From 22a8744476dff7763cd94954bd8f96fbdfc0d251 Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Mon, 1 Apr 2024 21:38:21 +0200 Subject: [PATCH 01/16] Test suite: simplify and enhance getpid.sh - Try to only search for processes of the current user. - Prefer using pgrep (in addition to pidof) when available. - Streamline system overrides. - Get rid of HEAD_FLAGS: all systems so far support "-1". - Use "ps -o pid,comm" as the default, which is POSIX.1. - Use "sort -r" to hopefully get the newest (=highest) PID, which is the case on older systems not using randomized PIDs at least. --- src/testsuite/getpid.sh | 69 ++++++++++++++++++++++++----------------- 1 file changed, 40 insertions(+), 29 deletions(-) diff --git a/src/testsuite/getpid.sh b/src/testsuite/getpid.sh index 55997ad8..465def64 100755 --- a/src/testsuite/getpid.sh +++ b/src/testsuite/getpid.sh 
@@ -1,46 +1,57 @@ #!/bin/sh # ngIRCd Test Suite +# +# Try to detect the PID of a running process of the current user. +# set -u # did we get a name? -[ $# -ne 1 ] && exit 1 - -[ -x /bin/pidof ] && exec /bin/pidof -s "$1" +if [ $# -ne 1 ]; then + echo "Usage: $0 " >&2 + exit 1 +fi -# detect flags for "ps" and "head" UNAME=`uname` -if [ $UNAME = "FreeBSD" ]; then - PS_FLAGS="-a"; PS_PIDCOL="1"; HEAD_FLAGS="-n 1" -elif [ $UNAME = "A/UX" ]; then - PS_FLAGS="-af"; PS_PIDCOL="2"; HEAD_FLAGS="-1" -elif [ $UNAME = "GNU" ]; then - PS_FLAGS="-ax"; PS_PIDCOL="2"; HEAD_FLAGS="-n 1" -elif [ $UNAME = "Haiku" ]; then - PS_FLAGS="-o Id -o Team"; PS_PIDCOL="1"; HEAD_FLAGS="-1" -elif [ $UNAME = "Linux" ]; then - PS_FLAGS="ax"; PS_PIDCOL="1"; HEAD_FLAGS="-n 1" -elif [ $UNAME = "SunOS" ]; then - PS_FLAGS="-af"; PS_PIDCOL=2; HEAD_FLAGS="-n 1" -else - PS_FLAGS="-af"; PS_PIDCOL="2"; HEAD_FLAGS="-n 1" - ps $PS_FLAGS >/dev/null 2>&1 - if [ $? -ne 0 ]; then PS_FLAGS="a"; PS_PIDCOL="1"; fi + +# Use pgrep(1) whenever possible +if [ -x /usr/bin/pgrep ]; then + case "$UNAME" in + "FreeBSD") + PGREP_FLAGS="-a" + ;; + *) + PGREP_FLAGS="" + esac + exec /usr/bin/pgrep $PGREP_FLAGS -n -u "$LOGNAME" "$1" fi -# debug output -#echo "$0: UNAME=$UNAME" -#echo "$0: PS_FLAGS=$PS_FLAGS" -#echo "$0: PS_PIDCOL=$PS_PIDCOL" -#echo "$0: HEAD_FLAGS=$HEAD_FLAGS" +# pidof(1) could be a good alternative on elder Linux systems +if [ -x /bin/pidof ]; then + exec /bin/pidof -s "$1" +fi + +# fall back to ps(1) and parse its output: +# detect flags for "ps" and "head" +PS_PIDCOL=1 +case "$UNAME" in + "A/UX"|"GNU"|"SunOS") + PS_FLAGS="-a"; PS_PIDCOL=2 + ;; + "Haiku") + PS_FLAGS="-o Id -o Team" + ;; + *) + # Linux (GNU coreutils), Free/Net/OpenBSD, ... 
+ PS_FLAGS="-o pid,comm" +esac # search PID ps $PS_FLAGS >procs.tmp -cat procs.tmp | \ - grep -v "$0" | grep "$1" | \ +grep -v "$$" procs.tmp | grep "$1" | \ awk "{print \$$PS_PIDCOL}" | \ - sort -n >pids.tmp -pid=`head $HEAD_FLAGS pids.tmp` + sort -nr >pids.tmp +pid=`head -1 pids.tmp` rm -rf procs.tmp pids.tmp # validate PID -- 2.39.2 From a8a37b681e54cb236f0547961d87bf271db8d536 Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Tue, 2 Apr 2024 22:01:00 +0200 Subject: [PATCH 02/16] Test suite: wait for ERROR message on QUIT Wait for the "ERROR :Closing connection" message sent by ngIRCd when handling the QUIT command, do not wait for "Connection closed" which is actually output by the telnet(1) command and is implementation dependant! For example, on Haiku OS, this is not always(!) echoed (the command seems to hang sometimes?) which results in unpredictable failures in the test suite ... --- src/testsuite/channel-test.e | 2 +- src/testsuite/check-idle.e | 2 +- src/testsuite/connect-ssl-cert1-test.e | 2 +- src/testsuite/connect-ssl-cert2-test.e | 3 +-- src/testsuite/connect-test.e | 2 +- src/testsuite/invite-test.e | 2 +- src/testsuite/join-test.e | 2 +- src/testsuite/kick-test.e | 2 +- src/testsuite/message-test.e | 2 +- src/testsuite/misc-test.e | 2 +- src/testsuite/mode-test.e | 2 +- src/testsuite/opless-channel-test.e | 2 +- src/testsuite/server-link-test.e | 2 +- src/testsuite/stress-B.e | 2 +- src/testsuite/who-test.e | 2 +- src/testsuite/whois-test.e | 2 +- 16 files changed, 16 insertions(+), 17 deletions(-) diff --git a/src/testsuite/channel-test.e b/src/testsuite/channel-test.e index f65c5196..5e0afab3 100644 --- a/src/testsuite/channel-test.e +++ b/src/testsuite/channel-test.e @@ -103,5 +103,5 @@ expect { send "quit\r" expect { timeout { exit 1 } - "Connection closed" + "ERROR :Closing connection" } diff --git a/src/testsuite/check-idle.e b/src/testsuite/check-idle.e index ad112b25..3c37e80b 100644 --- a/src/testsuite/check-idle.e 
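Review bot: The new pgrep branch passes `-u "$LOGNAME"` while the script runs under `set -u`, so where LOGNAME is unset (cron, minimal containers, some CI runners) the script aborts with an unbound-variable error before the pidof/ps fallbacks are reached; LOGNAME is also only an environment value, not the effective user. `exec /usr/bin/pgrep $PGREP_FLAGS -n -u "$(id -u)" "$1"` ties the search to the actual UID. In the ps fallback, `grep -v "$$" procs.tmp` removes every line that contains the shell's PID as a substring (a shell PID of 123 also hides 1234 and 5123), so the wanted process can be dropped and a different PID reported; an exact comparison on the PID column, e.g. `awk -v self="$$" -v col="$PS_PIDCOL" '$col != self {print $col}'`, avoids that. The pidof branch is not limited to the current user either, although the new header comment says the script looks for a process "of the current user". The script continues past the end of this hunk ("# validate PID"), so how the result is consumed is not visible here.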
+++ b/src/testsuite/check-idle.e @@ -25,7 +25,7 @@ expect { send "quit\r" expect { timeout { exit 1 } - "Connection closed" + "ERROR :Closing connection" } exit $r diff --git a/src/testsuite/connect-ssl-cert1-test.e b/src/testsuite/connect-ssl-cert1-test.e index 5eb998b3..37abb762 100644 --- a/src/testsuite/connect-ssl-cert1-test.e +++ b/src/testsuite/connect-ssl-cert1-test.e @@ -17,5 +17,5 @@ expect { send "quit\r" expect { timeout { exit 1 } - "Connection closed" + "ERROR :Closing connection" } diff --git a/src/testsuite/connect-ssl-cert2-test.e b/src/testsuite/connect-ssl-cert2-test.e index cc10a1ed..0e67d75b 100644 --- a/src/testsuite/connect-ssl-cert2-test.e +++ b/src/testsuite/connect-ssl-cert2-test.e @@ -17,6 +17,5 @@ expect { send "quit\r" expect { timeout { exit 1 } - "Connection closed" + "ERROR :Closing connection" } - diff --git a/src/testsuite/connect-test.e b/src/testsuite/connect-test.e index b51be0db..f3015d8a 100644 --- a/src/testsuite/connect-test.e +++ b/src/testsuite/connect-test.e @@ -16,5 +16,5 @@ expect { send "quit\r" expect { timeout { exit 1 } - "Connection closed" + "ERROR :Closing connection" } diff --git a/src/testsuite/invite-test.e b/src/testsuite/invite-test.e index b9e0c3f9..f3115a3d 100644 --- a/src/testsuite/invite-test.e +++ b/src/testsuite/invite-test.e @@ -110,5 +110,5 @@ expect { send "quit\r" expect { timeout { exit 1 } - "Connection closed" + "ERROR :Closing connection" } diff --git a/src/testsuite/join-test.e b/src/testsuite/join-test.e index 643dde42..7e6a29a3 100644 --- a/src/testsuite/join-test.e +++ b/src/testsuite/join-test.e @@ -108,5 +108,5 @@ expect { send "quit\r" expect { timeout { exit 1 } - "Connection closed" + "ERROR :Closing connection" } diff --git a/src/testsuite/kick-test.e b/src/testsuite/kick-test.e index 89da611d..a8038796 100644 --- a/src/testsuite/kick-test.e +++ b/src/testsuite/kick-test.e 
@@ -109,5 +109,5 @@ expect { send "quit\r" expect { timeout { exit 1 } - "Connection closed" + "ERROR :Closing connection" } diff --git a/src/testsuite/message-test.e b/src/testsuite/message-test.e index 9eb22e77..28d4a93f 100644 --- a/src/testsuite/message-test.e +++ b/src/testsuite/message-test.e @@ -148,5 +148,5 @@ expect { send "quit\r" expect { timeout { exit 1 } - "Connection closed" + "ERROR :Closing connection" } diff --git a/src/testsuite/misc-test.e b/src/testsuite/misc-test.e index f69e7c3c..8896624b 100644 --- a/src/testsuite/misc-test.e +++ b/src/testsuite/misc-test.e @@ -160,5 +160,5 @@ expect { send "quit\r" expect { timeout { exit 1 } - "ERROR" + "ERROR :Closing connection" } diff --git a/src/testsuite/mode-test.e b/src/testsuite/mode-test.e index 86e4f2df..668e57c6 100644 --- a/src/testsuite/mode-test.e +++ b/src/testsuite/mode-test.e @@ -171,5 +171,5 @@ expect { send "quit\r" expect { timeout { exit 1 } - "Connection closed" + "ERROR :Closing connection" } diff --git a/src/testsuite/opless-channel-test.e b/src/testsuite/opless-channel-test.e index 4611fe17..cd4f9a0b 100644 --- a/src/testsuite/opless-channel-test.e +++ b/src/testsuite/opless-channel-test.e @@ -29,5 +29,5 @@ expect { send "quit\r" expect { timeout { exit 1 } - "Connection closed" + "ERROR :Closing connection" } diff --git a/src/testsuite/server-link-test.e b/src/testsuite/server-link-test.e index 910f8c84..48230afe 100644 --- a/src/testsuite/server-link-test.e +++ b/src/testsuite/server-link-test.e @@ -46,5 +46,5 @@ expect { send "quit\r" expect { timeout { exit 1 } - "ERROR" + "ERROR :Closing connection" } diff --git a/src/testsuite/stress-B.e b/src/testsuite/stress-B.e index 95156cbb..53c75a04 100644 --- a/src/testsuite/stress-B.e +++ b/src/testsuite/stress-B.e @@ -72,5 +72,5 @@ sleep 1 send "quit\r" expect { timeout { exit 1 } - "Connection closed" + "ERROR :Closing connection" } diff --git a/src/testsuite/who-test.e b/src/testsuite/who-test.e index 39e3a2f1..55c65702 100644 
--- a/src/testsuite/who-test.e +++ b/src/testsuite/who-test.e @@ -199,5 +199,5 @@ expect { send "quit\r" expect { timeout { exit 1 } - "Connection closed" + "ERROR :Closing connection" } diff --git a/src/testsuite/whois-test.e b/src/testsuite/whois-test.e index 44eee668..74442ed4 100644 --- a/src/testsuite/whois-test.e +++ b/src/testsuite/whois-test.e @@ -73,5 +73,5 @@ expect { send "quit\r" expect { timeout { exit 1 } - "ERROR" + "ERROR :Closing connection" } -- 2.39.2 From 3e535a295523853963438eb94f9cfa24c998b52f Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Fri, 5 Apr 2024 14:35:26 +0200 Subject: [PATCH 03/16] Add ".trunk" to .gitignore file --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index a6778591..94957798 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ .*.swp .deps +.trunk .vscode *.a *.e_ -- 2.39.2 From e4873b4d63d0bcd4914a1cee82599a13cfd77e47 Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Fri, 5 Apr 2024 22:38:22 +0200 Subject: [PATCH 04/16] Add support for the "sd_notify" protocol This allows the "ngircd.service" systemd(8) unit to use the "notify" service type, which allows for better status tracking by the service manager. --- configure.ng | 1 + contrib/ngircd.service | 4 +- src/ngircd/conn.c | 9 +++- src/ngircd/sighandlers.c | 100 +++++++++++++++++++++++++++++++++++++-- src/ngircd/sighandlers.h | 3 ++ 5 files changed, 110 insertions(+), 7 deletions(-) diff --git a/configure.ng b/configure.ng index ec7b6c35..0dccfbc5 100644 --- a/configure.ng +++ b/configure.ng @@ -193,6 +193,7 @@ AC_CHECK_HEADERS_ONCE([ \ stddef.h \ stdint.h \ sys/resource.h \ + sys/un.h \ varargs.h \ ]) diff --git a/contrib/ngircd.service b/contrib/ngircd.service index fb3cf8a1..215f5052 100644 --- a/contrib/ngircd.service +++ b/contrib/ngircd.service 
@@ -11,7 +11,7 @@ Before=anope.service atheme.service irc-services.service Before=bopm.service hopm.service [Service] -Type=forking +Type=notify User=irc Group=irc # Settings & limits: @@ -35,7 +35,7 @@ EnvironmentFile=-/etc/default/ngircd EnvironmentFile=-/etc/default/ngircd-full EnvironmentFile=-/etc/default/ngircd-full-dbg # Start ngIRCd. Note: systemd doesn't allow to use $DAEMON here! -ExecStart=/usr/sbin/ngircd $PARAMS +ExecStart=/usr/sbin/ngircd --nodaemon --syslog $PARAMS ExecReload=/bin/kill -HUP $MAINPID Restart=on-failure diff --git a/src/ngircd/conn.c b/src/ngircd/conn.c index 10042943..61f296ab 100644 --- a/src/ngircd/conn.c +++ b/src/ngircd/conn.c @@ -66,6 +66,7 @@ #include "ng_ipaddr.h" #include "parse.h" #include "resolve.h" +#include "sighandlers.h" #define SERVER_WAIT (NONE - 1) /** "Wait for outgoing connection" flag */ @@ -673,6 +674,7 @@ Conn_Handler(void) Log(LOG_NOTICE, "Server \"%s\" (on \"%s\") ready.", Client_ID(Client_ThisServer()), Client_Hostname(Client_ThisServer())); + Signal_NotifySvcMgr("READY=1\n"); while (!NGIRCd_SignalQuit && !NGIRCd_SignalRestart) { t = time(NULL); @@ -791,10 +793,13 @@ Conn_Handler(void) } } - if (NGIRCd_SignalQuit) + if (NGIRCd_SignalQuit) { Log(LOG_NOTICE | LOG_snotice, "Server going down NOW!"); - else if (NGIRCd_SignalRestart) + Signal_NotifySvcMgr("STOPPING=1\n"); + } else if (NGIRCd_SignalRestart) { Log(LOG_NOTICE | LOG_snotice, "Server restarting NOW!"); + Signal_NotifySvcMgr("RELOADING=1\n"); + } } /* Conn_Handler */ /** diff --git a/src/ngircd/sighandlers.c b/src/ngircd/sighandlers.c index 4ed1a125..56fd8aea 100644 --- a/src/ngircd/sighandlers.c +++ b/src/ngircd/sighandlers.c 
@@ -1,6 +1,6 @@ /* * ngIRCd -- The Next Generation IRC Daemon - * Copyright (c)2001-2015 Alexander Barton (alex@barton.de) and Contributors. + * Copyright (c)2001-2024 Alexander Barton (alex@barton.de) and Contributors. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -26,6 +26,11 @@ #include #include +#ifdef HAVE_SYS_UN_H +# include +# include +#endif + #include "conn.h" #include "channel.h" #include "conf.h" @@ -100,14 +105,17 @@ Rehash(void) unsigned old_nicklen; Log( LOG_NOTICE|LOG_snotice, "Re-reading configuration NOW!" ); + Signal_NotifySvcMgr("RELOADING=1\n"); /* Remember old server name and nickname length */ strlcpy( old_name, Conf_ServerName, sizeof old_name ); old_nicklen = Conf_MaxNickLength; /* Re-read configuration ... */ - if (!Conf_Rehash( )) + if (!Conf_Rehash()) { + Signal_NotifySvcMgr("READY=1\n"); return; + } /* Close down all listening sockets */ Conn_ExitListeners( ); @@ -139,6 +147,7 @@ Rehash(void) Conn_SyncServerStruct( ); Log( LOG_NOTICE|LOG_snotice, "Re-reading of configuration done." ); + Signal_NotifySvcMgr("READY=1\n"); } /* Rehash */ /** 
@@ -339,4 +348,89 @@ Signals_Exit(void) signalpipe[0] = signalpipe[1] = 0; } -/* -eof- */ +/** + * Notify the service manager using the "sd_notify" protocol. + * + * This function is based on the example notify() function shown in the + * sd_notify(3) manual page, with one significant difference: we keep the file + * descriptor open to reduce overhead when called multiple times. + * + * @param message: The message to pass to the service manager including "\n". + */ +GLOBAL void +#if !defined(HAVE_SYS_UN_H) || !defined(SOCK_CLOEXEC) +Signal_NotifySvcMgr(UNUSED const char *message) +{ + return; +#else +Signal_NotifySvcMgr(const char *message) +{ + struct sockaddr_un socket_addr; + const char *socket_path; + size_t path_length, message_length; + static int fd = NONE; + + assert(message != NULL); + assert(message[0] != '\0'); + + if (fd == NONE) { + /* No socket to the service manager open: Check if a path name + * is given in the environment and try to open it! */ + socket_path = getenv("NOTIFY_SOCKET"); + if (!socket_path) + return; /* No socket specified, nothing to do. 
*/ + + /* Only AF_UNIX is supported, with path or abstract sockets */ + if (socket_path[0] != '/' && socket_path[0] != '@') { + Log(LOG_CRIT, + "Failed to notify service manager: Unsupported socket path!"); + return; + } + + path_length = strlen(socket_path); + + /* Ensure there is room for NUL byte */ + if (path_length >= sizeof(socket_addr.sun_path)) { + Log(LOG_CRIT, + "Failed to notify service manager: Socket path too long!"); + return; + } + + memset(&socket_addr, 0, sizeof(struct sockaddr_un)); + socket_addr.sun_family = AF_UNIX; + memcpy(socket_addr.sun_path, socket_path, path_length); + + /* Support for abstract socket */ + if (socket_addr.sun_path[0] == '@') + socket_addr.sun_path[0] = 0; + + fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (fd < 0) { + Log(LOG_CRIT, + "Failed to notify service manager: %s [socket()]", + strerror(errno)); + return; + } + + if (connect(fd, (struct sockaddr *)&socket_addr, + sizeof(struct sockaddr_un)) != 0) { + Log(LOG_CRIT, + "Failed to notify service manager: %s [connect()]", + strerror(errno)); + close(fd); + fd = NONE; + return; + } + } + + message_length = strlen(message); + ssize_t written = write(fd, message, message_length); + if (written != (ssize_t)message_length) { + Log(LOG_CRIT, + "Failed to notify service manager: %s [write()]", + strerror(errno)); + close(fd); + fd = NONE; + } +#endif +} diff --git a/src/ngircd/sighandlers.h b/src/ngircd/sighandlers.h index 68491d94..e03864a3 100644 --- a/src/ngircd/sighandlers.h +++ b/src/ngircd/sighandlers.h @@ -1,5 +1,6 @@ /* * ngIRCd -- The Next Generation IRC Daemon + * Copyright (c)2001-2024 Alexander Barton (alex@barton.de) and Contributors. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -21,6 +22,8 @@ bool Signals_Init PARAMS((void)); void Signals_Exit PARAMS((void)); +GLOBAL void Signal_NotifySvcMgr PARAMS((const char *message)); + #endif /* -eof- */ -- 2.39.2 
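Review bot: The `connect()` call in Signal_NotifySvcMgr passes `sizeof(struct sockaddr_un)` as the address length, which breaks the abstract-socket case this function explicitly supports. For a NOTIFY_SOCKET starting with `@`, Linux treats every sun_path byte covered by the length as part of the name, so the zero padding from the memset becomes part of it and the name no longer matches the one the service manager bound. Pass the exact length instead, `offsetof(struct sockaddr_un, sun_path) + path_length` (offsetof comes from `<stddef.h>`), which is also valid for path sockets. Separately, the write() error path prints `strerror(errno)` for a short write as well, where errno is not set and the logged reason would be misleading.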
From 791778d7b6e2f0e92c67e6812f85445171c24572 Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Fri, 5 Apr 2024 22:48:22 +0200 Subject: [PATCH 05/16] Ping the service manager and set a status message Periodically "ping" the service manager (every 3 seconds) and set a status message showing connection statistics. This enables using the systemd(8) watchdog functionality for the "ngircd.service" unit. --- contrib/ngircd.service | 3 +++ src/ngircd/conn.c | 18 +++++++++++++++--- src/ngircd/sighandlers.c | 15 +++++++++++++++ src/ngircd/sighandlers.h | 1 + 4 files changed, 34 insertions(+), 3 deletions(-) diff --git a/contrib/ngircd.service b/contrib/ngircd.service index 215f5052..5ab73553 100644 --- a/contrib/ngircd.service +++ b/contrib/ngircd.service @@ -37,6 +37,9 @@ EnvironmentFile=-/etc/default/ngircd-full-dbg # Start ngIRCd. Note: systemd doesn't allow to use $DAEMON here! ExecStart=/usr/sbin/ngircd --nodaemon --syslog $PARAMS ExecReload=/bin/kill -HUP $MAINPID +# Error handling: +# ngIRCd tries to "ping" the service manager every 3 seconds. +WatchdogSec=10 Restart=on-failure [Install] diff --git a/src/ngircd/conn.c b/src/ngircd/conn.c index 61f296ab..b7838ea8 100644 --- a/src/ngircd/conn.c +++ b/src/ngircd/conn.c @@ -669,8 +669,9 @@ Conn_Handler(void) int i; size_t wdatalen; struct timeval tv; - time_t t; + time_t t, notify_t = 0; bool command_available; + char status[200]; Log(LOG_NOTICE, "Server \"%s\" (on \"%s\") ready.", Client_ID(Client_ThisServer()), Client_Hostname(Client_ThisServer())); 
@@ -783,13 +784,24 @@ Conn_Handler(void) exit(1); } - /* Should ngIRCd timeout when idle? */ + t = time(NULL); if (Conf_IdleTimeout > 0 && NumConnectionsAccepted > 0 - && idle_t > 0 && time(NULL) - idle_t >= Conf_IdleTimeout) { + && idle_t > 0 && t - idle_t >= Conf_IdleTimeout) { + /* Should ngIRCd timeout when idle? */ LogDebug("Server idle timeout reached: %d second%s. Initiating shutdown ...", Conf_IdleTimeout, Conf_IdleTimeout == 1 ? "" : "s"); NGIRCd_SignalQuit = true; + } else if (Signal_NotifySvcMgr_Possible() && t - notify_t > 3) { + /* Send the current status to the service manager. */ + snprintf(status, sizeof(status), + "WATCHDOG=1\nSTATUS=%ld connection%s established (%ld user%s, %ld server%s), %ld maximum. %ld accepted in total.\n", + NumConnections, NumConnections == 1 ? "" : "s", + Client_MyUserCount(), Client_MyUserCount() == 1 ? "" : "s", + Client_MyServerCount(), Client_MyServerCount() == 1 ? "" : "s", + NumConnectionsMax, NumConnectionsAccepted); + Signal_NotifySvcMgr(status); + notify_t = t; } } diff --git a/src/ngircd/sighandlers.c b/src/ngircd/sighandlers.c index 56fd8aea..00f5ae85 100644 --- a/src/ngircd/sighandlers.c +++ b/src/ngircd/sighandlers.c @@ -348,6 +348,21 @@ Signals_Exit(void) signalpipe[0] = signalpipe[1] = 0; } +/** + * Check if the service manager of the system can be notified. + * + * @returns true if notifying the service manager is theoretically possible. + */ +GLOBAL bool +Signal_NotifySvcMgr_Possible(void) +{ +#if !defined(HAVE_SYS_UN_H) || !defined(SOCK_CLOEXEC) + return false; +#else + return getenv("NOTIFY_SOCKET") != NULL; +#endif +} + /** * Notify the service manager using the "sd_notify" protocol. * diff --git a/src/ngircd/sighandlers.h b/src/ngircd/sighandlers.h index e03864a3..a7cafd1f 100644 --- a/src/ngircd/sighandlers.h +++ b/src/ngircd/sighandlers.h 
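Review bot: The periodic branch `else if (Signal_NotifySvcMgr_Possible() && t - notify_t > 3)` retries forever when the notification cannot be delivered. Signal_NotifySvcMgr_Possible() only checks that NOTIFY_SOCKET is set, while Signal_NotifySvcMgr() logs at LOG_CRIT and resets its descriptor on every failed attempt. With an unsupported or unreachable socket this writes a critical log entry every few seconds for the lifetime of the daemon; consider remembering the failure (for example a static flag that Signal_NotifySvcMgr_Possible() also consults) or logging only the first one. The status line uses `%ld` for NumConnections, Client_MyUserCount() and the other counters, whose types are not visible in this hunk, so confirm they are `long` or cast them. Conn_Handler's body starts and ends outside the hunk.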
@@ -22,6 +22,7 @@ bool Signals_Init PARAMS((void)); void Signals_Exit PARAMS((void)); +GLOBAL bool Signal_NotifySvcMgr_Possible PARAMS((void)); GLOBAL void Signal_NotifySvcMgr PARAMS((const char *message)); #endif -- 2.39.2 From ff0a9b9c2a4312a37ca115e8d72d7a7a3b9ce26e Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Tue, 16 Jan 2024 23:09:05 +0100 Subject: [PATCH 06/16] Prepare documentation for ngIRCd 27~rc1 --- AUTHORS.md | 1 + ChangeLog | 114 +++++++++++++++++++++++++++++++-------- NEWS | 104 ++++++++++++++++++++++++++++++++++- contrib/Debian/changelog | 6 +++ 4 files changed, 203 insertions(+), 22 deletions(-) diff --git a/AUTHORS.md b/AUTHORS.md index 1eaeab5e..184fbd57 100644 --- a/AUTHORS.md +++ b/AUTHORS.md @@ -61,6 +61,7 @@ Or join the "#ngircd" channel in IRC on irc.barton.de: - Sam James - Scott Perry - Sean Reifschneider +- Sebastian Andrzej Siewior - Sebastian Köhler - shankari - Tassilo Schweyer diff --git a/ChangeLog b/ChangeLog index 1472e98b..d3d66db6 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -10,6 +10,51 @@ ngIRCd 27 + ngIRCd 27~rc1 + - Validate certificates on server links. Up to now, ngIRCd optionally used + SSL/TLS encrypted server-server links but never checked and validated any + certificates. Now ngIRCd validates SSL/TLS certificates on outgoing + server-server links by default and drops(!) connections when the remote + certificate is invalid (for example self-signed, expired, not matching the + host name, ...). Therefore you have to make sure that all relevant + *certificates are valid* (or to disable certificate validation on this + connection using the new `SSLVerify = false` setting in the affected + `[Server]` block, where the remote certificate is not valid and you can not + fix this issue). + The original patch for OpenSSL dates back to 2009 and was written by Florian + Westphal and was extended for GnuTLS in 2014 by Christoph Biedl. But it took + us another 10 years to bring it to life ... oh my! Many thanks to both + Florian and Christoph! + Closes #120. + - Add support for the "sd_notify" protocol of systemd(8): Periodically + "ping" the service manager (every 3 seconds) and set a status message + showing current connection statistics which then is included in "systemctl + status ngircd.service" output. In addition, this enables using the + systemd(8) watchdog functionality ("WatchdogSec") for the "ngircd.service" + unit and allows it to use the "notify" service type, which results in + better status tracking by the service manager. + - Try to set file descriptor limit to its maximum and show info on startup: + The number of possible parallel connections is limited by the file + descriptor limit of the process (among other things). Therefore try to + upgrade the current "soft" limit to its "hard" maximum (but limited to + 100000 instead of "infinite"), and show an information or even warning when + the limit is still less than the configured "MaxConnections" setting. 
Please + note that ngIRCd and its linked libraries (like PAM) need file descriptors + not only for incoming and outgoing IRC connections, but for reading files + and inter-process communication, too! Therefore the actual connection limit + is less(!) than the file descriptor limit! + - Update and fix the logcheck(8) rules file. + - METADATA: Fix unsetting the "cloakhost" hostname, which did not result in + the original hostname being restored, but actually resulted in an empty + string being used as the client hostname -- which is a protocol violation. + - Update the "rpm" make target to use the rpmbuild(8) command. + - Add a "Docker file" (contrib/Dockerfile) and corresponding documentation + (doc/Container.md) to the project. The resulting container is based on the + latest Debian "stable-slim" container and built using a "build container". + - Remove outdated, unsupported and broken support for splint(1). + - Don't show the default config file name on config errors: The configuration + can be set in drop-in files in the include directory, too, so it is not + clear in which file it is actually missing. - No longer use a default built-in value for the "IncludeDir" directive when a configuration file was explicitly specified on the command line using "--config"/"-f": This way no default include directory is scanned when a 
@@ -18,13 +63,15 @@ ngIRCd 27 for checking all built-in defaults, regardless of any local configuration files in the default drop-in directory (which would have been read in until this change). + - No longer log channel keys ("passwords") for predefined channels. - The server "Name" in the "[Global]" section of the configuration file no longer needs to be set: When not set (or empty), ngIRCd now tries to deduce a valid IRC server name from the local host name ("node name"), possibly adding a ".host" extension when the host name does not contain a dot (".") which is required in an IRC server name ("ID"). - This new behaviour, with all configuration parameters now being optional, + This new behavior, with all configuration parameters now being optional, allows running ngIRCd without any configuration file at all. + - Silence some compiler warnings. - autogen.sh: Prefer automake 1.11 over other releases because this is the last release supporting "de-ANSI-fication" using the included ansi2knr tool. And because we _want_ to support old K&R platforms, we try hard to use this 
@@ -34,14 +81,25 @@ ngIRCd 27 by default, which seems a bit outdated in 2024. Note: You still can pass "--enable-ipv6"/"--disable-ipv6" to the ./configure script to forcefully activate or deactivate IPv6 support. - - Update config.guess and config.sub to recent versions + - Do IDENT requests even when DNS lookups are disabled: Up to now disabling + DNS in the configuration disabled IDENT lookups as well (for no good + reason). Now you can activate/deactivate DNS lookups and IDENT requests + completely separately. Thanks for reporting this, Miniontoby! + Closes #291. + - Update config.guess (2023-08-22) and config.sub (2023-09-19) files. + - Fix Channel Admins being able to to set Channel Owner status! "Sarah" + reported this back in April 2021 and proposed a patch, thanks a lot! + - Test suite: Update for OpenSSL 3.x, some command outputs changed, clean up + shell scripts and make the getpid.sh script more robust. + - Allow SSL client-only configurations without keys/certificates: You don't + need to configure certificates/keys as long as you don't configure + SSL-enabled listening ports. This can make sense when you want to only link + your local daemon to an uplink server using SSL and only have clients on + your local host or in your fully trusted network, where SSL is not required. - Remove the unmaintained contrib/MacOSX/ folder: this includes the Xcode project as well as the outdated macOS "Package Maker" configuration. The sample launchd(8) configuration properties list file was moved to "contrib/de.barton.ngircd.plist" and kept. - - Fix Channel Admins being able to to set Channel Owner status! "Sarah" - reported this back in April 2021 and proposed a patch, thanks a lot! - - Test suite: Update for OpenSSL 3.x, some command outputs changed. - Fix showing the "Ident" option in "--configtest" output which was never shown because of a coding error. Whoops! - Change GnuTLS "slot handling" messages to debug level: Those messages are 
@@ -49,25 +107,33 @@ ngIRCd 27 of ngIRCd. - Enlarge buffer for log messages: For example, SSL/TLS certificate information can easily get longer than 256 characters. So enlarge the log - buffer to 1 KB. + buffer to 1 KB to avoid cutting off relevant information. - Respect "SSLConnect" option for incoming connections and do not accept incoming plain-text ("non SSL") server connections for servers configured with "SSLConnect" enabled. This change prevents an authenticated client-server being able to force the server-server to send its password on a plain-text connection when SSL/TLS was intended. + - Always try to close a connection with errors immediately, but try hard + to avoid too much recursion. Without this patch, an outgoing server + connection could get stuck in an "endless" state trying to write out data + over and over again. - Add "hopm.service" to "Wants" and "Before" dependencies in the sample systemd unit file (Hopm is the successor of Bopm). + - Update Debian package configuration using current "dh_make", package + dependencies and build rules. And no longer build 3 different versions, + only build "ngircd" which now includes support for IDENT, PAM (disabled in + the ngircd.conf installed by the package), SSL (OpenSSL), ZLib and IPv6. - Return ERR_NOTEXTTOSEND on empty PRIVMSG content, which matches the - behaviour of other servers. + behavior of other servers. - Add a new option "Autojoin" to [Channel] blocks: When it is set, ngIRCd automatically joins all local users to this channel on connect. Note: The users must have permissions to access the channel, otherwise joining them will fail! Thanks Ivan Agarkov for the initial patch! - - Hide +i users on "WHOIS ": Let's behave like most(?) other IRC - daemons (at least ircd2.11) and hide all +i users when WHOIS is used with a - pattern. Otherwise privacy of this users is not guaranteed and the +i mode - a bit useless ... + - Hide invisible (+i) users on "WHOIS ": Let's behave like most(?) 
+ other IRC daemons (at least ircd2.11) and hide all +i users when WHOIS is + used with a pattern. Otherwise privacy of this users is not guaranteed and + the +i mode a bit useless ... Reported by Cahata on #ngircd, thanks! - Update the final "closing connection" message: Add some more information like nick name, user name, host name and bring it in line with some other @@ -77,15 +143,18 @@ ngIRCd 27 Closes #307. - Enhance some log messages, for example for errors when accepting new connections. - - Add "+DEBUG" to the version "feature string" only when the daemon is - ./configure'd and build with "--enable-debug". + - Make the debug log level ("--debug"/-"d" command line option) always + available, not only when ./configure'd with "--enable-debug": the latter + now only enables additional checks (like the tests done using assert(2)) + and is signalled by adding "+DEBUG" to the version "feature string". This + change enables everyone to get even more detailed logging when required. - Always report an error when a parameter is missing in a channel "MODE +k" or "MODE +l" command, and better validate their parameters: return the new numeric ERR_INVALIDMODEPARAM_MSG(696) on errors. - Thanks Val Lorentz for reporting it! + Thanks Val Lorentz for reporting this! Closes #290. - Allow IRC Operators to use the WHO command on any channel. - - No longer use Travis-CI, add configuration for "ngIRCd CI" GitHub Action. + - Add configuration for "ngIRCd CI" GitHub Action, no longer use Travis-CI. - Send the NAMES list and channel topic to users "forcefully" joined to a channel using NJOIN, like they joined on their own using JOIN, and streamline the order of NAMES list and channel topic messages. 
@@ -93,14 +162,17 @@ ngIRCd 27 - Fix (invalid) error messages when setting modes on local channels which are defined in the configuration file. - Fix handling of G-Lines/K-Lines with cloaked host names. - - Add new "-y"/"--syslog" command line option to allow logging to syslog to - be enabled/disabled separately from running on the console ("--nodaemon") - or in the background. + - Streamline logging of debug messages. + - Added a new command line option "-y"/"--syslog", with which logging to + syslog can be activated/deactivated separately from running on the console + (using "--nodaemon") or in the background. Thanks Katherine Peeters for the patch and pull request! Closes #294. - Fix a possible race condition while introducing new clients in the network. - - Update and enhance our documentation a bit (README.md, INSTALL.md), add - doc/QuickStart.md, convert some more files to Markdown (SSL.md, FAQ.md). + - Update, enhance and extend our documentation in README.md, INSTALL.md, + doc/HowToRelease.txt and the manual pages ngircd(8) and ngircd.conf(5), add + a new doc/QuickStart.md document, and convert some more documentation files + to Markdown (AUTHORS.md, contrib/README.md, doc/FAQ.md, doc/SSL.md). ngIRCd 26.1 (2021-01-02) @@ -216,7 +288,7 @@ ngIRCd 26 (2020-06-20) "error" before). Exit with code 2 ("command line error") for all other invalid command line options, and show the error message itself on stderr (instead of stdout and exit code 1, "generic error", as before). - This new behaviour is more in line with the GNU "coding standards", + This new behavior is more in line with the GNU "coding standards", see . - Fix and update Xcode project: Reference correct contrib/Makefile.am file, correctly sort contrib/nglog.sh and add "ORGANIZATIONNAME" setting. diff --git a/NEWS b/NEWS index 1fbe1d1e..dc09f0ec 100644 --- a/NEWS +++ b/NEWS 
@@ -8,6 +8,108 @@ -- NEWS -- +ngIRCd 27 + + ngIRCd 27~rc1 + - Validate certificates on server links. Up to now, ngIRCd optionally used + SSL/TLS encrypted server-server links but never checked and validated any + certificates. Now ngIRCd validates SSL/TLS certificates on outgoing + server-server links by default and drops(!) connections when the remote + certificate is invalid (for example self-signed, expired, not matching the + host name, ...). Therefore you have to make sure that all relevant + *certificates are valid* (or to disable certificate validation on this + connection using the new `SSLVerify = false` setting in the affected + `[Server]` block, where the remote certificate is not valid and you can not + fix this issue). + The original patch for OpenSSL dates back to 2009 and was written by Florian + Westphal and was extended for GnuTLS in 2014 by Christoph Biedl. But it took + us another 10 years to bring it to life ... oh my! Many thanks to both + Florian and Christoph! + Closes #120. + - Add support for the "sd_notify" protocol of systemd(8): Periodically + "ping" the service manager (every 3 seconds) and set a status message + showing current connection statistics which then is included in "systemctl + status ngircd.service" output. In addition, this enables using the + systemd(8) watchdog functionality ("WatchdogSec") for the "ngircd.service" + unit and allows it to use the "notify" service type, which results in + better status tracking by the service manager. + - Try to set file descriptor limit to its maximum and show info on startup: + The number of possible parallel connections is limited by the file + descriptor limit of the process (among other things). Therefore try to + upgrade the current "soft" limit to its "hard" maximum (but limited to + 100000 instead of "infinite"), and show an information or even warning when + the limit is still less than the configured "MaxConnections" setting. 
Please + note that ngIRCd and its linked libraries (like PAM) need file descriptors + not only for incoming and outgoing IRC connections, but for reading files + and inter-process communication, too! Therefore the actual connection limit + is less(!) than the file descriptor limit! + - Add a "Docker file" (contrib/Dockerfile) and corresponding documentation + (doc/Container.md) to the project. The resulting container is based on the + latest Debian "stable-slim" container and built using a "build container". + - No longer use a default built-in value for the "IncludeDir" directive when + a configuration file was explicitly specified on the command line using + "--config"/"-f": This way no default include directory is scanned when a + possibly non-default configuration file is used which (intentionally) did + not specify an "IncludeDir" directive. So now you can use "-f /dev/null" + for checking all built-in defaults, regardless of any local configuration + files in the default drop-in directory (which would have been read in + until this change). + - The server "Name" in the "[Global]" section of the configuration file no + longer needs to be set: When not set (or empty), ngIRCd now tries to + deduce a valid IRC server name from the local host name ("node name"), + possibly adding a ".host" extension when the host name does not contain a + dot (".") which is required in an IRC server name ("ID"). + This new behavior, with all configuration parameters now being optional, + allows running ngIRCd without any configuration file at all. + - Autodetect support for IPv6 by default: Until now, IPv6 support was disabled + by default, which seems a bit outdated in 2024. Note: You still can pass + "--enable-ipv6"/"--disable-ipv6" to the ./configure script to forcefully + activate or deactivate IPv6 support. + - Do IDENT requests even when DNS lookups are disabled: Up to now disabling + DNS in the configuration disabled IDENT lookups as well (for no good + reason). 
Now you can activate/deactivate DNS lookups and IDENT requests + completely separately. Thanks for reporting this, Miniontoby! + Closes #291. + - Allow SSL client-only configurations without keys/certificates: You don't + need to configure certificates/keys as long as you don't configure + SSL-enabled listening ports. This can make sense when you want to only link + your local daemon to an uplink server using SSL and only have clients on + your local host or in your fully trusted network, where SSL is not required. + - Respect "SSLConnect" option for incoming connections and do not accept + incoming plain-text ("non SSL") server connections for servers configured + with "SSLConnect" enabled. This change prevents an authenticated + client-server being able to force the server-server to send its password + on a plain-text connection when SSL/TLS was intended. + - Add a new option "Autojoin" to [Channel] blocks: When it is set, ngIRCd + automatically joins all local users to this channel on connect. Note: The + users must have permissions to access the channel, otherwise joining them + will fail! + Thanks Ivan Agarkov for the initial patch! + - Hide invisible (+i) users on "WHOIS ": Let's behave like most(?) + other IRC daemons (at least ircd2.11) and hide all +i users when WHOIS is + used with a pattern. Otherwise privacy of this users is not guaranteed and + the +i mode a bit useless ... + Reported by Cahata on #ngircd, thanks! + - Make the debug log level ("--debug"/-"d" command line option) always + available, not only when ./configure'd with "--enable-debug": the latter + now only enables additional checks (like the tests done using assert(2)) + and is signalled by adding "+DEBUG" to the version "feature string". This + change enables everyone to get even more detailed logging when required. + - Allow IRC Operators to use the WHO command on any channel. 
+ - Send the NAMES list and channel topic to users "forcefully" joined to a + channel using NJOIN, like they joined on their own using JOIN, and + streamline the order of NAMES list and channel topic messages. + Closes #288. + - Added a new command line option "-y"/"--syslog", with which logging to + syslog can be activated/deactivated separately from running on the console + (using "--nodaemon") or in the background. + Thanks Katherine Peeters for the patch and pull request! + Closes #294. + - Update, enhance and extend our documentation in README.md, INSTALL.md, + doc/HowToRelease.txt and the manual pages ngircd(8) and ngircd.conf(5), add + a new doc/QuickStart.md document, and convert some more documentation files + to Markdown (AUTHORS.md, contrib/README.md, doc/FAQ.md, doc/SSL.md). + ngIRCd 26.1 (2021-01-02) - This release is a bugfix release only, without new features. @@ -51,7 +153,7 @@ ngIRCd 26 (2020-06-20) "error" before). Exit with code 2 ("command line error") for all other invalid command line options, and show the error message itself on stderr (instead of stdout and exit code 1, "generic error", as before). - This new behaviour is more in line with the GNU "coding standards", + This new behavior is more in line with the GNU "coding standards", see . - Add ./contrib/nglog.sh: This script parses the log output of ngircd(8), and colorizes the messages according to their log level. Example usage: diff --git a/contrib/Debian/changelog b/contrib/Debian/changelog index 73a70ff7..d4814ee6 100644 --- a/contrib/Debian/changelog +++ b/contrib/Debian/changelog @@ -1,3 +1,9 @@ +ngircd (27~rc1-0ab1) UNRELEASED; urgency=medium + + * New "upstream" release candidate 1 for ngIRCd Release 27. + + -- Alexander Barton Tue, 26 Mar 2024 22:30:41 +0100 + ngircd (26.1-0ab1) unstable; urgency=medium * New "upstream" release: ngIRCd 26.1. -- 2.39.2 From 4b1eb0e3ee203819b0d8c5d890f7edd55e50eac0 Mon Sep 17 00:00:00 2001 
From: Alexander Barton Date: Thu, 11 Apr 2024 21:57:51 +0200 Subject: [PATCH 07/16] ngircd.service: Redirect stdout and stderr to the journal --- contrib/ngircd.service | 2 ++ 1 file changed, 2 insertions(+) diff --git a/contrib/ngircd.service b/contrib/ngircd.service index 5ab73553..311bc0d8 100644 --- a/contrib/ngircd.service +++ b/contrib/ngircd.service @@ -29,6 +29,8 @@ RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX RestrictRealtime=yes RuntimeDirectory=ircd RuntimeDirectoryMode=750 +StandardError=journal +StandardOutput=journal # Try to load "default files" from any Debian package variant to keep this # unit generic. EnvironmentFile=-/etc/default/ngircd -- 2.39.2 From 0d42ea7709c786cd9c405cf04395afd0091e580e Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Tue, 2 Apr 2024 22:33:50 +0200 Subject: [PATCH 08/16] Update doc/Platforms.txt --- doc/Platforms.txt | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/doc/Platforms.txt b/doc/Platforms.txt index 56ac7322..a69bf097 100644 --- a/doc/Platforms.txt +++ b/doc/Platforms.txt @@ -26,7 +26,8 @@ for inclusion here. Thanks for your help! | | | | Platform Compiler ngIRCd Date Tester C M T R * --------------------------- ------------ ---------- -------- -------- - - - - - -aarch64/apple/darwin A-clang 12.0.0 26 20-12-10 goetz N Y Y Y 3 +aarch64/apple/darwin A-clang 12.0 26 20-12-10 goetz N Y Y Y 3 +aarch64/apple/darwin23.4.0 A-clang 15.0 26.1~131 24-04-01 alex Y Y Y Y 3 alpha/unknown/netbsd3.0 gcc 3.3.3 CVSHEAD 06-05-07 fw Y Y Y Y 3 armv6l/unk./linux-gnueabi gcc 4.7.2 20.2 13-03-08 goetz Y Y Y Y 5 armv6l/unk./linux-gnueabihf gcc 4.6.3 21~rc2 13-10-26 pi Y Y Y Y 5 
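Review bot: `StandardError=journal` and `StandardOutput=journal` are added without a comment, while the `EnvironmentFile=` line just below has one explaining its purpose. Since `journal` is already what systemd uses for stdout unless `DefaultStandardOutput=` is changed in the manager configuration, a reader cannot tell why the two values are pinned. A short comment above them would settle it, for example `# Always log to the journal, independent of the manager's default output settings.`. That wording assumes the motive and should be replaced by the real one if it differs.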
@@ -72,6 +73,7 @@ i686/pc/linux-gnu gcc 4.3.2 14.1 09-08-04 alex Y Y Y Y 1 i686/pc/minix gcc 4.4.6 21~rc2 13-10-27 alex Y Y N N i686/unknown/gnu0.3 gcc 4.4.5 19 12-02-29 alex Y Y Y Y i686/unknown/gnu0.5 gcc 4.9.1 22~rc1-3 14-10-11 alex Y Y Y Y +i686/unknown/gnu0.9 gcc 12.2.0 26.1~131-g 24-04-01 alex Y Y Y Y i686/unkn./kfreebsd7.2-gnu gcc 4.3.4 15 09-12-02 alex Y Y Y Y 3 m68k/apple/aux3.0.1 gcc 2.7.2 17 10-11-07 alex Y Y N Y m68k/apple/aux3.0.1 Orig. A/UX 17 10-11-07 alex Y Y N Y 2 
@@ -103,16 +105,19 @@ x86_64/apple/darwin16.5.0 A-clang 8.1 25~rc1-7-g 18-11-04 alex Y Y Y Y 3 x86_64/apple/darwin17.7.0 A-clang 10.0 25~rc1 18-11-04 alex Y Y Y Y 3 x86_64/apple/darwin18.2.0 A-clang 10.0 25~rc1-11 19-01-23 alex Y Y Y Y 3 x86_64/apple/darwin19.4.0 A-clang 11.0 26~rc1 20-05-10 alex Y Y Y Y 3 -x86_64/apple/darwin19.6.0 A-clang 12.0.0 26 20-10-20 alex Y Y Y Y 3 -x86_64/apple/darwin20.1.0 A-clang 12.0.0 26 21-01-01 alex Y Y Y Y 3 +x86_64/apple/darwin19.6.0 A-clang 12.0 26 20-10-20 alex Y Y Y Y 3 +x86_64/apple/darwin20.1.0 A-clang 12.0 26 21-01-01 alex Y Y Y Y 3 +x86_64/apple/darwin23.4.0 A-clang 15.0 26.1~133-g 24-04-03 alex Y Y Y Y 3 x86_64/unknown/dragonfly3.4 gcc 4.7.2 21 13-11-12 goetz Y Y N Y 3 x86_64/unkn./freebsd8.1-gnu gcc 4.4.5 19 12-02-26 alex Y Y Y Y 3 x86_64/unknown/freebsd8.4 gcc 4.2.1 24~rc1-7 17-01-20 alex Y Y Y Y 3 x86_64/unknown/freebsd9.2 gcc 4.2.1 22~rc1-3 14-10-10 alex Y Y Y Y 3 x86_64/unknown/freebsd10.3 F-clang 3.4 24 17-01-20 goetz Y Y Y Y 3 x86_64/unknown/freebsd11.0 F-clang 3.8 24 17-01-21 goetz Y Y Y Y 3 -x86_64/unknown/freebsd12.1 F-clang 8.0.1 26 20-08-28 alex Y Y Y Y 3 +x86_64/unknown/freebsd12.1 F-clang 8.0 26 20-08-28 alex Y Y Y Y 3 +x86_64/unknown/freebsd14.0 F-clang 16.0 26.1~131 24-04-01 alex Y Y Y Y 3 x86_64/unknown/haiku gcc 7.3.0 25~rc1-11 19-01-06 alex Y Y N Y +x86_64/unknown/haiku gcc 13.2.0 26.1~132-g 24-04-02 alex Y Y Y Y x86_64/unknown/linux-gnu clang 3.3 21 14-01-07 alex Y Y Y Y 1 x86_64/unknown/linux-gnu clang 3.4 22~rc1-3 14-10-11 alex Y Y Y Y 1 x86_64/pc/linux-gnu gcc 4.4.5 24~rc1-7 17-01-20 alex Y Y Y Y 1 
@@ -124,18 +129,22 @@ x86_64/pc/linux-gnu [WSL] gcc 5.4.0 24 18-03-07 goetz Y Y y Y 7 x86_64/pc/linux-gnu gcc 6.2.1 24~rc1-7 17-01-20 alex Y Y Y Y 1 x86_64/pc/linux-gnu gcc 6.3.0 25~rc1-11 19-01-23 alex Y Y Y Y 1 x86_64/pc/linux-gnu gcc 8.3.0 26 20-08-28 alex Y Y Y Y 1 +x86_64/pc/linux-gnu gcc 11.4.0 26.1~133-g 24-04-03 alex Y Y Y Y 1 +x86_64/pc/linux-gnu gcc 12.2.0 26.1~132-g 24-04-02 alex Y Y Y Y 1 x86_64/unknown/linux-gnu icc 16 23 16-01-13 goetz Y Y Y Y 1 x86_64/unknown/linux-gnu nwcc 0.8.2 21 13-12-01 goetz Y Y Y Y 1 x86_64/unknown/linux-gnu Open64 21.1 14-03-27 goetz Y Y Y Y 1 x86_64/unknown/linux-gnu Sun C 5.12 21.1 14-03-27 goetz Y Y Y Y 1 x86_64/unknown/netbsd9.0 gcc 7.4.0 26 20-08-28 alex Y Y y Y 3 +x86_64/unknown/netbsd10.0 gcc 10.5.0 26.1~131-g 24-04-01 alex Y Y Y Y 3 x86_64/unknown/openbsd4.7 gcc 3.3.5 20~rc1 12-02-26 alex Y Y Y Y 3 x86_64/unknown/openbsd4.8 gcc 4.2.1 22~rc1-3 14-10-10 alex Y Y y Y 3 x86_64/unknown/openbsd5.1 gcc 4.2.1 21 13-12-28 alex Y Y Y Y 3 x86_64/unknown/openbsd5.5 gcc 4.2.1 22~rc1-3 14-10-10 alex Y Y Y Y 3 x86_64/unknown/openbsd6.6 gcc 4.2.1 26 20-08-28 alex Y Y Y Y 3 -x86_64/unknown/openbsd6.6 O-clang 8.0.1 26 20-08-28 alex Y Y Y Y 3 +x86_64/unknown/openbsd6.6 O-clang 8.0 26 20-08-28 alex Y Y Y Y 3 x86_64/unknown/openbsd6.7 gcc 4.2.1 26 20-09-26 goetz Y Y y Y 3 +x86_64/unknown/openbsd7.4 O-clang 13.0 26.1~131-g 24-04-01 alex Y Y Y Y 3 * Notes -- 2.39.2 From e3f96d446dd88241a94de51b676fd118d47ab7d7 Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Sat, 13 Apr 2024 12:00:49 +0200 Subject: [PATCH 09/16] Test suite: Use $USER in getpid.sh when $LOGNAME is not set The LOGNAME environment variable is not set in GitHub "actions", for example ... --- src/testsuite/getpid.sh | 2 +- src/testsuite/start-server.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/testsuite/getpid.sh b/src/testsuite/getpid.sh index 465def64..85059142 100755 --- a/src/testsuite/getpid.sh +++ b/src/testsuite/getpid.sh 
@@ -23,7 +23,7 @@ if [ -x /usr/bin/pgrep ]; then *) PGREP_FLAGS="" esac - exec /usr/bin/pgrep $PGREP_FLAGS -n -u "$LOGNAME" "$1" + exec /usr/bin/pgrep $PGREP_FLAGS -n -u "${LOGNAME:-$USER}" "$1" fi # pidof(1) could be a good alternative on elder Linux systems diff --git a/src/testsuite/start-server.sh b/src/testsuite/start-server.sh index 599bf3ad..bc6eb7ea 100755 --- a/src/testsuite/start-server.sh +++ b/src/testsuite/start-server.sh @@ -20,7 +20,7 @@ echo_n "starting server ${id} ..." # check weather getpid.sh returns valid PIDs. If not, don't start up the # test-server, because we won't be able to kill it at the end of the test. -./getpid.sh sh >/dev/null 2>&1 +./getpid.sh sh >/dev/null if [ $? -ne 0 ]; then echo " getpid.sh failed!" exit 1 -- 2.39.2 From b362b5a94554a3f4818c90bf54f8715b58ab923b Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Sat, 13 Apr 2024 12:26:55 +0200 Subject: [PATCH 10/16] ngIRCd Release 27~rc1 --- ChangeLog | 2 +- NEWS | 2 +- contrib/Debian/changelog | 4 ++-- contrib/de.barton.ngircd.metainfo.xml | 1 + contrib/ngircd.spec | 2 +- 5 files changed, 6 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index d3d66db6..7c962196 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,7 +10,7 @@ ngIRCd 27 - ngIRCd 27~rc1 + ngIRCd 27~rc1 (2024-04-13) - Validate certificates on server links. Up to now, ngIRCd optionally used SSL/TLS encrypted server-server links but never checked and validated any certificates. Now ngIRCd validates SSL/TLS certificates on outgoing diff --git a/NEWS b/NEWS index dc09f0ec..a1a56e6a 100644 --- a/NEWS +++ b/NEWS @@ -10,7 +10,7 @@ ngIRCd 27 - ngIRCd 27~rc1 + ngIRCd 27~rc1 (2024-04-13) - Validate certificates on server links. Up to now, ngIRCd optionally used SSL/TLS encrypted server-server links but never checked and validated any certificates. Now ngIRCd validates SSL/TLS certificates on outgoing diff --git a/contrib/Debian/changelog b/contrib/Debian/changelog index d4814ee6..ef1b5e44 100644 
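Review bot: The `-u` filter on the `pgrep` line is taken from the environment (`${LOGNAME:-$USER}`), so with both variables unset the expansion aborts under the script's `set -u`. A value inherited from another session also scopes the search to an account other than the one running the tests. Asking the system instead, `exec /usr/bin/pgrep $PGREP_FLAGS -n -u "$(id -u)" "$1"`, needs no environment variable at all. The same line is touched again by the getpid.sh hunks of patches 11 and 12 in this series, where the branch for missing variables drops `-u` and may then report another user's process; with `id -u` that branch becomes unnecessary. The enclosing `if [ -x /usr/bin/pgrep ]` block starts outside this hunk.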
--- a/contrib/Debian/changelog +++ b/contrib/Debian/changelog @@ -1,8 +1,8 @@ -ngircd (27~rc1-0ab1) UNRELEASED; urgency=medium +ngircd (27~rc1-0ab1) unstable; urgency=medium * New "upstream" release candidate 1 for ngIRCd Release 27. - -- Alexander Barton Tue, 26 Mar 2024 22:30:41 +0100 + -- Alexander Barton Sat, 13 Apr 2024 12:26:35 +0200 ngircd (26.1-0ab1) unstable; urgency=medium diff --git a/contrib/de.barton.ngircd.metainfo.xml b/contrib/de.barton.ngircd.metainfo.xml index 15f6b478..23ccbcc8 100644 --- a/contrib/de.barton.ngircd.metainfo.xml +++ b/contrib/de.barton.ngircd.metainfo.xml @@ -24,6 +24,7 @@ ngircd + diff --git a/contrib/ngircd.spec b/contrib/ngircd.spec index f4cc0242..28bef189 100644 --- a/contrib/ngircd.spec +++ b/contrib/ngircd.spec @@ -1,5 +1,5 @@ %define name ngircd -%define version 26.1 +%define version 27~rc1 %define release 1 %define prefix %{_prefix} -- 2.39.2 From a33d15751b3e3910bd06125efbeae6569844f313 Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Sat, 13 Apr 2024 15:52:33 +0200 Subject: [PATCH 11/16] Test suite: Don't use "pgrep -u" when LOGNAME and USER are not set Thanks for reporting this on IRC, luca! --- src/testsuite/getpid.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/testsuite/getpid.sh b/src/testsuite/getpid.sh index 85059142..3cc186e1 100755 --- a/src/testsuite/getpid.sh +++ b/src/testsuite/getpid.sh @@ -23,7 +23,13 @@ if [ -x /usr/bin/pgrep ]; then *) PGREP_FLAGS="" esac - exec /usr/bin/pgrep $PGREP_FLAGS -n -u "${LOGNAME:-$USER}" "$1" + if [ -n "$LOGNAME" ] || [ -n "$USER" ]; then + # Try to narrow the search down to the current user ... + exec /usr/bin/pgrep $PGREP_FLAGS -n -u "${LOGNAME:-$USER}" "$1" + else + # ... but neither LOGNAME nor USER were set! + exec /usr/bin/pgrep $PGREP_FLAGS -n "$1" + fi fi # pidof(1) could be a good alternative on elder Linux systems -- 2.39.2 From b77b9432c45d6f38c0ad6d9021afb4dd91f163e4 Mon Sep 17 00:00:00 2001 
From: Alexander Barton Date: Sat, 13 Apr 2024 16:04:29 +0200 Subject: [PATCH 12/16] Test suite: Correctly test for LOGNAME and USER --- src/testsuite/getpid.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/testsuite/getpid.sh b/src/testsuite/getpid.sh index 3cc186e1..7a3dbe37 100755 --- a/src/testsuite/getpid.sh +++ b/src/testsuite/getpid.sh @@ -23,7 +23,7 @@ if [ -x /usr/bin/pgrep ]; then *) PGREP_FLAGS="" esac - if [ -n "$LOGNAME" ] || [ -n "$USER" ]; then + if [ -n "${LOGNAME:-}" ] || [ -n "${USER:-}" ]; then # Try to narrow the search down to the current user ... exec /usr/bin/pgrep $PGREP_FLAGS -n -u "${LOGNAME:-$USER}" "$1" else -- 2.39.2 From 90fb3cf0a2b980acc1958bff315838a50fa4ccbe Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Sat, 13 Apr 2024 19:43:54 +0200 Subject: [PATCH 13/16] Don't abort startup when setgid/setuid() fails with EINVAL Both setgid(2) as well as setuid(2) can fail with EINVAL in addition to EPERM, their manual pages state "EINVAL: The user/group ID specified in uid/gid is not valid in this user namespace ". So not only treat EPERM as an "acceptable error" and continue with logging the error, but do the same for EINVAL. This was triggered by the Void Linux xbps-uunshare(1) tool used for building "XBPS source packages" and reported by luca in #ngircd. Thanks! --- src/ngircd/ngircd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/ngircd/ngircd.c b/src/ngircd/ngircd.c index b0610392..c2169c43 100644 --- a/src/ngircd/ngircd.c +++ b/src/ngircd/ngircd.c @@ -722,7 +722,7 @@ NGIRCd_Init(bool NGIRCd_NoDaemon) Log(LOG_ERR, "Can't change group ID to %s(%u): %s!", grp ? grp->gr_name : "?", Conf_GID, strerror(real_errno)); - if (real_errno != EPERM) + if (real_errno != EPERM && real_errno != EINVAL) goto out; } #ifdef HAVE_SETGROUPS 
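Review bot: Accepting EINVAL next to EPERM on the `setgid()` error path lets startup continue with the group ID unchanged, and the second ngircd.c hunk does the same for `setuid()`. Nothing visible in either hunk checks afterwards that the daemon is not still running with the IDs it was started with, possibly root. If NGIRCd_Init does not verify this further down (its body continues outside both hunks), the test could be narrowed to `if (real_errno != EPERM && !(real_errno == EINVAL && geteuid() != 0)) goto out;`. Whether that still fits the xbps-uunshare case from the commit message needs checking, because it depends on how that tool maps the caller's IDs. A comment above each test, for example `/* EINVAL: ID is not mapped in this user namespace, see setgid(2) */`, would also record why the extra errno is tolerated.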
@@ -748,7 +748,7 @@ NGIRCd_Init(bool NGIRCd_NoDaemon) Log(LOG_ERR, "Can't change user ID to %s(%u): %s!", pwd ? pwd->pw_name : "?", Conf_UID, strerror(real_errno)); - if (real_errno != EPERM) + if (real_errno != EPERM && real_errno != EINVAL) goto out; } } -- 2.39.2 From d4fb21f3542ee2a42aecdddc73a76a6ff41fcacd Mon Sep 17 00:00:00 2001 From: Val Lorentz Date: Fri, 19 Apr 2024 23:00:20 +0200 Subject: [PATCH 14/16] Fix channel symbol returned by RPL_NAMREPLY for secret channels References: - https://modern.ircdocs.horse/#rplnamreply-353 - https://datatracker.ietf.org/doc/html/rfc2812#page-47 - (RFC 1459 is irrelevant here, as https://datatracker.ietf.org/doc/html/rfc1459#page-51 uses a different format) Closes #313. --- src/ngircd/irc-info.c | 17 +++++++++++------ src/ngircd/messages.h | 2 +- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/src/ngircd/irc-info.c b/src/ngircd/irc-info.c index 9a531bb0..7287f3ca 100644 --- a/src/ngircd/irc-info.c +++ b/src/ngircd/irc-info.c @@ -818,7 +818,7 @@ IRC_NAMES( CLIENT *Client, REQUEST *Req ) /* Now print all clients which are not in any channel */ c = Client_First(); - snprintf(rpl, sizeof(rpl), RPL_NAMREPLY_MSG, Client_ID(from), "*", "*"); + snprintf(rpl, sizeof(rpl), RPL_NAMREPLY_MSG, Client_ID(from), '*', "*"); while (c) { if (Client_Type(c) == CLIENT_USER && Channel_FirstChannelOf(c) == NULL @@ -830,11 +830,11 @@ IRC_NAMES( CLIENT *Client, REQUEST *Req ) strlcat(rpl, Client_ID(c), sizeof(rpl)); if (strlen(rpl) > COMMAND_LEN - CLIENT_NICK_LEN - 4) { - /* Line is gwoing too long, send now */ + /* Line is going too long, send now */ if (!IRC_WriteStrClient(from, "%s", rpl)) return DISCONNECTED; snprintf(rpl, sizeof(rpl), RPL_NAMREPLY_MSG, - Client_ID(from), "*", "*"); + Client_ID(from), '*', "*"); } } c = Client_Next(c); 
@@ -1500,6 +1500,8 @@ IRC_Send_NAMES(CLIENT * Client, CHANNEL * Chan) char str[COMMAND_LEN]; CL2CHAN *cl2chan; CLIENT *cl; + bool secret_channel; + char chan_symbol; assert(Client != NULL); assert(Chan != NULL); @@ -1514,10 +1516,13 @@ IRC_Send_NAMES(CLIENT * Client, CHANNEL * Chan) return CONNECTED; /* Secret channel? */ - if (!is_member && Channel_HasMode(Chan, 's')) + secret_channel = Channel_HasMode(Chan, 's'); + if (!is_member && secret_channel) return CONNECTED; - snprintf(str, sizeof(str), RPL_NAMREPLY_MSG, Client_ID(Client), "=", + chan_symbol = secret_channel ? '@' : '='; + + snprintf(str, sizeof(str), RPL_NAMREPLY_MSG, Client_ID(Client), chan_symbol, Channel_Name(Chan)); cl2chan = Channel_FirstMember(Chan); while (cl2chan) { @@ -1540,7 +1545,7 @@ IRC_Send_NAMES(CLIENT * Client, CHANNEL * Chan) if (!IRC_WriteStrClient(Client, "%s", str)) return DISCONNECTED; snprintf(str, sizeof(str), RPL_NAMREPLY_MSG, - Client_ID(Client), "=", + Client_ID(Client), chan_symbol, Channel_Name(Chan)); } } diff --git a/src/ngircd/messages.h b/src/ngircd/messages.h index 1bbfa699..5c33b35d 100644 --- a/src/ngircd/messages.h +++ b/src/ngircd/messages.h @@ -84,7 +84,7 @@ #define RPL_ENDOFEXCEPTLIST_MSG "349 %s %s :End of channel exception list" #define RPL_VERSION_MSG "351 %s %s-%s.%s %s :%s" #define RPL_WHOREPLY_MSG "352 %s %s %s %s %s %s %s :%d %s" -#define RPL_NAMREPLY_MSG "353 %s %s %s :" +#define RPL_NAMREPLY_MSG "353 %s %c %s :" #define RPL_LINKS_MSG "364 %s %s %s :%d %s" #define RPL_ENDOFLINKS_MSG "365 %s %s :End of LINKS list" #define RPL_ENDOFNAMES_MSG "366 %s %s :End of NAMES list" -- 2.39.2 From 75ef4e14e0a3e08eec9ec454a2749711ccaa6c2e Mon Sep 17 00:00:00 2001 
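Review bot: `chan_symbol = secret_channel ? '@' : '=';` in IRC_Send_NAMES only separates secret channels from everything else, so a channel with mode `p` is still announced with `=`. Both references cited in the commit message list `*` for private channels. If private channels are meant to follow them too, the assignment could read `chan_symbol = secret_channel ? '@' : Channel_HasMode(Chan, 'p') ? '*' : '=';`. The function starts and ends outside the hunks shown, so an existing special case for `p` elsewhere in it cannot be ruled out from here.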
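Review bot: Switching the second conversion of `RPL_NAMREPLY_MSG` from `%s` to `%c` silently changes the type every caller has to pass, and a call site left with a string literal would hand a pointer to `%c`. The irc-info.c hunks update four calls; whether other users of the macro exist is not visible here. A comment on the define, such as `/* 2nd argument: channel symbol as a char ('=', '*' or '@') */`, would make the contract explicit for future callers.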
From: Alexander Barton Date: Fri, 19 Apr 2024 23:28:34 +0200 Subject: [PATCH 15/16] Add am example filter file for "Fail2Ban" --- contrib/Debian/rules | 5 +++++ contrib/Makefile.am | 1 + contrib/README.md | 2 ++ contrib/ngircd-fail2ban.conf | 25 +++++++++++++++++++++++++ 4 files changed, 33 insertions(+) create mode 100644 contrib/ngircd-fail2ban.conf diff --git a/contrib/Debian/rules b/contrib/Debian/rules index 25e27872..561f765c 100755 --- a/contrib/Debian/rules +++ b/contrib/Debian/rules @@ -53,6 +53,11 @@ execute_after_dh_auto_install: $(CURDIR)/contrib/ngircd.logcheck \ $(CURDIR)/debian/ngircd/etc/logcheck/ignore.d.paranoid/ngircd +# Install the fail2ban configuration. + install -o root -g root -m 0644 -D \ + $(CURDIR)/contrib/ngircd-fail2ban.conf \ + $(CURDIR)/debian/ngircd/etc/fail2ban/filter.d/ngircd.conf + # Make lintian happy :-) rm $(CURDIR)/debian/ngircd/usr/share/doc/ngircd/COPYING mv $(CURDIR)/debian/ngircd/usr/share/doc/ngircd/ChangeLog \ diff --git a/contrib/Makefile.am b/contrib/Makefile.am index f2d99012..cd2eb05e 100644 --- a/contrib/Makefile.am +++ b/contrib/Makefile.am @@ -17,6 +17,7 @@ EXTRA_DIST = README.md \ Dockerfile \ ngindent.sh \ ngircd-bsd.sh \ + ngircd-fail2ban.conf \ ngIRCd-Logo.gif \ ngircd-redhat.init \ ngircd.logcheck \ diff --git a/contrib/README.md b/contrib/README.md index fdd46495..5ab57690 100644 --- a/contrib/README.md +++ b/contrib/README.md @@ -16,6 +16,8 @@ This `contrib/` directory contains the following sub-folders and files: - `ngircd-bsd.sh`: Start/stop script for FreeBSD. +- `ngircd-fail2ban.conf`: fail2ban(1) filter configuration for ngIRCd. + - `ngircd-redhat.init`: Start/stop script for old(er) RedHat-based distributions (like CentOS and Fedora), which did _not_ use systemd(8). diff --git a/contrib/ngircd-fail2ban.conf b/contrib/ngircd-fail2ban.conf new file mode 100644 index 00000000..c9903e0c --- /dev/null +++ b/contrib/ngircd-fail2ban.conf 
@@ -0,0 +1,25 @@ +# Fail2ban filter for ngIRCd +# +# Put into /etc/fail2ban/filter.d/ngircd.conf and enable in your jail.local +# configuration like this: +# +# [ngircd] +# enabled = true +# backend = systemd +# + +[INCLUDES] + +before = common.conf + +[DEFAULT] + +_daemon = ngircd + +[Definition] + +failregex = ^%(__prefix_line)sRefused connection from on socket \d+: + +[Init] + +journalmatch = _SYSTEMD_UNIT=ngircd.service + _COMM=ngircd -- 2.39.2 From 3e3f6cbeceefd9357b53b27c2386bb39306ab353 Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Fri, 19 Apr 2024 23:49:59 +0200 Subject: [PATCH 16/16] Clarify that "CAFile" is not set by default --- doc/sample-ngircd.conf.tmpl | 3 ++- man/ngircd.conf.5.tmpl | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/sample-ngircd.conf.tmpl b/doc/sample-ngircd.conf.tmpl index 5f9cb9eb..2a08bb43 100644 --- a/doc/sample-ngircd.conf.tmpl +++ b/doc/sample-ngircd.conf.tmpl @@ -273,7 +273,8 @@ # is only available when ngIRCd is compiled with support for SSL! # So don't forget to remove the ";" above if this is the case ... - # SSL Trusted CA Certificates File (for verifying peer certificates) + # SSL Trusted CA Certificates File for verifying peer certificates. + # (Default: not set; so no certificates are trusted) ;CAFile = /etc/ssl/CA/cacert.pem # Certificate Revocation File (for marking otherwise valid diff --git a/man/ngircd.conf.5.tmpl b/man/ngircd.conf.5.tmpl index 66d3598d..68ee9093 100644 --- a/man/ngircd.conf.5.tmpl +++ b/man/ngircd.conf.5.tmpl @@ -399,7 +399,7 @@ when it is compiled with support for SSL using OpenSSL or GnuTLS! .TP \fBCAFile\fR (string) Filename pointing to the Trusted CA Certificates. This is required for -verifying peer certificates. +verifying peer certificates. Default: not set, so no certificates are trusted. .TP \fBCertFile\fR (string) SSL Certificate file of the private server key. -- 2.39.2
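Review bot: The example jail in the header comment of ngircd-fail2ban.conf enables the filter with fail2ban's global defaults, so it does not tell the admin which threshold applies or that trusted peers should be exempted. Linked servers, bouncers and gateways that funnel many users through one address would be banned like any other source. Two more commented lines would cover this, for example `#   maxretry = <threshold>` and `#   ignoreip = <addresses of linked servers and gateways>`, where both values are placeholders to be chosen per site. Separately, the `failregex` line as shown on this page has no `<HOST>` tag between `from` and `on socket`. That was probably lost in rendering, but it is worth confirming in the file, since fail2ban cannot extract an address to ban without it.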