From ebfd0ba17e0d4b220725018d16e294e8e22a1745 Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Thu, 15 Jan 2015 20:51:39 +0000 Subject: Move Unix domain socket and access control stuff to s6. Move seekablepipe to s6-portable-utils. Version: 2.0.1.0, release candidate --- doc/index.html | 26 +- doc/libs6net/accessrules.html | 331 ----------------- doc/libs6net/index.html | 2 - doc/localservice.html | 151 -------- doc/s6-accessrules-cdb-from-fs.html | 141 -------- doc/s6-accessrules-fs-from-cdb.html | 60 ---- doc/s6-connlimit.html | 96 ----- doc/s6-ioconnect.html | 84 ----- doc/s6-ipcclient.html | 65 ---- doc/s6-ipcserver-access.html | 172 --------- doc/s6-ipcserver-socketbinder.html | 72 ---- doc/s6-ipcserver.html | 173 --------- doc/s6-ipcserverd.html | 131 ------- doc/s6-sudo.html | 59 --- doc/s6-sudoc.html | 80 ----- doc/s6-sudod.html | 165 --------- doc/s6-tcpserver-access.html | 18 +- doc/seekablepipe.html | 36 -- package/deps.mak | 58 +-- package/modes | 13 - package/targets.mak | 13 - src/conn-tools/deps-exe/s6-accessrules-cdb-from-fs | 4 - src/conn-tools/deps-exe/s6-accessrules-fs-from-cdb | 1 - src/conn-tools/deps-exe/s6-connlimit | 1 - src/conn-tools/deps-exe/s6-ioconnect | 3 - src/conn-tools/deps-exe/s6-ipcclient | 2 - src/conn-tools/deps-exe/s6-ipcserver | 1 - src/conn-tools/deps-exe/s6-ipcserver-access | 3 - src/conn-tools/deps-exe/s6-ipcserver-socketbinder | 2 - src/conn-tools/deps-exe/s6-ipcserverd | 2 - src/conn-tools/deps-exe/s6-sudo | 1 - src/conn-tools/deps-exe/s6-sudoc | 3 - src/conn-tools/deps-exe/s6-sudod | 3 - src/conn-tools/deps-exe/s6-tcpserver-access | 1 + src/conn-tools/deps-exe/seekablepipe | 1 - src/conn-tools/s6-accessrules-cdb-from-fs.c | 195 ---------- src/conn-tools/s6-accessrules-fs-from-cdb.c | 177 --------- src/conn-tools/s6-connlimit.c | 39 -- src/conn-tools/s6-ioconnect.c | 187 ---------- src/conn-tools/s6-ipcclient.c | 66 ---- src/conn-tools/s6-ipcserver-access.c | 211 ----------- src/conn-tools/s6-ipcserver-socketbinder.c | 49 --- src/conn-tools/s6-ipcserver.c | 128 ------- src/conn-tools/s6-ipcserverd.c | 399 --------------------- src/conn-tools/s6-sudo.c | 67 ---- src/conn-tools/s6-sudo.h | 11 - src/conn-tools/s6-sudoc.c | 115 ------ src/conn-tools/s6-sudod.c | 233 ------------ src/conn-tools/s6-tcpserver-access.c | 39 +- src/conn-tools/seekablepipe.c | 41 --- src/include/s6-networking/accessrules.h | 53 --- src/include/s6-networking/s6net.h | 1 - src/libs6net/deps-lib/s6net | 8 - src/libs6net/s6net_accessrules_backend_cdb.c | 38 -- src/libs6net/s6net_accessrules_backend_fs.c | 58 --- src/libs6net/s6net_accessrules_keycheck_ip4.c | 24 -- src/libs6net/s6net_accessrules_keycheck_ip6.c | 27 -- .../s6net_accessrules_keycheck_reversedns.c | 27 -- src/libs6net/s6net_accessrules_keycheck_uidgid.c | 16 - src/libs6net/s6net_accessrules_uidgid_cdb.c | 11 - src/libs6net/s6net_accessrules_uidgid_fs.c | 10 - 61 files changed, 39 insertions(+), 4165 deletions(-) delete mode 100644 doc/libs6net/accessrules.html delete mode 100644 doc/localservice.html delete mode 100644 doc/s6-accessrules-cdb-from-fs.html delete mode 100644 doc/s6-accessrules-fs-from-cdb.html delete mode 100644 doc/s6-connlimit.html delete mode 100644 doc/s6-ioconnect.html delete mode 100644 doc/s6-ipcclient.html delete mode 100644 doc/s6-ipcserver-access.html delete mode 100644 doc/s6-ipcserver-socketbinder.html delete mode 100644 doc/s6-ipcserver.html delete mode 100644 doc/s6-ipcserverd.html delete mode 100644 doc/s6-sudo.html delete mode 100644 doc/s6-sudoc.html delete mode 100644 doc/s6-sudod.html delete mode 100644 doc/seekablepipe.html delete mode 100644 src/conn-tools/deps-exe/s6-accessrules-cdb-from-fs delete mode 100644 src/conn-tools/deps-exe/s6-accessrules-fs-from-cdb delete mode 100644 src/conn-tools/deps-exe/s6-connlimit delete mode 100644 src/conn-tools/deps-exe/s6-ioconnect delete mode 100644 src/conn-tools/deps-exe/s6-ipcclient delete mode 100644 src/conn-tools/deps-exe/s6-ipcserver delete mode 100644 src/conn-tools/deps-exe/s6-ipcserver-access delete mode 100644 src/conn-tools/deps-exe/s6-ipcserver-socketbinder delete mode 100644 src/conn-tools/deps-exe/s6-ipcserverd delete mode 100644 src/conn-tools/deps-exe/s6-sudo delete mode 100644 src/conn-tools/deps-exe/s6-sudoc delete mode 100644 src/conn-tools/deps-exe/s6-sudod delete mode 100644 src/conn-tools/deps-exe/seekablepipe delete mode 100644 src/conn-tools/s6-accessrules-cdb-from-fs.c delete mode 100644 src/conn-tools/s6-accessrules-fs-from-cdb.c delete mode 100644 src/conn-tools/s6-connlimit.c delete mode 100644 src/conn-tools/s6-ioconnect.c delete mode 100644 src/conn-tools/s6-ipcclient.c delete mode 100644 src/conn-tools/s6-ipcserver-access.c delete mode 100644 src/conn-tools/s6-ipcserver-socketbinder.c delete mode 100644 src/conn-tools/s6-ipcserver.c delete mode 100644 src/conn-tools/s6-ipcserverd.c delete mode 100644 src/conn-tools/s6-sudo.c delete mode 100644 src/conn-tools/s6-sudo.h delete mode 100644 src/conn-tools/s6-sudoc.c delete mode 100644 src/conn-tools/s6-sudod.c delete mode 100644 src/conn-tools/seekablepipe.c delete mode 100644 src/include/s6-networking/accessrules.h delete mode 100644 src/libs6net/s6net_accessrules_backend_cdb.c delete mode 100644 src/libs6net/s6net_accessrules_backend_fs.c delete mode 100644 src/libs6net/s6net_accessrules_keycheck_ip4.c delete mode 100644 src/libs6net/s6net_accessrules_keycheck_ip6.c delete mode 100644 src/libs6net/s6net_accessrules_keycheck_reversedns.c delete mode 100644 src/libs6net/s6net_accessrules_keycheck_uidgid.c delete mode 100644 src/libs6net/s6net_accessrules_uidgid_cdb.c delete mode 100644 src/libs6net/s6net_accessrules_uidgid_fs.c diff --git a/doc/index.html b/doc/index.html index 3b65640..c6d61fa 100644 --- a/doc/index.html +++ b/doc/index.html @@ -45,7 +45,7 @@ compiled with IPv6 support, s6-networking is IPv6-ready.
  • execline version 2.0.1.1 or later
  • s6 version -2.0.1.0 or later
  • +2.0.2.0 or later
  • s6-dns version 2.0.0.2 or later
  • @@ -60,7 +60,7 @@ compiled with IPv6 support, s6-networking is IPv6-ready.

    Download

    @@ -102,7 +102,7 @@ relevant page.
  • The s6-taiclockd program
  • -

    UCSPI implementation

    +

    UCSPI TCP implementation

    -

    TCP and Unix access control

    +

    TCP access control

    - -

    suidless privilege gain

    - -

    IDENT protocol implementation

    @@ -148,7 +132,6 @@ relevant page.

    Miscellaneous utilities

    @@ -157,7 +140,6 @@ relevant page.
    diff --git a/doc/libs6net/accessrules.html b/doc/libs6net/accessrules.html deleted file mode 100644 index ea996b7..0000000 --- a/doc/libs6net/accessrules.html +++ /dev/null @@ -1,331 +0,0 @@ - - - - - s6-networking: the accessrules library interface - - - - - - -

    -libs6net
    -s6-networking
    -Software
    -skarnet.org -

    - -

    The accessrules library interface

    - -

    - The following functions and structures are declared in the s6-networking/accessrules.h header, -and implemented in the libs6net.a or libs6net.so library. -

    - -

    General information

    - -

    - s6net_accessrules is an access control library. It looks up -a key in a user-specified database, then returns a code depending on -whether the database allows access (in which case additional information -can also be returned), denies access, or does not contain the key. -

    - -

    - accessrules has been designed to be easily extensible to any -database format and any key format. -

    - -

    - Check the s6-networking/accessrules.h header for the exact definitions. -

    - -

    Data structures

    - - - -

    Function types

    - -

    Backend lookups

    - -

    - A s6net_accessrules_backend_func_t is the type of a function -that takes a single key, looks it up in a database, and returns the result. -Namely: -

    - -

    -s6net_accessrules_result_t f (char const *key, unsigned int keylen, void *handle, s6net_accessrules_params_t *params) -

    - -

    - f looks up key key of length keylen in the database -represented by handle in an implementation-defined way. It returns a -number that says the key has been allowed, denied or not found, or an error -occurred. If the key has been allowed, f stores additional information -from the database into *params. -

    - -

    - Two s6net_accessrules_backend_func_t functions are natively implemented: -

    - - - -

    Frontend key checking

    - -

    - A s6net_accessrules_keycheck_func_t is the type of a function that -takes a user-level key, makes a list of corresponding backend-level keys and -calls a s6net_accessrules_backend_func_t function until it finds -a match. Namely: -

    - -

    -s6net_accessrules_result_t f (void const *key, void *handle, s6net_accessrules_params_t *params, s6net_accessrules_backend_func_t *backend) -

    - -

    - f derives a list of low-level keys to check from key. -Then, for each key k of length klen in this list, it calls -(*backend)(k, klen, handle, params), returning *backend's result if it -is not S6NET_ACCESSRULES_NOTFOUND. If no match can be found in the whole list, -f finally returns S6NET_ACCESSRULES_NOTFOUND. -

    - -

    - Five s6net_accessrules_keycheck_func_t functions are natively implemented: -

    - - - -

    Ready-to-use functions

    - - Those functions are mostly macros; they're built by associating a frontend -function with a backend function. - -

    - s6net_accessrules_result_t s6net_accessrules_uidgid_cdb -(unsigned int u, unsigned int g, struct cdb *c, -s6net_accessrules_params_t *params)
    -Checks the *c CDB database for an authorization for uid u -and gid g. If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

    - -

    - s6net_accessrules_result_t s6net_accessrules_uidgid_fs -(unsigned int u, unsigned int g, char const *dir, -s6net_accessrules_params_t *params)
    -Checks the dir base directory for an authorization for uid u -and gid g. If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

    - -

    - s6net_accessrules_result_t s6net_accessrules_reversedns_cdb -(char const *name, struct cdb *c, -s6net_accessrules_params_t *params)
    -Checks the *c CDB database for an authorization for the -name FQDN. If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

    - -

    - s6net_accessrules_result_t s6net_accessrules_reversedns_fs -(char const *name, char const *dir, -s6net_accessrules_params_t *params)
    -Checks the dir base directory for an authorization for the -name FQDN. If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

    - -

    - s6net_accessrules_result_t s6net_accessrules_ip4_cdb -(char const *ip4, struct cdb *c, -s6net_accessrules_params_t *params)
    -Checks the *c CDB database for an authorization for the -ip4 IPv4 address (4 network byte order characters). -If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

    - -

    - s6net_accessrules_result_t s6net_accessrules_ip4_fs -(char const *ip4, char const *dir, -s6net_accessrules_params_t *params)
    -Checks the dir base directory for an authorization for the -ip4 IPv4 address (4 network byte order characters). -If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

    - -

    - s6net_accessrules_result_t s6net_accessrules_ip6_cdb -(char const *ip6, struct cdb *c, -s6net_accessrules_params_t *params)
    -Checks the *c CDB database for an authorization for the -ip6 IPv6 address (16 network byte order characters). -If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

    - -

    - s6net_accessrules_result_t s6net_accessrules_ip6_fs -(char const *ip6, char const *dir, -s6net_accessrules_params_t *params)
    -Checks the dir base directory for an authorization for the -ip6 IPv6 address (16 network byte order characters). -If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

    - -

    - s6net_accessrules_result_t s6net_accessrules_ip46_cdb -(ip46_t *ip, struct cdb *c, -s6net_accessrules_params_t *params)
    -Checks the *c CDB database for an authorization for the -ip IP address. -If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

    - -

    - s6net_accessrules_result_t s6net_accessrules_ip46_fs -(ip46_t const *ip, char const *dir, -s6net_accessrules_params_t *params)
    -Checks the dir base directory for an authorization for the -ip IP address. -If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

    - - - diff --git a/doc/libs6net/index.html b/doc/libs6net/index.html index 4fb35ff..36440ac 100644 --- a/doc/libs6net/index.html +++ b/doc/libs6net/index.html @@ -53,8 +53,6 @@ own header.

    diff --git a/doc/localservice.html b/doc/localservice.html deleted file mode 100644 index af7aafb..0000000 --- a/doc/localservice.html +++ /dev/null @@ -1,151 +0,0 @@ - - - - - s6-networking: what is a local service - - - - - - -

    -s6-networking
    -Software
    -skarnet.org -

    - -

    Local services

    - -

    - A local service is a daemon that listens to incoming connections -on a Unix domain socket. Clients of the service are programs connecting to -this socket: the daemon performs operations on their behalf. -

    - -

    - The service is called local because it is not accessible to -clients from the network. -

    - -

    - A widely known example of a local service is the syslogd daemon. -On most implementations, it listens to the /dev/log socket. -Its clients connect to it and send their logs via the socket. The -openlog() function is just a wrapper arround the connect() -system call, the syslog() function a wrapper around write(), -and so on. -

    - -

    Benefits

    - -

    Privileges

    - -

    - The most important benefit of a local service is that it permits -controlled privilege gains without using setuid programs. -The daemon is run as user S; a client running as user C and connecting to -the daemon asks it to perform operations: those will be done as user S. -

    - -

    - Standard Unix permissions on the listening socket can be used to implement -some basic access control: to restrict access to clients belonging to group -G, change the socket to user S and group G, and give it 0420 permissions. -This is functionally equivalent to the basic access control for setuid -programs: a program having user S, group G and permissions 4750 will be -executable by group G and run with S rights. -

    - -

    - But modern systems implement the -getpeereid() -system call or library function. This function allows the server to know the -client's credentials: so fine-grained access control is possible. On those -systems, local services can do as much authentication as setuid programs, -in a much more controlled environment. -

    - -

    fd-passing

    - -

    - The most obvious difference between a local service and a network service -is that a local service does not serve network clients. But local services -have another nice perk: while network services usually only provide you -with a single channel (a TCP or UDP socket) of communication between the -client and the server, forcing you to multiplex your data into that -channel, local services allow you to have as many -communication channels as you want. -

    - -

    -(The SCTP transport layer provides a way for network services to use -several communication channels. Unfortunately, it is not widely deployed -yet, and a lot of network services still depend on TCP.) -

    - -

    - The fd-passing mechanism is Unix domain socket black magic -that allows one peer of the socket to send open file descriptors to -the other peer. So, if the server opens a pipe and sends one end of -this pipe to a client via this mechanism, there is effectively a -socket and a pipe between the client and the server. -

    - -

    UCSPI

    - -

    - The UCSPI protocol -is an easy way of abstracting clients and servers from the network. -A server written as a UCSPI server, just as it can be run -under inetd or s6-tcpserver, can be run under -s6-ipcserver: choose a socket -location and you have a local service. -

    - -

    - Fine-grained access control can be added by inserting -s6-ipcserver-access in -your server command line after s6-ipcserver. -

    - -

    - A client written as an UCSPI client, i.e. assuming it has descriptor -6 (resp. 7) open and reading from (resp. writing to) the server socket, -can be run under s6-ipcclient. -

    - -

    Use in skarnet.org software

    - -

    - skarnet.org libraries often use a separate process to handle -asynchronicity and background work in a way that's invisible to -the user. Among them are: -

    - - - -

    - Those processes are usually spawned from a client, via the corresponding -*_startf*() library call. But they can also be spawned from a -s6-ipcserver program in a local service configuration. In both cases, they -need an additional control channel to be passed from the server to -the client: the main socket is used for synchronous commands from the client -to the server and their answers, whereas the additional channel, which is -now implemented as a socket as well (but created by the server on-demand -and not bound to a local path), is used for asynchronous -notifications from the server to the client. The fd-passing mechanism -is used to transfer the additional channel from the server to the client. -

    - - - diff --git a/doc/s6-accessrules-cdb-from-fs.html b/doc/s6-accessrules-cdb-from-fs.html deleted file mode 100644 index 26105b1..0000000 --- a/doc/s6-accessrules-cdb-from-fs.html +++ /dev/null @@ -1,141 +0,0 @@ - - - - - s6-networking: the s6-accessrules-cdb-from-fs program - - - - - - -

    -s6-networking
    -Software
    -skarnet.org -

    - -

    The s6-accessrules-cdb-from-fs program

    - -

    -s6-accessrules-cdb-from-fs compiles a directory -containing a ruleset suitable for -s6-ipcserver-access or -s6-tcpserver-access into a -CDB file. -

    - -

    Interface

    - -
    -     s6-accessrules-cdb-from-fs cdbfile dir
    -
    - - - -

    Ruleset directory format

    - -

    - To be understood by s6-accessrules-cdb-from-fs, -s6-ipcserver-access, or -s6-tcpserver-access, -dir must have a specific format. -

    - -

    - dir contains a series of directories: -

    - - - -

    -Depending on the application, other directories can appear in dir -and be compiled into cdbfile, but -s6-tcpserver-access only -uses the first three, and -s6-ipcserver-access only -uses the last two. -

    - -

    - Each of those directories contains a set of rules. A rule is -a subdirectory named after the set of keys it matches, and containing -actions that will be executed if the rule is the first matching rule -for the tested key. -

    - -

    - The syntax for the rule name is dependent on the nature of keys, and -fully documented on the -accessrules -library page. For instance, a subdirectory named 192.168.0.0_27 -in the ip4 directory will match every IPv4 address in the -192.168.0.0/27 network that does not match a more precise rule. -

    - -

    - The syntax for the actions, however, is the same for every type of key. -A rule subdirectory can contain the following elements: -

    - - - -

    Notes

    - - - - - diff --git a/doc/s6-accessrules-fs-from-cdb.html b/doc/s6-accessrules-fs-from-cdb.html deleted file mode 100644 index 91ec98e..0000000 --- a/doc/s6-accessrules-fs-from-cdb.html +++ /dev/null @@ -1,60 +0,0 @@ - - - - - s6-networking: the s6-accessrules-fs-from-cdb program - - - - - - -

    -s6-networking
    -Software
    -skarnet.org -

    - -

    The s6-accessrules-fs-from-cdb program

    - -

    -s6-accessrules-fs-from-cdb decompiles a CDB database -containing a ruleset suitable for -s6-ipcserver-access or -s6-tcpserver-access and -that has been compiled with -s6-accessrules-cdb-from-fs. -

    - -

    Interface

    - -
    -     s6-accessrules-fs-from-cdb dir cdbfile
    -
    - -
    - -

    Notes

    - - - - - diff --git a/doc/s6-connlimit.html b/doc/s6-connlimit.html deleted file mode 100644 index 5008b4d..0000000 --- a/doc/s6-connlimit.html +++ /dev/null @@ -1,96 +0,0 @@ - - - - - s6-networking: the s6-connlimit program - - - - - - -

    -s6-networking
    -Software
    -skarnet.org -

    - -

    The s6-connlimit program

    - -

    -s6-connlimit is a small utility to perform IP-based -control on the number of client connections to a TCP socket, and -uid-based control on the number of client connections to a Unix -domain socket. -

    - -

    Interface

    - -
    -     s6-connlimit prog...
    -
    - - - -

    Usage

    - -

    - The s6-tcpserver4 and -s6-tcpserver6 define the PROTO environment -variable to "TCP", and spawn every child server with the TCPCONNNUM environment -variable set to the number of connections from the same IP address. - The s6-tcpserver-access program -can set environment variables depending on the client's IP address. If the -s6-tcpserver-access database is configured to set the TCPCONNMAX environment -variable for a given set of IP addresses, and s6-tcpserver-access execs into -s6-connlimit, then s6-connlimit will drop connections if there already are -${TCPCONNMAX} connections from the same client IP address. -

    - -

    - The s6-ipcserver and -s6-ipcserver-access programs can -be used the same way, with "IPC" instead of "TCP", to limit the number -of client connections by UID. -

    - -

    Example

    - -

    - The following command line: -

    - -
    -     s6-tcpserver4 -v2 -c1000 -C40 1.2.3.4 80 \
    -     s6-tcpserver-access -v2 -RHl0 -i dir \
    -     s6-connlimit \
    -     prog...
    -
    - -

    - will run a server listening to IPv4 address 1.2.3.4, on port 80, -serving up to 1000 concurrent connections, and up to 40 concurrent -connections from the same IP address, no matter what the IP address. -For every client connection, it will look up the database set up -in dir; if the connection is accepted, it will run prog.... -

    - -

    - If the dir/ip4/5.6.7.8_32/env/TCPCONNMAX file -exists and contains the string 30, then at most 30 concurrent -connections from 5.6.7.8 will execute prog..., instead of the -default of 40. -

    - - - diff --git a/doc/s6-ioconnect.html b/doc/s6-ioconnect.html deleted file mode 100644 index 5e2b6c6..0000000 --- a/doc/s6-ioconnect.html +++ /dev/null @@ -1,84 +0,0 @@ - - - - - s6-networking: the s6-ioconnect program - - - - - - -

    -s6-networking
    -Software
    -skarnet.org -

    - -

    The s6-ioconnect program

    - -

    -s6-ioconnect performs full-duplex data transmission -between two sets of open file descriptors. -

    - -

    Interface

    - -
    -     s6-ioconnect [ -t millisecs ] [ -r fdr ] [ -w fdw ] [ -0 ] [ -1 ] [ -6 ] [ -7 ]
    -
    - - - -

    Options

    - - - -

    Notes

    - - - - - diff --git a/doc/s6-ipcclient.html b/doc/s6-ipcclient.html deleted file mode 100644 index 2bb66aa..0000000 --- a/doc/s6-ipcclient.html +++ /dev/null @@ -1,65 +0,0 @@ - - - - - s6-networking: the s6-ipcclient program - - - - - - -

    -s6-networking
    -Software
    -skarnet.org -

    - -

    The s6-ipcclient program

    - -

    -s6-ipcclient is an -UCSPI client tool for -Unix domain sockets. It connects to a socket, then executes into -a program. -

    - -

    Interface

    - -
    -     s6-ipcclient [ -q | -Q | -v ] [ -p bindpath ] [ -l localname ] path prog...
    -
    - - - -

    Environment variables

    - -

    - prog... is run with -the following variables set: -

    - - - -

    Options

    - - - - - diff --git a/doc/s6-ipcserver-access.html b/doc/s6-ipcserver-access.html deleted file mode 100644 index 515138c..0000000 --- a/doc/s6-ipcserver-access.html +++ /dev/null @@ -1,172 +0,0 @@ - - - - - s6-networking: the s6-ipcserver-access program - - - - - - -

    -s6-networking
    -Software
    -skarnet.org -

    - -

    The s6-ipcserver-access program

    - -

    -s6-ipcserver-access is a command-line access -control tool for Unix domain sockets on systems where the -getpeereid() system call can be implemented. -It is meant to be run after -s6-ipcserverd and before -the application program on the s6-ipcserver command line. -

    - -

    Interface

    - -
    -     s6-ipcserver-access [ -v verbosity ] [ -E | -e ] [ -l localname ] [ -i rulesdir | -x rulesfile ] prog...
    -
    - - - -

    Environment variables

    - -

    -s6-ipcserver-access expects to inherit some environment variables from -its parent: -

    - - - -

    - Additionally, it exports the following variables before executing into -prog...: -

    - - - -

    - Also, the access rules database can instruct s6-ipcserver-access to set -up, or unset, more environment variables, depending on the client address. -

    - -

    Options

    - - - -

    Access rule checking

    - -

    - s6-ipcserver-access checks its client connection against -a ruleset. This ruleset can be implemented: -

    - - - -

    - The exact format of the ruleset is described on the -s6-accessrules-cdb-from-fs page. -

    - -

    -s6-ipcserver-access first reads the client UID uid and -GID gid from the -${PROTO}REMOTEEUID and ${PROTO}REMOTEEGID environment variables, and checks -them with the -s6net_accessrules_keycheck_uidgid() -function. In other words, it tries to match: - -

    - -

    - in that order. If no S6NET_ACCESSRULES_ALLOW result can be obtained, -the connection is denied. -

    - -

    Environment and executable modifications

    - -

    - s6-ipcserver-access interprets non-empty env subdirectories -and exec files -it finds in the first matching rule of the ruleset, as explained -in the s6-accessrules-cdb-from-fs -page. -

    - - - - - diff --git a/doc/s6-ipcserver-socketbinder.html b/doc/s6-ipcserver-socketbinder.html deleted file mode 100644 index 2c8d993..0000000 --- a/doc/s6-ipcserver-socketbinder.html +++ /dev/null @@ -1,72 +0,0 @@ - - - - - s6-networking: the s6-ipcserver-socketbinder program - - - - - - -

    -s6-networking
    -Software
    -skarnet.org -

    - -

    The s6-ipcserver-socketbinder program

    - -

    -s6-ipcserver-socketbinder binds a Unix domain -socket, then executes a program. -

    - -

    Interface

    - -
    -     s6-ipcserver-socketbinder [ -d | -D ] [ -b backlog ] path prog...
    -
    - - - -

    Options

    - - - -

    Notes

    - - - - - diff --git a/doc/s6-ipcserver.html b/doc/s6-ipcserver.html deleted file mode 100644 index 4b52888..0000000 --- a/doc/s6-ipcserver.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - s6-networking: the s6-ipcserver program - - - - - - -

    -s6-networking
    -Software
    -skarnet.org -

    - -

    The s6-ipcserver program

    - -

    -s6-ipcserver is an -UCSPI server tool for -Unix domain sockets, i.e. a super-server. -It accepts connections from clients, and forks a -program to handle each connection. -

    - -

    Interface

    - -
    -     s6-ipcserver [ -1 ] [ -q | -Q | -v ] [ -d | -D ] [ -P | -p ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gidlist ] [ -g gid ] [ -u uid ] [ -U ] path prog...
    -
    - - - -

    Implementation

    - - - - -

    Options

    - - - -

    Implementation

    - - - -

    Notes

    - - - - - diff --git a/doc/s6-ipcserverd.html b/doc/s6-ipcserverd.html deleted file mode 100644 index 916de12..0000000 --- a/doc/s6-ipcserverd.html +++ /dev/null @@ -1,131 +0,0 @@ - - - - - s6-networking: the s6-ipcserverd program - - - - - - -

    -s6-networking
    -Software
    -skarnet.org -

    - -

    The s6-ipcserverd program

    - -

    -s6-ipcserverd is the serving part of the -s6-ipcserver super-server. -It assumes that its stdin is a bound and listening Unix -domain socket, and -it accepts connections from clients connecting to it, forking a -program to handle each connection. -

    - -

    Interface

    - -
    -     s6-ipcserverd [ -1 ] [ -v verbosity ] [ -P | -p ] [ -c maxconn ] [ -C localmaxconn ] prog...
    -
    - - - -

    Environment variables

    - -

    - For each connection, an instance of prog... is spawned with -the following variables set: -

    - - - -

    - If client credentials lookup has been disabled, IPCREMOTEEUID and -IPCREMOTEEUID will be set, but empty. -

    - - -

    Options

    - - - -

    Signals

    - - - -

    Notes

    - - - - - diff --git a/doc/s6-sudo.html b/doc/s6-sudo.html deleted file mode 100644 index 603ad8a..0000000 --- a/doc/s6-sudo.html +++ /dev/null @@ -1,59 +0,0 @@ - - - - - s6-networking: the s6-sudo program - - - - - - -

    -s6-networking
    -Software
    -skarnet.org -

    - -

    The s6-sudo program

    - -

    -s6-sudo connects to a Unix domain socket and passes -its standard file descriptors, command-line arguments and -environment to a program running on the server side, potentially -with different privileges. -

    - -

    Interface

    - -
    -     s6-sudo [ -q | -Q | -v ] [ -p bindpath ] [ -l localname ] [ -e ] [ -t timeoutconn ] [ -T timeoutrun ] path [ args... ]
    -
    - - - -

    Options

    - - - - - diff --git a/doc/s6-sudoc.html b/doc/s6-sudoc.html deleted file mode 100644 index def09a9..0000000 --- a/doc/s6-sudoc.html +++ /dev/null @@ -1,80 +0,0 @@ - - - - - s6-networking: the s6-sudoc program - - - - - - -

    -s6-networking
    -Software
    -skarnet.org -

    - -

    The s6-sudoc program

    - -

    -s6-sudoc talks to a peer s6-sudod -program over a Unix socket, passing it command-line arguments, environment -variables and standard descriptors. -

    - -

    Interface

    - -
    -     s6-sudoc [ -e ] [ -t timeoutconn ] [ -T timeoutrun ] [ args... ]
    -
    - - - -

    Options

    - - - -

    Notes

    - - - - - diff --git a/doc/s6-sudod.html b/doc/s6-sudod.html deleted file mode 100644 index c783736..0000000 --- a/doc/s6-sudod.html +++ /dev/null @@ -1,165 +0,0 @@ - - - - - s6-networking: the s6-sudod program - - - - - - -

    -s6-networking
    -Software
    -skarnet.org -

    - -

    The s6-sudod program

    - -

    -s6-sudod receives command-line arguments, environment variables -and standard descriptors from a peer s6-sudoc -program over a Unix socket, then forks another program. -

    - -

    Interface

    - -
    -     s6-sudod [ -0 ] [ -1 ] [ -2 ] [ -s ] [ -t timeout ] [ sargv... ]
    -
    - - - -

    Environment

    - -

    -s6-sudod transmits its own environment to its child, plus the environment sent -by s6-sudoc, filtered in the following manner: -for every variable sent by s6-sudoc, if the -variable is present but empty in s6-sudod's environment, then -its value is overriden by the value given by s6-sudoc. A variable that is -already nonempty, or that doesn't exist, in s6-sudod's environment, will not -be transmitted to the child. -

    - -

    Options

    - - - -

    Usage example

    - -

    - The typical use of s6-sudod is in a -local service with a -s6-ipcserver process listening on a Unix -socket, a s6-ipcserver-access process -performing client authentication and access control, and possibly a -s6-envdir -process setting up the environment variables that will be accepted by -s6-sudod. The following script, meant to be a run script in a -service directory, -will set up a privileged program: -

    - -
    -#!/command/execlineb -P
    -fdmove -c 2 1
    -s6-envuidgid serveruser
    -s6-ipcserver -U -- serversocket
    -s6-ipcserver-access -v2 -l0 -i rules --
    -exec -c
    -s6-envdir env
    -s6-sudod
    -sargv
    -
    - - - -

    - This means that user clientuser running -s6-sudo serversocket cargv will be -able, if authorized by the configuration in rules, to run -sargv cargv as user serveruser, with stdin, -stdout, stderr and the environment variables properly listed in env -transmitted to sargv. -

    - -

    Notes

    - - - - - diff --git a/doc/s6-tcpserver-access.html b/doc/s6-tcpserver-access.html index a89d9e3..435c92d 100644 --- a/doc/s6-tcpserver-access.html +++ b/doc/s6-tcpserver-access.html @@ -163,13 +163,13 @@ needed to perform searches in a CDB than in the filesystem.

    The exact format of the ruleset is described on the -s6-accessrules-cdb-from-fs page. +s6-accessrules-cdb-from-fs page.

    s6-tcpserver-access first gets the remote address ip of the client and converts it to canonical form. Then it checks it with the -s6net_accessrules_keycheck_ip46() +s6_accessrules_keycheck_ip46() function. In other words, it tries to match broader and broader network prefixes of ip, from ip4/ip_32 to ip4/0.0.0.0_0 if ip is v4, or from @@ -177,10 +177,10 @@ prefixes of ip, from ip4/ip_32 to is v6. If the result is:

    -
  • S6NET_ACCESSRULES_ERROR: it immediately exits 111.
  • -
  • S6NET_ACCESSRULES_DENY: it immediately exits 1.
  • -
  • S6NET_ACCESSRULES_ALLOW: it grants access.
  • -
  • S6NET_ACCESSRULES_NOTFOUND: more information is needed.
  • +
  • S6_ACCESSRULES_ERROR: it immediately exits 111.
  • +
  • S6_ACCESSRULES_DENY: it immediately exits 1.
  • +
  • S6_ACCESSRULES_ALLOW: it grants access.
  • +
  • S6_ACCESSRULES_NOTFOUND: more information is needed.
  • @@ -188,12 +188,12 @@ is v6. If the result is: is denied. But if s6-tcpserver-access is authorized to perform DNS lookups, then it gets the remote name of the client, remotehost, and checks it with the -s6net_accessrules_keycheck_reversedns() +s6_accessrules_keycheck_reversedns() function. In other words, it tries to match shorter and shorter suffixes of remotehost, from reversedns/remotehost to reversedns/@. This time, the connection is denied is the result is anything else than -S6NET_ACCESSRULES_ALLOW. +S6_ACCESSRULES_ALLOW.

    @@ -208,7 +208,7 @@ query on remotehost does not match ip. s6-tcpserver-access interprets non-empty env subdirectories and exec files it finds in the matching rule of the ruleset, as explained -in the s6-accessrules-cdb-from-fs +in the s6-accessrules-cdb-from-fs page.

    diff --git a/doc/seekablepipe.html b/doc/seekablepipe.html deleted file mode 100644 index cd17b2e..0000000 --- a/doc/seekablepipe.html +++ /dev/null @@ -1,36 +0,0 @@ - - - - - s6-networking: the seekablepipe program - - - - - - -

    -s6-networking
    -Software
    -skarnet.org -

    - -

    The seekablepipe program

    - -seekablepipe turns the reading end of a pipe into a seekable -file descriptor, using a temporary file. - -

    Interface

    - -
    -     writer | seekablepipe tmpfile reader [ args ... ]
    -
    - -

    -seekablepipe writes writer's output to tmpfile, -which is unlinked as soon as it is created. Then it execs into -reader, reading from a file descriptor on tmpfile. -

    - - - diff --git a/package/deps.mak b/package/deps.mak index ab24798..b0f8835 100644 --- a/package/deps.mak +++ b/package/deps.mak @@ -2,28 +2,16 @@ # This file has been generated by tools/gen-deps.sh # -src/include/s6-networking/s6net.h: src/include/s6-networking/accessrules.h src/include/s6-networking/ident.h +src/include/s6-networking/s6net.h: src/include/s6-networking/ident.h src/clock/s6-clockadd.o src/clock/s6-clockadd.lo: src/clock/s6-clockadd.c src/clock/s6-clockview.o src/clock/s6-clockview.lo: src/clock/s6-clockview.c src/clock/s6-sntpclock.o src/clock/s6-sntpclock.lo: src/clock/s6-sntpclock.c src/clock/s6-taiclock.o src/clock/s6-taiclock.lo: src/clock/s6-taiclock.c src/clock/s6-taiclockd.o src/clock/s6-taiclockd.lo: src/clock/s6-taiclockd.c -src/conn-tools/s6-accessrules-cdb-from-fs.o src/conn-tools/s6-accessrules-cdb-from-fs.lo: src/conn-tools/s6-accessrules-cdb-from-fs.c -src/conn-tools/s6-accessrules-fs-from-cdb.o src/conn-tools/s6-accessrules-fs-from-cdb.lo: src/conn-tools/s6-accessrules-fs-from-cdb.c -src/conn-tools/s6-connlimit.o src/conn-tools/s6-connlimit.lo: src/conn-tools/s6-connlimit.c src/conn-tools/s6-getservbyname.o src/conn-tools/s6-getservbyname.lo: src/conn-tools/s6-getservbyname.c src/conn-tools/s6-ident-client.o src/conn-tools/s6-ident-client.lo: src/conn-tools/s6-ident-client.c src/include/s6-networking/ident.h -src/conn-tools/s6-ioconnect.o src/conn-tools/s6-ioconnect.lo: src/conn-tools/s6-ioconnect.c -src/conn-tools/s6-ipcclient.o src/conn-tools/s6-ipcclient.lo: src/conn-tools/s6-ipcclient.c -src/conn-tools/s6-ipcserver-access.o src/conn-tools/s6-ipcserver-access.lo: src/conn-tools/s6-ipcserver-access.c src/include/s6-networking/accessrules.h -src/conn-tools/s6-ipcserver-socketbinder.o src/conn-tools/s6-ipcserver-socketbinder.lo: src/conn-tools/s6-ipcserver-socketbinder.c -src/conn-tools/s6-ipcserver.o src/conn-tools/s6-ipcserver.lo: src/conn-tools/s6-ipcserver.c src/include/s6-networking/config.h -src/conn-tools/s6-ipcserverd.o src/conn-tools/s6-ipcserverd.lo: src/conn-tools/s6-ipcserverd.c -src/conn-tools/s6-sudo.o src/conn-tools/s6-sudo.lo: src/conn-tools/s6-sudo.c src/include/s6-networking/config.h -src/conn-tools/s6-sudoc.o src/conn-tools/s6-sudoc.lo: src/conn-tools/s6-sudoc.c src/conn-tools/s6-sudo.h -src/conn-tools/s6-sudod.o src/conn-tools/s6-sudod.lo: src/conn-tools/s6-sudod.c src/conn-tools/s6-sudo.h src/conn-tools/s6-tcpclient.o src/conn-tools/s6-tcpclient.lo: src/conn-tools/s6-tcpclient.c src/include/s6-networking/ident.h -src/conn-tools/s6-tcpserver-access.o src/conn-tools/s6-tcpserver-access.lo: src/conn-tools/s6-tcpserver-access.c src/include/s6-networking/s6net.h +src/conn-tools/s6-tcpserver-access.o src/conn-tools/s6-tcpserver-access.lo: src/conn-tools/s6-tcpserver-access.c src/include/s6-networking/ident.h src/conn-tools/s6-tcpserver.o src/conn-tools/s6-tcpserver.lo: src/conn-tools/s6-tcpserver.c src/include/s6-networking/config.h src/conn-tools/s6-tcpserver4-socketbinder.o src/conn-tools/s6-tcpserver4-socketbinder.lo: src/conn-tools/s6-tcpserver4-socketbinder.c src/conn-tools/s6-tcpserver4.o src/conn-tools/s6-tcpserver4.lo: src/conn-tools/s6-tcpserver4.c src/include/s6-networking/config.h @@ -31,22 +19,12 @@ src/conn-tools/s6-tcpserver4d.o src/conn-tools/s6-tcpserver4d.lo: src/conn-tools src/conn-tools/s6-tcpserver6-socketbinder.o src/conn-tools/s6-tcpserver6-socketbinder.lo: src/conn-tools/s6-tcpserver6-socketbinder.c src/conn-tools/s6-tcpserver6.o src/conn-tools/s6-tcpserver6.lo: src/conn-tools/s6-tcpserver6.c src/include/s6-networking/config.h src/conn-tools/s6-tcpserver6d.o src/conn-tools/s6-tcpserver6d.lo: src/conn-tools/s6-tcpserver6d.c -src/conn-tools/seekablepipe.o src/conn-tools/seekablepipe.lo: src/conn-tools/seekablepipe.c -src/libs6net/s6net_accessrules_backend_cdb.o src/libs6net/s6net_accessrules_backend_cdb.lo: src/libs6net/s6net_accessrules_backend_cdb.c src/include/s6-networking/accessrules.h -src/libs6net/s6net_accessrules_backend_fs.o src/libs6net/s6net_accessrules_backend_fs.lo: src/libs6net/s6net_accessrules_backend_fs.c src/include/s6-networking/accessrules.h -src/libs6net/s6net_accessrules_keycheck_ip4.o src/libs6net/s6net_accessrules_keycheck_ip4.lo: src/libs6net/s6net_accessrules_keycheck_ip4.c src/include/s6-networking/accessrules.h -src/libs6net/s6net_accessrules_keycheck_ip6.o src/libs6net/s6net_accessrules_keycheck_ip6.lo: src/libs6net/s6net_accessrules_keycheck_ip6.c src/include/s6-networking/accessrules.h -src/libs6net/s6net_accessrules_keycheck_reversedns.o src/libs6net/s6net_accessrules_keycheck_reversedns.lo: src/libs6net/s6net_accessrules_keycheck_reversedns.c src/include/s6-networking/accessrules.h -src/libs6net/s6net_accessrules_keycheck_uidgid.o src/libs6net/s6net_accessrules_keycheck_uidgid.lo: src/libs6net/s6net_accessrules_keycheck_uidgid.c src/include/s6-networking/accessrules.h -src/libs6net/s6net_accessrules_uidgid_cdb.o src/libs6net/s6net_accessrules_uidgid_cdb.lo: src/libs6net/s6net_accessrules_uidgid_cdb.c src/include/s6-networking/accessrules.h -src/libs6net/s6net_accessrules_uidgid_fs.o src/libs6net/s6net_accessrules_uidgid_fs.lo: src/libs6net/s6net_accessrules_uidgid_fs.c src/include/s6-networking/accessrules.h src/libs6net/s6net_ident_client.o src/libs6net/s6net_ident_client.lo: src/libs6net/s6net_ident_client.c src/include/s6-networking/ident.h src/libs6net/s6net_ident_error.o src/libs6net/s6net_ident_error.lo: src/libs6net/s6net_ident_error.c src/include/s6-networking/ident.h src/libs6net/s6net_ident_reply_get.o src/libs6net/s6net_ident_reply_get.lo: src/libs6net/s6net_ident_reply_get.c src/include/s6-networking/ident.h src/libs6net/s6net_ident_reply_parse.o src/libs6net/s6net_ident_reply_parse.lo: src/libs6net/s6net_ident_reply_parse.c src/include/s6-networking/ident.h src/minidentd/mgetuid-default.o src/minidentd/mgetuid-default.lo: src/minidentd/mgetuid-default.c src/minidentd/mgetuid.h src/minidentd/mgetuid-linux.o src/minidentd/mgetuid-linux.lo: src/minidentd/mgetuid-linux.c src/minidentd/mgetuid.h -src/minidentd/mgetuid.o src/minidentd/mgetuid.lo: src/minidentd/mgetuid.c src/minidentd/mgetuid.h src/minidentd/minidentd.o src/minidentd/minidentd.lo: src/minidentd/minidentd.c src/minidentd/mgetuid.h s6-clockadd: private EXTRA_LIBS := ${SYSCLOCK_LIB} @@ -59,40 +37,16 @@ s6-taiclock: private EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB} s6-taiclock: src/clock/s6-taiclock.o -lskarnet s6-taiclockd: private EXTRA_LIBS := ${SOCKET_LIB} ${SYSCLOCK_LIB} s6-taiclockd: src/clock/s6-taiclockd.o -lskarnet -s6-accessrules-cdb-from-fs: private EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB} -s6-accessrules-cdb-from-fs: src/conn-tools/s6-accessrules-cdb-from-fs.o ${LIBS6NET} -lskarnet -s6-accessrules-fs-from-cdb: private EXTRA_LIBS := -s6-accessrules-fs-from-cdb: src/conn-tools/s6-accessrules-fs-from-cdb.o -lskarnet -s6-connlimit: private EXTRA_LIBS := -s6-connlimit: src/conn-tools/s6-connlimit.o -lskarnet s6-getservbyname: private EXTRA_LIBS := ${SOCKET_LIB} s6-getservbyname: src/conn-tools/s6-getservbyname.o -lskarnet s6-ident-client: private EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB} s6-ident-client: src/conn-tools/s6-ident-client.o ${LIBS6NET} -lskarnet -s6-ioconnect: private EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB} -s6-ioconnect: src/conn-tools/s6-ioconnect.o -lskarnet -s6-ipcclient: private EXTRA_LIBS := ${SOCKET_LIB} -s6-ipcclient: src/conn-tools/s6-ipcclient.o -lskarnet -s6-ipcserver: private EXTRA_LIBS := -s6-ipcserver: src/conn-tools/s6-ipcserver.o -lskarnet -s6-ipcserver-access: private EXTRA_LIBS := ${SOCKET_LIB} -s6-ipcserver-access: src/conn-tools/s6-ipcserver-access.o ${LIBS6NET} -lskarnet -s6-ipcserver-socketbinder: private EXTRA_LIBS := ${SOCKET_LIB} -s6-ipcserver-socketbinder: src/conn-tools/s6-ipcserver-socketbinder.o -lskarnet -s6-ipcserverd: private EXTRA_LIBS := ${SOCKET_LIB} -s6-ipcserverd: src/conn-tools/s6-ipcserverd.o -lskarnet -s6-sudo: private EXTRA_LIBS := -s6-sudo: src/conn-tools/s6-sudo.o -lskarnet -s6-sudoc: private EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB} -s6-sudoc: src/conn-tools/s6-sudoc.o -lskarnet -s6-sudod: private EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB} -s6-sudod: src/conn-tools/s6-sudod.o -lskarnet s6-tcpclient: private EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB} s6-tcpclient: src/conn-tools/s6-tcpclient.o ${LIBS6NET} -ls6dns -lskarnet s6-tcpserver: private EXTRA_LIBS := s6-tcpserver: src/conn-tools/s6-tcpserver.o -lskarnet s6-tcpserver-access: private EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB} -s6-tcpserver-access: src/conn-tools/s6-tcpserver-access.o ${LIBS6NET} -ls6dns -lskarnet +s6-tcpserver-access: src/conn-tools/s6-tcpserver-access.o ${LIBS6NET} -ls6dns -ls6 -lskarnet s6-tcpserver4: private EXTRA_LIBS := ${SOCKET_LIB} s6-tcpserver4: src/conn-tools/s6-tcpserver4.o -lskarnet s6-tcpserver4-socketbinder: private EXTRA_LIBS := ${SOCKET_LIB} @@ -105,9 +59,7 @@ s6-tcpserver6-socketbinder: private EXTRA_LIBS := ${SOCKET_LIB} s6-tcpserver6-socketbinder: src/conn-tools/s6-tcpserver6-socketbinder.o -lskarnet s6-tcpserver6d: private EXTRA_LIBS := ${SOCKET_LIB} s6-tcpserver6d: src/conn-tools/s6-tcpserver6d.o -lskarnet -seekablepipe: private EXTRA_LIBS := -seekablepipe: src/conn-tools/seekablepipe.o -lskarnet -libs6net.a: src/libs6net/s6net_accessrules_backend_cdb.o src/libs6net/s6net_accessrules_backend_fs.o src/libs6net/s6net_accessrules_keycheck_ip4.o src/libs6net/s6net_accessrules_keycheck_ip6.o src/libs6net/s6net_accessrules_keycheck_reversedns.o src/libs6net/s6net_accessrules_keycheck_uidgid.o src/libs6net/s6net_accessrules_uidgid_cdb.o src/libs6net/s6net_accessrules_uidgid_fs.o src/libs6net/s6net_ident_client.o src/libs6net/s6net_ident_reply_get.o src/libs6net/s6net_ident_reply_parse.o src/libs6net/s6net_ident_error.o -libs6net.so: src/libs6net/s6net_accessrules_backend_cdb.lo src/libs6net/s6net_accessrules_backend_fs.lo src/libs6net/s6net_accessrules_keycheck_ip4.lo src/libs6net/s6net_accessrules_keycheck_ip6.lo src/libs6net/s6net_accessrules_keycheck_reversedns.lo src/libs6net/s6net_accessrules_keycheck_uidgid.lo src/libs6net/s6net_accessrules_uidgid_cdb.lo src/libs6net/s6net_accessrules_uidgid_fs.lo src/libs6net/s6net_ident_client.lo src/libs6net/s6net_ident_reply_get.lo src/libs6net/s6net_ident_reply_parse.lo src/libs6net/s6net_ident_error.lo +libs6net.a: src/libs6net/s6net_ident_client.o src/libs6net/s6net_ident_reply_get.o src/libs6net/s6net_ident_reply_parse.o src/libs6net/s6net_ident_error.o +libs6net.so: src/libs6net/s6net_ident_client.lo src/libs6net/s6net_ident_reply_get.lo src/libs6net/s6net_ident_reply_parse.lo src/libs6net/s6net_ident_error.lo minidentd: private EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB} minidentd: src/minidentd/minidentd.o src/minidentd/mgetuid.o -lskarnet diff --git a/package/modes b/package/modes index cc7dfa7..4d4cb19 100644 --- a/package/modes +++ b/package/modes @@ -1,11 +1,5 @@ -s6-connlimit 0755 s6-getservbyname 0755 -s6-ioconnect 0755 s6-ident-client 0755 -s6-ipcclient 0755 -s6-ipcserver 0755 -s6-ipcserverd 0755 -s6-ipcserver-socketbinder 0755 s6-tcpclient 0755 s6-tcpserver4 0755 s6-tcpserver4d 0755 @@ -14,14 +8,7 @@ s6-tcpserver6 0755 s6-tcpserver6d 0755 s6-tcpserver6-socketbinder 0755 s6-tcpserver 0755 -s6-accessrules-cdb-from-fs 0755 -s6-accessrules-fs-from-cdb 0755 -s6-ipcserver-access 0755 s6-tcpserver-access 0755 -seekablepipe 0755 -s6-sudo 0755 -s6-sudoc 0755 -s6-sudod 0755 s6-clockadd 0700 s6-clockview 0755 s6-sntpclock 0755 diff --git a/package/targets.mak b/package/targets.mak index 66b61be..1aacad2 100644 --- a/package/targets.mak +++ b/package/targets.mak @@ -1,12 +1,6 @@ BIN_TARGETS := \ -s6-connlimit \ s6-getservbyname \ -s6-ioconnect \ s6-ident-client \ -s6-ipcclient \ -s6-ipcserver \ -s6-ipcserverd \ -s6-ipcserver-socketbinder \ s6-tcpclient \ s6-tcpserver \ s6-tcpserver4 \ @@ -15,14 +9,7 @@ s6-tcpserver4-socketbinder \ s6-tcpserver6 \ s6-tcpserver6d \ s6-tcpserver6-socketbinder \ -s6-accessrules-cdb-from-fs \ -s6-accessrules-fs-from-cdb \ -s6-ipcserver-access \ s6-tcpserver-access \ -seekablepipe \ -s6-sudo \ -s6-sudoc \ -s6-sudod \ s6-clockadd \ s6-clockview \ s6-sntpclock \ diff --git a/src/conn-tools/deps-exe/s6-accessrules-cdb-from-fs b/src/conn-tools/deps-exe/s6-accessrules-cdb-from-fs deleted file mode 100644 index 407cc2d..0000000 --- a/src/conn-tools/deps-exe/s6-accessrules-cdb-from-fs +++ /dev/null @@ -1,4 +0,0 @@ -${LIBS6NET} --lskarnet -${SOCKET_LIB} -${TAINNOW_LIB} diff --git a/src/conn-tools/deps-exe/s6-accessrules-fs-from-cdb b/src/conn-tools/deps-exe/s6-accessrules-fs-from-cdb deleted file mode 100644 index e7187fe..0000000 --- a/src/conn-tools/deps-exe/s6-accessrules-fs-from-cdb +++ /dev/null @@ -1 +0,0 @@ --lskarnet diff --git a/src/conn-tools/deps-exe/s6-connlimit b/src/conn-tools/deps-exe/s6-connlimit deleted file mode 100644 index e7187fe..0000000 --- a/src/conn-tools/deps-exe/s6-connlimit +++ /dev/null @@ -1 +0,0 @@ --lskarnet diff --git a/src/conn-tools/deps-exe/s6-ioconnect b/src/conn-tools/deps-exe/s6-ioconnect deleted file mode 100644 index e027835..0000000 --- a/src/conn-tools/deps-exe/s6-ioconnect +++ /dev/null @@ -1,3 +0,0 @@ --lskarnet -${SOCKET_LIB} -${TAINNOW_LIB} diff --git a/src/conn-tools/deps-exe/s6-ipcclient b/src/conn-tools/deps-exe/s6-ipcclient deleted file mode 100644 index 19869b2..0000000 --- a/src/conn-tools/deps-exe/s6-ipcclient +++ /dev/null @@ -1,2 +0,0 @@ --lskarnet -${SOCKET_LIB} diff --git a/src/conn-tools/deps-exe/s6-ipcserver b/src/conn-tools/deps-exe/s6-ipcserver deleted file mode 100644 index e7187fe..0000000 --- a/src/conn-tools/deps-exe/s6-ipcserver +++ /dev/null @@ -1 +0,0 @@ --lskarnet diff --git a/src/conn-tools/deps-exe/s6-ipcserver-access b/src/conn-tools/deps-exe/s6-ipcserver-access deleted file mode 100644 index f328786..0000000 --- a/src/conn-tools/deps-exe/s6-ipcserver-access +++ /dev/null @@ -1,3 +0,0 @@ -${LIBS6NET} --lskarnet -${SOCKET_LIB} diff --git a/src/conn-tools/deps-exe/s6-ipcserver-socketbinder b/src/conn-tools/deps-exe/s6-ipcserver-socketbinder deleted file mode 100644 index 19869b2..0000000 --- a/src/conn-tools/deps-exe/s6-ipcserver-socketbinder +++ /dev/null @@ -1,2 +0,0 @@ --lskarnet -${SOCKET_LIB} diff --git a/src/conn-tools/deps-exe/s6-ipcserverd b/src/conn-tools/deps-exe/s6-ipcserverd deleted file mode 100644 index 19869b2..0000000 --- a/src/conn-tools/deps-exe/s6-ipcserverd +++ /dev/null @@ -1,2 +0,0 @@ --lskarnet -${SOCKET_LIB} diff --git a/src/conn-tools/deps-exe/s6-sudo b/src/conn-tools/deps-exe/s6-sudo deleted file mode 100644 index e7187fe..0000000 --- a/src/conn-tools/deps-exe/s6-sudo +++ /dev/null @@ -1 +0,0 @@ --lskarnet diff --git a/src/conn-tools/deps-exe/s6-sudoc b/src/conn-tools/deps-exe/s6-sudoc deleted file mode 100644 index e027835..0000000 --- a/src/conn-tools/deps-exe/s6-sudoc +++ /dev/null @@ -1,3 +0,0 @@ --lskarnet -${SOCKET_LIB} -${TAINNOW_LIB} diff --git a/src/conn-tools/deps-exe/s6-sudod b/src/conn-tools/deps-exe/s6-sudod deleted file mode 100644 index e027835..0000000 --- a/src/conn-tools/deps-exe/s6-sudod +++ /dev/null @@ -1,3 +0,0 @@ --lskarnet -${SOCKET_LIB} -${TAINNOW_LIB} diff --git a/src/conn-tools/deps-exe/s6-tcpserver-access b/src/conn-tools/deps-exe/s6-tcpserver-access index 661b207..87a105c 100644 --- a/src/conn-tools/deps-exe/s6-tcpserver-access +++ b/src/conn-tools/deps-exe/s6-tcpserver-access @@ -1,5 +1,6 @@ ${LIBS6NET} -ls6dns +-ls6 -lskarnet ${SOCKET_LIB} ${TAINNOW_LIB} diff --git a/src/conn-tools/deps-exe/seekablepipe b/src/conn-tools/deps-exe/seekablepipe deleted file mode 100644 index e7187fe..0000000 --- a/src/conn-tools/deps-exe/seekablepipe +++ /dev/null @@ -1 +0,0 @@ --lskarnet diff --git a/src/conn-tools/s6-accessrules-cdb-from-fs.c b/src/conn-tools/s6-accessrules-cdb-from-fs.c deleted file mode 100644 index 82da64c..0000000 --- a/src/conn-tools/s6-accessrules-cdb-from-fs.c +++ /dev/null @@ -1,195 +0,0 @@ -/* ISC license. */ - -#include -#include -#include /* for rename() */ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define USAGE "s6-accessrules-cdb-from-fs cdbfile dir" - -static stralloc tmp = STRALLOC_ZERO ; - -static void cleanup (void) -{ - register int e = errno ; - unlink(tmp.s) ; - errno = e ; -} - -static void dienomem (void) -{ - cleanup() ; - strerr_diefu1sys(111, "stralloc_catb") ; -} - -static void doit (struct cdb_make *c, stralloc *sa, unsigned int start) -{ - unsigned int tmpbase = tmp.len ; - unsigned int k = sa->len ; - if (!stralloc_readyplus(sa, 10)) dienomem() ; - stralloc_catb(sa, "/allow", 7) ; - tmp.s[tmpbase] = 0 ; - if (access(sa->s, R_OK) < 0) - { - if ((errno != ENOENT) && (errno != EACCES)) - { - cleanup() ; - strerr_diefu2sys(111, "access ", sa->s) ; - } - sa->len = k+1 ; - stralloc_catb(sa, "deny", 5) ; - if (access(sa->s, R_OK) < 0) - if ((errno != ENOENT) && (errno != EACCES)) - { - cleanup() ; - strerr_diefu2sys(111, "access ", sa->s) ; - } - else return ; - else if (cdb_make_add(c, sa->s + start, k - start, "D", 1) < 0) - { - cleanup() ; - strerr_diefu1sys(111, "cdb_make_add") ; - } - } - else - { - uint16 envlen = 0 ; - uint16 execlen = 0 ; - register int r ; - tmp.s[tmpbase] = 'A' ; - sa->len = k+1 ; - stralloc_catb(sa, "env", 4) ; - tmp.len = tmpbase + 3 ; - if ((envdir(sa->s, &tmp) < 0) && (errno != ENOENT)) - { - cleanup() ; - strerr_diefu2sys(111, "s6_envdir ", sa->s) ; - } - if (tmp.len > tmpbase + 4103) - { - cleanup() ; - strerr_diefu2sys(100, sa->s, "too big") ; - } - envlen = tmp.len - tmpbase - 3 ; - tmp.len = tmpbase ; - uint16_pack_big(tmp.s + tmpbase + 1, envlen) ; - sa->len = k+1 ; - stralloc_catb(sa, "exec", 5) ; - r = openreadnclose(sa->s, tmp.s + tmpbase + 5 + envlen, 4096) ; - if ((r < 0) && (errno != ENOENT)) - { - cleanup() ; - strerr_diefu2sys(111, "openreadnclose ", sa->s) ; - } - if (r > 0) execlen = r ; - uint16_pack_big(tmp.s + tmpbase + 3 + envlen, execlen) ; - if (cdb_make_add(c, sa->s + start, k - start, tmp.s + tmpbase, 5 + envlen + execlen) < 0) - { - cleanup() ; - strerr_diefu1sys(111, "cdb_make_add") ; - } - } -} - - -int main (int argc, char const *const *argv) -{ - stralloc sa = STRALLOC_ZERO ; - struct cdb_make c = CDB_MAKE_ZERO ; - DIR *dir ; - unsigned int start ; - int fd ; - PROG = "s6-accessrules-cdb-from-fs" ; - if (argc < 3) strerr_dieusage(100, USAGE) ; - if (!stralloc_cats(&tmp, argv[1])) return 0 ; - if (random_sauniquename(&tmp, 8) < 0) - strerr_diefu1sys(111, "random_sauniquename") ; - if (!stralloc_readyplus(&tmp, 8210)) - strerr_diefu1sys(111, "stralloc_catb") ; - stralloc_0(&tmp) ; - fd = open_trunc(tmp.s) ; - if (fd < 0) strerr_diefu2sys(111, "open_trunc ", tmp.s) ; - if (cdb_make_start(&c, fd) < 0) - { - cleanup() ; - strerr_diefu1sys(111, "cdb_make_start") ; - } - dir = opendir(argv[2]) ; - if (!dir) - { - cleanup() ; - strerr_diefu2sys(111, "opendir ", argv[2]) ; - } - if (!stralloc_cats(&sa, argv[2]) || !stralloc_catb(&sa, "/", 1)) dienomem() ; - start = sa.len ; - - for (;;) - { - DIR *subdir ; - direntry *d ; - unsigned int base ; - errno = 0 ; - d = readdir(dir) ; - if (!d) break ; - if (d->d_name[0] == '.') continue ; - sa.len = start ; - if (!stralloc_cats(&sa, d->d_name) || !stralloc_0(&sa)) dienomem() ; - base = sa.len ; - subdir = opendir(sa.s) ; - if (!subdir) - { - cleanup() ; - strerr_diefu2sys(111, "opendir ", sa.s) ; - } - sa.s[base-1] = '/' ; - for (;;) - { - errno = 0 ; - d = readdir(subdir) ; - if (!d) break ; - if (d->d_name[0] == '.') continue ; - sa.len = base ; - if (!stralloc_cats(&sa, d->d_name)) dienomem() ; - doit(&c, &sa, start) ; - } - if (errno) - { - sa.s[base-1] = 0 ; - cleanup() ; - strerr_diefu2sys(111, "readdir ", sa.s) ; - } - dir_close(subdir) ; - } - if (errno) - { - cleanup() ; - strerr_diefu2sys(111, "readdir ", argv[2]) ; - } - dir_close(dir) ; - if (cdb_make_finish(&c) < 0) - { - cleanup() ; - strerr_diefu1sys(111, "cdb_make_finish") ; - } - if (fd_sync(fd) < 0) - { - cleanup() ; - strerr_diefu1sys(111, "fd_sync") ; - } - fd_close(fd) ; - if (rename(tmp.s, argv[1]) < 0) - { - cleanup() ; - strerr_diefu4sys(111, "rename ", tmp.s, " to ", argv[1]) ; - } - return 0 ; -} diff --git a/src/conn-tools/s6-accessrules-fs-from-cdb.c b/src/conn-tools/s6-accessrules-fs-from-cdb.c deleted file mode 100644 index cbe67ef..0000000 --- a/src/conn-tools/s6-accessrules-fs-from-cdb.c +++ /dev/null @@ -1,177 +0,0 @@ -/* ISC license. */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define USAGE "s6-accessrules-fs-from-cdb dir cdbfile" - -static char const *basedir ; -unsigned int basedirlen ; - -static void cleanup () -{ - int e = errno ; - rm_rf(basedir) ; - errno = e ; -} - -static int domkdir (char const *s) -{ - return mkdir(s, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH | S_ISGID) < 0 ? (errno == EEXIST) : 1 ; -} - -static void mkdirp (char *s) -{ - mode_t m = umask(0) ; - unsigned int len = str_len(s) ; - register unsigned int i = basedirlen + 1 ; - for (; i < len ; i++) if (s[i] == '/') - { - s[i] = 0 ; - if (!domkdir(s)) goto err ; - s[i] = '/' ; - } - if (!domkdir(s)) goto err ; - umask(m) ; - return ; - - err: - cleanup() ; - strerr_diefu2sys(111, "mkdir ", s) ; -} - -static void touchtrunc (char const *file) -{ - register int fd = open_trunc(file) ; - if (fd < 0) strerr_diefu2sys(111, "open_trunc ", file) ; - fd_close(fd) ; -} - -static int doenv (char const *dir, unsigned int dirlen, char *env, unsigned int envlen) -{ - mode_t m = umask(0) ; - unsigned int i = 0 ; - if (!domkdir(dir)) - { - cleanup() ; - strerr_diefu2sys(111, "mkdir ", dir) ; - } - umask(m) ; - while (i < envlen) - { - unsigned int n = byte_chr(env + i, envlen - i, 0) ; - if (i + n >= envlen) return 0 ; - { - unsigned int p = byte_chr(env + i, n, '=') ; - char tmp[dirlen + p + 2] ; - byte_copy(tmp, dirlen, dir) ; - tmp[dirlen] = '/' ; - byte_copy(tmp + dirlen + 1, p, env + i) ; - tmp[dirlen + p + 1] = 0 ; - if (p < n) - { - env[i+n] = '\n' ; - if (!openwritenclose_unsafe(tmp, env + i + p + 1, n - p)) - { - cleanup() ; - strerr_diefu2sys(111, "openwritenclose_unsafe ", tmp) ; - } - } - else touchtrunc(tmp) ; - } - i += n + 1 ; - } - return 1 ; -} - -static int doit (struct cdb *c) -{ - unsigned int klen = cdb_keylen(c) ; - unsigned int dlen = cdb_datalen(c) ; - { - uint16 envlen, execlen ; - char name[basedirlen + klen + 8] ; - char data[dlen] ; - byte_copy(name, basedirlen, basedir) ; - name[basedirlen] = '/' ; - if (!dlen || (dlen > 8201)) return (errno = EINVAL, 0) ; - if ((cdb_read(c, name+basedirlen+1, klen, cdb_keypos(c)) < 0) - || (cdb_read(c, data, dlen, cdb_datapos(c)) < 0)) - { - cleanup() ; - strerr_diefu1sys(111, "cdb_read") ; - } - name[basedirlen + klen + 1] = 0 ; - mkdirp(name) ; - name[basedirlen + klen + 1] = '/' ; - if (data[0] == 'A') - { - byte_copy(name + basedirlen + klen + 2, 6, "allow") ; - touchtrunc(name) ; - } - else if (data[0] == 'D') - { - byte_copy(name + basedirlen + klen + 2, 5, "deny") ; - touchtrunc(name) ; - } - if (dlen < 3) return 1 ; - uint16_unpack_big(data + 1, &envlen) ; - if ((envlen > 4096U) || (3U + envlen > dlen)) return (errno = EINVAL, 0) ; - uint16_unpack_big(data + 3 + envlen, &execlen) ; - if ((execlen > 4096U) || (5U + envlen + execlen != dlen)) return (errno = EINVAL, 0) ; - if (envlen) - { - byte_copy(name + basedirlen + klen + 2, 4, "env") ; - if (!doenv(name, basedirlen + klen + 5, data + 3, envlen)) return (errno = EINVAL, 0) ; - } - byte_copy(name + basedirlen + klen + 2, 5, "exec") ; - if (execlen && !openwritenclose_unsafe(name, data + 5 + envlen, execlen)) - { - cleanup() ; - strerr_diefu2sys(111, "openwritenclose_unsafe ", name) ; - } - } - return 1 ; -} - -int main (int argc, char const *const *argv) -{ - struct cdb c = CDB_ZERO ; - uint32 kpos ; - PROG = "s6-accessrules-fs-from-cdb" ; - if (argc < 3) strerr_dieusage(100, USAGE) ; - if (cdb_mapfile(&c, argv[2]) < 0) strerr_diefu1sys(111, "cdb_mapfile") ; - basedir = argv[1] ; - basedirlen = str_len(argv[1]) ; - { - mode_t m = umask(0) ; - if (mkdir(basedir, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH | S_ISGID) < 0) - strerr_diefu2sys(111, "mkdir ", basedir) ; - umask(m) ; - } - cdb_traverse_init(&c, &kpos) ; - for (;;) - { - register int r = cdb_nextkey(&c, &kpos) ; - if (r < 0) - { - cleanup() ; - strerr_diefu1sys(111, "cdb_nextkey") ; - } - else if (!r) break ; - else if (!doit(&c)) - { - cleanup() ; - strerr_diefu1sys(111, "handle key") ; - } - } - return 0 ; -} diff --git a/src/conn-tools/s6-connlimit.c b/src/conn-tools/s6-connlimit.c deleted file mode 100644 index 19f4a2d..0000000 --- a/src/conn-tools/s6-connlimit.c +++ /dev/null @@ -1,39 +0,0 @@ -/* ISC license. */ - -#include -#include -#include -#include -#include - -int main (int argc, char const *const *argv, char const *const *envp) -{ - char const *x ; - unsigned int protolen ; - PROG = "s6-connlimit" ; - x = env_get2(envp, "PROTO") ; - if (!x) strerr_dienotset(100, "PROTO") ; - protolen = str_len(x) ; - if (!protolen) strerr_dief1x(100, "empty PROTO") ; - { - unsigned int num ; - char s[protolen + 8] ; - byte_copy(s, protolen, x) ; - byte_copy(s + protolen, 8, "CONNNUM") ; - x = env_get2(envp, s) ; - if (!x) strerr_dienotset(100, s) ; - if (!uint0_scan(x, &num)) strerr_dief2x(100, "invalid ", s) ; - byte_copy(s + protolen + 4, 4, "MAX") ; - x = env_get2(envp, s) ; - if (x) - { - unsigned int max ; - if (!uint0_scan(x, &max)) strerr_dief2x(100, "invalid ", s) ; - if (num > max) - strerr_dief2x(1, "number of connections from this client limited to ", x) ; - } - } - pathexec0_run(argv+1, envp) ; - (void)argc ; - strerr_dieexec(111, argv[1]) ; -} diff --git a/src/conn-tools/s6-ioconnect.c b/src/conn-tools/s6-ioconnect.c deleted file mode 100644 index a0217bb..0000000 --- a/src/conn-tools/s6-ioconnect.c +++ /dev/null @@ -1,187 +0,0 @@ -/* ISC license. */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define USAGE "s6-ioconnect [ -t timeout ] [ -r fdr ] [ -w fdw ] [ -0 ] [ -1 ] [ -6 ] [ -7 ]" -#define dieusage() strerr_dieusage(100, USAGE) - - -typedef struct ioblah_s ioblah_t, *ioblah_t_ref ; -struct ioblah_s -{ - unsigned int fd ; - unsigned int xindex ; - unsigned int flagsocket : 1 ; - unsigned int flagopen : 1 ; -} ; - -static ioblah_t a[2][2] = { { { 0, 4, 0, 1 }, { 7, 4, 0, 1 } }, { { 6, 4, 0, 1 }, { 1, 4, 0, 1 } } } ; -static iobuffer b[2] ; -static iopause_fd x[5] = { { -1, IOPAUSE_READ, 0 } } ; - -static void closeit (unsigned int i, unsigned int j) -{ - if (a[i][j].flagsocket) - { - if ((shutdown(a[i][j].fd, j) < 0) && (errno != ENOTSOCK) && (errno != ENOTCONN)) - strerr_warnwu4sys("shutdown ", i ? "incoming" : "outgoing", " socket for ", j ? "writing" : "reading") ; - } - fd_close(a[i][j].fd) ; - a[i][j].flagopen = 0 ; - a[i][j].xindex = 5 ; -} - -static inline void finishit (unsigned int i) -{ - closeit(i, 1) ; - iobuffer_finish(&b[i]) ; -} - -static void handle_signals (void) -{ - for (;;) - { - char c = selfpipe_read() ; - switch (c) - { - case -1 : strerr_diefu1sys(111, "selfpipe_read") ; - case 0 : return ; - case SIGTERM : - { - if (a[0][0].xindex < 5) x[a[0][0].xindex].revents |= IOPAUSE_EXCEPT ; - if (a[1][0].xindex < 5) x[a[1][0].xindex].revents |= IOPAUSE_EXCEPT ; - break ; - } - default : - strerr_dief1x(101, "internal error: inconsistent signal state. Please submit a bug-report.") ; - } - } -} - -int main (int argc, char const *const *argv) -{ - tain_t tto ; - register unsigned int i, j ; - PROG = "s6-ioconnect" ; - { - subgetopt_t l = SUBGETOPT_ZERO ; - unsigned int t = 0 ; - for (;;) - { - register int opt = subgetopt_r(argc, argv, "0167t:r:w:", &l) ; - if (opt < 0) break ; - switch (opt) - { - case '0' : a[0][0].flagsocket = 1 ; break ; - case '1' : a[1][1].flagsocket = 1 ; break ; - case '6' : a[1][0].flagsocket = 1 ; break ; - case '7' : a[0][1].flagsocket = 1 ; break ; - case 't' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ; - case 'r' : if (!uint0_scan(l.arg, &a[1][0].fd)) dieusage() ; break ; - case 'w' : if (!uint0_scan(l.arg, &a[0][1].fd)) dieusage() ; break ; - default : dieusage() ; - } - } - if (t) tain_from_millisecs(&tto, t) ; else tto = tain_infinite_relative ; - argc -= l.ind ; argv += l.ind ; - } - if ((a[0][1].fd < 3) || (a[1][0].fd < 3)) dieusage() ; - for (i = 0 ; i < 2 ; i++) - { - for (j = 0 ; j < 2 ; j++) - if (ndelay_on(a[i][j].fd) == -1) strerr_diefu1sys(111, "ndelay_on") ; - if (!iobuffer_init(&b[i], a[i][0].fd, a[i][1].fd) < 0) strerr_diefu1sys(111, "iobuffer_init") ; - } - if (sig_ignore(SIGPIPE) == -1) strerr_diefu1sys(111, "sig_ignore") ; - tain_now_g() ; - x[0].fd = selfpipe_init() ; - if (x[0].fd < 0) strerr_diefu1sys(111, "selfpipe_init") ; - if (selfpipe_trap(SIGTERM) < 0) - strerr_diefu1sys(111, "trap SIGTERM") ; - - for (;;) - { - tain_t deadline ; - unsigned int xlen = 1 ; - int r ; - - tain_add_g(&deadline, iobuffer_isempty(&b[0]) && iobuffer_isempty(&b[1]) ? &tto : &tain_infinite_relative) ; - for (i = 0 ; i < 2 ; i++) - { - a[i][0].xindex = 5 ; - if (a[i][0].flagopen && iobuffer_isreadable(&b[i])) - { - x[xlen].fd = a[i][0].fd ; - x[xlen].events = IOPAUSE_READ ; - a[i][0].xindex = xlen++ ; - } - a[i][1].xindex = 5 ; - if (a[i][1].flagopen) - { - x[xlen].fd = a[i][1].fd ; - x[xlen].events = IOPAUSE_EXCEPT | (iobuffer_isempty(&b[i]) ? 0 : IOPAUSE_WRITE) ; - a[i][1].xindex = xlen++ ; - } - } - if (xlen <= 1) break ; - - r = iopause_g(x, xlen, &deadline) ; - if (r < 0) strerr_diefu1sys(111, "iopause") ; - else if (!r) return 1 ; - - if (x[0].revents & IOPAUSE_READ) handle_signals() ; - - for (i = 0 ; i < 2 ; i++) if (a[i][1].xindex < 5) - { - if (x[a[i][1].xindex].revents & IOPAUSE_WRITE) - { - if (!iobuffer_flush(&b[i])) - { - if (!error_isagain(errno)) x[a[i][1].xindex].revents |= IOPAUSE_EXCEPT ; - } - else if (!a[i][0].flagopen) finishit(i) ; - } - if (x[a[i][1].xindex].revents & IOPAUSE_EXCEPT) - { - if (!iobuffer_isempty(&b[i])) - { - iobuffer_flush(&b[i]) ; /* sets errno */ - strerr_warnwu3sys("write ", i ? "incoming" : "outgoing", " data") ; - } - closeit(i, 0) ; finishit(i) ; - } - } - - for (i = 0 ; i < 2 ; i++) if (a[i][0].xindex < 5) - { - if (x[a[i][0].xindex].revents & IOPAUSE_READ) - { - if (sanitize_read(iobuffer_fill(&b[i])) < 0) - { - if (errno != EPIPE) strerr_warnwu3sys("read ", i ? "incoming" : "outgoing", " data") ; - x[a[i][0].xindex].revents |= IOPAUSE_EXCEPT ; - } - } - if (x[a[i][0].xindex].revents & IOPAUSE_EXCEPT) - { - closeit(i, 0) ; - if (iobuffer_isempty(&b[i])) finishit(i) ; - } - } - } - return 0 ; -} diff --git a/src/conn-tools/s6-ipcclient.c b/src/conn-tools/s6-ipcclient.c deleted file mode 100644 index c9aba1e..0000000 --- a/src/conn-tools/s6-ipcclient.c +++ /dev/null @@ -1,66 +0,0 @@ -/* ISC license. */ - -#include -#include -#include -#include -#include - -#define USAGE "s6-ipcclient [ -q | -Q | -v ] [ -p bindpath ] [ -l localname ] path prog..." - -int main (int argc, char const *const *argv, char const *const *envp) -{ - char const *bindpath = 0 ; - char const *localname = 0 ; - unsigned int verbosity = 1 ; - PROG = "s6-ipcclient" ; - { - subgetopt_t l = SUBGETOPT_ZERO ; - for (;;) - { - register int opt = subgetopt_r(argc, argv, "qQvp:l:", &l) ; - if (opt == -1) break ; - switch (opt) - { - case 'q' : if (verbosity) verbosity-- ; break ; - case 'Q' : verbosity = 1 ; break ; - case 'v' : verbosity++ ; break ; - case 'p' : bindpath = l.arg ; break ; - case 'l' : localname = l.arg ; break ; - default : strerr_dieusage(100, USAGE) ; - } - } - argc -= l.ind ; argv += l.ind ; - } - if (argc < 2) strerr_dieusage(100, USAGE) ; - { - char modif[24 + IPCPATH_MAX] = "PROTO=IPC\0IPCLOCALPATH=" ; - unsigned int i = 23 ; - int s = ipc_stream() ; - if (s == -1) strerr_diefu1sys(111, "create socket") ; - if (bindpath && (ipc_bind(s, bindpath) == -1)) - strerr_diefu2sys(111, "bind socket to ", bindpath) ; - if (!ipc_connect(s, argv[0])) - strerr_diefu2sys(111, "connect to ", argv[0]) ; - if (verbosity >= 2) strerr_warn3x(PROG, ": connected to ", argv[0]) ; - if (localname) - { - register unsigned int n = str_len(localname) ; - if (n > IPCPATH_MAX) n = IPCPATH_MAX ; - byte_copy(modif + i, n, localname) ; - i += n ; modif[i++] = 0 ; - } - else - { - int dummy ; - if (ipc_local(s, modif + i, IPCPATH_MAX, &dummy) < 0) modif[--i] = 0 ; - else i += str_len(modif + i) + 1 ; - } - if (fd_move(6, s) < 0) - strerr_diefu2sys(111, "set up fd ", "6") ; - if (fd_copy(7, 6) < 0) - strerr_diefu2sys(111, "set up fd ", "7") ; - pathexec_r(argv+1, envp, env_len(envp), modif, i) ; - } - strerr_dieexec(111, argv[1]) ; -} diff --git a/src/conn-tools/s6-ipcserver-access.c b/src/conn-tools/s6-ipcserver-access.c deleted file mode 100644 index 183f56c..0000000 --- a/src/conn-tools/s6-ipcserver-access.c +++ /dev/null @@ -1,211 +0,0 @@ -/* ISC license. */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define USAGE "s6-ipcserver-access [ -v verbosity ] [ -e | -E ] [ -l localname ] [ -i rulesdir | -x rulesfile ] prog..." - -static unsigned int verbosity = 1 ; - - /* Utility functions */ - -static inline void dieusage (void) gccattr_noreturn ; -static inline void dieusage () -{ - strerr_dieusage(100, USAGE) ; -} - -static inline void dienomem (void) gccattr_noreturn ; -static inline void dienomem () -{ - strerr_diefu1sys(111, "update environment") ; -} - -static inline void X (void) gccattr_noreturn ; -static inline void X () -{ - strerr_dief1x(101, "internal inconsistency. Please submit a bug-report.") ; -} - - - /* Logging */ - -static void logit (unsigned int pid, unsigned int uid, unsigned int gid, int h) -{ - char fmtpid[UINT_FMT] ; - char fmtuid[UINT_FMT] ; - char fmtgid[UINT_FMT] ; - fmtpid[uint_fmt(fmtpid, pid)] = 0 ; - fmtuid[uint_fmt(fmtuid, uid)] = 0 ; - fmtgid[uint_fmt(fmtgid, gid)] = 0 ; - if (h) strerr_warni7x("allow", " pid ", fmtpid, " uid ", fmtuid, " gid ", fmtgid) ; - else strerr_warni7sys("deny", " pid ", fmtpid, " uid ", fmtuid, " gid ", fmtgid) ; -} - -static inline void log_accept (unsigned int pid, unsigned int uid, unsigned int gid) -{ - logit(pid, uid, gid, 1) ; -} - -static inline void log_deny (unsigned int pid, unsigned int uid, unsigned int gid) -{ - logit(pid, uid, gid, 0) ; -} - - - /* Checking */ - -static s6net_accessrules_result_t check_cdb (unsigned int uid, unsigned int gid, char const *file, s6net_accessrules_params_t *params) -{ - struct cdb c = CDB_ZERO ; - int fd = open_readb(file) ; - register s6net_accessrules_result_t r ; - if (fd < 0) return -1 ; - if (cdb_init(&c, fd) < 0) strerr_diefu2sys(111, "cdb_init ", file) ; - r = s6net_accessrules_uidgid_cdb(uid, gid, &c, params) ; - cdb_free(&c) ; - fd_close(fd) ; - return r ; -} - -static inline int check (s6net_accessrules_params_t *params, char const *rules, unsigned int rulestype, unsigned int uid, unsigned int gid) -{ - char const *x = "" ; - s6net_accessrules_result_t r ; - switch (rulestype) - { - case 0 : - if (verbosity >= 2) strerr_warnw1x("invoked without a ruleset!") ; - return 1 ; - case 1 : - r = s6net_accessrules_uidgid_fs(uid, gid, rules, params) ; - x = "fs" ; - break ; - case 2 : - r = check_cdb(uid, gid, rules, params) ; - x = "cdb" ; - break ; - default : X() ; - } - switch (r) - { - case S6NET_ACCESSRULES_ERROR : strerr_diefu4sys(111, "check ", x, " ruleset in ", rules) ; - case S6NET_ACCESSRULES_ALLOW : return 1 ; - case S6NET_ACCESSRULES_DENY : return (errno = EACCES, 0) ; - case S6NET_ACCESSRULES_NOTFOUND : return (errno = ENOENT, 0) ; - default : X() ; - } -} - - -int main (int argc, char const *const *argv, char const *const *envp) -{ - s6net_accessrules_params_t params = S6NET_ACCESSRULES_PARAMS_ZERO ; - char const *rules = 0 ; - char const *localname = 0 ; - char const *proto ; - unsigned int protolen ; - unsigned int uid = 0, gid = 0 ; - unsigned int rulestype = 0 ; - int doenv = 1 ; - PROG = "s6-ipcserver-access" ; - { - subgetopt_t l = SUBGETOPT_ZERO ; - for (;;) - { - register int opt = subgetopt_r(argc, argv, "v:Eel:i:x:", &l) ; - if (opt == -1) break ; - switch (opt) - { - case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; - case 'E' : doenv = 0 ; break ; - case 'e' : doenv = 1 ; break ; - case 'l' : localname = l.arg ; break ; - case 'i' : rules = l.arg ; rulestype = 1 ; break ; - case 'x' : rules = l.arg ; rulestype = 2 ; break ; - default : dieusage() ; - } - } - argc -= l.ind ; argv += l.ind ; - } - if (!argc) dieusage() ; - if (!*argv[0]) dieusage() ; - - proto = env_get2(envp, "PROTO") ; - if (!proto) strerr_dienotset(100, "PROTO") ; - protolen = str_len(proto) ; - - { - char const *x ; - char tmp[protolen + 11] ; - byte_copy(tmp, protolen, proto) ; - byte_copy(tmp + protolen, 11, "REMOTEEUID") ; - x = env_get2(envp, tmp) ; - if (!x) strerr_dienotset(100, tmp) ; - if (!uint0_scan(x, &uid)) strerr_dieinvalid(100, tmp) ; - tmp[protolen + 7] = 'G' ; - x = env_get2(envp, tmp) ; - if (!x) strerr_dienotset(100, tmp) ; - if (!uint0_scan(x, &gid)) strerr_dieinvalid(100, tmp) ; - } - - if (!check(¶ms, rules, rulestype, uid, gid)) - { - if (verbosity >= 2) log_deny(getpid(), uid, gid) ; - return 1 ; - } - if (verbosity) log_accept(getpid(), uid, gid) ; - - if (doenv) - { - char tmp[protolen + 10] ; - byte_copy(tmp, protolen, proto) ; - byte_copy(tmp + protolen, 10, "LOCALPATH") ; - if (localname) - { - if (!env_addmodif(¶ms.env, tmp, localname)) dienomem() ; - } - else - { - char curname[IPCPATH_MAX+1] ; - int dummy ; - if (ipc_local(0, curname, IPCPATH_MAX+1, &dummy) < 0) - strerr_diefu1sys(111, "ipc_local") ; - if (!env_addmodif(¶ms.env, tmp, curname)) dienomem() ; - } - } - else - { - char tmp[protolen + 11] ; - byte_copy(tmp, protolen, proto) ; - byte_copy(tmp + protolen, 11, "REMOTEEUID") ; - if (!env_addmodif(¶ms.env, "PROTO", 0)) dienomem() ; - if (!env_addmodif(¶ms.env, tmp, 0)) dienomem() ; - tmp[protolen + 7] = 'G' ; - if (!env_addmodif(¶ms.env, tmp, 0)) dienomem() ; - byte_copy(tmp + protolen + 6, 5, "PATH") ; - if (!env_addmodif(¶ms.env, tmp, 0)) dienomem() ; - byte_copy(tmp + protolen, 10, "LOCALPATH") ; - if (!env_addmodif(¶ms.env, tmp, 0)) dienomem() ; - } - - if (params.exec.len) - { - char *specialargv[4] = { EXECLINE_EXTBINPREFIX "execlineb", "-c", params.exec.s, 0 } ; - pathexec_r((char const *const *)specialargv, envp, env_len(envp), params.env.s, params.env.len) ; - strerr_dieexec(111, specialargv[0]) ; - } - - pathexec_r(argv, envp, env_len(envp), params.env.s, params.env.len) ; - strerr_dieexec(111, argv[0]) ; -} diff --git a/src/conn-tools/s6-ipcserver-socketbinder.c b/src/conn-tools/s6-ipcserver-socketbinder.c deleted file mode 100644 index b5a32f3..0000000 --- a/src/conn-tools/s6-ipcserver-socketbinder.c +++ /dev/null @@ -1,49 +0,0 @@ -/* ISC license. */ - -#include -#include -#include -#include -#include -#include -#include -#include - -#define USAGE "s6-ipcserver-socketbinder [ -d | -D ] [ -b backlog ] path prog..." -#define dieusage() strerr_dieusage(100, USAGE) - -int main (int argc, char const *const *argv, char const *const *envp) -{ - unsigned int backlog = 20 ; - int flagreuse = 1 ; - PROG = "s6-ipcserver-socketbinder" ; - { - subgetopt_t l = SUBGETOPT_ZERO ; - for (;;) - { - register int opt = subgetopt_r(argc, argv, "Ddb:", &l) ; - if (opt == -1) break ; - switch (opt) - { - case 'D' : flagreuse = 0 ; break ; - case 'd' : flagreuse = 1 ; break ; - case 'b' : if (!uint0_scan(l.arg, &backlog)) dieusage() ; break ; - default : dieusage() ; - } - } - argc -= l.ind ; argv += l.ind ; - } - if (argc < 2) dieusage() ; - close(0) ; - if (ipc_stream()) strerr_diefu1sys(111, "create socket") ; - { - mode_t m = umask(0) ; - if ((flagreuse ? ipc_bind_reuse(0, argv[0]) : ipc_bind(0, argv[0])) < 0) - strerr_diefu2sys(111, "bind to ", argv[0]) ; - umask(m) ; - } - if (ipc_listen(0, backlog) < 0) strerr_diefu2sys(111, "listen to ", argv[0]) ; - - pathexec_run(argv[1], argv + 1, envp) ; - strerr_dieexec(111, argv[1]) ; -} diff --git a/src/conn-tools/s6-ipcserver.c b/src/conn-tools/s6-ipcserver.c deleted file mode 100644 index b6546f8..0000000 --- a/src/conn-tools/s6-ipcserver.c +++ /dev/null @@ -1,128 +0,0 @@ -/* ISC license. */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define USAGE "s6-ipcserver [ -q | -Q | -v ] [ -d | -D ] [ -P | -p ] [ -1 ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gid,gid,... ] [ -g gid ] [ -u uid ] [ -U ] path prog..." -#define dieusage() strerr_dieusage(100, USAGE) - -int main (int argc, char const *const *argv, char const *const *envp) -{ - unsigned int verbosity = 1 ; - int flag1 = 0 ; - int flagU = 0 ; - int flaglookup = 1 ; - int flagreuse = 1 ; - unsigned int uid = 0, gid = 0 ; - gid_t gids[NGROUPS_MAX] ; - unsigned int gidn = (unsigned int)-1 ; - unsigned int maxconn = 0 ; - unsigned int localmaxconn = 0 ; - unsigned int backlog = (unsigned int)-1 ; - PROG = "s6-ipcserver" ; - { - subgetopt_t l = SUBGETOPT_ZERO ; - for (;;) - { - register int opt = subgetopt_r(argc, argv, "qQvDd1UPpc:C:b:u:g:G:", &l) ; - if (opt == -1) break ; - switch (opt) - { - case 'q' : verbosity = 0 ; break ; - case 'Q' : verbosity = 1 ; break ; - case 'v' : verbosity = 2 ; break ; - case 'D' : flagreuse = 0 ; break ; - case 'd' : flagreuse = 1 ; break ; - case 'P' : flaglookup = 0 ; break ; - case 'p' : flaglookup = 1 ; break ; - case 'c' : if (!uint0_scan(l.arg, &maxconn)) dieusage() ; if (!maxconn) maxconn = 1 ; break ; - case 'C' : if (!uint0_scan(l.arg, &localmaxconn)) dieusage() ; if (!localmaxconn) localmaxconn = 1 ; break ; - case 'b' : if (!uint0_scan(l.arg, &backlog)) dieusage() ; break ; - case 'u' : if (!uint0_scan(l.arg, &uid)) dieusage() ; break ; - case 'g' : if (!uint0_scan(l.arg, &gid)) dieusage() ; break ; - case 'G' : if (!gid_scanlist(gids, NGROUPS_MAX, l.arg, &gidn) && *l.arg) dieusage() ; break ; - case '1' : flag1 = 1 ; break ; - case 'U' : flagU = 1 ; uid = 0 ; gid = 0 ; gidn = (unsigned int)-1 ; break ; - default : dieusage() ; - } - } - argc -= l.ind ; argv += l.ind ; - if (argc < 2) dieusage() ; - } - - { - unsigned int m = 0 ; - unsigned int pos = 0 ; - char fmt[UINT_FMT * 5 + GID_FMT * NGROUPS_MAX] ; - char const *newargv[24 + argc] ; - newargv[m++] = S6_NETWORKING_BINPREFIX "s6-ipcserver-socketbinder" ; - if (!flagreuse) newargv[m++] = "-D" ; - if (backlog != (unsigned int)-1) - { - newargv[m++] = "-b" ; - newargv[m++] = fmt + pos ; - pos += uint_fmt(fmt + pos, backlog) ; - fmt[pos++] = 0 ; - } - newargv[m++] = "--" ; - newargv[m++] = *argv++ ; - if (flagU || uid || gid || gidn != (unsigned int)-1) - { - newargv[m++] = S6_EXTBINPREFIX "s6-applyuidgid" ; - if (flagU) newargv[m++] = "-Uz" ; - if (uid) - { - newargv[m++] = "-u" ; - newargv[m++] = fmt + pos ; - pos += uint_fmt(fmt + pos, uid) ; - fmt[pos++] = 0 ; - } - if (gid) - { - newargv[m++] = "-g" ; - newargv[m++] = fmt + pos ; - pos += uint_fmt(fmt + pos, gid) ; - fmt[pos++] = 0 ; - } - if (gidn != (unsigned int)-1) - { - newargv[m++] = "-G" ; - newargv[m++] = fmt + pos ; - pos += gid_fmtlist(fmt + pos, gids, gidn) ; - fmt[pos++] = 0 ; - } - newargv[m++] = "--" ; - } - newargv[m++] = S6_NETWORKING_BINPREFIX "s6-ipcserverd" ; - if (!verbosity) newargv[m++] = "-v0" ; - else if (verbosity == 2) newargv[m++] = "-v2" ; - if (flag1) newargv[m++] = "-1" ; - if (!flaglookup) newargv[m++] = "-P" ; - if (maxconn) - { - newargv[m++] = "-c" ; - newargv[m++] = fmt + pos ; - pos += uint_fmt(fmt + pos, maxconn) ; - fmt[pos++] = 0 ; - } - if (localmaxconn) - { - newargv[m++] = "-C" ; - newargv[m++] = fmt + pos ; - pos += uint_fmt(fmt + pos, localmaxconn) ; - fmt[pos++] = 0 ; - } - newargv[m++] = "--" ; - while (*argv) newargv[m++] = *argv++ ; - newargv[m++] = 0 ; - pathexec_run(newargv[0], newargv, envp) ; - strerr_dieexec(111, newargv[0]) ; - } -} diff --git a/src/conn-tools/s6-ipcserverd.c b/src/conn-tools/s6-ipcserverd.c deleted file mode 100644 index 4afe5cc..0000000 --- a/src/conn-tools/s6-ipcserverd.c +++ /dev/null @@ -1,399 +0,0 @@ -/* ISC license. */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define USAGE "s6-ipcserverd [ -v verbosity ] [ -1 ] [ -P | -p ] [ -c maxconn ] [ -C localmaxconn ] prog..." - -#define ABSOLUTE_MAXCONN 1000 - -static unsigned int maxconn = 40 ; -static unsigned int localmaxconn = 40 ; -static char fmtmaxconn[UINT_FMT+1] = "/" ; -static char fmtlocalmaxconn[UINT_FMT+1] = "/" ; -static int flaglookup = 1 ; -static unsigned int verbosity = 1 ; -static int cont = 1 ; - -static diuint *piduid ; -static unsigned int numconn = 0 ; -static diuint *uidnum ; -static unsigned int uidlen = 0 ; - - - /* Utility functions */ - -static inline void dieusage () -{ - strerr_dieusage(100, USAGE) ; -} - -static inline void X (void) -{ - strerr_dief1x(101, "internal inconsistency. Please submit a bug-report.") ; -} - - - /* Lookup primitives */ - -static unsigned int lookup_diuint (diuint const *tab, unsigned int tablen, unsigned int key) -{ - register unsigned int i = 0 ; - for (; i < tablen ; i++) if (key == tab[i].left) break ; - return i ; -} - -static inline unsigned int lookup_pid (unsigned int pid) -{ - return lookup_diuint(piduid, numconn, pid) ; -} - -static inline unsigned int lookup_uid (unsigned int uid) -{ - return lookup_diuint(uidnum, uidlen, uid) ; -} - - - /* Logging */ - -static inline void log_start (void) -{ - strerr_warni1x("starting") ; -} - -static inline void log_exit (void) -{ - strerr_warni1x("exiting") ; -} - -static void log_status (void) -{ - char fmt[UINT_FMT] ; - fmt[uint_fmt(fmt, numconn)] = 0 ; - strerr_warni3x("status: ", fmt, fmtmaxconn) ; -} - -static void log_deny (unsigned int uid, unsigned int gid, unsigned int num) -{ - char fmtuid[UINT_FMT] = "?" ; - char fmtgid[UINT_FMT] = "?" ; - char fmtnum[UINT_FMT] = "?" ; - if (flaglookup) - { - fmtuid[uint_fmt(fmtuid, uid)] = 0 ; - fmtgid[uint_fmt(fmtgid, gid)] = 0 ; - fmtnum[uint_fmt(fmtnum, num)] = 0 ; - } - strerr_warni7sys("deny ", fmtuid, ":", fmtgid, " count ", fmtnum, fmtlocalmaxconn) ; -} - -static void log_accept (unsigned int pid, unsigned int uid, unsigned int gid, unsigned int num) -{ - char fmtuidgid[UINT_FMT * 2 + 1] = "?:?" ; - char fmtpid[UINT_FMT] ; - char fmtnum[UINT_FMT] = "?" ; - if (flaglookup) - { - register unsigned int n = uint_fmt(fmtuidgid, uid) ; - fmtuidgid[n++] = ':' ; - n += uint_fmt(fmtuidgid + n, gid) ; - fmtuidgid[n] = 0 ; - fmtnum[uint_fmt(fmtnum, num)] = 0 ; - } - fmtpid[uint_fmt(fmtpid, pid)] = 0 ; - strerr_warni7x("allow ", fmtuidgid, " pid ", fmtpid, " count ", fmtnum, fmtlocalmaxconn) ; -} - -static void log_close (unsigned int pid, unsigned int uid, int w) -{ - char fmtpid[UINT_FMT] ; - char fmtuid[UINT_FMT] = "?" ; - char fmtw[UINT_FMT] ; - fmtpid[uint_fmt(fmtpid, pid)] = 0 ; - if (flaglookup) fmtuid[uint_fmt(fmtuid, uid)] = 0 ; - fmtw[uint_fmt(fmtw, WIFSIGNALED(w) ? WTERMSIG(w) : WEXITSTATUS(w))] = 0 ; - strerr_warni6x("end pid ", fmtpid, " uid ", fmtuid, WIFSIGNALED(w) ? " signal " : " exitcode ", fmtw) ; -} - - - /* Signal handling */ - -static void killthem (int sig) -{ - register unsigned int i = 0 ; - for (; i < numconn ; i++) kill(piduid[i].left, sig) ; -} - -static void wait_children (void) -{ - for (;;) - { - unsigned int i ; - int w ; - register pid_t pid = wait_nohang(&w) ; - if (pid < 0) - if (errno != ECHILD) strerr_diefu1sys(111, "wait_nohang") ; - else break ; - else if (!pid) break ; - i = lookup_pid(pid) ; - if (i < numconn) - { - unsigned int uid = piduid[i].right ; - register unsigned int j = lookup_uid(uid) ; - if (j >= uidlen) X() ; - if (!--uidnum[j].right) uidnum[j] = uidnum[--uidlen] ; - piduid[i] = piduid[--numconn] ; - if (verbosity >= 2) - { - log_close(pid, uid, w) ; - log_status() ; - } - } - } -} - -static void handle_signals (void) -{ - for (;;) switch (selfpipe_read()) - { - case -1 : strerr_diefu1sys(111, "read selfpipe") ; - case 0 : return ; - case SIGCHLD : wait_children() ; break ; - case SIGTERM : - { - if (verbosity >= 2) - strerr_warni3x("received ", "SIGTERM,", " quitting") ; - cont = 0 ; - break ; - } - case SIGHUP : - { - if (verbosity >= 2) - strerr_warni5x("received ", "SIGHUP,", " sending ", "SIGTERM+SIGCONT", " to all connections") ; - killthem(SIGTERM) ; - killthem(SIGCONT) ; - break ; - } - case SIGQUIT : - { - if (verbosity >= 2) - strerr_warni6x("received ", "SIGQUIT,", " sending ", "SIGTERM+SIGCONT", " to all connections", " and quitting") ; - cont = 0 ; - killthem(SIGTERM) ; - killthem(SIGCONT) ; - break ; - } - case SIGABRT : - { - if (verbosity >= 2) - strerr_warni6x("received ", "SIGABRT,", " sending ", "SIGKILL", " to all connections", " and quitting") ; - cont = 0 ; - killthem(SIGKILL) ; - break ; - } - default : X() ; - } -} - - - /* New connection handling */ - -static void run_child (int, unsigned int, unsigned int, unsigned int, char const *, char const *const *, char const *const *) gccattr_noreturn ; -static void run_child (int s, unsigned int uid, unsigned int gid, unsigned int num, char const *remotepath, char const *const *argv, char const *const *envp) -{ - unsigned int rplen = str_len(remotepath) + 1 ; - unsigned int n = 0 ; - char fmt[65 + UINT_FMT * 3 + rplen] ; - PROG = "s6-ipcserver (child)" ; - if ((fd_move(0, s) < 0) || (fd_copy(1, 0) < 0)) - strerr_diefu1sys(111, "move fds") ; - byte_copy(fmt+n, 23, "PROTO=IPC\0IPCREMOTEEUID") ; n += 23 ; - if (flaglookup) - { - fmt[n++] = '=' ; - n += uint_fmt(fmt+n, uid) ; - } - fmt[n++] = 0 ; - byte_copy(fmt+n, 13, "IPCREMOTEEGID") ; n += 13 ; - if (flaglookup) - { - fmt[n++] = '=' ; - n += uint_fmt(fmt+n, gid) ; - } - fmt[n++] = 0 ; - byte_copy(fmt+n, 11, "IPCCONNNUM=") ; n += 11 ; - if (flaglookup) n += uint_fmt(fmt+n, num) ; - fmt[n++] = 0 ; - byte_copy(fmt+n, 14, "IPCREMOTEPATH=") ; n += 14 ; - byte_copy(fmt+n, rplen, remotepath) ; n += rplen ; - pathexec_r(argv, envp, env_len(envp), fmt, n) ; - strerr_dieexec(111, argv[0]) ; -} - -static void new_connection (int s, char const *remotepath, char const *const *argv, char const *const *envp) -{ - unsigned int uid = 0, gid = 0 ; - unsigned int num, i ; - register pid_t pid ; - if (flaglookup && (ipc_eid(s, &uid, &gid) < 0)) - { - if (verbosity) strerr_warnwu1sys("ipc_eid") ; - return ; - } - i = lookup_uid(uid) ; - num = (i < uidlen) ? uidnum[i].right : 0 ; - if (num >= localmaxconn) - { - log_deny(uid, gid, num) ; - return ; - } - pid = fork() ; - if (pid < 0) - { - if (verbosity) strerr_warnwu1sys("fork") ; - return ; - } - else if (!pid) - { - selfpipe_finish() ; - run_child(s, uid, gid, num+1, remotepath, argv, envp) ; - } - - if (i < uidlen) uidnum[i].right = num + 1 ; - else - { - uidnum[uidlen].left = uid ; - uidnum[uidlen++].right = 1 ; - } - piduid[numconn].left = (unsigned int)pid ; - piduid[numconn++].right = uid ; - if (verbosity >= 2) - { - log_accept((unsigned int)pid, uid, gid, uidnum[i].right) ; - log_status() ; - } -} - - - /* And the main */ - -int main (int argc, char const *const *argv, char const *const *envp) -{ - iopause_fd x[2] = { { .events = IOPAUSE_READ }, { .fd = 0, .events = IOPAUSE_READ | IOPAUSE_EXCEPT } } ; - PROG = "s6-ipcserverd" ; - { - subgetopt_t l = SUBGETOPT_ZERO ; - int flag1 = 0 ; - for (;;) - { - register int opt = subgetopt_r(argc, argv, "Pp1c:C:v:", &l) ; - if (opt == -1) break ; - switch (opt) - { - case 'P' : flaglookup = 0 ; break ; - case 'p' : flaglookup = 1 ; break ; - case '1' : flag1 = 1 ; break ; - case 'c' : if (!uint0_scan(l.arg, &maxconn)) dieusage() ; break ; - case 'C' : if (!uint0_scan(l.arg, &localmaxconn)) dieusage() ; break ; - case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; - default : dieusage() ; - } - } - argc -= l.ind ; argv += l.ind ; - if (!argc || !*argv[0]) dieusage() ; - { - struct stat st ; - if (fstat(0, &st) < 0) strerr_diefu1sys(111, "fstat stdin") ; - if (!S_ISSOCK(st.st_mode)) strerr_dief1x(100, "stdin is not a socket") ; - } - if (coe(0) < 0) strerr_diefu1sys(111, "make socket close-on-exec") ; - if (flag1) - { - if (fcntl(1, F_GETFD) < 0) - strerr_dief1sys(100, "called with option -1 but stdout said") ; - } - else close(1) ; - if (!maxconn) maxconn = 1 ; - if (maxconn > ABSOLUTE_MAXCONN) maxconn = ABSOLUTE_MAXCONN ; - if (!flaglookup || (localmaxconn > maxconn)) localmaxconn = maxconn ; - - x[0].fd = selfpipe_init() ; - if (x[0].fd == -1) strerr_diefu1sys(111, "create selfpipe") ; - if (sig_ignore(SIGPIPE) < 0) strerr_diefu1sys(111, "ignore SIGPIPE") ; - { - sigset_t set ; - sigemptyset(&set) ; - sigaddset(&set, SIGCHLD) ; - sigaddset(&set, SIGTERM) ; - sigaddset(&set, SIGHUP) ; - sigaddset(&set, SIGQUIT) ; - sigaddset(&set, SIGABRT) ; - if (selfpipe_trapset(&set) < 0) strerr_diefu1sys(111, "trap signals") ; - } - - fmtlocalmaxconn[1+uint_fmt(fmtlocalmaxconn+1, localmaxconn)] = 0 ; - if (verbosity >= 2) - { - fmtmaxconn[1+uint_fmt(fmtmaxconn+1, maxconn)] = 0 ; - log_start() ; - log_status() ; - } - if (flag1) - { - fd_write(1, "\n", 1) ; - fd_close(1) ; - } - } - - { - diuint inyostack[maxconn + (flaglookup ? maxconn : 1)] ; - piduid = inyostack ; uidnum = inyostack + maxconn ; - - while (cont) - { - if (iopause_g(x, 1 + (numconn < maxconn), 0) < 0) - strerr_diefu1sys(111, "iopause") ; - - if (x[0].revents & IOPAUSE_EXCEPT) strerr_dief1x(111, "trouble with selfpipe") ; - if (x[0].revents & IOPAUSE_READ) handle_signals() ; - if (numconn < maxconn) - { - if (x[1].revents & IOPAUSE_EXCEPT) strerr_dief1x(111, "trouble with socket") ; - if (x[1].revents & IOPAUSE_READ) - { - int dummy ; - char remotepath[IPCPATH_MAX+1] ; - register int s = ipc_accept(x[1].fd, remotepath, IPCPATH_MAX+1, &dummy) ; - if (s < 0) - { - if (verbosity) strerr_warnwu1sys("accept") ; - } - else - { - new_connection(s, remotepath, argv, envp) ; - fd_close(s) ; - } - } - } - } - } - if (verbosity >= 2) log_exit() ; - return 0 ; -} diff --git a/src/conn-tools/s6-sudo.c b/src/conn-tools/s6-sudo.c deleted file mode 100644 index 5e91951..0000000 --- a/src/conn-tools/s6-sudo.c +++ /dev/null @@ -1,67 +0,0 @@ -/* ISC license. */ - -#include -#include -#include -#include -#include - -#define USAGE "s6-sudo [ -q | -Q | -v ] [ -p bindpath ] [ -l localname ] [ -e ] [ -t timeout ] [ -T timeoutrun ] path [ args... ]" -#define dieusage() strerr_dieusage(100, USAGE) - -int main (int argc, char const *const *argv, char const *const *envp) -{ - unsigned int verbosity = 1, t = 0, T = 0 ; - char const *bindpath = 0 ; - char const *localname = 0 ; - int nodoenv = 0 ; - PROG = "s6-sudo" ; - { - subgetopt_t l = SUBGETOPT_ZERO ; - for (;;) - { - register int opt = subgetopt_r(argc, argv, "qQvp:l:et:T:", &l) ; - if (opt == -1) break ; - switch (opt) - { - case 'q' : if (verbosity) verbosity-- ; break ; - case 'Q' : verbosity = 1 ; break ; - case 'v' : verbosity++ ; break ; - case 'p' : bindpath = l.arg ; break ; - case 'l' : localname = l.arg ; break ; - case 'e' : nodoenv = 1 ; break ; - case 't' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ; - case 'T' : if (!uint0_scan(l.arg, &T)) dieusage() ; break ; - default : dieusage() ; - } - } - argc -= l.ind ; argv += l.ind ; - } - if (!argc) dieusage() ; - { - char const *eargv[9 + argc + ((verbosity < 2 ? 1 : verbosity-1)) + ((!!bindpath + !!localname) << 1) + nodoenv] ; - char fmt1[UINT_FMT] ; - char fmt2[UINT_FMT] ; - unsigned int n = 0 ; - eargv[n++] = S6_NETWORKING_BINPREFIX "s6-ipcclient" ; - if (!verbosity) eargv[n++] = "-Q" ; - else while (--verbosity) eargv[n++] = "-v" ; - if (bindpath) { eargv[n++] = "-p" ; eargv[n++] = bindpath ; } - if (localname) { eargv[n++] = "-l" ; eargv[n++] = localname ; } - eargv[n++] = "--" ; - eargv[n++] = *argv++ ; argc-- ; - eargv[n++] = S6_NETWORKING_BINPREFIX "s6-sudoc" ; - if (nodoenv) eargv[n++] = "-e" ; - eargv[n++] = "-t" ; - fmt1[uint_fmt(fmt1, t)] = 0 ; - eargv[n++] = fmt1 ; - eargv[n++] = "-T" ; - fmt2[uint_fmt(fmt2, T)] = 0 ; - eargv[n++] = fmt2 ; - eargv[n++] = "--" ; - while (argc--) eargv[n++] = *argv++ ; - eargv[n++] = 0 ; - pathexec_run(eargv[0], eargv, envp) ; - } - strerr_dieexec(111, S6_NETWORKING_BINPREFIX "s6-ipcclient") ; -} diff --git a/src/conn-tools/s6-sudo.h b/src/conn-tools/s6-sudo.h deleted file mode 100644 index 8c5797f..0000000 --- a/src/conn-tools/s6-sudo.h +++ /dev/null @@ -1,11 +0,0 @@ -/* ISC license. */ - -#ifndef S6_SUDO_H -#define S6_SUDO_H - -#define S6_SUDO_BANNERB "s6-sudo b v1.0\n" -#define S6_SUDO_BANNERB_LEN (sizeof(S6_SUDO_BANNERB) - 1) -#define S6_SUDO_BANNERA "s6-sudo a v1.0\n" -#define S6_SUDO_BANNERA_LEN (sizeof(S6_SUDO_BANNERA) - 1) - -#endif diff --git a/src/conn-tools/s6-sudoc.c b/src/conn-tools/s6-sudoc.c deleted file mode 100644 index 823d7cb..0000000 --- a/src/conn-tools/s6-sudoc.c +++ /dev/null @@ -1,115 +0,0 @@ -/* ISC license. */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "s6-sudo.h" - -#define USAGE "s6-sudoc [ -e ] [ -t timeoutconn ] [ -T timeoutrun ] [ args... ]" -#define dieusage() strerr_dieusage(100, USAGE) -#define dienomem() strerr_diefu1sys(111, "stralloc_catb") - -int main (int argc, char const *const *argv, char const *const *envp) -{ - char buf6[64] ; - buffer b6 = BUFFER_INIT(&buffer_read, 6, buf6, 64) ; - unixmessage_sender_t b7 = UNIXMESSAGE_SENDER_INIT(7) ; - subgetopt_t l = SUBGETOPT_ZERO ; - unsigned int t = 0, T = 0 ; - int doenv = 1 ; - - tain_t deadline = TAIN_INFINITE_RELATIVE ; - PROG = "s6-sudoc" ; - for (;;) - { - register int opt = subgetopt_r(argc, argv, "et:T:", &l) ; - if (opt < 0) break ; - switch (opt) - { - case 'e' : doenv = 0 ; break ; - case 't' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ; - case 'T' : if (!uint0_scan(l.arg, &T)) dieusage() ; break ; - default : dieusage() ; - } - } - argc -= l.ind ; argv += l.ind ; - if (t) tain_from_millisecs(&deadline, t) ; - if ((ndelay_on(6) < 0) || (ndelay_on(7) < 0)) - strerr_diefu1sys(111, "make socket non-blocking") ; - if (!fd_sanitize() || !fd_ensure_open(2, 1)) - strerr_diefu1sys(111, "sanitize stdin/stdout/stderr") ; - - tain_now_g() ; - tain_add_g(&deadline, &deadline) ; - { - char tmp[S6_SUDO_BANNERB_LEN] ; - if (buffer_timed_get_g(&b6, tmp, S6_SUDO_BANNERB_LEN, &deadline) < S6_SUDO_BANNERB_LEN) - strerr_diefu1sys(111, "read banner from s6-sudod") ; - if (str_diffn(tmp, S6_SUDO_BANNERB, S6_SUDO_BANNERB_LEN)) - strerr_dief1x(100, "wrong server banner") ; - } - { - int fds[3] = { 0, 1, 2 } ; - char pack[16] ; - siovec_t v[4] = { - { .s = S6_SUDO_BANNERA, .len = S6_SUDO_BANNERA_LEN }, - { .s = pack, .len = 16 }, - { .s = 0, .len = 0 }, - { .s = 0, .len = 0 } } ; - unixmessage_v_t mv = { .v = v, .vlen = 4, .fds = fds, .nfds = 3 } ; - stralloc sa = STRALLOC_ZERO ; - unsigned int envlen = doenv ? env_len(envp) : 0 ; - uint32_pack_big(pack, (uint32)argc) ; - uint32_pack_big(pack + 4, (uint32)envlen) ; - if (!env_string(&sa, argv, argc)) dienomem() ; - v[2].len = sa.len ; - uint32_pack_big(pack + 8, (uint32)v[2].len) ; - if (doenv) - { - if (!env_string(&sa, envp, envlen)) dienomem() ; - v[3].len = sa.len - v[2].len ; - } - uint32_pack_big(pack + 12, (uint32)v[3].len) ; - v[2].s = sa.s ; - v[3].s = sa.s + v[2].len ; - if (!unixmessage_putv_and_close(&b7, &mv, (unsigned char const *)"\003")) - strerr_diefu1sys(111, "unixmessage_putv") ; - stralloc_free(&sa) ; - } - if (!unixmessage_sender_timed_flush_g(&b7, &deadline)) - strerr_diefu1sys(111, "send args to server") ; - unixmessage_sender_free(&b7) ; - { - char c ; - if (buffer_timed_get_g(&b6, &c, 1, &deadline) < 1) - strerr_diefu1sys(111, "get confirmation from server") ; - if (c) - { - errno = c ; - strerr_diefu1sys(111, "start privileged program: server answered: ") ; - } - } - - if (T) tain_from_millisecs(&deadline, T) ; else deadline = tain_infinite_relative ; - tain_add_g(&deadline, &deadline) ; - { - char pack[UINT_PACK] ; - if (buffer_timed_get_g(&b6, pack, UINT_PACK, &deadline) < UINT_PACK) - strerr_diefu1sys(111, "get exit status from server") ; - uint_unpack_big(pack, &t) ; - } - if (WIFSIGNALED(t)) raise(WTERMSIG(t)) ; - return WEXITSTATUS(t) ; -} diff --git a/src/conn-tools/s6-sudod.c b/src/conn-tools/s6-sudod.c deleted file mode 100644 index 8c52bb9..0000000 --- a/src/conn-tools/s6-sudod.c +++ /dev/null @@ -1,233 +0,0 @@ -/* ISC license. */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "s6-sudo.h" - -#define USAGE "s6-sudod [ -0 ] [ -1 ] [ -2 ] [ -t timeout ] args..." -#define dieusage() strerr_dieusage(100, USAGE) -#define dienomem() strerr_diefu1sys(111, "stralloc_catb") - -int main (int argc, char const *const *argv, char const *const *envp) -{ - subgetopt_t l = SUBGETOPT_ZERO ; - unixmessage_t m ; - unsigned int nullfds = 0, t = 2000 ; - pid_t pid ; - uint32 envc = env_len(envp) ; - uint32 cargc, cenvc, carglen, cenvlen ; - int spfd ; - tain_t deadline = TAIN_INFINITE_RELATIVE ; - PROG = "s6-sudod" ; - for (;;) - { - register int opt = subgetopt_r(argc, argv, "012t:", &l) ; - if (opt < 0) break ; - switch (opt) - { - case '0' : nullfds |= 1 ; break ; - case '1' : nullfds |= 2 ; break ; - case '2' : nullfds |= 4 ; break ; - case 't' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ; - default : dieusage() ; - } - } - argc -= l.ind ; argv += l.ind ; - if (t) tain_from_millisecs(&deadline, t) ; - if ((ndelay_on(0) < 0) || (ndelay_on(1) < 0)) - strerr_diefu1sys(111, "make socket non-blocking") ; - - tain_now_g() ; - tain_add_g(&deadline, &deadline) ; - buffer_putnoflush(buffer_1small, S6_SUDO_BANNERB, S6_SUDO_BANNERB_LEN) ; - if (!buffer_timed_flush_g(buffer_1small, &deadline)) - strerr_diefu1sys(111, "write banner to client") ; - if (unixmessage_timed_receive_g(unixmessage_receiver_0, &m, &deadline) <= 0) - strerr_diefu1sys(111, "read message from client") ; - if (m.nfds != 3) - strerr_dief1x(100, "client did not send 3 fds") ; - if (m.len < 16 + S6_SUDO_BANNERA_LEN) - strerr_dief1x(100, "wrong client message") ; - if (str_diffn(m.s, S6_SUDO_BANNERA, S6_SUDO_BANNERA_LEN)) - strerr_dief1x(100, "wrong client banner") ; - uint32_unpack_big(m.s + S6_SUDO_BANNERA_LEN, &cargc) ; - uint32_unpack_big(m.s + S6_SUDO_BANNERA_LEN + 4, &cenvc) ; - uint32_unpack_big(m.s + S6_SUDO_BANNERA_LEN + 8, &carglen) ; - uint32_unpack_big(m.s + S6_SUDO_BANNERA_LEN + 12, &cenvlen) ; - if (S6_SUDO_BANNERA_LEN + 16 + carglen + cenvlen != m.len) - strerr_dief1x(100, "wrong client argc/envlen") ; - if ((cargc > 131072) || (cenvc > 131072)) - strerr_dief1x(100, "too many args/envvars from client") ; - - if (nullfds & 1) - { - close(m.fds[0]) ; - m.fds[0] = open2("/dev/null", O_RDONLY) ; - if (m.fds[0] < 0) strerr_diefu2sys(111, "open /dev/null for ", "reading") ; - } - if (nullfds & 2) - { - close(m.fds[1]) ; - m.fds[1] = open2("/dev/null", O_WRONLY) ; - if (m.fds[1] < 0) strerr_diefu2sys(111, "open /dev/null for ", "writing") ; - } - if (nullfds & 4) - { - close(m.fds[2]) ; - m.fds[2] = 2 ; - } - - { - char const *targv[argc + 1 + cargc] ; - char const *tenvp[envc + 1 + cenvc] ; - int p[2] ; - register unsigned int i = 0 ; - for (; i < (unsigned int)argc ; i++) targv[i] = argv[i] ; - for (i = 0 ; i <= envc ; i++) tenvp[i] = envp[i] ; - if (!env_make(targv + argc, cargc, m.s + S6_SUDO_BANNERA_LEN + 16, carglen)) - { - char c = errno ; - buffer_putnoflush(buffer_1small, &c, 1) ; - buffer_timed_flush_g(buffer_1small, &deadline) ; - errno = c ; - strerr_diefu1sys(111, "make child argv") ; - } - if (!env_make(tenvp + envc + 1, cenvc, m.s + S6_SUDO_BANNERA_LEN + 16 + carglen, cenvlen)) - { - char c = errno ; - buffer_putnoflush(buffer_1small, &c, 1) ; - buffer_timed_flush_g(buffer_1small, &deadline) ; - errno = c ; - strerr_diefu1sys(111, "make child envp") ; - } - targv[argc + cargc] = 0 ; - - for (i = 0 ; i < cenvc ; i++) - { - char const *var = tenvp[envc + 1 + i] ; - register unsigned int j = 0 ; - register unsigned int len = str_chr(var, '=') ; - if (!var[len]) - { - char c = EINVAL ; - buffer_putnoflush(buffer_1small, &c, 1) ; - buffer_timed_flush_g(buffer_1small, &deadline) ; - strerr_dief1x(100, "bad environment from client") ; - } - for (; j < envc ; j++) if (!str_diffn(var, tenvp[j], len+1)) break ; - if ((j < envc) && !tenvp[j][len+1]) tenvp[j] = var ; - } - - spfd = selfpipe_init() ; - if (spfd < 0) strerr_diefu1sys(111, "selfpipe_init") ; - if (selfpipe_trap(SIGCHLD) < 0) strerr_diefu1sys(111, "trap SIGCHLD") ; - if (pipe(p) < 0) strerr_diefu1sys(111, "pipe") ; - if (coe(p[1]) < 0) strerr_diefu1sys(111, "coe pipe") ; - pid = fork() ; - if (pid < 0) strerr_diefu1sys(111, "fork") ; - if (!pid) - { - PROG = "s6-sudod (child)" ; - fd_close(p[0]) ; - if ((fd_move(2, m.fds[2]) < 0) - || (fd_move(1, m.fds[1]) < 0) - || (fd_move(0, m.fds[0]) < 0)) - { - char c = errno ; - fd_write(p[1], &c, 1) ; - strerr_diefu1sys(111, "move fds") ; - } - selfpipe_finish() ; - pathexec0_run(targv, tenvp) ; - { - char c = errno ; - fd_write(p[1], &c, 1) ; - } - strerr_dieexec(111, targv[0]) ; - } - fd_close(p[1]) ; - { - char c ; - register int r = fd_read(p[0], &c, 1) ; - if (r < 0) strerr_diefu1sys(111, "read from child") ; - if (r) - { - buffer_putnoflush(buffer_1small, &c, 1) ; - buffer_timed_flush_g(buffer_1small, &deadline) ; - return 111 ; - } - } - fd_close(p[0]) ; - } - - fd_close(m.fds[0]) ; - fd_close(m.fds[1]) ; - if (!(nullfds & 4)) fd_close(m.fds[2]) ; - unixmessage_receiver_free(unixmessage_receiver_0) ; - buffer_putnoflush(buffer_1small, "", 1) ; - if (!buffer_timed_flush_g(buffer_1small, &deadline)) - strerr_diefu1sys(111, "send confirmation to client") ; - - { - iopause_fd x[2] = { { .fd = 0, .events = 0 }, { .fd = spfd, .events = IOPAUSE_READ } } ; - int cont = 1 ; - while (cont) - { - if (iopause_g(x, 2, 0) < 0) strerr_diefu1sys(111, "iopause") ; - if (x[1].revents) - { - for (;;) - { - int c = selfpipe_read() ; - if (c < 0) strerr_diefu1sys(111, "read from selfpipe") ; - else if (!c) break ; - else if (c == SIGCHLD) - { - int wstat ; - register int r = wait_pid_nohang(pid, &wstat) ; - if ((r < 0) && (errno != ECHILD)) - strerr_diefu1sys(111, "wait_pid_nohang") ; - else if (r > 0) - { - char pack[UINT_PACK] ; - uint_pack_big(pack, (unsigned int)wstat) ; - buffer_putnoflush(buffer_1small, pack, UINT_PACK) ; - cont = 0 ; - } - } - else - strerr_dief1sys(101, "internal inconsistency, please submit a bug-report") ; - } - } - if (x[0].revents && cont) - { - kill(pid, SIGTERM) ; - kill(pid, SIGCONT) ; - x[0].fd = -1 ; - return 1 ; - } - } - } - if (ndelay_off(1) < 0) - strerr_diefu1sys(111, "set stdout blocking") ; - if (!buffer_flush(buffer_1small)) - strerr_diefu1sys(111, "write status to client") ; - return 0 ; -} diff --git a/src/conn-tools/s6-tcpserver-access.c b/src/conn-tools/s6-tcpserver-access.c index ef2771b..db2e2a5 100644 --- a/src/conn-tools/s6-tcpserver-access.c +++ b/src/conn-tools/s6-tcpserver-access.c @@ -18,8 +18,9 @@ #include #include #include +#include #include -#include +#include #define USAGE "s6-tcpserver-access [ -v verbosity ] [ -W | -w ] [ -D | -d ] [ -H | -h ] [ -R | -r ] [ -P | -p ] [ -l localname ] [ -B banner ] [ -t timeout ] [ -i rulesdir | -x rulesfile ] prog..." #define dieusage() strerr_dieusage(100, USAGE) @@ -50,7 +51,7 @@ static inline void log_deny (unsigned int pid, ip46_t const *ip) int main (int argc, char const *const *argv, char const *const *envp) { - s6net_accessrules_params_t params = S6NET_ACCESSRULES_PARAMS_ZERO ; + s6_accessrules_params_t params = S6_ACCESSRULES_PARAMS_ZERO ; stralloc modifs = STRALLOC_ZERO ; tain_t deadline, tto ; char const *rulestypestr[3] = { "no", "fs", "cdb" } ; @@ -62,7 +63,7 @@ int main (int argc, char const *const *argv, char const *const *envp) unsigned int rulestype = 0 ; unsigned int verbosity = 1 ; unsigned int protolen ; - s6net_accessrules_result_t accepted ; + s6_accessrules_result_t accepted ; ip46_t remoteip, localip ; int flagfatal = 1, flagnodelay = 0, flagdnslookup = 1, flagident = 0, flagparanoid = 0, e = 0 ; @@ -140,17 +141,17 @@ int main (int argc, char const *const *argv, char const *const *envp) { case 0 : if (verbosity >= 2) strerr_warnw1x("invoked without a ruleset!") ; - accepted = S6NET_ACCESSRULES_ALLOW ; + accepted = S6_ACCESSRULES_ALLOW ; break ; case 1 : - accepted = s6net_accessrules_ip46_fs(&remoteip, (void *)rules, ¶ms) ; + accepted = s6_accessrules_ip46_fs(&remoteip, (void *)rules, ¶ms) ; break ; case 2 : cdbfd = open_readb(rules) ; if (cdbfd < 0) strerr_diefu2sys(111, "open_readb ", rules) ; if (cdb_init(&c, cdbfd) < 0) strerr_diefu2sys(111, "cdb_init ", rules) ; - accepted = s6net_accessrules_ip46_cdb(&remoteip, &c, ¶ms) ; - if (accepted == S6NET_ACCESSRULES_ALLOW) + accepted = s6_accessrules_ip46_cdb(&remoteip, &c, ¶ms) ; + if (accepted == S6_ACCESSRULES_ALLOW) { cdb_free(&c) ; fd_close(cdbfd) ; @@ -160,13 +161,13 @@ int main (int argc, char const *const *argv, char const *const *envp) } switch (accepted) { - case S6NET_ACCESSRULES_ERROR : + case S6_ACCESSRULES_ERROR : strerr_diefu6sys(111, "check ", rulestypestr[rulestype], " ruleset for ", "IP", " in ", rules) ; - case S6NET_ACCESSRULES_ALLOW : break ; - case S6NET_ACCESSRULES_DENY : + case S6_ACCESSRULES_ALLOW : break ; + case S6_ACCESSRULES_DENY : if (verbosity >= 2) { errno = EACCES ; log_deny(getpid(), &remoteip) ; } return 1 ; - case S6NET_ACCESSRULES_NOTFOUND : + case S6_ACCESSRULES_NOTFOUND : if (flagdnslookup) break ; if (verbosity >= 2) { errno = ENOENT ; log_deny(getpid(), &remoteip) ; } return 1 ; @@ -326,21 +327,21 @@ int main (int argc, char const *const *argv, char const *const *envp) } } if (!env_addmodif(&modifs, tcpremotehost, remotelen ? remotebuf : 0)) dienomem() ; - if (remotelen && (accepted == S6NET_ACCESSRULES_NOTFOUND)) + if (remotelen && (accepted == S6_ACCESSRULES_NOTFOUND)) { switch (rulestype) { case 1 : - accepted = s6net_accessrules_reversedns_fs(remotebuf, (void *)rules, ¶ms) ; + accepted = s6_accessrules_reversedns_fs(remotebuf, (void *)rules, ¶ms) ; break ; case 2 : - accepted = s6net_accessrules_reversedns_cdb(remotebuf, &c, ¶ms) ; + accepted = s6_accessrules_reversedns_cdb(remotebuf, &c, ¶ms) ; break ; default : X() ; } } - if ((rulestype == 2) && (accepted != S6NET_ACCESSRULES_ALLOW)) + if ((rulestype == 2) && (accepted != S6_ACCESSRULES_ALLOW)) { cdb_free(&c) ; fd_close(cdbfd) ; @@ -348,13 +349,13 @@ int main (int argc, char const *const *argv, char const *const *envp) switch (accepted) { - case S6NET_ACCESSRULES_ERROR : + case S6_ACCESSRULES_ERROR : strerr_diefu6sys(111, "check ", rulestypestr[rulestype], " ruleset for ", "reverse DNS", " in ", rules) ; - case S6NET_ACCESSRULES_ALLOW : break ; - case S6NET_ACCESSRULES_DENY : + case S6_ACCESSRULES_ALLOW : break ; + case S6_ACCESSRULES_DENY : if (verbosity >= 2) { errno = EACCES ; log_deny(getpid(), &remoteip) ; } return 1 ; - case S6NET_ACCESSRULES_NOTFOUND : + case S6_ACCESSRULES_NOTFOUND : if (verbosity >= 2) { errno = ENOENT ; log_deny(getpid(), &remoteip) ; } return 1 ; default : X() ; diff --git a/src/conn-tools/seekablepipe.c b/src/conn-tools/seekablepipe.c deleted file mode 100644 index 611f227..0000000 --- a/src/conn-tools/seekablepipe.c +++ /dev/null @@ -1,41 +0,0 @@ -/* ISC license. */ - -#include -#include -#include -#include - -#define USAGE "seekablepipe tempfile prog..." - -#define N 8192 - -int main (int argc, char const *const *argv, char const *const *envp) -{ - iobuffer b ; - int fdr, fdw ; - int r ; - PROG = "seekablepipe" ; - if (argc < 3) strerr_dieusage(100, USAGE) ; - fdw = open_trunc(argv[1]) ; - if (fdw < 0) - strerr_diefu2sys(111, "create temporary ", argv[1]) ; - fdr = open_readb(argv[1]) ; - if (fdr < 0) - strerr_diefu3sys(111, "open ", argv[1], " for reading") ; - if (unlink(argv[1]) < 0) - strerr_diefu2sys(111, "unlink ", argv[1]) ; - if (ndelay_off(fdw) < 0) - strerr_diefu1sys(111, "set fdw blocking") ; - if (!iobuffer_init(&b, 0, fdw)) - strerr_diefu1sys(111, "iobuffer_init") ; - while ((r = iobuffer_fill(&b)) > 0) - if (!iobuffer_flush(&b)) - strerr_diefu2sys(111, "write to ", argv[1]) ; - if (r < 0) strerr_diefu1sys(111, "read from stdin") ; - iobuffer_finish(&b) ; - fd_close(fdw) ; - if (fd_move(0, fdr) < 0) - strerr_diefu1sys(111, "move fdr to stdin") ; - pathexec_run(argv[2], argv+2, envp) ; - strerr_dieexec(111, argv[2]) ; -} diff --git a/src/include/s6-networking/accessrules.h b/src/include/s6-networking/accessrules.h deleted file mode 100644 index ec7a0d5..0000000 --- a/src/include/s6-networking/accessrules.h +++ /dev/null @@ -1,53 +0,0 @@ -/* ISC license. */ - -#ifndef S6NET_ACCESSRULES_H -#define S6NET_ACCESSRULES_H - -#include -#include -#include - -typedef struct s6net_accessrules_params_s s6net_accessrules_params_t, *s6net_accessrules_params_t_ref ; -struct s6net_accessrules_params_s -{ - stralloc env ; - stralloc exec ; -} ; -#define S6NET_ACCESSRULES_PARAMS_ZERO { STRALLOC_ZERO, STRALLOC_ZERO } - -typedef enum s6net_accessrules_result_e s6net_accessrules_result_t, *s6net_accessrules_result_t_ref ; -enum s6net_accessrules_result_e -{ - S6NET_ACCESSRULES_ERROR = -1, - S6NET_ACCESSRULES_DENY = 0, - S6NET_ACCESSRULES_ALLOW = 1, - S6NET_ACCESSRULES_NOTFOUND = 2 -} ; - -typedef s6net_accessrules_result_t s6net_accessrules_backend_func_t (char const *, unsigned int, void *, s6net_accessrules_params_t *) ; -typedef s6net_accessrules_backend_func_t *s6net_accessrules_backend_func_t_ref ; - -extern s6net_accessrules_backend_func_t s6net_accessrules_backend_fs ; -extern s6net_accessrules_backend_func_t s6net_accessrules_backend_cdb ; - -typedef s6net_accessrules_result_t s6net_accessrules_keycheck_func_t (void const *, void *, s6net_accessrules_params_t *, s6net_accessrules_backend_func_t_ref) ; -typedef s6net_accessrules_keycheck_func_t *s6net_accessrules_keycheck_func_t_ref ; - -extern s6net_accessrules_keycheck_func_t s6net_accessrules_keycheck_uidgid ; -extern s6net_accessrules_keycheck_func_t s6net_accessrules_keycheck_ip4 ; -extern s6net_accessrules_keycheck_func_t s6net_accessrules_keycheck_ip6 ; -extern s6net_accessrules_keycheck_func_t s6net_accessrules_keycheck_reversedns ; -#define s6net_accessrules_keycheck_ip46(key, data, params, f) (ip46_is6((ip46_t const *)(key)) ? s6net_accessrules_keycheck_ip6(((ip46_t const *)(key))->ip, data, params, f) : s6net_accessrules_keycheck_ip4(((ip46_t const *)(key))->ip, data, params, f)) - -extern s6net_accessrules_result_t s6net_accessrules_uidgid_cdb (unsigned int, unsigned int, struct cdb *, s6net_accessrules_params_t *) ; -extern s6net_accessrules_result_t s6net_accessrules_uidgid_fs (unsigned int, unsigned int, char const *, s6net_accessrules_params_t *) ; -#define s6net_accessrules_ip4_cdb(ip4, c, params) s6net_accessrules_keycheck_ip4(ip4, c, (params), &s6net_accessrules_backend_cdb) -#define s6net_accessrules_ip4_fs(ip4, rulesdir, params) s6net_accessrules_keycheck_ip4(ip4, rulesdir, (params), &s6net_accessrules_backend_fs) -#define s6net_accessrules_ip6_cdb(ip6, c, params) s6net_accessrules_keycheck_ip6(ip6, c, (params), &s6net_accessrules_backend_cdb) -#define s6net_accessrules_ip6_fs(ip6, rulesdir, params) s6net_accessrules_keycheck_ip6(ip6, rulesdir, (params), &s6net_accessrules_backend_fs) -#define s6net_accessrules_ip46_cdb(ip, c, params) s6net_accessrules_keycheck_ip46(ip, c, (params), &s6net_accessrules_backend_cdb) -#define s6net_accessrules_ip46_fs(ip, rulesdir, params) s6net_accessrules_keycheck_ip46(ip, rulesdir, (params), &s6net_accessrules_backend_fs) -#define s6net_accessrules_reversedns_cdb(name, c, params) s6net_accessrules_keycheck_reversedns(name, c, (params), &s6net_accessrules_backend_cdb) -#define s6net_accessrules_reversedns_fs(name, c, params) s6net_accessrules_keycheck_reversedns(name, c, (params), &s6net_accessrules_backend_fs) - -#endif diff --git a/src/include/s6-networking/s6net.h b/src/include/s6-networking/s6net.h index 81d804e..8778527 100644 --- a/src/include/s6-networking/s6net.h +++ b/src/include/s6-networking/s6net.h @@ -3,7 +3,6 @@ #ifndef S6NET_H #define S6NET_H -#include #include #endif diff --git a/src/libs6net/deps-lib/s6net b/src/libs6net/deps-lib/s6net index 7b497ac..1b15735 100644 --- a/src/libs6net/deps-lib/s6net +++ b/src/libs6net/deps-lib/s6net @@ -1,11 +1,3 @@ -s6net_accessrules_backend_cdb.o -s6net_accessrules_backend_fs.o -s6net_accessrules_keycheck_ip4.o -s6net_accessrules_keycheck_ip6.o -s6net_accessrules_keycheck_reversedns.o -s6net_accessrules_keycheck_uidgid.o -s6net_accessrules_uidgid_cdb.o -s6net_accessrules_uidgid_fs.o s6net_ident_client.o s6net_ident_reply_get.o s6net_ident_reply_parse.o diff --git a/src/libs6net/s6net_accessrules_backend_cdb.c b/src/libs6net/s6net_accessrules_backend_cdb.c deleted file mode 100644 index e75f755..0000000 --- a/src/libs6net/s6net_accessrules_backend_cdb.c +++ /dev/null @@ -1,38 +0,0 @@ -/* ISC license. */ - -#include -#include -#include -#include -#include -#include -#include - -s6net_accessrules_result_t s6net_accessrules_backend_cdb (char const *key, unsigned int keylen, void *data, s6net_accessrules_params_t *params) -{ - struct cdb *c = data ; - unsigned int execbase, n ; - uint16 envlen, execlen ; - register int r = cdb_find(c, key, keylen) ; - if (r < 0) return S6NET_ACCESSRULES_ERROR ; - else if (!r) return S6NET_ACCESSRULES_NOTFOUND ; - n = cdb_datalen(c) ; - if ((n < 5U) || (n > 8197U)) return (errno = EINVAL, S6NET_ACCESSRULES_ERROR) ; - if (!stralloc_readyplus(¶ms->exec, n)) return S6NET_ACCESSRULES_ERROR ; - execbase = params->exec.len ; - if (cdb_read(c, params->exec.s + execbase, n, cdb_datapos(c)) < 0) return S6NET_ACCESSRULES_ERROR ; - if (params->exec.s[execbase] == 'D') return S6NET_ACCESSRULES_DENY ; - else if (params->exec.s[execbase] != 'A') return S6NET_ACCESSRULES_NOTFOUND ; - uint16_unpack_big(params->exec.s + execbase + 1U, &envlen) ; - if ((envlen > 4096U) || (envlen+5U > n)) return (errno = EINVAL, S6NET_ACCESSRULES_ERROR) ; - uint16_unpack_big(params->exec.s + execbase + 3 + envlen, &execlen) ; - if ((execlen > 4096U) || (5U + envlen + execlen != n)) return (errno = EINVAL, S6NET_ACCESSRULES_ERROR) ; - if (!stralloc_catb(¶ms->env, params->exec.s + execbase + 3U, envlen)) return S6NET_ACCESSRULES_ERROR ; - byte_copy(params->exec.s + execbase, execlen, params->exec.s + execbase + 5U + envlen) ; - if (execlen) - { - params->exec.len += execlen ; - params->exec.s[params->exec.len++] = 0 ; - } - return S6NET_ACCESSRULES_ALLOW ; -} diff --git a/src/libs6net/s6net_accessrules_backend_fs.c b/src/libs6net/s6net_accessrules_backend_fs.c deleted file mode 100644 index d609285..0000000 --- a/src/libs6net/s6net_accessrules_backend_fs.c +++ /dev/null @@ -1,58 +0,0 @@ -/* ISC license. */ - -#include -#include -#include -#include -#include -#include -#include - -s6net_accessrules_result_t s6net_accessrules_backend_fs (char const *key, unsigned int keylen, void *data, s6net_accessrules_params_t *params) -{ - char *dir = data ; - unsigned int dirlen = str_len(dir) ; - unsigned int envbase = params->env.len ; - int wasnull = !params->env.s ; - { - char tmp[dirlen + keylen + 10] ; - byte_copy(tmp, dirlen, dir) ; - tmp[dirlen] = '/' ; - byte_copy(tmp + dirlen + 1, keylen, key) ; - byte_copy(tmp + dirlen + keylen + 1, 7, "/allow") ; - if (access(tmp, R_OK) < 0) - { - if ((errno != EACCES) && (errno != ENOENT)) - return S6NET_ACCESSRULES_ERROR ; - byte_copy(tmp + dirlen + keylen + 2, 5, "deny") ; - return (access(tmp, R_OK) == 0) ? S6NET_ACCESSRULES_DENY : - (errno != EACCES) && (errno != ENOENT) ? S6NET_ACCESSRULES_ERROR : - S6NET_ACCESSRULES_NOTFOUND ; - } - byte_copy(tmp + dirlen + keylen + 2, 4, "env") ; - if ((envdir(tmp, ¶ms->env) < 0) && (errno != ENOENT)) - return S6NET_ACCESSRULES_ERROR ; - if (!stralloc_readyplus(¶ms->exec, 4097)) - { - if (wasnull) stralloc_free(¶ms->env) ; - else params->env.len = envbase ; - return S6NET_ACCESSRULES_ERROR ; - } - byte_copy(tmp + dirlen + keylen + 2, 5, "exec") ; - { - register int r = openreadnclose(tmp, params->exec.s + params->exec.len, 4096) ; - if ((r < 0) && (errno != EACCES) && (errno != ENOENT)) - { - if (wasnull) stralloc_free(¶ms->env) ; - else params->env.len = envbase ; - return S6NET_ACCESSRULES_ERROR ; - } - if (r > 0) - { - params->exec.len += r ; - params->exec.s[params->exec.len++] = 0 ; - } - } - } - return S6NET_ACCESSRULES_ALLOW ; -} diff --git a/src/libs6net/s6net_accessrules_keycheck_ip4.c b/src/libs6net/s6net_accessrules_keycheck_ip4.c deleted file mode 100644 index 1f96bd8..0000000 --- a/src/libs6net/s6net_accessrules_keycheck_ip4.c +++ /dev/null @@ -1,24 +0,0 @@ -/* ISC license. */ - -#include -#include -#include -#include - -s6net_accessrules_result_t s6net_accessrules_keycheck_ip4 (void const *key, void *data, s6net_accessrules_params_t *params, s6net_accessrules_backend_func_t_ref check1) -{ - char fmt[IP4_FMT + UINT_FMT + 6] = "ip4/" ; - uint32 ip ; - unsigned int i = 0 ; - uint32_unpack_big((char const *)key, &ip) ; - for (; i <= 32 ; i++) - { - register s6net_accessrules_result_t r ; - register unsigned int len = 4 + ip4_fmtu32(fmt+4, (i == 32) ? 0 : ip & ~((1U << i) - 1)) ; - fmt[len++] = '_' ; - len += uint_fmt(fmt + len, 32 - i) ; - r = (*check1)(fmt, len, data, params) ; - if (r != S6NET_ACCESSRULES_NOTFOUND) return r ; - } - return S6NET_ACCESSRULES_NOTFOUND ; -} diff --git a/src/libs6net/s6net_accessrules_keycheck_ip6.c b/src/libs6net/s6net_accessrules_keycheck_ip6.c deleted file mode 100644 index c2ee5ae..0000000 --- a/src/libs6net/s6net_accessrules_keycheck_ip6.c +++ /dev/null @@ -1,27 +0,0 @@ -/* ISC license. */ - -#include -#include -#include -#include -#include - -s6net_accessrules_result_t s6net_accessrules_keycheck_ip6 (void const *key, void *data, s6net_accessrules_params_t *params, s6net_accessrules_backend_func_t_ref check1) -{ - char fmt[IP6_FMT + UINT_FMT + 6] = "ip6/" ; - char ip6[16] ; - unsigned int i = 0 ; - byte_copy(ip6, 16, (char const *)key) ; - for (; i <= 128 ; i++) - { - unsigned int len ; - register s6net_accessrules_result_t r ; - if (i) bitarray_clear(ip6, 128 - i) ; - len = 4 + ip6_fmt(fmt+4, ip6) ; - fmt[len++] = '_' ; - len += uint_fmt(fmt + len, 128 - i) ; - r = (*check1)(fmt, len, data, params) ; - if (r != S6NET_ACCESSRULES_NOTFOUND) return r ; - } - return S6NET_ACCESSRULES_NOTFOUND ; -} diff --git a/src/libs6net/s6net_accessrules_keycheck_reversedns.c b/src/libs6net/s6net_accessrules_keycheck_reversedns.c deleted file mode 100644 index f4c0213..0000000 --- a/src/libs6net/s6net_accessrules_keycheck_reversedns.c +++ /dev/null @@ -1,27 +0,0 @@ -/* ISC license. */ - -#include -#include -#include - -s6net_accessrules_result_t s6net_accessrules_keycheck_reversedns (void const *key, void *data, s6net_accessrules_params_t *params, s6net_accessrules_backend_func_t_ref check1) -{ - char const *name = key ; - unsigned int len = str_len(name) ; - if (!len) return (errno = EINVAL, S6NET_ACCESSRULES_ERROR) ; - if (name[len-1] == '.') len-- ; - { - unsigned int i = 0 ; - char tmp[len + 11] ; - byte_copy(tmp, 11, "reversedns/") ; - while (i < len) - { - register s6net_accessrules_result_t r ; - byte_copy(tmp+11, len-i, name+i) ; - r = (*check1)(tmp, 11+len-i, data, params) ; - if (r != S6NET_ACCESSRULES_NOTFOUND) return r ; - i += byte_chr(name+i, len-i, '.') + 1 ; - } - } - return (*check1)("reversedns/@", 12, data, params) ; -} diff --git a/src/libs6net/s6net_accessrules_keycheck_uidgid.c b/src/libs6net/s6net_accessrules_keycheck_uidgid.c deleted file mode 100644 index a7e2200..0000000 --- a/src/libs6net/s6net_accessrules_keycheck_uidgid.c +++ /dev/null @@ -1,16 +0,0 @@ -/* ISC license. */ - -#include -#include -#include - -s6net_accessrules_result_t s6net_accessrules_keycheck_uidgid (void const *key, void *data, s6net_accessrules_params_t *params, s6net_accessrules_backend_func_t_ref check1) -{ - char fmt[4 + UINT_FMT] = "uid/" ; - register s6net_accessrules_result_t r = (*check1)(fmt, 4 + uint_fmt(fmt+4, ((diuint const *)key)->left), data, params) ; - if (r != S6NET_ACCESSRULES_NOTFOUND) return r ; - fmt[0] = 'g' ; - r = (*check1)(fmt, 4 + uint_fmt(fmt+4, ((diuint const *)key)->right), data, params) ; - return (r != S6NET_ACCESSRULES_NOTFOUND) ? r : - (*check1)("uid/default", 11, data, params) ; -} diff --git a/src/libs6net/s6net_accessrules_uidgid_cdb.c b/src/libs6net/s6net_accessrules_uidgid_cdb.c deleted file mode 100644 index 1836389..0000000 --- a/src/libs6net/s6net_accessrules_uidgid_cdb.c +++ /dev/null @@ -1,11 +0,0 @@ -/* ISC license. */ - -#include -#include -#include - -s6net_accessrules_result_t s6net_accessrules_uidgid_cdb (unsigned int uid, unsigned int gid, struct cdb *c, s6net_accessrules_params_t *params) -{ - diuint uidgid = { uid, gid } ; - return s6net_accessrules_keycheck_uidgid(&uidgid, c, params, &s6net_accessrules_backend_cdb) ; -} diff --git a/src/libs6net/s6net_accessrules_uidgid_fs.c b/src/libs6net/s6net_accessrules_uidgid_fs.c deleted file mode 100644 index db2e909..0000000 --- a/src/libs6net/s6net_accessrules_uidgid_fs.c +++ /dev/null @@ -1,10 +0,0 @@ -/* ISC license. */ - -#include -#include - -s6net_accessrules_result_t s6net_accessrules_uidgid_fs (unsigned int uid, unsigned int gid, char const *rulesdir, s6net_accessrules_params_t *params) -{ - diuint uidgid = { uid, gid } ; - return s6net_accessrules_keycheck_uidgid(&uidgid, (void *)rulesdir, params, &s6net_accessrules_backend_fs) ; -} -- cgit v1.2.3