From 122baaa930e47b07c14b0d911b7469f7f20c44c5 Mon Sep 17 00:00:00 2001 
From: single-right-quote <34298117+single-right-quote@users.noreply.github.com> Date: Fri, 14 Aug 2020 19:57:23 +0000 Subject: [PATCH] isolate chroot-exclusive contents also rename several folders in anticipation of further restructuring as a bonus, `supported-hostname-test.execline` no longer needs special cases --- binaries/supported-hostname-test.execline | 54 ------------------- run.template | 2 + .../binaries}/get-line-from-client.execline | 0 .../binaries}/headers.execline | 0 .../binaries}/http-error-response.execline | 8 +-- .../binaries}/http-header-parse.execline | 0 .../binaries}/http-start-line-parse.execline | 0 .../binaries}/httpd.execline | 30 ++++++----- .../binaries}/log.execline | 0 .../binaries/supported-hostname-test.execline | 26 +++++++++ .../configuration}/Content-Type_table/c | 0 .../configuration}/Content-Type_table/css | 0 .../Content-Type_table/execline | 0 .../configuration}/Content-Type_table/html | 0 .../configuration}/Content-Type_table/ico | 0 .../configuration}/Content-Type_table/jpeg | 0 .../configuration}/Content-Type_table/jpg | 0 .../configuration}/Content-Type_table/js | 0 .../configuration}/Content-Type_table/market | 0 .../configuration}/Content-Type_table/png | 0 .../configuration}/Content-Type_table/txt | 0 .../configuration}/Content-Type_table/xhtml | 0 .../default_headers}/default.example | 0 23 files changed, 48 insertions(+), 72 deletions(-) delete mode 100755 binaries/supported-hostname-test.execline rename {binaries => visible-to-httpd/binaries}/get-line-from-client.execline (100%) rename {binaries => visible-to-httpd/binaries}/headers.execline (100%) rename {binaries => visible-to-httpd/binaries}/http-error-response.execline (83%) rename {binaries => visible-to-httpd/binaries}/http-header-parse.execline (100%) rename {binaries => visible-to-httpd/binaries}/http-start-line-parse.execline (100%) rename {binaries => visible-to-httpd/binaries}/httpd.execline (90%) rename {binaries => 
visible-to-httpd/binaries}/log.execline (100%)
 create mode 100755 visible-to-httpd/binaries/supported-hostname-test.execline
 rename {data => visible-to-httpd/configuration}/Content-Type_table/c (100%)
 rename {data => visible-to-httpd/configuration}/Content-Type_table/css (100%)
 rename {data => visible-to-httpd/configuration}/Content-Type_table/execline (100%)
 rename {data => visible-to-httpd/configuration}/Content-Type_table/html (100%)
 rename {data => visible-to-httpd/configuration}/Content-Type_table/ico (100%)
 rename {data => visible-to-httpd/configuration}/Content-Type_table/jpeg (100%)
 rename {data => visible-to-httpd/configuration}/Content-Type_table/jpg (100%)
 rename {data => visible-to-httpd/configuration}/Content-Type_table/js (100%)
 rename {data => visible-to-httpd/configuration}/Content-Type_table/market (100%)
 rename {data => visible-to-httpd/configuration}/Content-Type_table/png (100%)
 rename {data => visible-to-httpd/configuration}/Content-Type_table/txt (100%)
 rename {data => visible-to-httpd/configuration}/Content-Type_table/xhtml (100%)
 rename {data/extra_headers => visible-to-httpd/configuration/default_headers}/default.example (100%)
diff --git a/binaries/supported-hostname-test.execline b/binaries/supported-hostname-test.execline
deleted file mode 100755
index 80a7af9..0000000
--- a/binaries/supported-hostname-test.execline
+++ /dev/null
@@ -1,54 +0,0 @@ -#!/binaries/execlineb -WS1 -# `supported-hostname-test.execline hostname` -# -# tests if `hostname` is supported by this server, by checking if -# a directory by that exact name exists in the current working directory -# immediately 404s otherwise -# -# hard depends on these external `httpd.execline` subscripts: -# -# + ./http-error-response.execline: and thus, -# + ./log.execline -# - -# protect Special Subdirectories -# -# + `/binaries` is change root--available static binaries and helper scripts -# + `tcp-access-rules` for the pseudo-firewall -# + `.` and `..` are to disallow clients being Naughty -# + the other directories are for process supervision things -# -# note: general policy for this server is to 404 where we "should" 403. -# -ifelse { - s6-test \${1} = binaries -o - \${1} = data -o - \${1} = event -o - \${1} = log -o - \${1} = supervise -o - \${1} = tcp-access-rules -o - \${1} = . -o - \${1} = .. -} -{ - if { - http-error-response.execline - 404 - "not found" - "illegal host: \""${1}\" - } - exit 1 -} -# reject unsupported hostnames -# -ifelse { s6-test ! -d \${1} } -{ - if { - http-error-response.execline - 404 - "not found" - "unsupported host: \""${1}\" - } - exit 1 -} -exit 0 diff --git a/run.template b/run.template index 342814e..b74022d 100755 --- a/run.template +++ b/run.template @@ -21,6 +21,8 @@ export TLS_GID ${YOUR_TLS_USER_GROUP_ID_HERE} # user for ./binaries/httpd.execline (after `chroot(8)`) s6-envuidgid ${YOUR_HTTP_USER_NAME_HERE} +cd visible-to-httpd + # somewhat verbose command line to make the httpd able to log the PID reported by s6-tcpserver # (s6-tcpserver prints the pid of `s6-tlsd`, but `./httpd.execline` is a child of said PID) s6-tcpserver4 diff --git a/binaries/get-line-from-client.execline b/visible-to-httpd/binaries/get-line-from-client.execline similarity index 100% rename from binaries/get-line-from-client.execline rename to visible-to-httpd/binaries/get-line-from-client.execline 
diff --git a/binaries/headers.execline b/visible-to-httpd/binaries/headers.execline similarity index 100% rename from binaries/headers.execline rename to visible-to-httpd/binaries/headers.execline diff --git a/binaries/http-error-response.execline b/visible-to-httpd/binaries/http-error-response.execline similarity index 83% rename from binaries/http-error-response.execline rename to visible-to-httpd/binaries/http-error-response.execline index 934d716..0fae198 100755 --- a/binaries/http-error-response.execline +++ b/visible-to-httpd/binaries/http-error-response.execline @@ -1,7 +1,7 @@ #!/binaries/execlineb -WS2 # http-error-response.execline STATUS_CODE STATUS_MESSAGE [LOG_MESSAGE] # -# if `data/status-code/table/${hostname}/${STATUS_CODE} exists, `cat(1)` that +# if `configuration/status-code/table/${hostname}/${STATUS_CODE} exists, `cat(1)` that # otherwise, fall back on a very generic error message # # TODO: @@ -28,7 +28,7 @@ backtick -i -n Content-Length { backtick -i -n Date { date -u "+%a, %d %b %Y %T GMT" } -backtick -i -n extra_headers { cat data/extra_headers/default } +backtick -i -n extra_headers { cat configuration/default_headers/default } multisubstitute { # TODO: importas -i -u Content-Length Content-Length @@ -47,10 +47,10 @@ Date: "${Date}"\r } if { - ifelse { s6-test -r data/status-code_table/${hostname}/${1} } + ifelse { s6-test -r configuration/error_response_pages/${hostname}/${1} } { # TODO: support `Content-Types`?? and `Content-Length` - cat data/status-code_table/${hostname}/${1} + cat configuration/error_response_pages/${hostname}/${1} } s6-echo -n -- " diff --git a/binaries/http-header-parse.execline b/visible-to-httpd/binaries/http-header-parse.execline similarity index 100% rename from binaries/http-header-parse.execline rename to visible-to-httpd/binaries/http-header-parse.execline 
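Review bot: The header comment rewritten in the first hunk of `http-error-response.execline` names `configuration/status-code/table/${hostname}/${STATUS_CODE}`, but the lookup in the third hunk of the same file reads `configuration/error_response_pages/${hostname}/${1}`, so the documented path is not the one the script uses. The backtick opened before the path on that comment line is also never closed. The line should read ``# if `configuration/error_response_pages/${hostname}/${STATUS_CODE}` exists, `cat(1)` that``.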
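Review bot: The renamed lookup `s6-test -r configuration/error_response_pages/${hostname}/${1}` and the `cat` under it (third hunk of `http-error-response.execline`) still build a filesystem path from `${hostname}` without checking its shape. Where `hostname` is set lies outside the hunk, but this script is also the one that answers "unsupported host", so the value has presumably not been validated when it gets here, and a value containing `/` or `..` would resolve outside `error_response_pages/`. Falling through to the generic `s6-echo` body whenever `${hostname}` is empty, `.`, `..` or contains `/` would keep the lookup inside that directory.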
diff --git a/binaries/http-start-line-parse.execline b/visible-to-httpd/binaries/http-start-line-parse.execline similarity index 100% rename from binaries/http-start-line-parse.execline rename to visible-to-httpd/binaries/http-start-line-parse.execline diff --git a/binaries/httpd.execline b/visible-to-httpd/binaries/httpd.execline similarity index 90% rename from binaries/httpd.execline rename to visible-to-httpd/binaries/httpd.execline index cf36075..32fb08d 100755 --- a/binaries/httpd.execline +++ b/visible-to-httpd/binaries/httpd.execline @@ -104,6 +104,8 @@ if -X -n -t { #### 3. process requested resource ### backtick -i -n resource { + cd supported_domains + backtick -i -n candidate_resource { backtick -in with_dot_and_dot_dot { pipeline { s6-echo -n -- ${requested_resource} } @@ -134,7 +136,8 @@ if -X -n -t { s6-echo -n -- ${candidate_resource} } importas -i resource resource - ifelse { s6-test ! -r \${resource} } + + ifelse { s6-test ! -r supported_domains/${resource} } { http-error-response.execline 404 @@ -172,18 +175,18 @@ if -X -n -t { tr := ./ } - # use `./data/Content-Type_table` as a key-value store: files with + # use `./configuration/Content-Type_table` as a key-value store: files with # the name ${extension} map to the `Content-Type` embedded in - # their contents. for example, `./data/Content-Type_table/xhtml` + # their contents. for example, `./configuration/Content-Type_table/xhtml` # contains the text “application/xhtml+xml” (with no newline) # (it is fine if the file contains a single newline at the end) # # if no key exists with the extension’s name, we fall back on # “application/octet-stream”, as we should importas -i -u extension extension - ifelse { s6-test -r \\./data/Content-Type_table/${extension} } + ifelse { s6-test -r configuration/Content-Type_table/${extension} } { - cat ./data/Content-Type_table/${extension} + cat configuration/Content-Type_table/${extension} } s6-echo -n -- application/octet-stream } 
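Review bot: The `cd supported_domains` added at the top of the `backtick -i -n resource { … }` block has no comment, and its scope is easy to misread. It appears to apply only to the program that computes `resource`, which is why the `s6-test ! -r` check in the next hunk and the later `stat` and `cat` calls spell out `supported_domains/${resource}`. A comment above it such as `# resolve the request relative to supported_domains/; this cd applies only inside this backtick block` would record that. The block's body continues outside the hunk, so how `candidate_resource` is normalised cannot be checked here; it is worth confirming that the result can never begin with `/` or contain `..`, since it is appended to `supported_domains/` unchanged.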
@@ -192,7 +195,7 @@ if -X -n -t { # TODO: separate this out, ideally make reusable # file length in bytes: SHOULD be provided - backtick -i -n Content-Length { stat -c%s -- ${resource} } + backtick -i -n Content-Length { stat -c%s -- supported_domains/${resource} } # "[weekday], [month-day] [month] [year] [hours:minutes:seconds] GMT" # (example: "Tue, 03 Mar 2020 21:06:08 GMT") @@ -200,7 +203,7 @@ if -X -n -t { # the date the resource was last modified SHOULD be provided backtick -i -n Last-Modified { - backtick -i -n seconds_since_epoch { stat -c%Y -- ${resource} } + backtick -i -n seconds_since_epoch { stat -c %Y -- supported_domains/${resource} } importas -i -u seconds_since_epoch seconds_since_epoch date -d @${seconds_since_epoch} -u ${date_format} } @@ -208,23 +211,22 @@ if -X -n -t { # current time of response: SHOULD be provided (why?) backtick -i -n Date { date -u ${date_format} } - # allow for arbitrary HTTP header and HTTP status code overrides. # for an example where the former might be useful, consider Content # Security Policy; for the latter, consider HTTP 301 redirects # # be warned!! we do not validate these overrides! backtick -i -n extra_headers { - ifelse { s6-test -r \\data/extra_headers/override/${resource} } + ifelse { s6-test -r configuration/default_headers/override/${resource} } { - cat data/extra_headers/override/${resource} + cat configuration/default_headers/override/${resource} } - cat data/extra_headers/default + cat configuration/default_headers/default } backtick -D "200 ok" -n status_code_and_message { - if { s6-test -r \\data/status_override/${resource} } - cat data/status_override/${resource} + if { s6-test -r configuration/overrides/${resource} } + cat configuration/overrides/${resource} } ##### 4.3. send the response ### 
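Review bot: The renamed lookups in the `@@ -208,23 +211,22 @@` hunk fall back silently: when `configuration/default_headers/override/${resource}` or `configuration/overrides/${resource}` is not readable, the response goes out with the default headers and `200 ok`. A deployment whose files still sit under the old `data/extra_headers/override/` and `data/status_override/` trees therefore loses its per-resource headers (the comment's own example is Content Security Policy) and its redirects without any error. The commit itself moves only `default.example`, so the new locations should be stated in the commit message or the README. The name `configuration/overrides/` also no longer says that it holds status lines, while header overrides live under `default_headers/override/`; a name such as `configuration/status_overrides/` would keep the two apart.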
@@ -248,7 +250,7 @@ Date: "${Date}"\r } foreground { if -t { s6-test \${method} = GET } - cat ${resource} + cat supported_domains/${resource} } # hack: write(3p) does not guarantee that all the # content actually gets written before this process diff --git a/binaries/log.execline b/visible-to-httpd/binaries/log.execline similarity index 100% rename from binaries/log.execline rename to visible-to-httpd/binaries/log.execline diff --git a/visible-to-httpd/binaries/supported-hostname-test.execline b/visible-to-httpd/binaries/supported-hostname-test.execline new file mode 100755 index 0000000..060537e --- /dev/null +++ b/visible-to-httpd/binaries/supported-hostname-test.execline @@ -0,0 +1,26 @@ +#!/binaries/execlineb -WS1 +# `supported-hostname-test.execline hostname` +# +# tests if `hostname` is supported by this server, by checking if +# a directory by that exact name exists in the current working directory +# immediately 404s otherwise +# +# hard depends on these external `httpd.execline` subscripts: +# +# + ./http-error-response.execline: and thus, +# + ./log.execline +# + +# reject unsupported hostnames +# +ifelse { s6-test ! -d \supported_domains/${1} } +{ + if { + http-error-response.execline + 404 + "not found" + "unsupported host: \""${1}\" + } + exit 1 +} +exit 0 diff --git a/data/Content-Type_table/c b/visible-to-httpd/configuration/Content-Type_table/c similarity index 100% rename from data/Content-Type_table/c rename to visible-to-httpd/configuration/Content-Type_table/c diff --git a/data/Content-Type_table/css b/visible-to-httpd/configuration/Content-Type_table/css similarity index 100% rename from data/Content-Type_table/css rename to visible-to-httpd/configuration/Content-Type_table/css diff --git a/data/Content-Type_table/execline b/visible-to-httpd/configuration/Content-Type_table/execline similarity index 100% rename from data/Content-Type_table/execline rename to visible-to-httpd/configuration/Content-Type_table/execline 
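Review bot: Dropping the special-case list in the new `supported-hostname-test.execline` also drops the `.` and `..` checks, and those are still needed with the new layout. `supported_domains/.` and `supported_domains/..` are always directories, so `s6-test ! -d \supported_domains/${1}` treats both as supported hosts, and `..` names the directory that holds `binaries` and `configuration`; an empty value or one containing `/` passes the same way. Keep a guard ahead of the directory test, for example the removed condition reduced to `s6-test \${1} = . -o \${1} = ..` plus a check for an empty value and for `/`, answering with the same 404 block. The header comment should also say that the directory is looked up under `supported_domains/` rather than "in the current working directory".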
diff --git a/data/Content-Type_table/html b/visible-to-httpd/configuration/Content-Type_table/html
similarity index 100%
rename from data/Content-Type_table/html
rename to visible-to-httpd/configuration/Content-Type_table/html
diff --git a/data/Content-Type_table/ico b/visible-to-httpd/configuration/Content-Type_table/ico
similarity index 100%
rename from data/Content-Type_table/ico
rename to visible-to-httpd/configuration/Content-Type_table/ico
diff --git a/data/Content-Type_table/jpeg b/visible-to-httpd/configuration/Content-Type_table/jpeg
similarity index 100%
rename from data/Content-Type_table/jpeg
rename to visible-to-httpd/configuration/Content-Type_table/jpeg
diff --git a/data/Content-Type_table/jpg b/visible-to-httpd/configuration/Content-Type_table/jpg
similarity index 100%
rename from data/Content-Type_table/jpg
rename to visible-to-httpd/configuration/Content-Type_table/jpg
diff --git a/data/Content-Type_table/js b/visible-to-httpd/configuration/Content-Type_table/js
similarity index 100%
rename from data/Content-Type_table/js
rename to visible-to-httpd/configuration/Content-Type_table/js
diff --git a/data/Content-Type_table/market b/visible-to-httpd/configuration/Content-Type_table/market
similarity index 100%
rename from data/Content-Type_table/market
rename to visible-to-httpd/configuration/Content-Type_table/market
diff --git a/data/Content-Type_table/png b/visible-to-httpd/configuration/Content-Type_table/png
similarity index 100%
rename from data/Content-Type_table/png
rename to visible-to-httpd/configuration/Content-Type_table/png
diff --git a/data/Content-Type_table/txt b/visible-to-httpd/configuration/Content-Type_table/txt
similarity index 100%
rename from data/Content-Type_table/txt
rename to visible-to-httpd/configuration/Content-Type_table/txt
diff --git a/data/Content-Type_table/xhtml b/visible-to-httpd/configuration/Content-Type_table/xhtml
similarity index 100%
rename from data/Content-Type_table/xhtml
rename to visible-to-httpd/configuration/Content-Type_table/xhtml
diff --git a/data/extra_headers/default.example b/visible-to-httpd/configuration/default_headers/default.example
similarity index 100%
rename from data/extra_headers/default.example
rename to visible-to-httpd/configuration/default_headers/default.example
-- 
2.47.3