }
- return 1 ;
-}
-
-static int doit (struct cdb *c)
-{
- unsigned int klen = cdb_keylen(c) ;
- unsigned int dlen = cdb_datalen(c) ;
- {
- uint16 envlen, execlen ;
- char name[basedirlen + klen + 8] ;
- char data[dlen] ;
- byte_copy(name, basedirlen, basedir) ;
- name[basedirlen] = '/' ;
- if (!dlen || (dlen > 8201)) return (errno = EINVAL, 0) ;
- if ((cdb_read(c, name+basedirlen+1, klen, cdb_keypos(c)) < 0)
- || (cdb_read(c, data, dlen, cdb_datapos(c)) < 0))
- {
- cleanup() ;
- strerr_diefu1sys(111, "cdb_read") ;
- }
- name[basedirlen + klen + 1] = 0 ;
- mkdirp(name) ;
- name[basedirlen + klen + 1] = '/' ;
- if (data[0] == 'A')
- {
- byte_copy(name + basedirlen + klen + 2, 6, "allow") ;
- touchtrunc(name) ;
- }
- else if (data[0] == 'D')
- {
- byte_copy(name + basedirlen + klen + 2, 5, "deny") ;
- touchtrunc(name) ;
- }
- if (dlen < 3) return 1 ;
- uint16_unpack_big(data + 1, &envlen) ;
- if ((envlen > 4096U) || (3U + envlen > dlen)) return (errno = EINVAL, 0) ;
- uint16_unpack_big(data + 3 + envlen, &execlen) ;
- if ((execlen > 4096U) || (5U + envlen + execlen != dlen)) return (errno = EINVAL, 0) ;
- if (envlen)
- {
- byte_copy(name + basedirlen + klen + 2, 4, "env") ;
- if (!doenv(name, basedirlen + klen + 5, data + 3, envlen)) return (errno = EINVAL, 0) ;
- }
- byte_copy(name + basedirlen + klen + 2, 5, "exec") ;
- if (execlen && !openwritenclose_unsafe(name, data + 5 + envlen, execlen))
- {
- cleanup() ;
- strerr_diefu2sys(111, "openwritenclose_unsafe ", name) ;
- }
- }
- return 1 ;
-}
-
-int main (int argc, char const *const *argv)
-{
- struct cdb c = CDB_ZERO ;
- uint32 kpos ;
- PROG = "s6-accessrules-fs-from-cdb" ;
- if (argc < 3) strerr_dieusage(100, USAGE) ;
- if (cdb_mapfile(&c, argv[2]) < 0) strerr_diefu1sys(111, "cdb_mapfile") ;
- basedir = argv[1] ;
- basedirlen = str_len(argv[1]) ;
- {
- mode_t m = umask(0) ;
- if (mkdir(basedir, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH | S_ISGID) < 0)
- strerr_diefu2sys(111, "mkdir ", basedir) ;
- umask(m) ;
- }
- cdb_traverse_init(&c, &kpos) ;
- for (;;)
- {
- register int r = cdb_nextkey(&c, &kpos) ;
- if (r < 0)
- {
- cleanup() ;
- strerr_diefu1sys(111, "cdb_nextkey") ;
- }
- else if (!r) break ;
- else if (!doit(&c))
- {
- cleanup() ;
- strerr_diefu1sys(111, "handle key") ;
- }
- }
- return 0 ;
-}
diff --git a/src/conn-tools/s6-connlimit.c b/src/conn-tools/s6-connlimit.c
deleted file mode 100644
index 19f4a2d..0000000
--- a/src/conn-tools/s6-connlimit.c
+++ /dev/null
@@ -1,39 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include
-#include
-#include
-
-int main (int argc, char const *const *argv, char const *const *envp)
-{
- char const *x ;
- unsigned int protolen ;
- PROG = "s6-connlimit" ;
- x = env_get2(envp, "PROTO") ;
- if (!x) strerr_dienotset(100, "PROTO") ;
- protolen = str_len(x) ;
- if (!protolen) strerr_dief1x(100, "empty PROTO") ;
- {
- unsigned int num ;
- char s[protolen + 8] ;
- byte_copy(s, protolen, x) ;
- byte_copy(s + protolen, 8, "CONNNUM") ;
- x = env_get2(envp, s) ;
- if (!x) strerr_dienotset(100, s) ;
- if (!uint0_scan(x, &num)) strerr_dief2x(100, "invalid ", s) ;
- byte_copy(s + protolen + 4, 4, "MAX") ;
- x = env_get2(envp, s) ;
- if (x)
- {
- unsigned int max ;
- if (!uint0_scan(x, &max)) strerr_dief2x(100, "invalid ", s) ;
- if (num > max)
- strerr_dief2x(1, "number of connections from this client limited to ", x) ;
- }
- }
- pathexec0_run(argv+1, envp) ;
- (void)argc ;
- strerr_dieexec(111, argv[1]) ;
-}
diff --git a/src/conn-tools/s6-ioconnect.c b/src/conn-tools/s6-ioconnect.c
deleted file mode 100644
index a0217bb..0000000
--- a/src/conn-tools/s6-ioconnect.c
+++ /dev/null
@@ -1,187 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define USAGE "s6-ioconnect [ -t timeout ] [ -r fdr ] [ -w fdw ] [ -0 ] [ -1 ] [ -6 ] [ -7 ]"
-#define dieusage() strerr_dieusage(100, USAGE)
-
-
-typedef struct ioblah_s ioblah_t, *ioblah_t_ref ;
-struct ioblah_s
-{
- unsigned int fd ;
- unsigned int xindex ;
- unsigned int flagsocket : 1 ;
- unsigned int flagopen : 1 ;
-} ;
-
-static ioblah_t a[2][2] = { { { 0, 4, 0, 1 }, { 7, 4, 0, 1 } }, { { 6, 4, 0, 1 }, { 1, 4, 0, 1 } } } ;
-static iobuffer b[2] ;
-static iopause_fd x[5] = { { -1, IOPAUSE_READ, 0 } } ;
-
-static void closeit (unsigned int i, unsigned int j)
-{
- if (a[i][j].flagsocket)
- {
- if ((shutdown(a[i][j].fd, j) < 0) && (errno != ENOTSOCK) && (errno != ENOTCONN))
- strerr_warnwu4sys("shutdown ", i ? "incoming" : "outgoing", " socket for ", j ? "writing" : "reading") ;
- }
- fd_close(a[i][j].fd) ;
- a[i][j].flagopen = 0 ;
- a[i][j].xindex = 5 ;
-}
-
-static inline void finishit (unsigned int i)
-{
- closeit(i, 1) ;
- iobuffer_finish(&b[i]) ;
-}
-
-static void handle_signals (void)
-{
- for (;;)
- {
- char c = selfpipe_read() ;
- switch (c)
- {
- case -1 : strerr_diefu1sys(111, "selfpipe_read") ;
- case 0 : return ;
- case SIGTERM :
- {
- if (a[0][0].xindex < 5) x[a[0][0].xindex].revents |= IOPAUSE_EXCEPT ;
- if (a[1][0].xindex < 5) x[a[1][0].xindex].revents |= IOPAUSE_EXCEPT ;
- break ;
- }
- default :
- strerr_dief1x(101, "internal error: inconsistent signal state. Please submit a bug-report.") ;
- }
- }
-}
-
-int main (int argc, char const *const *argv)
-{
- tain_t tto ;
- register unsigned int i, j ;
- PROG = "s6-ioconnect" ;
- {
- subgetopt_t l = SUBGETOPT_ZERO ;
- unsigned int t = 0 ;
- for (;;)
- {
- register int opt = subgetopt_r(argc, argv, "0167t:r:w:", &l) ;
- if (opt < 0) break ;
- switch (opt)
- {
- case '0' : a[0][0].flagsocket = 1 ; break ;
- case '1' : a[1][1].flagsocket = 1 ; break ;
- case '6' : a[1][0].flagsocket = 1 ; break ;
- case '7' : a[0][1].flagsocket = 1 ; break ;
- case 't' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ;
- case 'r' : if (!uint0_scan(l.arg, &a[1][0].fd)) dieusage() ; break ;
- case 'w' : if (!uint0_scan(l.arg, &a[0][1].fd)) dieusage() ; break ;
- default : dieusage() ;
- }
- }
- if (t) tain_from_millisecs(&tto, t) ; else tto = tain_infinite_relative ;
- argc -= l.ind ; argv += l.ind ;
- }
- if ((a[0][1].fd < 3) || (a[1][0].fd < 3)) dieusage() ;
- for (i = 0 ; i < 2 ; i++)
- {
- for (j = 0 ; j < 2 ; j++)
- if (ndelay_on(a[i][j].fd) == -1) strerr_diefu1sys(111, "ndelay_on") ;
- if (!iobuffer_init(&b[i], a[i][0].fd, a[i][1].fd) < 0) strerr_diefu1sys(111, "iobuffer_init") ;
- }
- if (sig_ignore(SIGPIPE) == -1) strerr_diefu1sys(111, "sig_ignore") ;
- tain_now_g() ;
- x[0].fd = selfpipe_init() ;
- if (x[0].fd < 0) strerr_diefu1sys(111, "selfpipe_init") ;
- if (selfpipe_trap(SIGTERM) < 0)
- strerr_diefu1sys(111, "trap SIGTERM") ;
-
- for (;;)
- {
- tain_t deadline ;
- unsigned int xlen = 1 ;
- int r ;
-
- tain_add_g(&deadline, iobuffer_isempty(&b[0]) && iobuffer_isempty(&b[1]) ? &tto : &tain_infinite_relative) ;
- for (i = 0 ; i < 2 ; i++)
- {
- a[i][0].xindex = 5 ;
- if (a[i][0].flagopen && iobuffer_isreadable(&b[i]))
- {
- x[xlen].fd = a[i][0].fd ;
- x[xlen].events = IOPAUSE_READ ;
- a[i][0].xindex = xlen++ ;
- }
- a[i][1].xindex = 5 ;
- if (a[i][1].flagopen)
- {
- x[xlen].fd = a[i][1].fd ;
- x[xlen].events = IOPAUSE_EXCEPT | (iobuffer_isempty(&b[i]) ? 0 : IOPAUSE_WRITE) ;
- a[i][1].xindex = xlen++ ;
- }
- }
- if (xlen <= 1) break ;
-
- r = iopause_g(x, xlen, &deadline) ;
- if (r < 0) strerr_diefu1sys(111, "iopause") ;
- else if (!r) return 1 ;
-
- if (x[0].revents & IOPAUSE_READ) handle_signals() ;
-
- for (i = 0 ; i < 2 ; i++) if (a[i][1].xindex < 5)
- {
- if (x[a[i][1].xindex].revents & IOPAUSE_WRITE)
- {
- if (!iobuffer_flush(&b[i]))
- {
- if (!error_isagain(errno)) x[a[i][1].xindex].revents |= IOPAUSE_EXCEPT ;
- }
- else if (!a[i][0].flagopen) finishit(i) ;
- }
- if (x[a[i][1].xindex].revents & IOPAUSE_EXCEPT)
- {
- if (!iobuffer_isempty(&b[i]))
- {
- iobuffer_flush(&b[i]) ; /* sets errno */
- strerr_warnwu3sys("write ", i ? "incoming" : "outgoing", " data") ;
- }
- closeit(i, 0) ; finishit(i) ;
- }
- }
-
- for (i = 0 ; i < 2 ; i++) if (a[i][0].xindex < 5)
- {
- if (x[a[i][0].xindex].revents & IOPAUSE_READ)
- {
- if (sanitize_read(iobuffer_fill(&b[i])) < 0)
- {
- if (errno != EPIPE) strerr_warnwu3sys("read ", i ? "incoming" : "outgoing", " data") ;
- x[a[i][0].xindex].revents |= IOPAUSE_EXCEPT ;
- }
- }
- if (x[a[i][0].xindex].revents & IOPAUSE_EXCEPT)
- {
- closeit(i, 0) ;
- if (iobuffer_isempty(&b[i])) finishit(i) ;
- }
- }
- }
- return 0 ;
-}
diff --git a/src/conn-tools/s6-ipcclient.c b/src/conn-tools/s6-ipcclient.c
deleted file mode 100644
index c9aba1e..0000000
--- a/src/conn-tools/s6-ipcclient.c
+++ /dev/null
@@ -1,66 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include
-#include
-#include
-
-#define USAGE "s6-ipcclient [ -q | -Q | -v ] [ -p bindpath ] [ -l localname ] path prog..."
-
-int main (int argc, char const *const *argv, char const *const *envp)
-{
- char const *bindpath = 0 ;
- char const *localname = 0 ;
- unsigned int verbosity = 1 ;
- PROG = "s6-ipcclient" ;
- {
- subgetopt_t l = SUBGETOPT_ZERO ;
- for (;;)
- {
- register int opt = subgetopt_r(argc, argv, "qQvp:l:", &l) ;
- if (opt == -1) break ;
- switch (opt)
- {
- case 'q' : if (verbosity) verbosity-- ; break ;
- case 'Q' : verbosity = 1 ; break ;
- case 'v' : verbosity++ ; break ;
- case 'p' : bindpath = l.arg ; break ;
- case 'l' : localname = l.arg ; break ;
- default : strerr_dieusage(100, USAGE) ;
- }
- }
- argc -= l.ind ; argv += l.ind ;
- }
- if (argc < 2) strerr_dieusage(100, USAGE) ;
- {
- char modif[24 + IPCPATH_MAX] = "PROTO=IPC\0IPCLOCALPATH=" ;
- unsigned int i = 23 ;
- int s = ipc_stream() ;
- if (s == -1) strerr_diefu1sys(111, "create socket") ;
- if (bindpath && (ipc_bind(s, bindpath) == -1))
- strerr_diefu2sys(111, "bind socket to ", bindpath) ;
- if (!ipc_connect(s, argv[0]))
- strerr_diefu2sys(111, "connect to ", argv[0]) ;
- if (verbosity >= 2) strerr_warn3x(PROG, ": connected to ", argv[0]) ;
- if (localname)
- {
- register unsigned int n = str_len(localname) ;
- if (n > IPCPATH_MAX) n = IPCPATH_MAX ;
- byte_copy(modif + i, n, localname) ;
- i += n ; modif[i++] = 0 ;
- }
- else
- {
- int dummy ;
- if (ipc_local(s, modif + i, IPCPATH_MAX, &dummy) < 0) modif[--i] = 0 ;
- else i += str_len(modif + i) + 1 ;
- }
- if (fd_move(6, s) < 0)
- strerr_diefu2sys(111, "set up fd ", "6") ;
- if (fd_copy(7, 6) < 0)
- strerr_diefu2sys(111, "set up fd ", "7") ;
- pathexec_r(argv+1, envp, env_len(envp), modif, i) ;
- }
- strerr_dieexec(111, argv[1]) ;
-}
diff --git a/src/conn-tools/s6-ipcserver-access.c b/src/conn-tools/s6-ipcserver-access.c
deleted file mode 100644
index 183f56c..0000000
--- a/src/conn-tools/s6-ipcserver-access.c
+++ /dev/null
@@ -1,211 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define USAGE "s6-ipcserver-access [ -v verbosity ] [ -e | -E ] [ -l localname ] [ -i rulesdir | -x rulesfile ] prog..."
-
-static unsigned int verbosity = 1 ;
-
- /* Utility functions */
-
-static inline void dieusage (void) gccattr_noreturn ;
-static inline void dieusage ()
-{
- strerr_dieusage(100, USAGE) ;
-}
-
-static inline void dienomem (void) gccattr_noreturn ;
-static inline void dienomem ()
-{
- strerr_diefu1sys(111, "update environment") ;
-}
-
-static inline void X (void) gccattr_noreturn ;
-static inline void X ()
-{
- strerr_dief1x(101, "internal inconsistency. Please submit a bug-report.") ;
-}
-
-
- /* Logging */
-
-static void logit (unsigned int pid, unsigned int uid, unsigned int gid, int h)
-{
- char fmtpid[UINT_FMT] ;
- char fmtuid[UINT_FMT] ;
- char fmtgid[UINT_FMT] ;
- fmtpid[uint_fmt(fmtpid, pid)] = 0 ;
- fmtuid[uint_fmt(fmtuid, uid)] = 0 ;
- fmtgid[uint_fmt(fmtgid, gid)] = 0 ;
- if (h) strerr_warni7x("allow", " pid ", fmtpid, " uid ", fmtuid, " gid ", fmtgid) ;
- else strerr_warni7sys("deny", " pid ", fmtpid, " uid ", fmtuid, " gid ", fmtgid) ;
-}
-
-static inline void log_accept (unsigned int pid, unsigned int uid, unsigned int gid)
-{
- logit(pid, uid, gid, 1) ;
-}
-
-static inline void log_deny (unsigned int pid, unsigned int uid, unsigned int gid)
-{
- logit(pid, uid, gid, 0) ;
-}
-
-
- /* Checking */
-
-static s6net_accessrules_result_t check_cdb (unsigned int uid, unsigned int gid, char const *file, s6net_accessrules_params_t *params)
-{
- struct cdb c = CDB_ZERO ;
- int fd = open_readb(file) ;
- register s6net_accessrules_result_t r ;
- if (fd < 0) return -1 ;
- if (cdb_init(&c, fd) < 0) strerr_diefu2sys(111, "cdb_init ", file) ;
- r = s6net_accessrules_uidgid_cdb(uid, gid, &c, params) ;
- cdb_free(&c) ;
- fd_close(fd) ;
- return r ;
-}
-
-static inline int check (s6net_accessrules_params_t *params, char const *rules, unsigned int rulestype, unsigned int uid, unsigned int gid)
-{
- char const *x = "" ;
- s6net_accessrules_result_t r ;
- switch (rulestype)
- {
- case 0 :
- if (verbosity >= 2) strerr_warnw1x("invoked without a ruleset!") ;
- return 1 ;
- case 1 :
- r = s6net_accessrules_uidgid_fs(uid, gid, rules, params) ;
- x = "fs" ;
- break ;
- case 2 :
- r = check_cdb(uid, gid, rules, params) ;
- x = "cdb" ;
- break ;
- default : X() ;
- }
- switch (r)
- {
- case S6NET_ACCESSRULES_ERROR : strerr_diefu4sys(111, "check ", x, " ruleset in ", rules) ;
- case S6NET_ACCESSRULES_ALLOW : return 1 ;
- case S6NET_ACCESSRULES_DENY : return (errno = EACCES, 0) ;
- case S6NET_ACCESSRULES_NOTFOUND : return (errno = ENOENT, 0) ;
- default : X() ;
- }
-}
-
-
-int main (int argc, char const *const *argv, char const *const *envp)
-{
- s6net_accessrules_params_t params = S6NET_ACCESSRULES_PARAMS_ZERO ;
- char const *rules = 0 ;
- char const *localname = 0 ;
- char const *proto ;
- unsigned int protolen ;
- unsigned int uid = 0, gid = 0 ;
- unsigned int rulestype = 0 ;
- int doenv = 1 ;
- PROG = "s6-ipcserver-access" ;
- {
- subgetopt_t l = SUBGETOPT_ZERO ;
- for (;;)
- {
- register int opt = subgetopt_r(argc, argv, "v:Eel:i:x:", &l) ;
- if (opt == -1) break ;
- switch (opt)
- {
- case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ;
- case 'E' : doenv = 0 ; break ;
- case 'e' : doenv = 1 ; break ;
- case 'l' : localname = l.arg ; break ;
- case 'i' : rules = l.arg ; rulestype = 1 ; break ;
- case 'x' : rules = l.arg ; rulestype = 2 ; break ;
- default : dieusage() ;
- }
- }
- argc -= l.ind ; argv += l.ind ;
- }
- if (!argc) dieusage() ;
- if (!*argv[0]) dieusage() ;
-
- proto = env_get2(envp, "PROTO") ;
- if (!proto) strerr_dienotset(100, "PROTO") ;
- protolen = str_len(proto) ;
-
- {
- char const *x ;
- char tmp[protolen + 11] ;
- byte_copy(tmp, protolen, proto) ;
- byte_copy(tmp + protolen, 11, "REMOTEEUID") ;
- x = env_get2(envp, tmp) ;
- if (!x) strerr_dienotset(100, tmp) ;
- if (!uint0_scan(x, &uid)) strerr_dieinvalid(100, tmp) ;
- tmp[protolen + 7] = 'G' ;
- x = env_get2(envp, tmp) ;
- if (!x) strerr_dienotset(100, tmp) ;
- if (!uint0_scan(x, &gid)) strerr_dieinvalid(100, tmp) ;
- }
-
- if (!check(¶ms, rules, rulestype, uid, gid))
- {
- if (verbosity >= 2) log_deny(getpid(), uid, gid) ;
- return 1 ;
- }
- if (verbosity) log_accept(getpid(), uid, gid) ;
-
- if (doenv)
- {
- char tmp[protolen + 10] ;
- byte_copy(tmp, protolen, proto) ;
- byte_copy(tmp + protolen, 10, "LOCALPATH") ;
- if (localname)
- {
- if (!env_addmodif(¶ms.env, tmp, localname)) dienomem() ;
- }
- else
- {
- char curname[IPCPATH_MAX+1] ;
- int dummy ;
- if (ipc_local(0, curname, IPCPATH_MAX+1, &dummy) < 0)
- strerr_diefu1sys(111, "ipc_local") ;
- if (!env_addmodif(¶ms.env, tmp, curname)) dienomem() ;
- }
- }
- else
- {
- char tmp[protolen + 11] ;
- byte_copy(tmp, protolen, proto) ;
- byte_copy(tmp + protolen, 11, "REMOTEEUID") ;
- if (!env_addmodif(¶ms.env, "PROTO", 0)) dienomem() ;
- if (!env_addmodif(¶ms.env, tmp, 0)) dienomem() ;
- tmp[protolen + 7] = 'G' ;
- if (!env_addmodif(¶ms.env, tmp, 0)) dienomem() ;
- byte_copy(tmp + protolen + 6, 5, "PATH") ;
- if (!env_addmodif(¶ms.env, tmp, 0)) dienomem() ;
- byte_copy(tmp + protolen, 10, "LOCALPATH") ;
- if (!env_addmodif(¶ms.env, tmp, 0)) dienomem() ;
- }
-
- if (params.exec.len)
- {
- char *specialargv[4] = { EXECLINE_EXTBINPREFIX "execlineb", "-c", params.exec.s, 0 } ;
- pathexec_r((char const *const *)specialargv, envp, env_len(envp), params.env.s, params.env.len) ;
- strerr_dieexec(111, specialargv[0]) ;
- }
-
- pathexec_r(argv, envp, env_len(envp), params.env.s, params.env.len) ;
- strerr_dieexec(111, argv[0]) ;
-}
diff --git a/src/conn-tools/s6-ipcserver-socketbinder.c b/src/conn-tools/s6-ipcserver-socketbinder.c
deleted file mode 100644
index b5a32f3..0000000
--- a/src/conn-tools/s6-ipcserver-socketbinder.c
+++ /dev/null
@@ -1,49 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define USAGE "s6-ipcserver-socketbinder [ -d | -D ] [ -b backlog ] path prog..."
-#define dieusage() strerr_dieusage(100, USAGE)
-
-int main (int argc, char const *const *argv, char const *const *envp)
-{
- unsigned int backlog = 20 ;
- int flagreuse = 1 ;
- PROG = "s6-ipcserver-socketbinder" ;
- {
- subgetopt_t l = SUBGETOPT_ZERO ;
- for (;;)
- {
- register int opt = subgetopt_r(argc, argv, "Ddb:", &l) ;
- if (opt == -1) break ;
- switch (opt)
- {
- case 'D' : flagreuse = 0 ; break ;
- case 'd' : flagreuse = 1 ; break ;
- case 'b' : if (!uint0_scan(l.arg, &backlog)) dieusage() ; break ;
- default : dieusage() ;
- }
- }
- argc -= l.ind ; argv += l.ind ;
- }
- if (argc < 2) dieusage() ;
- close(0) ;
- if (ipc_stream()) strerr_diefu1sys(111, "create socket") ;
- {
- mode_t m = umask(0) ;
- if ((flagreuse ? ipc_bind_reuse(0, argv[0]) : ipc_bind(0, argv[0])) < 0)
- strerr_diefu2sys(111, "bind to ", argv[0]) ;
- umask(m) ;
- }
- if (ipc_listen(0, backlog) < 0) strerr_diefu2sys(111, "listen to ", argv[0]) ;
-
- pathexec_run(argv[1], argv + 1, envp) ;
- strerr_dieexec(111, argv[1]) ;
-}
diff --git a/src/conn-tools/s6-ipcserver.c b/src/conn-tools/s6-ipcserver.c
deleted file mode 100644
index b6546f8..0000000
--- a/src/conn-tools/s6-ipcserver.c
+++ /dev/null
@@ -1,128 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define USAGE "s6-ipcserver [ -q | -Q | -v ] [ -d | -D ] [ -P | -p ] [ -1 ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gid,gid,... ] [ -g gid ] [ -u uid ] [ -U ] path prog..."
-#define dieusage() strerr_dieusage(100, USAGE)
-
-int main (int argc, char const *const *argv, char const *const *envp)
-{
- unsigned int verbosity = 1 ;
- int flag1 = 0 ;
- int flagU = 0 ;
- int flaglookup = 1 ;
- int flagreuse = 1 ;
- unsigned int uid = 0, gid = 0 ;
- gid_t gids[NGROUPS_MAX] ;
- unsigned int gidn = (unsigned int)-1 ;
- unsigned int maxconn = 0 ;
- unsigned int localmaxconn = 0 ;
- unsigned int backlog = (unsigned int)-1 ;
- PROG = "s6-ipcserver" ;
- {
- subgetopt_t l = SUBGETOPT_ZERO ;
- for (;;)
- {
- register int opt = subgetopt_r(argc, argv, "qQvDd1UPpc:C:b:u:g:G:", &l) ;
- if (opt == -1) break ;
- switch (opt)
- {
- case 'q' : verbosity = 0 ; break ;
- case 'Q' : verbosity = 1 ; break ;
- case 'v' : verbosity = 2 ; break ;
- case 'D' : flagreuse = 0 ; break ;
- case 'd' : flagreuse = 1 ; break ;
- case 'P' : flaglookup = 0 ; break ;
- case 'p' : flaglookup = 1 ; break ;
- case 'c' : if (!uint0_scan(l.arg, &maxconn)) dieusage() ; if (!maxconn) maxconn = 1 ; break ;
- case 'C' : if (!uint0_scan(l.arg, &localmaxconn)) dieusage() ; if (!localmaxconn) localmaxconn = 1 ; break ;
- case 'b' : if (!uint0_scan(l.arg, &backlog)) dieusage() ; break ;
- case 'u' : if (!uint0_scan(l.arg, &uid)) dieusage() ; break ;
- case 'g' : if (!uint0_scan(l.arg, &gid)) dieusage() ; break ;
- case 'G' : if (!gid_scanlist(gids, NGROUPS_MAX, l.arg, &gidn) && *l.arg) dieusage() ; break ;
- case '1' : flag1 = 1 ; break ;
- case 'U' : flagU = 1 ; uid = 0 ; gid = 0 ; gidn = (unsigned int)-1 ; break ;
- default : dieusage() ;
- }
- }
- argc -= l.ind ; argv += l.ind ;
- if (argc < 2) dieusage() ;
- }
-
- {
- unsigned int m = 0 ;
- unsigned int pos = 0 ;
- char fmt[UINT_FMT * 5 + GID_FMT * NGROUPS_MAX] ;
- char const *newargv[24 + argc] ;
- newargv[m++] = S6_NETWORKING_BINPREFIX "s6-ipcserver-socketbinder" ;
- if (!flagreuse) newargv[m++] = "-D" ;
- if (backlog != (unsigned int)-1)
- {
- newargv[m++] = "-b" ;
- newargv[m++] = fmt + pos ;
- pos += uint_fmt(fmt + pos, backlog) ;
- fmt[pos++] = 0 ;
- }
- newargv[m++] = "--" ;
- newargv[m++] = *argv++ ;
- if (flagU || uid || gid || gidn != (unsigned int)-1)
- {
- newargv[m++] = S6_EXTBINPREFIX "s6-applyuidgid" ;
- if (flagU) newargv[m++] = "-Uz" ;
- if (uid)
- {
- newargv[m++] = "-u" ;
- newargv[m++] = fmt + pos ;
- pos += uint_fmt(fmt + pos, uid) ;
- fmt[pos++] = 0 ;
- }
- if (gid)
- {
- newargv[m++] = "-g" ;
- newargv[m++] = fmt + pos ;
- pos += uint_fmt(fmt + pos, gid) ;
- fmt[pos++] = 0 ;
- }
- if (gidn != (unsigned int)-1)
- {
- newargv[m++] = "-G" ;
- newargv[m++] = fmt + pos ;
- pos += gid_fmtlist(fmt + pos, gids, gidn) ;
- fmt[pos++] = 0 ;
- }
- newargv[m++] = "--" ;
- }
- newargv[m++] = S6_NETWORKING_BINPREFIX "s6-ipcserverd" ;
- if (!verbosity) newargv[m++] = "-v0" ;
- else if (verbosity == 2) newargv[m++] = "-v2" ;
- if (flag1) newargv[m++] = "-1" ;
- if (!flaglookup) newargv[m++] = "-P" ;
- if (maxconn)
- {
- newargv[m++] = "-c" ;
- newargv[m++] = fmt + pos ;
- pos += uint_fmt(fmt + pos, maxconn) ;
- fmt[pos++] = 0 ;
- }
- if (localmaxconn)
- {
- newargv[m++] = "-C" ;
- newargv[m++] = fmt + pos ;
- pos += uint_fmt(fmt + pos, localmaxconn) ;
- fmt[pos++] = 0 ;
- }
- newargv[m++] = "--" ;
- while (*argv) newargv[m++] = *argv++ ;
- newargv[m++] = 0 ;
- pathexec_run(newargv[0], newargv, envp) ;
- strerr_dieexec(111, newargv[0]) ;
- }
-}
diff --git a/src/conn-tools/s6-ipcserverd.c b/src/conn-tools/s6-ipcserverd.c
deleted file mode 100644
index 4afe5cc..0000000
--- a/src/conn-tools/s6-ipcserverd.c
+++ /dev/null
@@ -1,399 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define USAGE "s6-ipcserverd [ -v verbosity ] [ -1 ] [ -P | -p ] [ -c maxconn ] [ -C localmaxconn ] prog..."
-
-#define ABSOLUTE_MAXCONN 1000
-
-static unsigned int maxconn = 40 ;
-static unsigned int localmaxconn = 40 ;
-static char fmtmaxconn[UINT_FMT+1] = "/" ;
-static char fmtlocalmaxconn[UINT_FMT+1] = "/" ;
-static int flaglookup = 1 ;
-static unsigned int verbosity = 1 ;
-static int cont = 1 ;
-
-static diuint *piduid ;
-static unsigned int numconn = 0 ;
-static diuint *uidnum ;
-static unsigned int uidlen = 0 ;
-
-
- /* Utility functions */
-
-static inline void dieusage ()
-{
- strerr_dieusage(100, USAGE) ;
-}
-
-static inline void X (void)
-{
- strerr_dief1x(101, "internal inconsistency. Please submit a bug-report.") ;
-}
-
-
- /* Lookup primitives */
-
-static unsigned int lookup_diuint (diuint const *tab, unsigned int tablen, unsigned int key)
-{
- register unsigned int i = 0 ;
- for (; i < tablen ; i++) if (key == tab[i].left) break ;
- return i ;
-}
-
-static inline unsigned int lookup_pid (unsigned int pid)
-{
- return lookup_diuint(piduid, numconn, pid) ;
-}
-
-static inline unsigned int lookup_uid (unsigned int uid)
-{
- return lookup_diuint(uidnum, uidlen, uid) ;
-}
-
-
- /* Logging */
-
-static inline void log_start (void)
-{
- strerr_warni1x("starting") ;
-}
-
-static inline void log_exit (void)
-{
- strerr_warni1x("exiting") ;
-}
-
-static void log_status (void)
-{
- char fmt[UINT_FMT] ;
- fmt[uint_fmt(fmt, numconn)] = 0 ;
- strerr_warni3x("status: ", fmt, fmtmaxconn) ;
-}
-
-static void log_deny (unsigned int uid, unsigned int gid, unsigned int num)
-{
- char fmtuid[UINT_FMT] = "?" ;
- char fmtgid[UINT_FMT] = "?" ;
- char fmtnum[UINT_FMT] = "?" ;
- if (flaglookup)
- {
- fmtuid[uint_fmt(fmtuid, uid)] = 0 ;
- fmtgid[uint_fmt(fmtgid, gid)] = 0 ;
- fmtnum[uint_fmt(fmtnum, num)] = 0 ;
- }
- strerr_warni7sys("deny ", fmtuid, ":", fmtgid, " count ", fmtnum, fmtlocalmaxconn) ;
-}
-
-static void log_accept (unsigned int pid, unsigned int uid, unsigned int gid, unsigned int num)
-{
- char fmtuidgid[UINT_FMT * 2 + 1] = "?:?" ;
- char fmtpid[UINT_FMT] ;
- char fmtnum[UINT_FMT] = "?" ;
- if (flaglookup)
- {
- register unsigned int n = uint_fmt(fmtuidgid, uid) ;
- fmtuidgid[n++] = ':' ;
- n += uint_fmt(fmtuidgid + n, gid) ;
- fmtuidgid[n] = 0 ;
- fmtnum[uint_fmt(fmtnum, num)] = 0 ;
- }
- fmtpid[uint_fmt(fmtpid, pid)] = 0 ;
- strerr_warni7x("allow ", fmtuidgid, " pid ", fmtpid, " count ", fmtnum, fmtlocalmaxconn) ;
-}
-
-static void log_close (unsigned int pid, unsigned int uid, int w)
-{
- char fmtpid[UINT_FMT] ;
- char fmtuid[UINT_FMT] = "?" ;
- char fmtw[UINT_FMT] ;
- fmtpid[uint_fmt(fmtpid, pid)] = 0 ;
- if (flaglookup) fmtuid[uint_fmt(fmtuid, uid)] = 0 ;
- fmtw[uint_fmt(fmtw, WIFSIGNALED(w) ? WTERMSIG(w) : WEXITSTATUS(w))] = 0 ;
- strerr_warni6x("end pid ", fmtpid, " uid ", fmtuid, WIFSIGNALED(w) ? " signal " : " exitcode ", fmtw) ;
-}
-
-
- /* Signal handling */
-
-static void killthem (int sig)
-{
- register unsigned int i = 0 ;
- for (; i < numconn ; i++) kill(piduid[i].left, sig) ;
-}
-
-static void wait_children (void)
-{
- for (;;)
- {
- unsigned int i ;
- int w ;
- register pid_t pid = wait_nohang(&w) ;
- if (pid < 0)
- if (errno != ECHILD) strerr_diefu1sys(111, "wait_nohang") ;
- else break ;
- else if (!pid) break ;
- i = lookup_pid(pid) ;
- if (i < numconn)
- {
- unsigned int uid = piduid[i].right ;
- register unsigned int j = lookup_uid(uid) ;
- if (j >= uidlen) X() ;
- if (!--uidnum[j].right) uidnum[j] = uidnum[--uidlen] ;
- piduid[i] = piduid[--numconn] ;
- if (verbosity >= 2)
- {
- log_close(pid, uid, w) ;
- log_status() ;
- }
- }
- }
-}
-
-static void handle_signals (void)
-{
- for (;;) switch (selfpipe_read())
- {
- case -1 : strerr_diefu1sys(111, "read selfpipe") ;
- case 0 : return ;
- case SIGCHLD : wait_children() ; break ;
- case SIGTERM :
- {
- if (verbosity >= 2)
- strerr_warni3x("received ", "SIGTERM,", " quitting") ;
- cont = 0 ;
- break ;
- }
- case SIGHUP :
- {
- if (verbosity >= 2)
- strerr_warni5x("received ", "SIGHUP,", " sending ", "SIGTERM+SIGCONT", " to all connections") ;
- killthem(SIGTERM) ;
- killthem(SIGCONT) ;
- break ;
- }
- case SIGQUIT :
- {
- if (verbosity >= 2)
- strerr_warni6x("received ", "SIGQUIT,", " sending ", "SIGTERM+SIGCONT", " to all connections", " and quitting") ;
- cont = 0 ;
- killthem(SIGTERM) ;
- killthem(SIGCONT) ;
- break ;
- }
- case SIGABRT :
- {
- if (verbosity >= 2)
- strerr_warni6x("received ", "SIGABRT,", " sending ", "SIGKILL", " to all connections", " and quitting") ;
- cont = 0 ;
- killthem(SIGKILL) ;
- break ;
- }
- default : X() ;
- }
-}
-
-
- /* New connection handling */
-
-static void run_child (int, unsigned int, unsigned int, unsigned int, char const *, char const *const *, char const *const *) gccattr_noreturn ;
-static void run_child (int s, unsigned int uid, unsigned int gid, unsigned int num, char const *remotepath, char const *const *argv, char const *const *envp)
-{
- unsigned int rplen = str_len(remotepath) + 1 ;
- unsigned int n = 0 ;
- char fmt[65 + UINT_FMT * 3 + rplen] ;
- PROG = "s6-ipcserver (child)" ;
- if ((fd_move(0, s) < 0) || (fd_copy(1, 0) < 0))
- strerr_diefu1sys(111, "move fds") ;
- byte_copy(fmt+n, 23, "PROTO=IPC\0IPCREMOTEEUID") ; n += 23 ;
- if (flaglookup)
- {
- fmt[n++] = '=' ;
- n += uint_fmt(fmt+n, uid) ;
- }
- fmt[n++] = 0 ;
- byte_copy(fmt+n, 13, "IPCREMOTEEGID") ; n += 13 ;
- if (flaglookup)
- {
- fmt[n++] = '=' ;
- n += uint_fmt(fmt+n, gid) ;
- }
- fmt[n++] = 0 ;
- byte_copy(fmt+n, 11, "IPCCONNNUM=") ; n += 11 ;
- if (flaglookup) n += uint_fmt(fmt+n, num) ;
- fmt[n++] = 0 ;
- byte_copy(fmt+n, 14, "IPCREMOTEPATH=") ; n += 14 ;
- byte_copy(fmt+n, rplen, remotepath) ; n += rplen ;
- pathexec_r(argv, envp, env_len(envp), fmt, n) ;
- strerr_dieexec(111, argv[0]) ;
-}
-
-static void new_connection (int s, char const *remotepath, char const *const *argv, char const *const *envp)
-{
- unsigned int uid = 0, gid = 0 ;
- unsigned int num, i ;
- register pid_t pid ;
- if (flaglookup && (ipc_eid(s, &uid, &gid) < 0))
- {
- if (verbosity) strerr_warnwu1sys("ipc_eid") ;
- return ;
- }
- i = lookup_uid(uid) ;
- num = (i < uidlen) ? uidnum[i].right : 0 ;
- if (num >= localmaxconn)
- {
- log_deny(uid, gid, num) ;
- return ;
- }
- pid = fork() ;
- if (pid < 0)
- {
- if (verbosity) strerr_warnwu1sys("fork") ;
- return ;
- }
- else if (!pid)
- {
- selfpipe_finish() ;
- run_child(s, uid, gid, num+1, remotepath, argv, envp) ;
- }
-
- if (i < uidlen) uidnum[i].right = num + 1 ;
- else
- {
- uidnum[uidlen].left = uid ;
- uidnum[uidlen++].right = 1 ;
- }
- piduid[numconn].left = (unsigned int)pid ;
- piduid[numconn++].right = uid ;
- if (verbosity >= 2)
- {
- log_accept((unsigned int)pid, uid, gid, uidnum[i].right) ;
- log_status() ;
- }
-}
-
-
- /* And the main */
-
-int main (int argc, char const *const *argv, char const *const *envp)
-{
- iopause_fd x[2] = { { .events = IOPAUSE_READ }, { .fd = 0, .events = IOPAUSE_READ | IOPAUSE_EXCEPT } } ;
- PROG = "s6-ipcserverd" ;
- {
- subgetopt_t l = SUBGETOPT_ZERO ;
- int flag1 = 0 ;
- for (;;)
- {
- register int opt = subgetopt_r(argc, argv, "Pp1c:C:v:", &l) ;
- if (opt == -1) break ;
- switch (opt)
- {
- case 'P' : flaglookup = 0 ; break ;
- case 'p' : flaglookup = 1 ; break ;
- case '1' : flag1 = 1 ; break ;
- case 'c' : if (!uint0_scan(l.arg, &maxconn)) dieusage() ; break ;
- case 'C' : if (!uint0_scan(l.arg, &localmaxconn)) dieusage() ; break ;
- case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ;
- default : dieusage() ;
- }
- }
- argc -= l.ind ; argv += l.ind ;
- if (!argc || !*argv[0]) dieusage() ;
- {
- struct stat st ;
- if (fstat(0, &st) < 0) strerr_diefu1sys(111, "fstat stdin") ;
- if (!S_ISSOCK(st.st_mode)) strerr_dief1x(100, "stdin is not a socket") ;
- }
- if (coe(0) < 0) strerr_diefu1sys(111, "make socket close-on-exec") ;
- if (flag1)
- {
- if (fcntl(1, F_GETFD) < 0)
- strerr_dief1sys(100, "called with option -1 but stdout said") ;
- }
- else close(1) ;
- if (!maxconn) maxconn = 1 ;
- if (maxconn > ABSOLUTE_MAXCONN) maxconn = ABSOLUTE_MAXCONN ;
- if (!flaglookup || (localmaxconn > maxconn)) localmaxconn = maxconn ;
-
- x[0].fd = selfpipe_init() ;
- if (x[0].fd == -1) strerr_diefu1sys(111, "create selfpipe") ;
- if (sig_ignore(SIGPIPE) < 0) strerr_diefu1sys(111, "ignore SIGPIPE") ;
- {
- sigset_t set ;
- sigemptyset(&set) ;
- sigaddset(&set, SIGCHLD) ;
- sigaddset(&set, SIGTERM) ;
- sigaddset(&set, SIGHUP) ;
- sigaddset(&set, SIGQUIT) ;
- sigaddset(&set, SIGABRT) ;
- if (selfpipe_trapset(&set) < 0) strerr_diefu1sys(111, "trap signals") ;
- }
-
- fmtlocalmaxconn[1+uint_fmt(fmtlocalmaxconn+1, localmaxconn)] = 0 ;
- if (verbosity >= 2)
- {
- fmtmaxconn[1+uint_fmt(fmtmaxconn+1, maxconn)] = 0 ;
- log_start() ;
- log_status() ;
- }
- if (flag1)
- {
- fd_write(1, "\n", 1) ;
- fd_close(1) ;
- }
- }
-
- {
- diuint inyostack[maxconn + (flaglookup ? maxconn : 1)] ;
- piduid = inyostack ; uidnum = inyostack + maxconn ;
-
- while (cont)
- {
- if (iopause_g(x, 1 + (numconn < maxconn), 0) < 0)
- strerr_diefu1sys(111, "iopause") ;
-
- if (x[0].revents & IOPAUSE_EXCEPT) strerr_dief1x(111, "trouble with selfpipe") ;
- if (x[0].revents & IOPAUSE_READ) handle_signals() ;
- if (numconn < maxconn)
- {
- if (x[1].revents & IOPAUSE_EXCEPT) strerr_dief1x(111, "trouble with socket") ;
- if (x[1].revents & IOPAUSE_READ)
- {
- int dummy ;
- char remotepath[IPCPATH_MAX+1] ;
- register int s = ipc_accept(x[1].fd, remotepath, IPCPATH_MAX+1, &dummy) ;
- if (s < 0)
- {
- if (verbosity) strerr_warnwu1sys("accept") ;
- }
- else
- {
- new_connection(s, remotepath, argv, envp) ;
- fd_close(s) ;
- }
- }
- }
- }
- }
- if (verbosity >= 2) log_exit() ;
- return 0 ;
-}
diff --git a/src/conn-tools/s6-sudo.c b/src/conn-tools/s6-sudo.c
deleted file mode 100644
index 5e91951..0000000
--- a/src/conn-tools/s6-sudo.c
+++ /dev/null
@@ -1,67 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include
-#include
-#include
-
-#define USAGE "s6-sudo [ -q | -Q | -v ] [ -p bindpath ] [ -l localname ] [ -e ] [ -t timeout ] [ -T timeoutrun ] path [ args... ]"
-#define dieusage() strerr_dieusage(100, USAGE)
-
-int main (int argc, char const *const *argv, char const *const *envp)
-{
- unsigned int verbosity = 1, t = 0, T = 0 ;
- char const *bindpath = 0 ;
- char const *localname = 0 ;
- int nodoenv = 0 ;
- PROG = "s6-sudo" ;
- {
- subgetopt_t l = SUBGETOPT_ZERO ;
- for (;;)
- {
- register int opt = subgetopt_r(argc, argv, "qQvp:l:et:T:", &l) ;
- if (opt == -1) break ;
- switch (opt)
- {
- case 'q' : if (verbosity) verbosity-- ; break ;
- case 'Q' : verbosity = 1 ; break ;
- case 'v' : verbosity++ ; break ;
- case 'p' : bindpath = l.arg ; break ;
- case 'l' : localname = l.arg ; break ;
- case 'e' : nodoenv = 1 ; break ;
- case 't' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ;
- case 'T' : if (!uint0_scan(l.arg, &T)) dieusage() ; break ;
- default : dieusage() ;
- }
- }
- argc -= l.ind ; argv += l.ind ;
- }
- if (!argc) dieusage() ;
- {
- char const *eargv[9 + argc + ((verbosity < 2 ? 1 : verbosity-1)) + ((!!bindpath + !!localname) << 1) + nodoenv] ;
- char fmt1[UINT_FMT] ;
- char fmt2[UINT_FMT] ;
- unsigned int n = 0 ;
- eargv[n++] = S6_NETWORKING_BINPREFIX "s6-ipcclient" ;
- if (!verbosity) eargv[n++] = "-Q" ;
- else while (--verbosity) eargv[n++] = "-v" ;
- if (bindpath) { eargv[n++] = "-p" ; eargv[n++] = bindpath ; }
- if (localname) { eargv[n++] = "-l" ; eargv[n++] = localname ; }
- eargv[n++] = "--" ;
- eargv[n++] = *argv++ ; argc-- ;
- eargv[n++] = S6_NETWORKING_BINPREFIX "s6-sudoc" ;
- if (nodoenv) eargv[n++] = "-e" ;
- eargv[n++] = "-t" ;
- fmt1[uint_fmt(fmt1, t)] = 0 ;
- eargv[n++] = fmt1 ;
- eargv[n++] = "-T" ;
- fmt2[uint_fmt(fmt2, T)] = 0 ;
- eargv[n++] = fmt2 ;
- eargv[n++] = "--" ;
- while (argc--) eargv[n++] = *argv++ ;
- eargv[n++] = 0 ;
- pathexec_run(eargv[0], eargv, envp) ;
- }
- strerr_dieexec(111, S6_NETWORKING_BINPREFIX "s6-ipcclient") ;
-}
diff --git a/src/conn-tools/s6-sudo.h b/src/conn-tools/s6-sudo.h
deleted file mode 100644
index 8c5797f..0000000
--- a/src/conn-tools/s6-sudo.h
+++ /dev/null
@@ -1,11 +0,0 @@
-/* ISC license. */
-
-#ifndef S6_SUDO_H
-#define S6_SUDO_H
-
-#define S6_SUDO_BANNERB "s6-sudo b v1.0\n"
-#define S6_SUDO_BANNERB_LEN (sizeof(S6_SUDO_BANNERB) - 1)
-#define S6_SUDO_BANNERA "s6-sudo a v1.0\n"
-#define S6_SUDO_BANNERA_LEN (sizeof(S6_SUDO_BANNERA) - 1)
-
-#endif
diff --git a/src/conn-tools/s6-sudoc.c b/src/conn-tools/s6-sudoc.c
deleted file mode 100644
index 823d7cb..0000000
--- a/src/conn-tools/s6-sudoc.c
+++ /dev/null
@@ -1,115 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include "s6-sudo.h"
-
-#define USAGE "s6-sudoc [ -e ] [ -t timeoutconn ] [ -T timeoutrun ] [ args... ]"
-#define dieusage() strerr_dieusage(100, USAGE)
-#define dienomem() strerr_diefu1sys(111, "stralloc_catb")
-
-int main (int argc, char const *const *argv, char const *const *envp)
-{
- char buf6[64] ;
- buffer b6 = BUFFER_INIT(&buffer_read, 6, buf6, 64) ;
- unixmessage_sender_t b7 = UNIXMESSAGE_SENDER_INIT(7) ;
- subgetopt_t l = SUBGETOPT_ZERO ;
- unsigned int t = 0, T = 0 ;
- int doenv = 1 ;
-
- tain_t deadline = TAIN_INFINITE_RELATIVE ;
- PROG = "s6-sudoc" ;
- for (;;)
- {
- register int opt = subgetopt_r(argc, argv, "et:T:", &l) ;
- if (opt < 0) break ;
- switch (opt)
- {
- case 'e' : doenv = 0 ; break ;
- case 't' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ;
- case 'T' : if (!uint0_scan(l.arg, &T)) dieusage() ; break ;
- default : dieusage() ;
- }
- }
- argc -= l.ind ; argv += l.ind ;
- if (t) tain_from_millisecs(&deadline, t) ;
- if ((ndelay_on(6) < 0) || (ndelay_on(7) < 0))
- strerr_diefu1sys(111, "make socket non-blocking") ;
- if (!fd_sanitize() || !fd_ensure_open(2, 1))
- strerr_diefu1sys(111, "sanitize stdin/stdout/stderr") ;
-
- tain_now_g() ;
- tain_add_g(&deadline, &deadline) ;
- {
- char tmp[S6_SUDO_BANNERB_LEN] ;
- if (buffer_timed_get_g(&b6, tmp, S6_SUDO_BANNERB_LEN, &deadline) < S6_SUDO_BANNERB_LEN)
- strerr_diefu1sys(111, "read banner from s6-sudod") ;
- if (str_diffn(tmp, S6_SUDO_BANNERB, S6_SUDO_BANNERB_LEN))
- strerr_dief1x(100, "wrong server banner") ;
- }
- {
- int fds[3] = { 0, 1, 2 } ;
- char pack[16] ;
- siovec_t v[4] = {
- { .s = S6_SUDO_BANNERA, .len = S6_SUDO_BANNERA_LEN },
- { .s = pack, .len = 16 },
- { .s = 0, .len = 0 },
- { .s = 0, .len = 0 } } ;
- unixmessage_v_t mv = { .v = v, .vlen = 4, .fds = fds, .nfds = 3 } ;
- stralloc sa = STRALLOC_ZERO ;
- unsigned int envlen = doenv ? env_len(envp) : 0 ;
- uint32_pack_big(pack, (uint32)argc) ;
- uint32_pack_big(pack + 4, (uint32)envlen) ;
- if (!env_string(&sa, argv, argc)) dienomem() ;
- v[2].len = sa.len ;
- uint32_pack_big(pack + 8, (uint32)v[2].len) ;
- if (doenv)
- {
- if (!env_string(&sa, envp, envlen)) dienomem() ;
- v[3].len = sa.len - v[2].len ;
- }
- uint32_pack_big(pack + 12, (uint32)v[3].len) ;
- v[2].s = sa.s ;
- v[3].s = sa.s + v[2].len ;
- if (!unixmessage_putv_and_close(&b7, &mv, (unsigned char const *)"\003"))
- strerr_diefu1sys(111, "unixmessage_putv") ;
- stralloc_free(&sa) ;
- }
- if (!unixmessage_sender_timed_flush_g(&b7, &deadline))
- strerr_diefu1sys(111, "send args to server") ;
- unixmessage_sender_free(&b7) ;
- {
- char c ;
- if (buffer_timed_get_g(&b6, &c, 1, &deadline) < 1)
- strerr_diefu1sys(111, "get confirmation from server") ;
- if (c)
- {
- errno = c ;
- strerr_diefu1sys(111, "start privileged program: server answered: ") ;
- }
- }
-
- if (T) tain_from_millisecs(&deadline, T) ; else deadline = tain_infinite_relative ;
- tain_add_g(&deadline, &deadline) ;
- {
- char pack[UINT_PACK] ;
- if (buffer_timed_get_g(&b6, pack, UINT_PACK, &deadline) < UINT_PACK)
- strerr_diefu1sys(111, "get exit status from server") ;
- uint_unpack_big(pack, &t) ;
- }
- if (WIFSIGNALED(t)) raise(WTERMSIG(t)) ;
- return WEXITSTATUS(t) ;
-}
diff --git a/src/conn-tools/s6-sudod.c b/src/conn-tools/s6-sudod.c
deleted file mode 100644
index 8c52bb9..0000000
--- a/src/conn-tools/s6-sudod.c
+++ /dev/null
@@ -1,233 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include "s6-sudo.h"
-
-#define USAGE "s6-sudod [ -0 ] [ -1 ] [ -2 ] [ -t timeout ] args..."
-#define dieusage() strerr_dieusage(100, USAGE)
-#define dienomem() strerr_diefu1sys(111, "stralloc_catb")
-
-int main (int argc, char const *const *argv, char const *const *envp)
-{
- subgetopt_t l = SUBGETOPT_ZERO ;
- unixmessage_t m ;
- unsigned int nullfds = 0, t = 2000 ;
- pid_t pid ;
- uint32 envc = env_len(envp) ;
- uint32 cargc, cenvc, carglen, cenvlen ;
- int spfd ;
- tain_t deadline = TAIN_INFINITE_RELATIVE ;
- PROG = "s6-sudod" ;
- for (;;)
- {
- register int opt = subgetopt_r(argc, argv, "012t:", &l) ;
- if (opt < 0) break ;
- switch (opt)
- {
- case '0' : nullfds |= 1 ; break ;
- case '1' : nullfds |= 2 ; break ;
- case '2' : nullfds |= 4 ; break ;
- case 't' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ;
- default : dieusage() ;
- }
- }
- argc -= l.ind ; argv += l.ind ;
- if (t) tain_from_millisecs(&deadline, t) ;
- if ((ndelay_on(0) < 0) || (ndelay_on(1) < 0))
- strerr_diefu1sys(111, "make socket non-blocking") ;
-
- tain_now_g() ;
- tain_add_g(&deadline, &deadline) ;
- buffer_putnoflush(buffer_1small, S6_SUDO_BANNERB, S6_SUDO_BANNERB_LEN) ;
- if (!buffer_timed_flush_g(buffer_1small, &deadline))
- strerr_diefu1sys(111, "write banner to client") ;
- if (unixmessage_timed_receive_g(unixmessage_receiver_0, &m, &deadline) <= 0)
- strerr_diefu1sys(111, "read message from client") ;
- if (m.nfds != 3)
- strerr_dief1x(100, "client did not send 3 fds") ;
- if (m.len < 16 + S6_SUDO_BANNERA_LEN)
- strerr_dief1x(100, "wrong client message") ;
- if (str_diffn(m.s, S6_SUDO_BANNERA, S6_SUDO_BANNERA_LEN))
- strerr_dief1x(100, "wrong client banner") ;
- uint32_unpack_big(m.s + S6_SUDO_BANNERA_LEN, &cargc) ;
- uint32_unpack_big(m.s + S6_SUDO_BANNERA_LEN + 4, &cenvc) ;
- uint32_unpack_big(m.s + S6_SUDO_BANNERA_LEN + 8, &carglen) ;
- uint32_unpack_big(m.s + S6_SUDO_BANNERA_LEN + 12, &cenvlen) ;
- if (S6_SUDO_BANNERA_LEN + 16 + carglen + cenvlen != m.len)
- strerr_dief1x(100, "wrong client argc/envlen") ;
- if ((cargc > 131072) || (cenvc > 131072))
- strerr_dief1x(100, "too many args/envvars from client") ;
-
- if (nullfds & 1)
- {
- close(m.fds[0]) ;
- m.fds[0] = open2("/dev/null", O_RDONLY) ;
- if (m.fds[0] < 0) strerr_diefu2sys(111, "open /dev/null for ", "reading") ;
- }
- if (nullfds & 2)
- {
- close(m.fds[1]) ;
- m.fds[1] = open2("/dev/null", O_WRONLY) ;
- if (m.fds[1] < 0) strerr_diefu2sys(111, "open /dev/null for ", "writing") ;
- }
- if (nullfds & 4)
- {
- close(m.fds[2]) ;
- m.fds[2] = 2 ;
- }
-
- {
- char const *targv[argc + 1 + cargc] ;
- char const *tenvp[envc + 1 + cenvc] ;
- int p[2] ;
- register unsigned int i = 0 ;
- for (; i < (unsigned int)argc ; i++) targv[i] = argv[i] ;
- for (i = 0 ; i <= envc ; i++) tenvp[i] = envp[i] ;
- if (!env_make(targv + argc, cargc, m.s + S6_SUDO_BANNERA_LEN + 16, carglen))
- {
- char c = errno ;
- buffer_putnoflush(buffer_1small, &c, 1) ;
- buffer_timed_flush_g(buffer_1small, &deadline) ;
- errno = c ;
- strerr_diefu1sys(111, "make child argv") ;
- }
- if (!env_make(tenvp + envc + 1, cenvc, m.s + S6_SUDO_BANNERA_LEN + 16 + carglen, cenvlen))
- {
- char c = errno ;
- buffer_putnoflush(buffer_1small, &c, 1) ;
- buffer_timed_flush_g(buffer_1small, &deadline) ;
- errno = c ;
- strerr_diefu1sys(111, "make child envp") ;
- }
- targv[argc + cargc] = 0 ;
-
- for (i = 0 ; i < cenvc ; i++)
- {
- char const *var = tenvp[envc + 1 + i] ;
- register unsigned int j = 0 ;
- register unsigned int len = str_chr(var, '=') ;
- if (!var[len])
- {
- char c = EINVAL ;
- buffer_putnoflush(buffer_1small, &c, 1) ;
- buffer_timed_flush_g(buffer_1small, &deadline) ;
- strerr_dief1x(100, "bad environment from client") ;
- }
- for (; j < envc ; j++) if (!str_diffn(var, tenvp[j], len+1)) break ;
- if ((j < envc) && !tenvp[j][len+1]) tenvp[j] = var ;
- }
-
- spfd = selfpipe_init() ;
- if (spfd < 0) strerr_diefu1sys(111, "selfpipe_init") ;
- if (selfpipe_trap(SIGCHLD) < 0) strerr_diefu1sys(111, "trap SIGCHLD") ;
- if (pipe(p) < 0) strerr_diefu1sys(111, "pipe") ;
- if (coe(p[1]) < 0) strerr_diefu1sys(111, "coe pipe") ;
- pid = fork() ;
- if (pid < 0) strerr_diefu1sys(111, "fork") ;
- if (!pid)
- {
- PROG = "s6-sudod (child)" ;
- fd_close(p[0]) ;
- if ((fd_move(2, m.fds[2]) < 0)
- || (fd_move(1, m.fds[1]) < 0)
- || (fd_move(0, m.fds[0]) < 0))
- {
- char c = errno ;
- fd_write(p[1], &c, 1) ;
- strerr_diefu1sys(111, "move fds") ;
- }
- selfpipe_finish() ;
- pathexec0_run(targv, tenvp) ;
- {
- char c = errno ;
- fd_write(p[1], &c, 1) ;
- }
- strerr_dieexec(111, targv[0]) ;
- }
- fd_close(p[1]) ;
- {
- char c ;
- register int r = fd_read(p[0], &c, 1) ;
- if (r < 0) strerr_diefu1sys(111, "read from child") ;
- if (r)
- {
- buffer_putnoflush(buffer_1small, &c, 1) ;
- buffer_timed_flush_g(buffer_1small, &deadline) ;
- return 111 ;
- }
- }
- fd_close(p[0]) ;
- }
-
- fd_close(m.fds[0]) ;
- fd_close(m.fds[1]) ;
- if (!(nullfds & 4)) fd_close(m.fds[2]) ;
- unixmessage_receiver_free(unixmessage_receiver_0) ;
- buffer_putnoflush(buffer_1small, "", 1) ;
- if (!buffer_timed_flush_g(buffer_1small, &deadline))
- strerr_diefu1sys(111, "send confirmation to client") ;
-
- {
- iopause_fd x[2] = { { .fd = 0, .events = 0 }, { .fd = spfd, .events = IOPAUSE_READ } } ;
- int cont = 1 ;
- while (cont)
- {
- if (iopause_g(x, 2, 0) < 0) strerr_diefu1sys(111, "iopause") ;
- if (x[1].revents)
- {
- for (;;)
- {
- int c = selfpipe_read() ;
- if (c < 0) strerr_diefu1sys(111, "read from selfpipe") ;
- else if (!c) break ;
- else if (c == SIGCHLD)
- {
- int wstat ;
- register int r = wait_pid_nohang(pid, &wstat) ;
- if ((r < 0) && (errno != ECHILD))
- strerr_diefu1sys(111, "wait_pid_nohang") ;
- else if (r > 0)
- {
- char pack[UINT_PACK] ;
- uint_pack_big(pack, (unsigned int)wstat) ;
- buffer_putnoflush(buffer_1small, pack, UINT_PACK) ;
- cont = 0 ;
- }
- }
- else
- strerr_dief1sys(101, "internal inconsistency, please submit a bug-report") ;
- }
- }
- if (x[0].revents && cont)
- {
- kill(pid, SIGTERM) ;
- kill(pid, SIGCONT) ;
- x[0].fd = -1 ;
- return 1 ;
- }
- }
- }
- if (ndelay_off(1) < 0)
- strerr_diefu1sys(111, "set stdout blocking") ;
- if (!buffer_flush(buffer_1small))
- strerr_diefu1sys(111, "write status to client") ;
- return 0 ;
-}
diff --git a/src/conn-tools/s6-tcpserver-access.c b/src/conn-tools/s6-tcpserver-access.c
index ef2771b..db2e2a5 100644
--- a/src/conn-tools/s6-tcpserver-access.c
+++ b/src/conn-tools/s6-tcpserver-access.c
@@ -18,8 +18,9 @@
#include
#include
#include
+#include
#include
-#include
+#include
#define USAGE "s6-tcpserver-access [ -v verbosity ] [ -W | -w ] [ -D | -d ] [ -H | -h ] [ -R | -r ] [ -P | -p ] [ -l localname ] [ -B banner ] [ -t timeout ] [ -i rulesdir | -x rulesfile ] prog..."
#define dieusage() strerr_dieusage(100, USAGE)
@@ -50,7 +51,7 @@ static inline void log_deny (unsigned int pid, ip46_t const *ip)
int main (int argc, char const *const *argv, char const *const *envp)
{
- s6net_accessrules_params_t params = S6NET_ACCESSRULES_PARAMS_ZERO ;
+ s6_accessrules_params_t params = S6_ACCESSRULES_PARAMS_ZERO ;
stralloc modifs = STRALLOC_ZERO ;
tain_t deadline, tto ;
char const *rulestypestr[3] = { "no", "fs", "cdb" } ;
@@ -62,7 +63,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
unsigned int rulestype = 0 ;
unsigned int verbosity = 1 ;
unsigned int protolen ;
- s6net_accessrules_result_t accepted ;
+ s6_accessrules_result_t accepted ;
ip46_t remoteip, localip ;
int flagfatal = 1, flagnodelay = 0, flagdnslookup = 1,
flagident = 0, flagparanoid = 0, e = 0 ;
@@ -140,17 +141,17 @@ int main (int argc, char const *const *argv, char const *const *envp)
{
case 0 :
if (verbosity >= 2) strerr_warnw1x("invoked without a ruleset!") ;
- accepted = S6NET_ACCESSRULES_ALLOW ;
+ accepted = S6_ACCESSRULES_ALLOW ;
break ;
case 1 :
- accepted = s6net_accessrules_ip46_fs(&remoteip, (void *)rules, ¶ms) ;
+ accepted = s6_accessrules_ip46_fs(&remoteip, (void *)rules, ¶ms) ;
break ;
case 2 :
cdbfd = open_readb(rules) ;
if (cdbfd < 0) strerr_diefu2sys(111, "open_readb ", rules) ;
if (cdb_init(&c, cdbfd) < 0) strerr_diefu2sys(111, "cdb_init ", rules) ;
- accepted = s6net_accessrules_ip46_cdb(&remoteip, &c, ¶ms) ;
- if (accepted == S6NET_ACCESSRULES_ALLOW)
+ accepted = s6_accessrules_ip46_cdb(&remoteip, &c, ¶ms) ;
+ if (accepted == S6_ACCESSRULES_ALLOW)
{
cdb_free(&c) ;
fd_close(cdbfd) ;
@@ -160,13 +161,13 @@ int main (int argc, char const *const *argv, char const *const *envp)
}
switch (accepted)
{
- case S6NET_ACCESSRULES_ERROR :
+ case S6_ACCESSRULES_ERROR :
strerr_diefu6sys(111, "check ", rulestypestr[rulestype], " ruleset for ", "IP", " in ", rules) ;
- case S6NET_ACCESSRULES_ALLOW : break ;
- case S6NET_ACCESSRULES_DENY :
+ case S6_ACCESSRULES_ALLOW : break ;
+ case S6_ACCESSRULES_DENY :
if (verbosity >= 2) { errno = EACCES ; log_deny(getpid(), &remoteip) ; }
return 1 ;
- case S6NET_ACCESSRULES_NOTFOUND :
+ case S6_ACCESSRULES_NOTFOUND :
if (flagdnslookup) break ;
if (verbosity >= 2) { errno = ENOENT ; log_deny(getpid(), &remoteip) ; }
return 1 ;
@@ -326,21 +327,21 @@ int main (int argc, char const *const *argv, char const *const *envp)
}
}
if (!env_addmodif(&modifs, tcpremotehost, remotelen ? remotebuf : 0)) dienomem() ;
- if (remotelen && (accepted == S6NET_ACCESSRULES_NOTFOUND))
+ if (remotelen && (accepted == S6_ACCESSRULES_NOTFOUND))
{
switch (rulestype)
{
case 1 :
- accepted = s6net_accessrules_reversedns_fs(remotebuf, (void *)rules, ¶ms) ;
+ accepted = s6_accessrules_reversedns_fs(remotebuf, (void *)rules, ¶ms) ;
break ;
case 2 :
- accepted = s6net_accessrules_reversedns_cdb(remotebuf, &c, ¶ms) ;
+ accepted = s6_accessrules_reversedns_cdb(remotebuf, &c, ¶ms) ;
break ;
default : X() ;
}
}
- if ((rulestype == 2) && (accepted != S6NET_ACCESSRULES_ALLOW))
+ if ((rulestype == 2) && (accepted != S6_ACCESSRULES_ALLOW))
{
cdb_free(&c) ;
fd_close(cdbfd) ;
@@ -348,13 +349,13 @@ int main (int argc, char const *const *argv, char const *const *envp)
switch (accepted)
{
- case S6NET_ACCESSRULES_ERROR :
+ case S6_ACCESSRULES_ERROR :
strerr_diefu6sys(111, "check ", rulestypestr[rulestype], " ruleset for ", "reverse DNS", " in ", rules) ;
- case S6NET_ACCESSRULES_ALLOW : break ;
- case S6NET_ACCESSRULES_DENY :
+ case S6_ACCESSRULES_ALLOW : break ;
+ case S6_ACCESSRULES_DENY :
if (verbosity >= 2) { errno = EACCES ; log_deny(getpid(), &remoteip) ; }
return 1 ;
- case S6NET_ACCESSRULES_NOTFOUND :
+ case S6_ACCESSRULES_NOTFOUND :
if (verbosity >= 2) { errno = ENOENT ; log_deny(getpid(), &remoteip) ; }
return 1 ;
default : X() ;
diff --git a/src/conn-tools/seekablepipe.c b/src/conn-tools/seekablepipe.c
deleted file mode 100644
index 611f227..0000000
--- a/src/conn-tools/seekablepipe.c
+++ /dev/null
@@ -1,41 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include
-#include
-
-#define USAGE "seekablepipe tempfile prog..."
-
-#define N 8192
-
-int main (int argc, char const *const *argv, char const *const *envp)
-{
- iobuffer b ;
- int fdr, fdw ;
- int r ;
- PROG = "seekablepipe" ;
- if (argc < 3) strerr_dieusage(100, USAGE) ;
- fdw = open_trunc(argv[1]) ;
- if (fdw < 0)
- strerr_diefu2sys(111, "create temporary ", argv[1]) ;
- fdr = open_readb(argv[1]) ;
- if (fdr < 0)
- strerr_diefu3sys(111, "open ", argv[1], " for reading") ;
- if (unlink(argv[1]) < 0)
- strerr_diefu2sys(111, "unlink ", argv[1]) ;
- if (ndelay_off(fdw) < 0)
- strerr_diefu1sys(111, "set fdw blocking") ;
- if (!iobuffer_init(&b, 0, fdw))
- strerr_diefu1sys(111, "iobuffer_init") ;
- while ((r = iobuffer_fill(&b)) > 0)
- if (!iobuffer_flush(&b))
- strerr_diefu2sys(111, "write to ", argv[1]) ;
- if (r < 0) strerr_diefu1sys(111, "read from stdin") ;
- iobuffer_finish(&b) ;
- fd_close(fdw) ;
- if (fd_move(0, fdr) < 0)
- strerr_diefu1sys(111, "move fdr to stdin") ;
- pathexec_run(argv[2], argv+2, envp) ;
- strerr_dieexec(111, argv[2]) ;
-}
diff --git a/src/include/s6-networking/accessrules.h b/src/include/s6-networking/accessrules.h
deleted file mode 100644
index ec7a0d5..0000000
--- a/src/include/s6-networking/accessrules.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/* ISC license. */
-
-#ifndef S6NET_ACCESSRULES_H
-#define S6NET_ACCESSRULES_H
-
-#include
-#include
-#include
-
-typedef struct s6net_accessrules_params_s s6net_accessrules_params_t, *s6net_accessrules_params_t_ref ;
-struct s6net_accessrules_params_s
-{
- stralloc env ;
- stralloc exec ;
-} ;
-#define S6NET_ACCESSRULES_PARAMS_ZERO { STRALLOC_ZERO, STRALLOC_ZERO }
-
-typedef enum s6net_accessrules_result_e s6net_accessrules_result_t, *s6net_accessrules_result_t_ref ;
-enum s6net_accessrules_result_e
-{
- S6NET_ACCESSRULES_ERROR = -1,
- S6NET_ACCESSRULES_DENY = 0,
- S6NET_ACCESSRULES_ALLOW = 1,
- S6NET_ACCESSRULES_NOTFOUND = 2
-} ;
-
-typedef s6net_accessrules_result_t s6net_accessrules_backend_func_t (char const *, unsigned int, void *, s6net_accessrules_params_t *) ;
-typedef s6net_accessrules_backend_func_t *s6net_accessrules_backend_func_t_ref ;
-
-extern s6net_accessrules_backend_func_t s6net_accessrules_backend_fs ;
-extern s6net_accessrules_backend_func_t s6net_accessrules_backend_cdb ;
-
-typedef s6net_accessrules_result_t s6net_accessrules_keycheck_func_t (void const *, void *, s6net_accessrules_params_t *, s6net_accessrules_backend_func_t_ref) ;
-typedef s6net_accessrules_keycheck_func_t *s6net_accessrules_keycheck_func_t_ref ;
-
-extern s6net_accessrules_keycheck_func_t s6net_accessrules_keycheck_uidgid ;
-extern s6net_accessrules_keycheck_func_t s6net_accessrules_keycheck_ip4 ;
-extern s6net_accessrules_keycheck_func_t s6net_accessrules_keycheck_ip6 ;
-extern s6net_accessrules_keycheck_func_t s6net_accessrules_keycheck_reversedns ;
-#define s6net_accessrules_keycheck_ip46(key, data, params, f) (ip46_is6((ip46_t const *)(key)) ? s6net_accessrules_keycheck_ip6(((ip46_t const *)(key))->ip, data, params, f) : s6net_accessrules_keycheck_ip4(((ip46_t const *)(key))->ip, data, params, f))
-
-extern s6net_accessrules_result_t s6net_accessrules_uidgid_cdb (unsigned int, unsigned int, struct cdb *, s6net_accessrules_params_t *) ;
-extern s6net_accessrules_result_t s6net_accessrules_uidgid_fs (unsigned int, unsigned int, char const *, s6net_accessrules_params_t *) ;
-#define s6net_accessrules_ip4_cdb(ip4, c, params) s6net_accessrules_keycheck_ip4(ip4, c, (params), &s6net_accessrules_backend_cdb)
-#define s6net_accessrules_ip4_fs(ip4, rulesdir, params) s6net_accessrules_keycheck_ip4(ip4, rulesdir, (params), &s6net_accessrules_backend_fs)
-#define s6net_accessrules_ip6_cdb(ip6, c, params) s6net_accessrules_keycheck_ip6(ip6, c, (params), &s6net_accessrules_backend_cdb)
-#define s6net_accessrules_ip6_fs(ip6, rulesdir, params) s6net_accessrules_keycheck_ip6(ip6, rulesdir, (params), &s6net_accessrules_backend_fs)
-#define s6net_accessrules_ip46_cdb(ip, c, params) s6net_accessrules_keycheck_ip46(ip, c, (params), &s6net_accessrules_backend_cdb)
-#define s6net_accessrules_ip46_fs(ip, rulesdir, params) s6net_accessrules_keycheck_ip46(ip, rulesdir, (params), &s6net_accessrules_backend_fs)
-#define s6net_accessrules_reversedns_cdb(name, c, params) s6net_accessrules_keycheck_reversedns(name, c, (params), &s6net_accessrules_backend_cdb)
-#define s6net_accessrules_reversedns_fs(name, c, params) s6net_accessrules_keycheck_reversedns(name, c, (params), &s6net_accessrules_backend_fs)
-
-#endif
diff --git a/src/include/s6-networking/s6net.h b/src/include/s6-networking/s6net.h
index 81d804e..8778527 100644
--- a/src/include/s6-networking/s6net.h
+++ b/src/include/s6-networking/s6net.h
@@ -3,7 +3,6 @@
#ifndef S6NET_H
#define S6NET_H
-#include
#include
#endif
diff --git a/src/libs6net/deps-lib/s6net b/src/libs6net/deps-lib/s6net
index 7b497ac..1b15735 100644
--- a/src/libs6net/deps-lib/s6net
+++ b/src/libs6net/deps-lib/s6net
@@ -1,11 +1,3 @@
-s6net_accessrules_backend_cdb.o
-s6net_accessrules_backend_fs.o
-s6net_accessrules_keycheck_ip4.o
-s6net_accessrules_keycheck_ip6.o
-s6net_accessrules_keycheck_reversedns.o
-s6net_accessrules_keycheck_uidgid.o
-s6net_accessrules_uidgid_cdb.o
-s6net_accessrules_uidgid_fs.o
s6net_ident_client.o
s6net_ident_reply_get.o
s6net_ident_reply_parse.o
diff --git a/src/libs6net/s6net_accessrules_backend_cdb.c b/src/libs6net/s6net_accessrules_backend_cdb.c
deleted file mode 100644
index e75f755..0000000
--- a/src/libs6net/s6net_accessrules_backend_cdb.c
+++ /dev/null
@@ -1,38 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-s6net_accessrules_result_t s6net_accessrules_backend_cdb (char const *key, unsigned int keylen, void *data, s6net_accessrules_params_t *params)
-{
- struct cdb *c = data ;
- unsigned int execbase, n ;
- uint16 envlen, execlen ;
- register int r = cdb_find(c, key, keylen) ;
- if (r < 0) return S6NET_ACCESSRULES_ERROR ;
- else if (!r) return S6NET_ACCESSRULES_NOTFOUND ;
- n = cdb_datalen(c) ;
- if ((n < 5U) || (n > 8197U)) return (errno = EINVAL, S6NET_ACCESSRULES_ERROR) ;
- if (!stralloc_readyplus(¶ms->exec, n)) return S6NET_ACCESSRULES_ERROR ;
- execbase = params->exec.len ;
- if (cdb_read(c, params->exec.s + execbase, n, cdb_datapos(c)) < 0) return S6NET_ACCESSRULES_ERROR ;
- if (params->exec.s[execbase] == 'D') return S6NET_ACCESSRULES_DENY ;
- else if (params->exec.s[execbase] != 'A') return S6NET_ACCESSRULES_NOTFOUND ;
- uint16_unpack_big(params->exec.s + execbase + 1U, &envlen) ;
- if ((envlen > 4096U) || (envlen+5U > n)) return (errno = EINVAL, S6NET_ACCESSRULES_ERROR) ;
- uint16_unpack_big(params->exec.s + execbase + 3 + envlen, &execlen) ;
- if ((execlen > 4096U) || (5U + envlen + execlen != n)) return (errno = EINVAL, S6NET_ACCESSRULES_ERROR) ;
- if (!stralloc_catb(¶ms->env, params->exec.s + execbase + 3U, envlen)) return S6NET_ACCESSRULES_ERROR ;
- byte_copy(params->exec.s + execbase, execlen, params->exec.s + execbase + 5U + envlen) ;
- if (execlen)
- {
- params->exec.len += execlen ;
- params->exec.s[params->exec.len++] = 0 ;
- }
- return S6NET_ACCESSRULES_ALLOW ;
-}
diff --git a/src/libs6net/s6net_accessrules_backend_fs.c b/src/libs6net/s6net_accessrules_backend_fs.c
deleted file mode 100644
index d609285..0000000
--- a/src/libs6net/s6net_accessrules_backend_fs.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-s6net_accessrules_result_t s6net_accessrules_backend_fs (char const *key, unsigned int keylen, void *data, s6net_accessrules_params_t *params)
-{
- char *dir = data ;
- unsigned int dirlen = str_len(dir) ;
- unsigned int envbase = params->env.len ;
- int wasnull = !params->env.s ;
- {
- char tmp[dirlen + keylen + 10] ;
- byte_copy(tmp, dirlen, dir) ;
- tmp[dirlen] = '/' ;
- byte_copy(tmp + dirlen + 1, keylen, key) ;
- byte_copy(tmp + dirlen + keylen + 1, 7, "/allow") ;
- if (access(tmp, R_OK) < 0)
- {
- if ((errno != EACCES) && (errno != ENOENT))
- return S6NET_ACCESSRULES_ERROR ;
- byte_copy(tmp + dirlen + keylen + 2, 5, "deny") ;
- return (access(tmp, R_OK) == 0) ? S6NET_ACCESSRULES_DENY :
- (errno != EACCES) && (errno != ENOENT) ? S6NET_ACCESSRULES_ERROR :
- S6NET_ACCESSRULES_NOTFOUND ;
- }
- byte_copy(tmp + dirlen + keylen + 2, 4, "env") ;
- if ((envdir(tmp, ¶ms->env) < 0) && (errno != ENOENT))
- return S6NET_ACCESSRULES_ERROR ;
- if (!stralloc_readyplus(¶ms->exec, 4097))
- {
- if (wasnull) stralloc_free(¶ms->env) ;
- else params->env.len = envbase ;
- return S6NET_ACCESSRULES_ERROR ;
- }
- byte_copy(tmp + dirlen + keylen + 2, 5, "exec") ;
- {
- register int r = openreadnclose(tmp, params->exec.s + params->exec.len, 4096) ;
- if ((r < 0) && (errno != EACCES) && (errno != ENOENT))
- {
- if (wasnull) stralloc_free(¶ms->env) ;
- else params->env.len = envbase ;
- return S6NET_ACCESSRULES_ERROR ;
- }
- if (r > 0)
- {
- params->exec.len += r ;
- params->exec.s[params->exec.len++] = 0 ;
- }
- }
- }
- return S6NET_ACCESSRULES_ALLOW ;
-}
diff --git a/src/libs6net/s6net_accessrules_keycheck_ip4.c b/src/libs6net/s6net_accessrules_keycheck_ip4.c
deleted file mode 100644
index 1f96bd8..0000000
--- a/src/libs6net/s6net_accessrules_keycheck_ip4.c
+++ /dev/null
@@ -1,24 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include
-#include
-
-s6net_accessrules_result_t s6net_accessrules_keycheck_ip4 (void const *key, void *data, s6net_accessrules_params_t *params, s6net_accessrules_backend_func_t_ref check1)
-{
- char fmt[IP4_FMT + UINT_FMT + 6] = "ip4/" ;
- uint32 ip ;
- unsigned int i = 0 ;
- uint32_unpack_big((char const *)key, &ip) ;
- for (; i <= 32 ; i++)
- {
- register s6net_accessrules_result_t r ;
- register unsigned int len = 4 + ip4_fmtu32(fmt+4, (i == 32) ? 0 : ip & ~((1U << i) - 1)) ;
- fmt[len++] = '_' ;
- len += uint_fmt(fmt + len, 32 - i) ;
- r = (*check1)(fmt, len, data, params) ;
- if (r != S6NET_ACCESSRULES_NOTFOUND) return r ;
- }
- return S6NET_ACCESSRULES_NOTFOUND ;
-}
diff --git a/src/libs6net/s6net_accessrules_keycheck_ip6.c b/src/libs6net/s6net_accessrules_keycheck_ip6.c
deleted file mode 100644
index c2ee5ae..0000000
--- a/src/libs6net/s6net_accessrules_keycheck_ip6.c
+++ /dev/null
@@ -1,27 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include
-#include
-#include
-
-s6net_accessrules_result_t s6net_accessrules_keycheck_ip6 (void const *key, void *data, s6net_accessrules_params_t *params, s6net_accessrules_backend_func_t_ref check1)
-{
- char fmt[IP6_FMT + UINT_FMT + 6] = "ip6/" ;
- char ip6[16] ;
- unsigned int i = 0 ;
- byte_copy(ip6, 16, (char const *)key) ;
- for (; i <= 128 ; i++)
- {
- unsigned int len ;
- register s6net_accessrules_result_t r ;
- if (i) bitarray_clear(ip6, 128 - i) ;
- len = 4 + ip6_fmt(fmt+4, ip6) ;
- fmt[len++] = '_' ;
- len += uint_fmt(fmt + len, 128 - i) ;
- r = (*check1)(fmt, len, data, params) ;
- if (r != S6NET_ACCESSRULES_NOTFOUND) return r ;
- }
- return S6NET_ACCESSRULES_NOTFOUND ;
-}
diff --git a/src/libs6net/s6net_accessrules_keycheck_reversedns.c b/src/libs6net/s6net_accessrules_keycheck_reversedns.c
deleted file mode 100644
index f4c0213..0000000
--- a/src/libs6net/s6net_accessrules_keycheck_reversedns.c
+++ /dev/null
@@ -1,27 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include
-
-s6net_accessrules_result_t s6net_accessrules_keycheck_reversedns (void const *key, void *data, s6net_accessrules_params_t *params, s6net_accessrules_backend_func_t_ref check1)
-{
- char const *name = key ;
- unsigned int len = str_len(name) ;
- if (!len) return (errno = EINVAL, S6NET_ACCESSRULES_ERROR) ;
- if (name[len-1] == '.') len-- ;
- {
- unsigned int i = 0 ;
- char tmp[len + 11] ;
- byte_copy(tmp, 11, "reversedns/") ;
- while (i < len)
- {
- register s6net_accessrules_result_t r ;
- byte_copy(tmp+11, len-i, name+i) ;
- r = (*check1)(tmp, 11+len-i, data, params) ;
- if (r != S6NET_ACCESSRULES_NOTFOUND) return r ;
- i += byte_chr(name+i, len-i, '.') + 1 ;
- }
- }
- return (*check1)("reversedns/@", 12, data, params) ;
-}
diff --git a/src/libs6net/s6net_accessrules_keycheck_uidgid.c b/src/libs6net/s6net_accessrules_keycheck_uidgid.c
deleted file mode 100644
index a7e2200..0000000
--- a/src/libs6net/s6net_accessrules_keycheck_uidgid.c
+++ /dev/null
@@ -1,16 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include
-
-s6net_accessrules_result_t s6net_accessrules_keycheck_uidgid (void const *key, void *data, s6net_accessrules_params_t *params, s6net_accessrules_backend_func_t_ref check1)
-{
- char fmt[4 + UINT_FMT] = "uid/" ;
- register s6net_accessrules_result_t r = (*check1)(fmt, 4 + uint_fmt(fmt+4, ((diuint const *)key)->left), data, params) ;
- if (r != S6NET_ACCESSRULES_NOTFOUND) return r ;
- fmt[0] = 'g' ;
- r = (*check1)(fmt, 4 + uint_fmt(fmt+4, ((diuint const *)key)->right), data, params) ;
- return (r != S6NET_ACCESSRULES_NOTFOUND) ? r :
- (*check1)("uid/default", 11, data, params) ;
-}
diff --git a/src/libs6net/s6net_accessrules_uidgid_cdb.c b/src/libs6net/s6net_accessrules_uidgid_cdb.c
deleted file mode 100644
index 1836389..0000000
--- a/src/libs6net/s6net_accessrules_uidgid_cdb.c
+++ /dev/null
@@ -1,11 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-#include
-
-s6net_accessrules_result_t s6net_accessrules_uidgid_cdb (unsigned int uid, unsigned int gid, struct cdb *c, s6net_accessrules_params_t *params)
-{
- diuint uidgid = { uid, gid } ;
- return s6net_accessrules_keycheck_uidgid(&uidgid, c, params, &s6net_accessrules_backend_cdb) ;
-}
diff --git a/src/libs6net/s6net_accessrules_uidgid_fs.c b/src/libs6net/s6net_accessrules_uidgid_fs.c
deleted file mode 100644
index db2e909..0000000
--- a/src/libs6net/s6net_accessrules_uidgid_fs.c
+++ /dev/null
@@ -1,10 +0,0 @@
-/* ISC license. */
-
-#include
-#include
-
-s6net_accessrules_result_t s6net_accessrules_uidgid_fs (unsigned int uid, unsigned int gid, char const *rulesdir, s6net_accessrules_params_t *params)
-{
- diuint uidgid = { uid, gid } ;
- return s6net_accessrules_keycheck_uidgid(&uidgid, (void *)rulesdir, params, &s6net_accessrules_backend_fs) ;
-}
--
cgit v1.2.3