some CI envs don't like `listen on localhost' but tolerate INADDR_ANY
or IN6ADDR_ANY_INIT.
|
|
Listening by default on all the addresses is so bad I don't know
why I haven't changed this before. Anyway.
Add a `listen on $hostname port $port' syntax to the config file
and deprecate the old "port" and "ipv6" global setting. Still try
to honour them when no "listen on" directive is used for backward
compatibility, but this will go away in the next next version hopefully.
At the moment the `listen on' in server context doesn't filter the
host, i.e. one can still reach a host from an address not specified
in the corresponding `listen on', this will be added later.
|
|
This time with a temporary variable to avoid triggering
-Wpointer-sign, sigh.
|
|
now it resembles less oconfigure and more the configure scripts I'm
using in my recent projects. I'd argue it's easier to use.
|
|
we can use cmp to tell if two files are different, which also has
the benefit of being available everywhere and reporting the byte
offset of the first difference. Reduces the test dependencies on
some systems.
|
|
still not re-enabled.
|
|
Was temporarily disabled during the transition to real privsep.
While here, fix a memory leak when using `require client ca'.
Also, avoid leaking info about the parent address space layout to
server processes by not sending pointer values.
|
|
It uses the 'common' proc.c from various OpenBSD-daemons.
gmid grew organically bit by bit and it was also the first place where I
tried to implement privsep. It wasn't done very well, in fact the
parent process (that retains root privileges) just fork()s a generation
of servers, all sharing *exactly* the same address space. No good!
Now, we fork() and re-exec() ourselves, so that each process has a fresh
address space.
Some features (require client ca for example) are temporarily disabled,
will be fixed in subsequent commits. The "ge" program is also
temporarily disabled as it needs tweaks to do privsep too.
|
|
it's just not worth it to inflict this breaking change on the users.
|
|
breaks on some distro and needs further investigations; it's not that
interesting fortunately.
|
|
will help in future restructuring to have fixed-size objects.
|
|
-d is `debug' (run in the foreground)
-f to load the configuration file
adjust regress and contrib accordingly
|
|
I really want to get rid of the `executor' process hack for CGI scripts
and its escalation to allow fastcgi and proxying to work on non-OpenBSD.
This drops the CGI support and the `executor' process entirely and is
the first step towards gmid 2.0. It also allows having more secure
defaults.
On non-OpenBSD systems this means that the sandbox will be deactivated
as soon as fastcgi or proxying are used: you can't open sockets under
FreeBSD's capsicum(4) and I don't want to go thru the pain of making it
work under Linux's seccomp/landlock. Patches are always welcome however.
For folks using CGI scripts (hey, I'm one of you!) not all hope is lost:
fcgiwrap or OpenBSD's slowcgi(8) are ways to run CGI scripts as if they were
FastCGI applications.
fixes for the documentation and to the non-OpenBSD sandboxes will
follow.
|
|
steal more (good) stuff from mandoc-portable :)
|
|
not just the number of lines, check the full page!
|
|
gmid would disallow the '@' and ':' characters in paths (unless
percent-encoded.) Issue reported by freezr.
|
|
and remove the explicit mapping from the documentation and test files.
|
|
it's not a problem when we have only one check_reply at the end,
since $? is kept across function boundaries, but when we have multiple
checks we need to quit on the first error.
|
|
matches found with
% grep -R '=[ ]*{' . | fgrep -v const
|
|
it's specified by POSIX AFAIK and requires fewer redirections.
|
|
IRI and Punycode tests don't run gmid binary and can be safely executed.
|
|
libevent2 can still somehow call client_read even in code paths
that never enable reading from the evbuffer. Can't reproduce on
the libevent in base on OpenBSD. It's a bit ugly, but it's a small
workaround for something that otherwise *always* makes gmid crash
when linked against libevent2. (client_read works under the
assumption that c->host != NULL, matched_proxy crashes otherwise.)