| Age | Commit message (Collapse) | Author |
|---|
|
|
|
Incorporate the OpenSMTPD' privsep crypto engine. The idea behind
it is to never load the certificate' private keys in a networked
process, instead they are loaded in a separate process (the `crypto'
one) which signs payloads on the behalf of the server processes.
This way, we greatly reduce the risk of leaking the certificate'
private key should the server process be compromised.
This currently compiles only on LibreSSL (portable fix is in the
way).
|
|
|
|
this avoids having the daemon dieing on SIGHUP with a bad config
file.
|
|
|
|
|
|
while here also make them a list rather than a fixed-size array.
|
|
Was temporarly disabled during the transition to real privsep.
While here, fix a memory leak when using `require client ca'.
Also, avoid leaking info about the parent address space layout to
server processes by not sending pointer values.
|
|
|
|
|
|
set them as global vars; rename foreground -> debug
|
|
|
|
server_configure_done is the code we ran in IMSG_RECONF_END splitted
in a separate functions.
This is all needed for ge.c which doesn't do privsep but needs to
bootstrap the server process.
|
|
so that ge can provide its own log_request without requiring a
separate logger process.
|
|
|
|
|
|
|
|
It uses the 'common' proc.c from various OpenBSD-daemons.
gmid grew organically bit by bit and it was also the first place where I
tried to implement privsep. It wasn't done very well, in fact the
parent process (that retains root privileges) just fork()s a generation
of servers, all sharing *exactly* the same address space. No good!
Now, we fork() and re-exec() ourselves, so that each process has a fresh
address space.
Some features (require client ca for example) are temporarly disabled,
will be fixed in subsequent commits. The "ge" program is also
temporarly disabled as it needs tweaks to do privsep too.
|
|
|
|
|
|
reuse it in ge too.
|
|
|
|
|
|
fatal usually appends the error string. Add 'fatalx' that doesn't.
Fix callers and move the prototypes to log.h
|
|
|
|
|
|
will help in future restructuring to have fixed-size objects.
|
|
spawning programs was a hidden feature used only for testing. It's
gross and when got removed, I forgot to remove the field as well.
|
|
|
|
|
|
ventige of the cgi support (and lack of url rewriting)
|
|
The `env' list is no longer used since CGI scripts were removed
|
|
|
|
|
|
|
|
The FreeBSD and Linux' sandbox can't deal with `fastcgi' and `proxy'
configuration rules: new sockets needs to be opened and it's either
impossible (the former) or a huge pain in the arse (the latter).
The sandbox is still always used in case only static files are served.
|
|
|
|
|
|
I really want to get rid of the `executor' process hack for CGI scripts
and its escalation to allow fastcgi and proxying to work on non-OpenBSD.
This drops the CGI support and the `executor' process entirely and is
the first step towards gmid 2.0. It also allows to have more secure
defaults.
On non-OpenBSD systems this means that the sandbox will be deactivated
as soon as fastcgi or proxying are used: you can't open sockets under
FreeBSD' capsicum(4) and I don't want to go thru the pain of making it
work under linux' seccomp/landlock. Patches are always welcome however.
For folks using CGI scripts (hey, I'm one of you!) not all hope is lost:
fcgiwrap or OpenBSD' slowcgi(8) are ways to run CGI scripts as they were
FastCGI applications.
fixes for the documentation and to the non-OpenBSD sandboxes will
follow.
|
|
Spotted the hard way by cage
|
|
|
|
|
|
add_mime nows allocate dinamically copies of the passed strings, so
that we can actually free what we parse from the config file.
This matters a lot especially with lengthy `types' block: strings that
reach the internal mapping are never free'd, so every manual addition
is leaked.
|
|
Long time ago, client->req was a static buffer so the memcpy was safe.
However, it's been since moved to a dynamically allocated string, so
it's very often smaller than sizeof(req.buf) (1024), hence the out of
bound access which results in a SIGSEGV very often on OpenBSD thanks to
Otto' malloc.
The situation with the iri parser, client->req and how the request is
forwarded to the other process needs to be improved: this is just a fix
to address the issue quickly, a better one would be to restructure the
iri parser APIs and rethink how the info is forwarded to the ex process.
|
|
i.e. allow client_by_id to fail and return NULL.
Initially I thought it was a good idea to shut down a server process
if we receive an invalid client id as reply from one of our requests
to the executor process. This turned out not to be correct since a
client can (read: will) disconnect in the delay beteewn we acknowledge
their request and the cgi script execution.
The fastcgi and proxy handler already handled this situation, so
they're unaffected.
This allows an attacker to make gmid unresponsible by just making
enough requests until they hit the right timing.
|
|
add a `sni' option for the `proxy' block: the given name is used instead
of the one extracted by the `relay-to' rule.
|
|
properly release everything when during client_close if the request
was managed by a proxy.
|
|
refactor the code that calls validate_against_ca into an helper
function to reuse it in both apply_require_ca and (optionally) in
apply_reverse_proxy.
|
|
as a side effect the order of the content of a server block is relaxed:
options, location or proxy blocks can be put in any order.
|
|
|
