diff options
Diffstat (limited to 'git-daemon/git-daemon.pl')
| -rwxr-xr-x[-rw-r--r--] | git-daemon/git-daemon.pl | 95 |
1 files changed, 60 insertions, 35 deletions
diff --git a/git-daemon/git-daemon.pl b/git-daemon/git-daemon.pl index f18f6b9..df753e1 100644..100755 --- a/git-daemon/git-daemon.pl +++ b/git-daemon/git-daemon.pl @@ -1,10 +1,10 @@ #!/usr/bin/perl # -# A very simple userv git-daemon wrapper. +# A git daemon with an added userv security boundary. # # This reads the first packet-line of the protocol, checks the syntax -# of the user, pathname, and hostname, then uses userv to invoke the -# real git daemon as the target user with safe arguments. +# of the pathname and hostname, then uses userv to invoke the +# git-upload-pack as the target user with safe arguments. # # This was written by Tony Finch <dot@dotat.at> # You may do anything with it, at your own risk. @@ -14,49 +14,74 @@ use strict; use warnings; use POSIX; +use Socket; +use Sys::Syslog; -my $USER = qr{[0-9a-z]+}; -my $PATH = qr{[-+,._/0-9A-Za-z]+}; -my $HOST = qr{[-.0-9A-Za-z]+}; +use vars qw{ %vhost_default_user %vhost_user_from_tilde + $TILDE $REPO $HOSTNAME }; + +use lib '/etc/userv'; +require 'git-daemon-vhosts.pl'; + +my $peer = getpeername STDIN; +my ($port,$addr); +if (defined $peer) { + ($port,$addr) = sockaddr_in $peer; + $addr = inet_ntoa $addr; + $peer = "[$addr]:$port"; +} else { + $peer = "[?.?.?.?]:?"; + undef $!; +} + +openlog 'userv-git-daemon', 'pid', 'daemon'; + +sub fail { + syslog 'err', "$peer @_"; + exit; +} sub xread { my $length = shift; my $buffer = ""; my $count = 0; + # simply die if the client takes too long + alarm 30; while ($length > length $buffer) { - my $data; - my $ret = sysread STDIN, $data, $len - while not defined $ret and ($! == EINTR or $! == EAGAIN); - die "read" unless defined $ret; - die "short read: expected $length bytes, got $count\n" if $ret == 0; - $buffer .= $data; - $count += $ret; + my ($data,$ret); + do { + $ret = sysread STDIN, $data, $length + } while not defined $ret and ($! == EINTR or $! == EAGAIN); + fail "read: $!" unless defined $ret; + fail "short read: expected $length bytes, got $count" if $ret == 0; + $buffer .= $data; + $count += $ret; } + alarm 0; return $buffer; } my $len_hex = xread 4; -die "bad packet length" unless $len_hex =~ m{^[0-9a-zA-Z]{4}$}; -my $len = hex $len; +fail "non-hexadecimal packet length" unless $len_hex =~ m{^[0-9a-zA-Z]{4}$}; +my $len = hex $len_hex; my $line = xread $len; -$line =~ m{^git-upload-pack ~($USER)/($PATH[.]git)\0host=($HOST)\0$}; -my ($user,$path,$host) = ($1,$2,$3); - -# child's output will go directly to inetd -open CHILD, '-|', 'userv', $user, - qw(git daemon --inetd --strict-paths - --user-path=public-git --forbid-override=receive-pack) - or die "open pipe to userv: $!\n"; - -# proxy command line to child -syswrite CHILD, $len_hex.$line - or die "write to userv: $!\n"; - -# relay stdin to child -open STDOUT, ">&CHILD" - or die "dup: $!\n"; -exec 'cat' - or die "exec: $!\n"; - -die +unless ($line =~ m{^git-upload-pack (?:~($TILDE)/)?($REPO[.]git)\0host=($HOSTNAME)\0$}) { + $line =~ s/[^ -~]+/ /g; + fail "could not parse \"$line\"" +} +my ($tilde,$repo,$host) = ($1,$2,$3); +my $url = $tilde ? "git://$host/~$tilde/$repo" : "git://$host/$repo"; + +my $user = $vhost_user_from_tilde{$host} ? $tilde : $vhost_default_user{$host}; +fail "no user configuration for $url" unless defined $user; + +syslog 'info', "$peer $user $url"; + +my @opts = ("-DCLIENT=$addr", "-DHOST=$host", "-DREPO=$repo"); +push @opts, "-DTILDE=$tilde" if defined $tilde; + +exec 'userv', @opts, $user, 'git-upload-pack' + or fail "exec userv: $!"; + +# end |