ALT Linux Team development discussions
 help / color / mirror / Atom feed
* [devel] [PATCH hasher-priv v3 0/7] hasher-privd
@ 2021-08-24  8:24 Arseny Maslennikov
  2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 1/7] Turn hasher-priv into a daemon Arseny Maslennikov
                   ` (6 more replies)
  0 siblings, 7 replies; 11+ messages in thread
From: Arseny Maslennikov @ 2021-08-24  8:24 UTC (permalink / raw)
  To: devel; +Cc: Arseny Maslennikov

This is an effort to make hasher-priv a privileged daemon which operates
in response to requests from unprivileged client processes. In short, we
want this to clear the set-uid root privilege from
/usr/libexec/hasher-priv/hasher-priv for the tool to be compatible with
no_new_privs environments, among other benefits.

The cgroup patch[3]] is not yet ready for submission, so it's dropped
for now.

See also: devel@ discussion of v1[1], v2[2], commit message of 1/7.

[1] https://lore.altlinux.org/devel/cover.1576183643.git.legion@altlinux.org/
[2] https://lore.altlinux.org/devel/20201022114343.1810141-1-arseny@altlinux.org/
[3] https://lore.altlinux.org/devel/20201022114343.1810141-7-arseny@altlinux.org/

Alexey Gladkov (1):
  Add systemd and sysvinit service files

Arseny Maslennikov (6):
  Turn hasher-priv into a daemon
  sockets: xsendmsg: get rid of SIGPIPE on socket writes
  chrootuid: explicitly reset signal mask before forking off payload
  Link with libsetproctitle by Dmitry V. Levin
  daemon: set titles for subprocesses
  Install hasher-priv without set ugids

 hasher-priv/.gitignore            |   1 +
 hasher-priv/DESIGN                | 281 ++++++++++++-------
 hasher-priv/Makefile              |  35 ++-
 hasher-priv/caller.c              |  81 +++---
 hasher-priv/caller_server.c       | 350 ++++++++++++++++++++++++
 hasher-priv/caller_task.c         | 225 +++++++++++++++
 hasher-priv/chrootuid.c           |   5 +
 hasher-priv/cmdline.c             |  27 +-
 hasher-priv/communication.c       | 394 +++++++++++++++++++++++++++
 hasher-priv/communication.h       |  80 ++++++
 hasher-priv/config.c              | 147 +++++++++-
 hasher-priv/daemon.conf           |  13 +
 hasher-priv/epoll.c               |  39 +++
 hasher-priv/epoll.h               |  18 ++
 hasher-priv/hasher-priv.c         |  78 ++++++
 hasher-priv/hasher-priv.spec      |  12 +-
 hasher-priv/hasher-privd.c        | 439 ++++++++++++++++++++++++++++++
 hasher-priv/hasher-privd.service  |  14 +
 hasher-priv/hasher-privd.sysvinit | 103 +++++++
 hasher-priv/io_log.c              |   2 +-
 hasher-priv/io_x11.c              |   2 +-
 hasher-priv/killuid.c             |   2 +-
 hasher-priv/logging.c             |  71 +++++
 hasher-priv/logging.h             |  55 ++++
 hasher-priv/main.c                |  75 -----
 hasher-priv/pass.c                | 117 +++++++-
 hasher-priv/pidfile.c             | 129 +++++++++
 hasher-priv/pidfile.h             |  44 +++
 hasher-priv/priv.h                |  57 +++-
 hasher-priv/sockets.c             | 180 ++++++++++++
 hasher-priv/sockets.h             |  32 +++
 hasher-priv/x11.c                 |   1 +
 32 files changed, 2859 insertions(+), 250 deletions(-)
 create mode 100644 hasher-priv/caller_server.c
 create mode 100644 hasher-priv/caller_task.c
 create mode 100644 hasher-priv/communication.c
 create mode 100644 hasher-priv/communication.h
 create mode 100644 hasher-priv/daemon.conf
 create mode 100644 hasher-priv/epoll.c
 create mode 100644 hasher-priv/epoll.h
 create mode 100644 hasher-priv/hasher-priv.c
 create mode 100644 hasher-priv/hasher-privd.c
 create mode 100644 hasher-priv/hasher-privd.service
 create mode 100755 hasher-priv/hasher-privd.sysvinit
 create mode 100644 hasher-priv/logging.c
 create mode 100644 hasher-priv/logging.h
 delete mode 100644 hasher-priv/main.c
 create mode 100644 hasher-priv/pidfile.c
 create mode 100644 hasher-priv/pidfile.h
 create mode 100644 hasher-priv/sockets.c
 create mode 100644 hasher-priv/sockets.h

-- 
2.32.0



^ permalink raw reply	[flat|nested] 11+ messages in thread

* [devel] [PATCH hasher-priv v3 1/7] Turn hasher-priv into a daemon
  2021-08-24  8:24 [devel] [PATCH hasher-priv v3 0/7] hasher-privd Arseny Maslennikov
@ 2021-08-24  8:24 ` Arseny Maslennikov
  2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 2/7] sockets: xsendmsg: get rid of SIGPIPE on socket writes Arseny Maslennikov
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 11+ messages in thread
From: Arseny Maslennikov @ 2021-08-24  8:24 UTC (permalink / raw)
  To: devel; +Cc: Arseny Maslennikov, Alexey Gladkov

All the privileged operations are now performed by a daemonised system
service. The daemon accepts IPC commands via a Unix domain socket,
fulfills the request and sends back a response.
The kernel provides a reliable way to obtain the sender's credentials,
which are then verified.
This allows to install hasher-privd without SUID bit to reduce attack
surface and facilitate NO_NEW_PRIVS environments.

When contacted by a client of user X, the daemon creates a separate
session process that handles requests only from user X. This session
process ends after a certain period of inactivity.

Co-authored-by: Alexey Gladkov <legion@altlinux.org>
Signed-off-by: Arseny Maslennikov <arseny@altlinux.org>
---
 hasher-priv/.gitignore       |   1 +
 hasher-priv/DESIGN           | 281 ++++++++++++++--------
 hasher-priv/Makefile         |  28 ++-
 hasher-priv/caller.c         |  81 ++++---
 hasher-priv/caller_server.c  | 350 ++++++++++++++++++++++++++++
 hasher-priv/caller_task.c    | 219 ++++++++++++++++++
 hasher-priv/cmdline.c        |  27 ++-
 hasher-priv/communication.c  | 394 +++++++++++++++++++++++++++++++
 hasher-priv/communication.h  |  80 +++++++
 hasher-priv/config.c         | 147 +++++++++++-
 hasher-priv/daemon.conf      |  13 ++
 hasher-priv/epoll.c          |  39 ++++
 hasher-priv/epoll.h          |  18 ++
 hasher-priv/hasher-priv.c    |  78 +++++++
 hasher-priv/hasher-priv.spec |   3 +
 hasher-priv/hasher-privd.c   | 437 +++++++++++++++++++++++++++++++++++
 hasher-priv/io_log.c         |   2 +-
 hasher-priv/io_x11.c         |   2 +-
 hasher-priv/killuid.c        |   2 +-
 hasher-priv/logging.c        |  71 ++++++
 hasher-priv/logging.h        |  55 +++++
 hasher-priv/main.c           |  75 ------
 hasher-priv/pass.c           | 117 +++++++++-
 hasher-priv/pidfile.c        | 129 +++++++++++
 hasher-priv/pidfile.h        |  44 ++++
 hasher-priv/priv.h           |  57 ++++-
 hasher-priv/sockets.c        | 180 +++++++++++++++
 hasher-priv/sockets.h        |  32 +++
 hasher-priv/x11.c            |   1 +
 29 files changed, 2715 insertions(+), 248 deletions(-)
 create mode 100644 hasher-priv/caller_server.c
 create mode 100644 hasher-priv/caller_task.c
 create mode 100644 hasher-priv/communication.c
 create mode 100644 hasher-priv/communication.h
 create mode 100644 hasher-priv/daemon.conf
 create mode 100644 hasher-priv/epoll.c
 create mode 100644 hasher-priv/epoll.h
 create mode 100644 hasher-priv/hasher-priv.c
 create mode 100644 hasher-priv/hasher-privd.c
 create mode 100644 hasher-priv/logging.c
 create mode 100644 hasher-priv/logging.h
 delete mode 100644 hasher-priv/main.c
 create mode 100644 hasher-priv/pidfile.c
 create mode 100644 hasher-priv/pidfile.h
 create mode 100644 hasher-priv/sockets.c
 create mode 100644 hasher-priv/sockets.h

diff --git a/hasher-priv/.gitignore b/hasher-priv/.gitignore
index 5ca24b0..8f0f658 100644
--- a/hasher-priv/.gitignore
+++ b/hasher-priv/.gitignore
@@ -4,6 +4,7 @@ getconf.sh
 getugid1.sh
 getugid2.sh
 hasher-priv
+hasher-privd
 hasher-priv.8
 hasher-priv.conf.5
 hasher-useradd
diff --git a/hasher-priv/DESIGN b/hasher-priv/DESIGN
index 1470ce7..0fa6e1d 100644
--- a/hasher-priv/DESIGN
+++ b/hasher-priv/DESIGN
@@ -1,35 +1,63 @@
 
-Here is a hasher-priv (euid=root,egid=hashman,gid!=egid) control flow:
+Here is the control flow of hasher-priv (euid=user,egid=hashman,gid!=egid):
 + sanitize file descriptors
   + set safe umask
   + ensure 0,1,2 are valid file descriptors
   + close all the rest
 + parse command line arguments
-  + check for non-zero argument list
-  + parse -h, --help and -number options
-    + caller_num initialized here
-  + parse arguments, abort if wrong
-    + chroot_path and chroot_argv are initialized here
-    + valid arguments are:
-      getconf
-      killuid
-      getugid1
-      chrootuid1 <chroot path> <program> [program args]
-      getugid2
-      chrootuid2 <chroot path> <program> [program args]
++ connect to $XDG_RUNTIME_DIR/hasher-priv socket
+  + wait for the creation of a session server
+  + close socket
++ connect to session server by $XDG_RUNTIME_DIR/hasher-priv-UID socket
++ send command to start new task
+  + receive a result code from the server
++ send current stdout and stderr to server
+  + receive a result code from the server
++ send task arguments
+  + receive a result code from the server
++ send environment variables
+  + receive a result code from the server
++ send command to run task
+  + receive a task result code from the server
+
+Here is the control flow of hasher-privd (euid=root,egid=hashman,gid==egid):
++ parse command line arguments
+  + parse -h and --help options
++ set safe umask
++ check pidfile, abort if server already running
++ if not a daemon already, daemonize
+  + change current working directory to "/"
+  + close all file descriptors
++ initialize logger
++ create pidfile
++ examine and change blocked signals
++ I/O event notification and add file descriptors
+  + create a file descriptor for accepting signals
+  + create and listen server socket
++ wait for incoming caller connections
+  + handle signal if signal is received
+    + close caller's session
+  + handle connection if the caller opened a new connection
+    + get connection credentials
+    + fork new process for caller if don't have any
+    + notify the client if the session server already running
+    + close caller connection
++ close all descriptors in notification poll
++ close and remove pidfile
+
+Here is control flow for session server:
 + initialize data related to caller
-  + caller_uid initialized here from getuid()
+  + caller_uid initialized here by uid received via the socket
     + caller_uid must be valid uid
-  + caller_gid initialized here from getgid()
+  + caller_gid initialized here by uid received via the socket
     + caller_gid must be valid gid
-  + caller_user initialized here from getpwnam(LOGNAME)->pw_name or
-    getpwuid(caller_uid)->pw_name
+  + caller_user initialized here from getpwuid(caller_uid)->pw_name
     + must be true: caller_uid == pw->pw_uid
     + must be true: caller_gid == pw->pw_gid
   + caller_home initialized here
     + caller_user's home directory must exist
-+ read work limit hints from environment variables
-+ drop all environment variables
++ set safe umask
++ open a caller-specific socket
 + load configuration
   + safe chdir to /etc/hasher-priv
   + safe load "system" file
@@ -40,7 +68,7 @@ Here is a hasher-priv (euid=root,egid=hashman,gid!=egid) control flow:
       prefix
       umask
       nice
-      allowed_devices
+      allow_ttydev
       allowed_mountpoints
       rlimit_(hard|soft)_*
       wlimit_(time_elapsed|time_idle|bytes_written)
@@ -53,85 +81,136 @@ Here is a hasher-priv (euid=root,egid=hashman,gid!=egid) control flow:
       + change_user1 and change_user2 should be initialized here
   + change_uid1 and change_gid1 initialized from change_user1
   + change_uid2 and change_gid2 initialized from change_user2
-+ execute choosen task
-  + getconf: print config file /etc/hasher-priv/user.d/caller_user[:caller_num]
-  + getugid1: print change_uid1:change_gid1 pair
-  + getugid2: print change_uid2:change_gid2 pair
-  + killuid
-    + check for valid uids specified
-    + drop dumpable flag (just in case - not required)
-    + setuid to specified uid pair
-    + kill (-1, SIGKILL)
-    + purge all SYSV IPC objects belonging to specified uid pair
-  + chrootuid1/chrootuid2
-    + check for valid uid specified
-    + setup mounts and devices
-      + unshare mount namespace
-      + safe chdir to chroot_path
-      + safe chdir to dev
-      + mount dev
-      + create devices available to all users: null, zero, full, random, urandom
-      + if makedev_console environment variable is true,
-        create devices available to root only: console, tty0, fb0
-      + mount /dev/shm
-      + mount all mountpoints specified by requested_mountpoints environment variable
-      + if /dev/pts was mounted, create devices: tty, ptmx
-    + safe chdir to chroot_path
-    + sanitize file descriptors again
-    + if use_pty is disabled, create pipe to handle child's stdout and stderr
-    + if X11 forwarding is requested, create socketpair and
-      open /tmp/.X11-unix directory readonly for later use with fchdir()
-    + unless share_ipc is enabled, isolate System V IPC namespace
-    + unless share_uts is enabled, unshare UTS namespace
-    + if X11 forwarding to a tcp address was not requested,
-      unless share_network is enabled, unshare network
-    + clear supplementary group access list
-    + create pty:
-      + temporarily switch to called_uid:caller_gid
-      + open /dev/ptmx
-      + fetch pts number
-      + unlock pts pair
-      + open pts slave
-      + switch uid:gid back
-    + chroot to "."
-    + create another pty if possible:
-      + temporarily switch to called_uid:caller_gid
-      + safely chdir to "dev"
-      + if "pts/ptmx" is available with right permissions:
-        + replace "ptmx" with a symlink to "pts/ptmx"
-        + open "ptmx"
-        + fetch pts number
-        + unlock pts pair
-        + open pts slave
-      + chdir back to "/"
-      + switch uid:gid back
-      + if another pty was crated, close pts pair that was opened earlier
-    + set rlimits
-    + set close-on-exec flag on all non-standard descriptors
-    + fork
-      + in parent:
-        + setgid/setuid to caller user
-        + install CHLD signal handler
-        + unblock master pty and pipe descriptors
-        + if use_pty is enabled, initialize tty and install WINCH signal handler
-        + listen to "/dev/log"
-        + while work limits are not exceeded, handle child input/output
-        + close master pty descriptor, thus sending HUP to child session
-        + wait for child process termination
-        + remove CHLD signal handler
-        + return child proccess exit code
-      + in child:
-        + if X11 forwarding to a tcp address was requested,
++ I/O event notification and add file descriptors
+  + create a file descriptor for accepting signals
+  + create and listen the session socket
++ notify the client that the session server is ready
++ wait for incomming caller connections
+  + handle signal if signal is received
+  + handle connection if the caller opened a new connection
+    + task handler
+    + reset timeout timer
+  + finish the server if the task doesn't arrive from the caller
+    for more than a minute.
+
+Here is control flow for the task handler:
++ receive task header
+  + receive client's stdin, stdout and stderr
+  + check number of arguments
++ receive task arguments if we expect them
++ receive environment variables if client want to send them
++ fork process to handle task
+  + in parent:
+    + wait exit status
+  + in child:
+    + replace stdin, stdout and stderr with those that were received
+    + drop all environment variables
+    + apply the client's environment variables
+    + sanitize file descriptors
+      + set safe umask
+      + ensure 0,1,2 are valid file descriptors
+      + close all the rest
+    + parse task arguments
+    + check for non-zero argument list
+    + parse -h, --help and -number options
+      + caller_num initialized here
+    + parse arguments, abort if wrong
+      + chroot_path and chroot_argv are initialized here
+      + valid arguments are:
+        getconf
+        killuid
+        getugid1
+        chrootuid1 <chroot path> <program> [program args]
+        getugid2
+        chrootuid2 <chroot path> <program> [program args]
+    + caller_num initialized from task
+    + chroot_path and chroot_argv are initialized here
+    + read work limit hints from environment variables
+    + drop all environment variables
+    + execute choosen task
+      + getconf: print config file /etc/hasher-priv/user.d/caller_user[:caller_num]
+      + getugid1: print change_uid1:change_gid1 pair
+      + getugid2: print change_uid2:change_gid2 pair
+      + killuid
+        + check for valid uids specified
+        + drop dumpable flag (just in case - not required)
+        + setuid to specified uid pair
+        + kill (-1, SIGKILL)
+        + purge all SYSV IPC objects belonging to specified uid pair
+      + chrootuid1/chrootuid2
+        + fork to kill the processes that were left from the previous chrootuid call
+          + in parent:
+            + wait exit status
+          + in child:
+            + killuid
+        + check for valid uid specified
+        + setup mounts and devices
+          + unshare mount namespace
+          + safe chdir to chroot_path
+          + safe chdir to dev
+          + mount dev
+          + create devices available to all users: null, zero, full, random, urandom
+          + if makedev_console environment variable is true,
+            create devices available to root only: console, tty0, fb0
+          + mount /dev/shm
+          + mount all mountpoints specified by requested_mountpoints environment variable
+          + if /dev/pts was mounted, create devices: tty, ptmx
+        + safe chdir to chroot_path
+        + sanitize file descriptors again
+        + if use_pty is disabled, create pipe to handle child's stdout and stderr
+        + if X11 forwarding is requested, create socketpair and
+          open /tmp/.X11-unix directory readonly for later use with fchdir()
+        + unless share_ipc is enabled, isolate System V IPC namespace
+        + unless share_uts is enabled, unshare UTS namespace
+        + if X11 forwarding to a tcp address was not requested,
           unless share_network is enabled, unshare network
-        + setgid/setuid to specified user
-        + setsid
-        + change controlling terminal to pty
-        + redirect stdin if required, either to null or to pty
-        + redirect stdout and stderr either to pipe or to pty
-        + set nice
-        + if X11 forwarding is requested,
-          + add X11 auth entry using xauth utility
-          + create and bind unix socket for X11 forwarding
-          + send listening descriptor and fake auth data to the parent
-        + set umask
-        + execute specified program
+        + clear supplementary group access list
+        + create pty:
+          + temporarily switch to called_uid:caller_gid
+          + open /dev/ptmx
+          + fetch pts number
+          + unlock pts pair
+          + open pts slave
+          + switch uid:gid back
+        + chroot to "."
+        + create another pty if possible:
+          + temporarily switch to called_uid:caller_gid
+          + safely chdir to "dev"
+          + if "pts/ptmx" is available with right permissions:
+            + replace "ptmx" with a symlink to "pts/ptmx"
+            + open "ptmx"
+            + fetch pts number
+            + unlock pts pair
+            + open pts slave
+          + chdir back to "/"
+          + switch uid:gid back
+          + if another pty was crated, close pts pair that was opened earlier
+        + set rlimits
+        + set close-on-exec flag on all non-standard descriptors
+        + fork
+          + in parent:
+            + setgid/setuid to caller user
+            + install CHLD signal handler
+            + unblock master pty and pipe descriptors
+            + if use_pty is enabled, initialize tty and install WINCH signal handler
+            + listen to "/dev/log"
+            + while work limits are not exceeded, handle child input/output
+            + close master pty descriptor, thus sending HUP to child session
+            + wait for child process termination
+            + remove CHLD signal handler
+            + return child proccess exit code
+          + in child:
+            + if X11 forwarding to a tcp address was requested,
+              unless share_network is enabled, unshare network
+            + setgid/setuid to specified user
+            + setsid
+            + change controlling terminal to pty
+            + redirect stdin if required, either to null or to pty
+            + redirect stdout and stderr either to pipe or to pty
+            + set nice
+            + if X11 forwarding is requested,
+              + add X11 auth entry using xauth utility
+              + create and bind unix socket for X11 forwarding
+              + send listening descriptor and fake auth data to the parent
+            + set umask
+            + execute specified program
diff --git a/hasher-priv/Makefile b/hasher-priv/Makefile
index a029a63..8ccf99d 100644
--- a/hasher-priv/Makefile
+++ b/hasher-priv/Makefile
@@ -11,7 +11,7 @@ VERSION = $(shell sed '/^Version: */!d;s///;q' hasher-priv.spec)
 HELPERS = getconf.sh getugid1.sh chrootuid1.sh getugid2.sh chrootuid2.sh
 MAN5PAGES = $(PROJECT).conf.5
 MAN8PAGES = $(PROJECT).8 hasher-useradd.8
-TARGETS = $(PROJECT) hasher-useradd $(HELPERS) $(MAN5PAGES) $(MAN8PAGES)
+TARGETS = $(PROJECT) hasher-privd hasher-useradd $(HELPERS) $(MAN5PAGES) $(MAN8PAGES)
 
 have-cc-function = $(shell echo 'extern void $(1)(void); int main () { $(1)(); return 0; }' |$(CC) -o /dev/null -xc - > /dev/null 2>&1 && echo "-D$(2)")
 
@@ -23,6 +23,7 @@ man5dir = $(mandir)/man5
 man8dir = $(mandir)/man8
 configdir = $(sysconfdir)/$(PROJECT)
 helperdir = $(libexecdir)/$(PROJECT)
+socketdir = /run/hasher-priv
 DESTDIR =
 
 MKDIR_P = mkdir -p
@@ -36,17 +37,25 @@ WARNINGS = -Wall -W -Wshadow -Wpointer-arith -Wwrite-strings \
 	-Wmissing-format-attribute -Wredundant-decls -Wdisabled-optimization
 CPPFLAGS = -std=gnu99 -D_GNU_SOURCE $(CHDIRUID_FLAGS) \
 	$(call have-cc-function,close_range,HAVE_CLOSE_RANGE) \
-	$(LFS_CFLAGS) -DPROJECT_VERSION=\"$(VERSION)\"
+	$(LFS_CFLAGS) -DPROJECT_VERSION=\"$(VERSION)\" \
+	-DSOCKETDIR=\"$(socketdir)\" -DPROJECT=\"$(PROJECT)\"
 CFLAGS = -pipe -O2
 override CFLAGS += $(WARNINGS)
 LDLIBS =
 
-SRC = caller.c chdir.c chdiruid.c chid.c child.c chrootuid.c cmdline.c \
+SRC = hasher-priv.c cmdline.c fds.c sockets.c logging.c communication.c xmalloc.c pass.c
+OBJ = $(SRC:.c=.o)
+
+server_SRC = hasher-privd.c \
+	communication.c epoll.c pidfile.c logging.c sockets.c \
+	caller.c caller_server.c caller_task.c \
+	chdir.c chdiruid.c chid.c child.c chrootuid.c cmdline.c \
 	config.c fds.c getconf.c getugid.c ipc.c killuid.c io_log.c io_x11.c \
-	main.c makedev.c mount.c net.c parent.c pass.c pty.c signal.c tty.c \
+	makedev.c mount.c net.c parent.c pass.c pty.c signal.c tty.c \
 	unshare.c xmalloc.c x11.c
-OBJ = $(SRC:.c=.o)
-DEP = $(SRC:.c=.d)
+server_OBJ = $(server_SRC:.c=.o)
+
+DEP = $(SRC:.c=.d) $(server_SRC:.c=.d)
 
 .PHONY:	all install clean indent
 
@@ -55,14 +64,19 @@ all: $(TARGETS)
 $(PROJECT): $(OBJ)
 	$(LINK.o) $^ $(LOADLIBES) $(LDLIBS) -o $@
 
+hasher-privd: $(server_OBJ)
+	$(LINK.o) $^ $(LOADLIBES) $(LDLIBS) -o $@
+
 install: all
 	$(MKDIR_P) -m710 $(DESTDIR)$(configdir)/user.d
 	$(INSTALL) -p -m640 fstab $(DESTDIR)$(configdir)/fstab
 	$(INSTALL) -p -m640 system.conf $(DESTDIR)$(configdir)/system
+	$(INSTALL) -p -m640 daemon.conf $(DESTDIR)$(configdir)/daemon.conf
 	$(MKDIR_P) -m750 $(DESTDIR)$(helperdir)
 	$(INSTALL) -p -m700 $(PROJECT) $(DESTDIR)$(helperdir)/
 	$(INSTALL) -p -m755 $(HELPERS) $(DESTDIR)$(helperdir)/
 	$(MKDIR_P) -m755 $(DESTDIR)$(sbindir)
+	$(INSTALL) -p -m755 hasher-privd $(DESTDIR)$(sbindir)/
 	$(INSTALL) -p -m755 hasher-useradd $(DESTDIR)$(sbindir)/
 	$(MKDIR_P) -m755 $(DESTDIR)$(man5dir)
 	$(INSTALL) -p -m644 $(MAN5PAGES) $(DESTDIR)$(man5dir)/
@@ -70,7 +84,7 @@ install: all
 	$(INSTALL) -p -m644 $(MAN8PAGES) $(DESTDIR)$(man8dir)/
 
 clean:
-	$(RM) $(TARGETS) $(DEP) $(OBJ) core *~
+	$(RM) $(TARGETS) $(DEP) $(OBJ) $(server_OBJ) core *~
 
 indent:
 	indent *.h *.c
diff --git a/hasher-priv/caller.c b/hasher-priv/caller.c
index e83084a..29f141c 100644
--- a/hasher-priv/caller.c
+++ b/hasher-priv/caller.c
@@ -19,62 +19,67 @@
 
 #include "priv.h"
 #include "xmalloc.h"
+#include "logging.h"
 
-const char *caller_user, *caller_home;
-uid_t   caller_uid;
-gid_t   caller_gid;
+char *caller_user = NULL;
+char *caller_home = NULL;
+uid_t caller_uid;
+gid_t caller_gid;
 
 /*
  * Initialize caller_user, caller_uid, caller_gid and caller_home.
  */
-void
-init_caller_data(void)
+int
+init_caller_data(uid_t uid, gid_t gid)
 {
-	const char *logname;
 	struct passwd *pw = 0;
 
-	caller_uid = getuid();
-	if (caller_uid < MIN_CHANGE_UID)
-		error(EXIT_FAILURE, 0, "caller has invalid uid: %u",
-		      caller_uid);
-
-	caller_gid = getgid();
-	if (caller_gid < MIN_CHANGE_GID)
-		error(EXIT_FAILURE, 0, "caller has invalid gid: %u",
-		      caller_gid);
-
-	if ((logname = getenv("LOGNAME")))
-		if (!*logname || strchr(logname, ':'))
-			logname = 0;
-
-	if (logname)
-	{
-		pw = getpwnam(logname);
-		if (caller_uid != pw->pw_uid || caller_gid != pw->pw_gid)
-			pw = 0;
+	caller_uid = uid;
+	if (caller_uid < MIN_CHANGE_UID) {
+		err("caller has invalid uid: %u", caller_uid);
+		return -1;
+	}
+
+	caller_gid = gid;
+	if (caller_gid < MIN_CHANGE_GID) {
+		err("caller has invalid gid: %u", caller_gid);
+		return -1;
 	}
 
-	if (!pw)
-		pw = getpwuid(caller_uid);
+	pw = getpwuid(caller_uid);
 
-	if (!pw || !pw->pw_name)
-		error(EXIT_FAILURE, 0, "caller lookup failure");
+	if (!pw || !pw->pw_name) {
+		err("caller pwent lookup failure");
+		return -1;
+	}
 
 	caller_user = xstrdup(pw->pw_name);
 
-	if (caller_uid != pw->pw_uid)
-		error(EXIT_FAILURE, 0, "caller %s: uid mismatch",
-		      caller_user);
+	if (caller_uid != pw->pw_uid) {
+		err("caller %s: uid does not match pwent", caller_user);
+		return -1;
+	}
 
-	if (caller_gid != pw->pw_gid)
-		error(EXIT_FAILURE, 0, "caller %s: gid mismatch",
-		      caller_user);
+	if (caller_gid != pw->pw_gid) {
+		err("caller %s: gid does not match pwent", caller_user);
+		return -1;
+	}
 
 	errno = 0;
 	if (pw->pw_dir && *pw->pw_dir)
 		caller_home = canonicalize_file_name(pw->pw_dir);
 
-	if (!caller_home || !*caller_home)
-		error(EXIT_FAILURE, errno, "caller %s: invalid home",
-		      caller_user);
+	if (!caller_home || !*caller_home) {
+		err("caller %s has invalid home: %m", caller_user);
+		return -1;
+	}
+
+	return 0;
+}
+
+void
+free_caller_data(void)
+{
+	free(caller_user);
+	free(caller_home);
 }
diff --git a/hasher-priv/caller_server.c b/hasher-priv/caller_server.c
new file mode 100644
index 0000000..2e9ef9c
--- /dev/null
+++ b/hasher-priv/caller_server.c
@@ -0,0 +1,350 @@
+
+/*
+  Copyright (C) 2019  Alexey Gladkov <legion@altlinux.org>
+
+  The per-calling-user server part of the hasher-privd program.
+
+  SPDX-License-Identifier: GPL-2.0-or-later
+*/
+
+/* Code in this file may be executed with root privileges. */
+
+#include <linux/un.h>
+
+#include <sys/socket.h> /* SOCK_CLOEXEC */
+#include <sys/prctl.h>
+#include <sys/signalfd.h>
+#include <sys/wait.h>
+
+#include <stdio.h>
+#include <errno.h>
+#include <unistd.h>
+#include <grp.h>
+
+#include "priv.h"
+#include "xmalloc.h"
+#include "sockets.h"
+#include "logging.h"
+#include "epoll.h"
+#include "communication.h"
+
+static char socketpath[UNIX_PATH_MAX];
+
+static int
+validate_arguments(task_t task, char **argv)
+{
+	int required_args = 0, more_args = 0;
+	int rc = -1;
+	int argc = 0;
+
+	while (argv && argv[argc])
+		argc++;
+
+	switch (task) {
+	case TASK_GETCONF:
+	case TASK_KILLUID:
+	case TASK_GETUGID1:
+	case TASK_GETUGID2:
+		required_args = 0;
+		break;
+	case TASK_CHROOTUID1:
+	case TASK_CHROOTUID2:
+		more_args = 1;
+		required_args = 2;
+		break;
+	default:
+		err("unknown task type: %u", task);
+		return rc;
+	}
+
+	if (argc < 0)
+		err("number of arguments must be a positive but got %d", argc);
+
+	else if (argc < required_args)
+		err("%s task requires at least %d arguments but got %d",
+		    task2str(task), required_args, argc);
+
+	else if (argc > required_args && !more_args)
+		err("%s task requires exactly %d arguments but got %d",
+		    task2str(task), required_args, argc);
+
+	else
+		rc = 0;
+
+	return rc;
+}
+
+static void
+free_task(struct task *task)
+{
+	if (task->stdin > 0)
+		close(task->stdin);
+	if (task->stdout > 0)
+		close(task->stdout);
+	if (task->stderr > 0)
+		close(task->stderr);
+
+	if (task->env) {
+		free(task->env[0]);
+		free(task->env);
+	}
+
+	if (task->argv) {
+		free(task->argv[0]);
+		free(task->argv);
+	}
+}
+
+static int
+cancel_task(int conn, struct task *task)
+{
+	free_task(task);
+	send_command_response(conn, CMD_STATUS_FAILED, "command failed");
+	return 0;
+}
+
+static int
+receive_task_request(struct hadaemon* d, int conn)
+{
+	uid_t uid;
+	gid_t gid;
+
+	if (get_peercred(conn, NULL, &uid, &gid) < 0)
+		return -1;
+
+	if (caller_uid != uid || caller_gid != gid) {
+		err("user (uid=%d) has no permission to send commands"
+		    " to the session of another user (uid=%d)",
+		    uid, caller_uid);
+		return -1;
+	}
+
+	struct task task = { 0 };
+	int fds[3];
+
+	while (1) {
+		task_t type = TASK_NONE;
+		struct cmd hdr = { 0 };
+
+		if (xrecvmsg(conn, &hdr, sizeof(hdr)) < 0)
+			return cancel_task(conn, &task);
+
+		switch (hdr.type) {
+		case CMD_TASK_BEGIN:
+			if (hdr.datalen != sizeof(type))
+				return cancel_task(conn, &task);
+
+			if (xrecvmsg(conn, &type, hdr.datalen) < 0)
+				return cancel_task(conn, &task);
+
+			task.type = type;
+
+			break;
+
+		case CMD_TASK_FDS:
+			if (hdr.datalen != sizeof(int) * 3)
+				return cancel_task(conn, &task);
+
+			if (task.stdin)
+				close(task.stdin);
+
+			if (task.stdout)
+				close(task.stdout);
+
+			if (task.stderr)
+				close(task.stderr);
+
+			if (fds_recv(conn, fds, 3) < 0)
+				return cancel_task(conn, &task);
+
+			task.stdin = fds[0];
+			task.stdout = fds[1];
+			task.stderr = fds[2];
+
+			break;
+
+		case CMD_TASK_ARGUMENTS:
+			if (task.argv) {
+				free(task.argv[0]);
+				free(task.argv);
+			}
+
+			if (recv_list(conn, &task.argv, hdr.datalen) < 0)
+				return cancel_task(conn, &task);
+
+			if (validate_arguments(task.type, task.argv) < 0)
+				return cancel_task(conn, &task);
+
+			break;
+
+		case CMD_TASK_ENVIRON:
+			if (task.env) {
+				free(task.env[0]);
+				free(task.env);
+			}
+
+			if (recv_list(conn, &task.env, hdr.datalen) < 0)
+				return cancel_task(conn, &task);
+
+			break;
+
+		case CMD_TASK_RUN:
+			process_cmd_task_run(d, conn, &task);
+			free_task(&task);
+			/* process_caller_task() sends a response by itself. */
+			return 0;
+
+		default:
+			err("unsupported command: %d", hdr.type);
+		}
+
+		send_command_response(conn, CMD_STATUS_DONE, NULL);
+	}
+
+	return 0;
+}
+
+int
+caller_server_listener_init(struct hadaemon* sdae)
+{
+	int ret = 0;
+	sdae->fd_ep = -1;
+	sdae->fd_signal = -1;
+	sdae->fd_conn = -1;
+
+	umask(077);
+
+	snprintf(socketpath, sizeof(socketpath),
+		"%s/%d:%u",
+		SOCKETDIR, caller_uid, caller_num);
+
+	if ((sdae->fd_conn = srv_listen(socketpath)) < 0)
+		return -1;
+
+	if (chown(socketpath, caller_uid, caller_gid)) {
+		err("fchown: %s: %m", socketpath);
+		ret = -1;
+		goto fail;
+	}
+
+	/* Load config according to caller information. */
+	configure();
+
+	sigset_t mask;
+
+	sigfillset(&mask);
+	sigprocmask(SIG_SETMASK, &mask, NULL);
+
+	if ((sdae->fd_signal = signalfd(-1, &mask, SFD_NONBLOCK | SFD_CLOEXEC)) < 0) {
+		err("signalfd: %m");
+		ret = -1;
+		goto fail;
+	}
+
+	if ((sdae->fd_ep = epoll_create1(EPOLL_CLOEXEC)) < 0) {
+		err("epoll_create1: %m");
+		ret = -1;
+		goto fail;
+	}
+
+	if (epollin_add(sdae->fd_ep, sdae->fd_signal) < 0 || epollin_add(sdae->fd_ep, sdae->fd_conn) < 0) {
+		err("epollin_add: failed");
+		ret = -1;
+		goto fail;
+	}
+
+	return ret;
+
+fail:
+	epollin_remove(sdae->fd_ep, sdae->fd_signal);
+	epollin_remove(sdae->fd_ep, sdae->fd_conn);
+
+	if (sdae->fd_ep >= 0)
+		close(sdae->fd_ep);
+	if (sdae->fd_signal >= 0)
+		close(sdae->fd_signal);
+
+	unlink(socketpath);
+
+	return ret;
+}
+
+int
+caller_server(struct hadaemon* sdae)
+{
+	int ret = 0;
+
+	unsigned long nsec = 0;
+	int finish_server = 0;
+
+	while (!finish_server) {
+		struct epoll_event ev[42];
+		int fdcount;
+
+		errno = 0;
+		if ((fdcount = epoll_wait(sdae->fd_ep, ev, ARRAY_SIZE(ev), 1000)) < 0) {
+			if (errno == EINTR)
+				continue;
+			err("epoll_wait: %m");
+			break;
+		}
+
+		if (fdcount == 0) {
+			nsec++;
+
+			if (nsec >= server_session_timeout)
+				break;
+
+		} else for (int i = 0; i < fdcount; i++) {
+			if (!(ev[i].events & EPOLLIN)) {
+				continue;
+
+			} else if (ev[i].data.fd == sdae->fd_signal) {
+				struct signalfd_siginfo fdsi;
+				ssize_t size;
+
+				size = read_retry(sdae->fd_signal, &fdsi, sizeof(fdsi));
+
+				if (size != sizeof(fdsi)) {
+					err("unable to read signal info from signalfd");
+					continue;
+				}
+
+				int status;
+
+				switch (fdsi.ssi_signo) {
+					case SIGINT:
+					case SIGTERM:
+						finish_server = 1;
+						break;
+					case SIGCHLD:
+						if (waitpid(-1, &status, 0) < 0)
+							err("waitpid: %m");
+						break;
+				}
+
+			} else if (ev[i].data.fd == sdae->fd_conn) {
+				int conn;
+
+				if ((conn = accept4(sdae->fd_conn, NULL, 0, SOCK_CLOEXEC)) < 0) {
+					err("accept4: %m");
+					continue;
+				}
+
+				if (set_recv_timeout(conn, 3) < 0) {
+					close(conn);
+					continue;
+				}
+
+				if (!receive_task_request(sdae, conn)) {
+					/* reset timer */
+					nsec = 0;
+				}
+
+				close(conn);
+			}
+		}
+	}
+
+	return ret;
+}
diff --git a/hasher-priv/caller_task.c b/hasher-priv/caller_task.c
new file mode 100644
index 0000000..7a9fc98
--- /dev/null
+++ b/hasher-priv/caller_task.c
@@ -0,0 +1,219 @@
+
+/*
+  Copyright (C) 2019  Alexey Gladkov <legion@altlinux.org>
+
+  The task handling part of the hasher-privd program.
+
+  SPDX-License-Identifier: GPL-2.0-or-later
+*/
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/param.h>
+#include <sys/wait.h>
+
+#include <unistd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdint.h>
+
+#include "communication.h"
+#include "xmalloc.h"
+#include "logging.h"
+#include "sockets.h"
+#include "priv.h"
+
+/* Code in this function may be executed with root privileges. */
+static int
+killprevious(void)
+{
+	int rc = 0;
+	pid_t pid = fork();
+
+	if (pid < 0) {
+		err("fork: %m");
+		return -1;
+	}
+
+	if (!pid)
+		exit(do_killuid());
+
+	while (1) {
+		int wstatus;
+
+		if (waitpid(pid, &wstatus, WUNTRACED | WCONTINUED) < 0) {
+			err("waitpid: %m");
+			rc = -1;
+			break;
+		}
+
+		if (WIFEXITED(wstatus)) {
+			rc = WEXITSTATUS(wstatus);
+			break;
+		}
+	}
+
+	return rc;
+}
+
+/* Code in this function may be executed with root privileges. */
+static int
+reopen_fd(int oldfd, int newfd)
+{
+	if (oldfd < 0)
+		return 0;
+
+	close(newfd);
+
+	if (dup2(oldfd, newfd) < 0) {
+		err("dup2: %m");
+		return -1;
+	}
+
+	close(oldfd);
+
+	return 0;
+}
+
+/* Code in this function may be executed with root privileges. */
+static int
+reopen_iostreams(int stdin, int stdout, int stderr)
+{
+	return (reopen_fd(stdin, STDIN_FILENO) < 0 ||
+	    reopen_fd(stdout, STDOUT_FILENO) < 0 ||
+	    reopen_fd(stderr, STDERR_FILENO) < 0) ? -1 : 0;
+}
+
+/* Code in this function may be executed with root privileges. */
+static int
+spawn_caller_task(struct task *task)
+{
+	int rc = EXIT_FAILURE;
+	int i = 0;
+	pid_t pid;
+
+	pid = fork();
+	if (pid < 0) {
+		err("fork: %m");
+		return -1;
+	}
+	if (pid != 0) {
+		return pid;
+	}
+
+	if ((rc = reopen_iostreams(task->stdin, task->stdout, task->stderr)) < 0)
+		exit(rc);
+
+	/* clean up environment to avoid side effects. */
+	if (clearenv() != 0)
+		fatal("clearenv: %m");
+
+	while (task->env && task->env[i]) {
+		if (putenv(task->env[i++]) != 0)
+			fatal("putenv: %m");
+	}
+
+	/* First, check and sanitize file descriptors. */
+	sanitize_fds();
+
+	/* Second, parse task arguments. */
+	parse_task_args(task->type, (const char **)task->argv);
+
+	/* Third, ensure correctness of chroot path. */
+	if (chroot_path && *chroot_path != '/')
+		fatal("%s: invalid chroot path", chroot_path);
+
+	/* Fourth, parse environment for config options. */
+	parse_env();
+
+	/* We won't need environment variables any longer. */
+	if (clearenv() != 0)
+		fatal("clearenv: %m");
+
+	/* Finally, execute the requested task. */
+	switch (task->type) {
+		case TASK_GETCONF:
+			rc = do_getconf();
+			break;
+		case TASK_KILLUID:
+			rc = do_killuid();
+			break;
+		case TASK_GETUGID1:
+			rc = do_getugid1();
+			break;
+		case TASK_CHROOTUID1:
+			rc = !killprevious()
+				? do_chrootuid1()
+				: EXIT_FAILURE;
+			break;
+		case TASK_GETUGID2:
+			rc = do_getugid2();
+			break;
+		case TASK_CHROOTUID2:
+			rc = !killprevious()
+				? do_chrootuid2()
+				: EXIT_FAILURE;
+			break;
+		default:
+			fatal("unknown task %d", task->type);
+	}
+
+	/* Write out all the user-space-buffered data */
+	fflush(stdout);
+	fflush(stderr);
+
+	exit(rc);
+}
+
+/* Code in this function may be executed with root privileges. */
+pid_t
+process_cmd_task_run(struct hadaemon* d, int conn, struct task *task)
+{
+	int rc = EXIT_FAILURE;
+	pid_t pid, cpid;
+
+	pid = fork();
+	if (pid < 0) {
+		err("fork: %m");
+		return -1;
+	}
+	if (pid > 0) {
+		return pid;
+	}
+
+	if (d->fd_ep >= 0)
+		close(d->fd_ep);
+	if (d->fd_signal >= 0)
+		close(d->fd_signal);
+	if (d->fd_conn >= 0)
+		close(d->fd_conn);
+
+	if ((cpid = spawn_caller_task(task)) > 0) {
+		while (1) {
+			pid_t w;
+			int wstatus;
+
+			if ((w = waitpid(cpid, &wstatus, WUNTRACED | WCONTINUED)) < 0) {
+				err("waitpid: %m");
+				break;
+			}
+
+			if (WIFEXITED(wstatus)) {
+				rc = WEXITSTATUS(wstatus);
+				info("%s: process %d exited, status=%d", task2str(task->type), cpid, WEXITSTATUS(wstatus));
+				break;
+			}
+
+			if (WIFSIGNALED(wstatus)) {
+				info("%s: process %d killed by signal %d", task2str(task->type), cpid, WTERMSIG(wstatus));
+				break;
+			}
+		}
+	}
+
+	/* Notify the client about the results. */
+	(rc == EXIT_FAILURE)
+		? send_command_response(conn, CMD_STATUS_FAILED, "command failed")
+		: send_command_response(conn, CMD_STATUS_DONE, NULL);
+
+	exit(rc);
+}
diff --git a/hasher-priv/cmdline.c b/hasher-priv/cmdline.c
index 1cdfe23..aba802f 100644
--- a/hasher-priv/cmdline.c
+++ b/hasher-priv/cmdline.c
@@ -80,6 +80,8 @@ const char *chroot_path;
 const char **chroot_argv;
 unsigned caller_num;
 
+const char **task_args;
+
 static unsigned
 get_caller_num(const char *str)
 {
@@ -126,40 +128,57 @@ parse_cmdline(int argc, const char *argv[])
 	if (ac < 1)
 		show_usage("insufficient arguments");
 
+	task_args = NULL;
+
 	if (!strcmp("getconf", av[0]))
 	{
 		if (ac != 1)
 			show_usage("%s: invalid usage", av[0]);
+		task_args = av + 1;
 		return TASK_GETCONF;
 	} else if (!strcmp("killuid", av[0]))
 	{
 		if (ac != 1)
 			show_usage("%s: invalid usage", av[0]);
+		task_args = av + 1;
 		return TASK_KILLUID;
 	} else if (!strcmp("getugid1", av[0]))
 	{
 		if (ac != 1)
 			show_usage("%s: invalid usage", av[0]);
+		task_args = av + 1;
 		return TASK_GETUGID1;
 	} else if (!strcmp("chrootuid1", av[0]))
 	{
 		if (ac < 3)
 			show_usage("%s: invalid usage", av[0]);
-		chroot_path = av[1];
-		chroot_argv = av + 2;
+		task_args = av + 1;
 		return TASK_CHROOTUID1;
 	} else if (!strcmp("getugid2", av[0]))
 	{
 		if (ac != 1)
 			show_usage("%s: invalid usage", av[0]);
+		task_args = av + 1;
 		return TASK_GETUGID2;
 	} else if (!strcmp("chrootuid2", av[0]))
 	{
 		if (ac < 3)
 			show_usage("%s: invalid usage", av[0]);
-		chroot_path = av[1];
-		chroot_argv = av + 2;
+		task_args = av + 1;
 		return TASK_CHROOTUID2;
 	} else
 		show_usage("%s: invalid argument", av[0]);
 }
+
+void
+parse_task_args(task_t task, const char *argv[])
+{
+	switch (task) {
+		case TASK_CHROOTUID1:
+		case TASK_CHROOTUID2:
+			chroot_path = argv[0];
+			chroot_argv = (const char **)argv + 1;
+		default:
+			break;
+	}
+}
diff --git a/hasher-priv/communication.c b/hasher-priv/communication.c
new file mode 100644
index 0000000..982a527
--- /dev/null
+++ b/hasher-priv/communication.c
@@ -0,0 +1,394 @@
+
+/*
+  Copyright (C) 2019  Alexey Gladkov <legion@altlinux.org>
+
+  This file offers some helper functions for client-server communication.
+
+  SPDX-License-Identifier: GPL-2.0-or-later
+*/
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "priv.h"
+#include "logging.h"
+#include "xmalloc.h"
+#include "sockets.h"
+#include "communication.h"
+
+struct cmd_resp {
+	cmd_status_t status;
+	size_t msglen;
+};
+
+#define taskbuflen 20
+static char taskbuf[taskbuflen];
+
+static const struct cm {
+	const char *name;
+	task_t value;
+} taskmap[] = {
+	{ "none",        TASK_NONE },
+	{ "getconf",     TASK_GETCONF },
+	{ "killuid",     TASK_KILLUID },
+	{ "getugid1",    TASK_GETUGID1 },
+	{ "getugid2",    TASK_GETUGID2 },
+	{ "chrootuid1",  TASK_CHROOTUID1 },
+	{ "chrootuid2",  TASK_CHROOTUID2 }
+};
+
+static const size_t taskmap_size = ARRAY_SIZE(taskmap);
+
+const char *main_socket_base_name = "daemon";
+
+char *
+task2str(task_t type)
+{
+	size_t i;
+
+	for (i = 0; i < taskmap_size; i++) {
+		if (taskmap[i].value == type)
+			return strncpy(taskbuf, taskmap[i].name, taskbuflen - 1);
+	}
+	return NULL;
+}
+
+task_t
+str2task(char *s)
+{
+	size_t i;
+
+	for (i = 0; i < taskmap_size; i++) {
+		if (!strcmp(taskmap[i].name, s))
+			return taskmap[i].value;
+	}
+	return TASK_NONE;
+}
+
+static int
+send_list(int conn, cmd_t cmd, const char **argv)
+{
+	int i = 0;
+	struct cmd hdr = { .type = cmd };
+
+	while (argv && argv[i])
+		hdr.datalen += strlen(argv[i++]) + 1;
+
+	if (xsendmsg(conn, &hdr, sizeof(hdr)) < 0)
+		return -1;
+
+	i = 0;
+	while (argv && argv[i]) {
+		if (xsendmsg(conn, (char *)argv[i], strlen(argv[i]) + 1) < 0)
+			return -1;
+		i++;
+	}
+
+	return 0;
+}
+
+int
+recv_list(int conn, char ***argv, size_t datalen)
+{
+	char *args = calloc(1UL, datalen);
+	if (!args) {
+		err("calloc: %m");
+		return -1;
+	}
+
+	if (datalen > 0 && xrecvmsg(conn, args, datalen) < 0) {
+		free(args);
+		return -1;
+	}
+
+	if (!argv) {
+		free(args);
+		return 0;
+	}
+
+	size_t i = 0, n = 0;
+
+	while (args && n < datalen) {
+		i++;
+		n += strnlen(args + n, datalen - n) + 1;
+	}
+
+	char **av = malloc(sizeof(char *) * (i + 1));
+	if (!av) {
+		err("malloc: %m");
+		return -1;
+	}
+	av[i] = NULL;
+
+	i = n = 0;
+
+	while (args && n < datalen) {
+		av[i++] = args + n;
+		n += strnlen(args + n, datalen - n) + 1;
+	}
+
+	*argv = av;
+
+	return 0;
+}
+
+long int
+send_command_response(int conn, cmd_status_t retcode, const char *fmt, ...)
+{
+	va_list ap;
+
+	struct cmd_resp rs = { 0 };
+	struct iovec iov = { 0 };
+	struct msghdr msg = { 0 };
+
+	rs.status = retcode;
+	rs.msglen = 0;
+
+	if (fmt && *fmt) {
+		int len;
+
+		va_start(ap, fmt);
+		len = vsnprintf(NULL, 0, fmt, ap);
+		va_end(ap);
+
+		if (len < 0) {
+			err("unable to calculate message size");
+			return -1;
+		}
+
+		rs.msglen = (size_t)len + 1;
+	}
+
+	iov.iov_base = &rs;
+	iov.iov_len = sizeof(rs);
+
+	msg.msg_iov = &iov;
+	msg.msg_iovlen = 1;
+
+	errno = 0;
+	if (sendmsg_retry(conn, &msg, MSG_NOSIGNAL) < 0) {
+		/* The client left without waiting for an answer */
+		if (errno == EPIPE)
+			return 0;
+
+		err("sendmsg: %m");
+		return -1;
+	}
+
+	if (!rs.msglen)
+		return 0;
+
+	msg.msg_iov[0].iov_base = malloc(rs.msglen);
+
+	if (!msg.msg_iov[0].iov_base) {
+		err("malloc: %m");
+		return -1;
+	}
+
+	msg.msg_iov[0].iov_len = rs.msglen;
+
+	va_start(ap, fmt);
+	vsnprintf(msg.msg_iov[0].iov_base, msg.msg_iov[0].iov_len, fmt, ap);
+	va_end(ap);
+
+	long int rc = 0;
+	errno = 0;
+	if (sendmsg_retry(conn, &msg, MSG_NOSIGNAL) < 0 && errno != EPIPE) {
+		err("sendmsg: %m");
+		rc = -1;
+	}
+
+	free(msg.msg_iov[0].iov_base);
+
+	return rc;
+}
+
+static int
+recv_command_response(int conn, cmd_status_t *retcode, char **m)
+{
+	struct cmd_resp rs = { 0 };
+
+	if (xrecvmsg(conn, &rs, sizeof(rs)) < 0)
+		return -1;
+
+	if (retcode)
+		*retcode = rs.status;
+
+	if (!m || !rs.msglen)
+		return 0;
+
+	char *x = xcalloc(1UL, rs.msglen);
+	if (xrecvmsg(conn, x, rs.msglen) < 0)
+		return -1;
+
+	*m = x;
+	return 0;
+}
+
+int
+server_command(int conn, cmd_t cmd, const char **args)
+{
+	cmd_status_t status;
+	char *msg = NULL;
+
+	if (send_list(conn, cmd, args) < 0)
+		return -1;
+
+	if (recv_command_response(conn, &status, &msg) < 0) {
+		free(msg);
+		return -1;
+	}
+
+	if (msg && *msg) {
+		err("%s", msg);
+		free(msg);
+	}
+
+	return status == CMD_STATUS_FAILED ? -1 : 0;
+}
+
+int
+server_open_session(const char *dir_name, const char *file_name, unsigned num)
+{
+	int conn = srv_connect(dir_name, file_name);
+
+	if (conn < 0)
+		return -1;
+
+	struct cmd hdr = {
+		.type    = CMD_OPEN_SESSION,
+		.datalen = sizeof(num),
+	};
+
+	if (xsendmsg(conn, &hdr, sizeof(hdr)) < 0)
+		return -1;
+
+	if (xsendmsg(conn, &num, sizeof(num)) < 0)
+		return -1;
+
+	cmd_status_t status;
+	char *msg = NULL;
+
+	if (recv_command_response(conn, &status, &msg) < 0) {
+		free(msg);
+		return -1;
+	}
+
+	close(conn);
+
+	if (msg && *msg) {
+		err("%s", msg);
+		free(msg);
+	}
+
+	return status == CMD_STATUS_FAILED ? -1 : 0;
+}
+
+int
+server_close_session(const char *dir_name, const char *file_name, unsigned num)
+{
+	int conn = srv_connect(dir_name, file_name);
+
+	if (conn < 0)
+		return -1;
+
+	struct cmd hdr = {
+		.type    = CMD_CLOSE_SESSION,
+		.datalen = sizeof(num),
+	};
+
+	if (xsendmsg(conn, &hdr, sizeof(hdr)) < 0)
+		return -1;
+
+	if (xsendmsg(conn, &num, sizeof(num)) < 0)
+		return -1;
+
+	cmd_status_t status;
+	char *msg = NULL;
+
+	if (recv_command_response(conn, &status, &msg) < 0) {
+		free(msg);
+		return -1;
+	}
+
+	close(conn);
+
+	if (msg && *msg) {
+		err("%s", msg);
+		free(msg);
+	}
+
+	return status == CMD_STATUS_FAILED ? -1 : 0;
+}
+
+int
+server_task(int conn, task_t type)
+{
+	struct cmd hdr = {
+		.type    = CMD_TASK_BEGIN,
+		.datalen = sizeof(type),
+	};
+
+	if (xsendmsg(conn, &hdr, sizeof(hdr)) < 0)
+		return -1;
+
+	if (xsendmsg(conn, &type, hdr.datalen) < 0)
+		return -1;
+
+	cmd_status_t status;
+	char *msg = NULL;
+
+	if (recv_command_response(conn, &status, &msg) < 0) {
+		free(msg);
+		return -1;
+	}
+
+	if (msg && *msg) {
+		err("%s", msg);
+		free(msg);
+	}
+
+	return status == CMD_STATUS_FAILED ? -1 : 0;
+}
+
+int
+server_task_fds(int conn)
+{
+	cmd_status_t status;
+	char *msg = NULL;
+
+	int myfds[3] = {
+		STDIN_FILENO,
+		STDOUT_FILENO,
+		STDERR_FILENO,
+	};
+
+	struct cmd hdr = {
+		.type    = CMD_TASK_FDS,
+		.datalen = sizeof(myfds),
+	};
+
+	if (xsendmsg(conn, &hdr, sizeof(hdr)) < 0)
+		return -1;
+
+	if (fds_send(conn, myfds, 3) < 0)
+		return -1;
+
+	if (recv_command_response(conn, &status, &msg) < 0) {
+		free(msg);
+		return -1;
+	}
+
+	if (msg && *msg) {
+		err("%s", msg);
+		free(msg);
+	}
+
+	return status == CMD_STATUS_FAILED ? -1 : 0;
+}
diff --git a/hasher-priv/communication.h b/hasher-priv/communication.h
new file mode 100644
index 0000000..9670593
--- /dev/null
+++ b/hasher-priv/communication.h
@@ -0,0 +1,80 @@
+
+/*
+  Copyright (C) 2019  Alexey Gladkov <legion@altlinux.org>
+
+  This file offers some helper functions for client-server communication.
+
+  SPDX-License-Identifier: GPL-2.0-or-later
+*/
+
+#ifndef _COMMUNICATION_H_
+#define _COMMUNICATION_H_
+
+#include <stddef.h>
+#include <stdint.h>
+
+extern const char *main_socket_base_name;
+
+typedef enum {
+	CMD_NONE = 0,
+
+	/* Master commands */
+	CMD_OPEN_SESSION,
+	CMD_CLOSE_SESSION,
+
+	/* Session commands */
+	CMD_TASK_BEGIN,
+	CMD_TASK_FDS,
+	CMD_TASK_ARGUMENTS,
+	CMD_TASK_ENVIRON,
+	CMD_TASK_RUN,
+
+} cmd_t;
+
+typedef enum {
+	CMD_STATUS_DONE = 0,
+	CMD_STATUS_FAILED,
+} cmd_status_t;
+
+struct cmd {
+	cmd_t  type;
+	size_t datalen;
+};
+
+typedef enum {
+	TASK_NONE = 0,
+	TASK_GETCONF,
+	TASK_KILLUID,
+	TASK_GETUGID1,
+	TASK_CHROOTUID1,
+	TASK_GETUGID2,
+	TASK_CHROOTUID2
+} task_t;
+
+struct task {
+	task_t type;
+	unsigned num;
+	int stdin;
+	int stdout;
+	int stderr;
+	char **argv;
+	char **env;
+};
+
+char *task2str(task_t type);
+task_t str2task(char *s) __attribute__((nonnull(1)));
+
+int recv_list(int conn, char ***argv, size_t datalen);
+
+long int send_command_response(int conn, cmd_status_t retcode, const char *fmt, ...) __attribute__((format(printf, 3, 4)));
+
+int server_command(int conn, cmd_t cmd, const char **args);
+int server_open_session(const char *dir_name, const char *file_name, unsigned caller_num) __attribute__((nonnull(1, 2)));
+int server_close_session(const char *dir_name, const char *file_name, unsigned caller_num) __attribute__((nonnull(1, 2)));
+
+int server_task(int conn, task_t task);
+int server_task_fds(int conn);
+
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+
+#endif /* _COMMUNICATION_H_ */
diff --git a/hasher-priv/config.c b/hasher-priv/config.c
index e3fedcd..4aa499d 100644
--- a/hasher-priv/config.c
+++ b/hasher-priv/config.c
@@ -1,8 +1,9 @@
 
 /*
   Copyright (C) 2003-2019  Dmitry V. Levin <ldv@altlinux.org>
+  Copyright (C) 2019  Alexey Gladkov <legion@altlinux.org>
 
-  Configuration support module for the hasher-priv program.
+  Configuration support module for the hasher-privd.
 
   SPDX-License-Identifier: GPL-2.0-or-later
 */
@@ -19,13 +20,17 @@
 #include <unistd.h>
 #include <limits.h>
 #include <pwd.h>
+#include <grp.h>
 
 #include "priv.h"
 #include "xmalloc.h"
+#include "logging.h"
 
 const char *const *chroot_prefix_list;
 const char *chroot_prefix_path;
 const char *change_user1, *change_user2;
+char *server_access_group = NULL;
+char *server_pidfile = NULL;
 const char *term;
 const char *x11_display, *x11_key;
 str_list_t allowed_devices;
@@ -33,6 +38,8 @@ str_list_t allowed_mountpoints;
 str_list_t requested_mountpoints;
 uid_t   change_uid1, change_uid2;
 gid_t   change_gid1, change_gid2;
+gid_t   server_gid;
+unsigned long server_session_timeout = 0;
 mode_t  change_umask = 022;
 int change_nice = 8;
 int     makedev_console;
@@ -42,6 +49,7 @@ int share_caller_network = 0;
 int share_ipc = -1;
 int share_network = -1;
 int share_uts = -1;
+int server_log_priority = -1;
 change_rlimit_t change_rlimit[] = {
 
 /* Per-process CPU limit, in seconds.  */
@@ -209,7 +217,7 @@ parse_rlim(const char *name, const char *value, const char *optname,
 }
 
 static unsigned long
-str2wlim(const char *name, const char *value, const char *filename)
+str2ul(const char *name, const char *value, const char *filename)
 {
 	char   *p = 0;
 	unsigned long long n;
@@ -229,7 +237,7 @@ static void
 modify_wlim(unsigned long *pval, const char *value,
 	    const char *optname, const char *filename, int is_system)
 {
-	unsigned long val = str2wlim(optname, value, filename);
+	unsigned long val = str2ul(optname, value, filename);
 
 	if (is_system || *pval == 0 || (val > 0 && val < *pval))
 		*pval = val;
@@ -283,7 +291,7 @@ parse_str_list(const char *value, str_list_t *s)
 	if (s->len)
 		qsort(s->list, s->len, sizeof(*s->list), strp_cmp);
 	/* clear duplicate entries */
-        for (size_t i = 1; i < s->len; ++i)
+	for (size_t i = 1; i < s->len; ++i)
 		if (!strcmp(s->list[i - 1], s->list[i]))
 			s->list[i - 1] = 0;
 }
@@ -633,3 +641,134 @@ parse_env(void)
 	if ((e = getenv("requested_mountpoints")))
 		parse_str_list(e, &requested_mountpoints);
 }
+
+static void
+check_server_access_group(void)
+{
+	struct group *gr;
+
+	if (!server_access_group || !*server_access_group)
+		error(EXIT_FAILURE, 0, "config: undefined option: access_group");
+
+	gr = getgrnam(server_access_group);
+
+	if (!gr || !gr->gr_name)
+		error(EXIT_FAILURE, 0, "config: access_group: %s lookup failure", server_access_group);
+
+	server_gid = gr->gr_gid;
+}
+
+static void
+set_server_config(const char *name, const char *value, const char *filename)
+{
+	if (!strcasecmp("priority", name)) {
+		server_log_priority = logging_level(value);
+	} else if (!strcasecmp("session_timeout", name)) {
+		server_session_timeout = str2ul(name, value, filename);
+	} else if (!strcasecmp("pidfile", name)) {
+		free(server_pidfile);
+		server_pidfile = xstrdup(value);
+	} else if (!strcasecmp("access_group", name)) {
+		free(server_access_group);
+		server_access_group = xstrdup(value);
+	} else {
+		bad_option_name(name, filename);
+	}
+}
+
+static void
+read_server_config(int fd, const char *name)
+{
+	FILE *fp = fdopen(fd, "r");
+	char buf[BUFSIZ];
+	unsigned line;
+
+	if (!fp)
+		error(EXIT_FAILURE, errno, "fdopen: %s", name);
+
+	for (line = 1; fgets(buf, BUFSIZ, fp); ++line) {
+		const char *start, *left;
+		char   *eq, *right, *end;
+
+		for (start = buf; *start && isspace(*start); ++start)
+			;
+
+		if (!*start || '#' == *start)
+			continue;
+
+		if (!(eq = strchr(start, '=')))
+			error(EXIT_FAILURE, 0, "%s: syntax error at line %u",
+			      name, line);
+
+		left = start;
+		right = eq + 1;
+
+		for (; eq > left; --eq)
+			if (!isspace(eq[-1]))
+				break;
+
+		if (left == eq)
+			error(EXIT_FAILURE, 0, "%s: syntax error at line %u",
+			      name, line);
+
+		*eq = '\0';
+		end = right + strlen(right);
+
+		for (; right < end; ++right)
+			if (!isspace(*right))
+				break;
+
+		for (; end > right; --end)
+			if (!isspace(end[-1]))
+				break;
+
+		*end = '\0';
+		set_server_config(left, right, name);
+	}
+
+	if (ferror(fp))
+		error(EXIT_FAILURE, errno, "fgets: %s", name);
+
+	if (fclose(fp))
+		error(EXIT_FAILURE, errno, "fclose: %s", name);
+}
+
+static void
+load_server_config(const char *name)
+{
+	struct stat st;
+	int fd = open(name, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
+
+	if (fd < 0)
+		error(EXIT_FAILURE, errno, "open: %s", name);
+
+	if (fstat(fd, &st) < 0)
+		error(EXIT_FAILURE, errno, "fstat: %s", name);
+
+	stat_root_ok_validator(&st, name);
+
+	if (!S_ISREG(st.st_mode))
+		error(EXIT_FAILURE, 0, "%s: not a regular file", name);
+
+	if (st.st_size > MAX_CONFIG_SIZE)
+		error(EXIT_FAILURE, 0, "%s: file too large: %lu",
+		      name, (unsigned long) st.st_size);
+
+	read_server_config(fd, name);
+}
+
+void
+configure_server(void)
+{
+	safe_chdir("/", stat_root_ok_validator);
+	safe_chdir("etc/hasher-priv", stat_root_ok_validator);
+	load_server_config("daemon.conf");
+	check_server_access_group();
+}
+
+void
+free_server_configuration(void)
+{
+	free(server_pidfile);
+	free(server_access_group);
+}
diff --git a/hasher-priv/daemon.conf b/hasher-priv/daemon.conf
new file mode 100644
index 0000000..2d740a6
--- /dev/null
+++ b/hasher-priv/daemon.conf
@@ -0,0 +1,13 @@
+# Server configuration
+
+# Set the default logging priority. (can override with command line arguments)
+priority=info
+
+# Write a pid file. (can override with command line arguments)
+pidfile=/var/run/hasher-privd.pid
+
+# Stop user's session server after {session_timeout} seconds of inactivity.
+session_timeout=3600
+
+# Allow users of this group to interact with hasher-privd via the control socket.
+access_group=hashman
diff --git a/hasher-priv/epoll.c b/hasher-priv/epoll.c
new file mode 100644
index 0000000..6eecd71
--- /dev/null
+++ b/hasher-priv/epoll.c
@@ -0,0 +1,39 @@
+
+/*
+  Copyright (C) 2019  Alexey Gladkov <legion@altlinux.org>
+
+  The helpers for epoll API for the hasher-privd program.
+
+  SPDX-License-Identifier: GPL-2.0-or-later
+*/
+
+#include <sys/epoll.h>
+
+#include <string.h>
+#include <unistd.h>
+
+#include "epoll.h"
+#include "logging.h"
+
+int epollin_add(int fd_ep, int fd)
+{
+	struct epoll_event ev = {
+		.events = EPOLLIN,
+		.data.fd = fd,
+	};
+
+	if (epoll_ctl(fd_ep, EPOLL_CTL_ADD, fd, &ev) < 0) {
+		err("epoll_ctl: %m");
+		return -1;
+	}
+
+	return 0;
+}
+
+void epollin_remove(int fd_ep, int fd)
+{
+	if (fd < 0)
+		return;
+	epoll_ctl(fd_ep, EPOLL_CTL_DEL, fd, NULL);
+	close(fd);
+}
diff --git a/hasher-priv/epoll.h b/hasher-priv/epoll.h
new file mode 100644
index 0000000..dc1e567
--- /dev/null
+++ b/hasher-priv/epoll.h
@@ -0,0 +1,18 @@
+
+/*
+  Copyright (C) 2019  Alexey Gladkov <legion@altlinux.org>
+
+  The helpers for epoll API for the hasher-privd program.
+
+  SPDX-License-Identifier: GPL-2.0-or-later
+*/
+
+#ifndef _EPOLL_H_
+#define _EPOLL_H_
+
+#include <sys/epoll.h>
+
+int epollin_add(int fd_ep, int fd);
+void epollin_remove(int fd_ep, int fd);
+
+#endif /* _EPOLL_H_ */
diff --git a/hasher-priv/hasher-priv.c b/hasher-priv/hasher-priv.c
new file mode 100644
index 0000000..f60cb8e
--- /dev/null
+++ b/hasher-priv/hasher-priv.c
@@ -0,0 +1,78 @@
+
+/*
+  Copyright (C) 2003-2019  Dmitry V. Levin <ldv@altlinux.org>
+
+  The entry function for the hasher-priv program.
+
+  SPDX-License-Identifier: GPL-2.0-or-later
+*/
+
+/* Code in this file may be executed with root privileges. */
+
+#include <linux/un.h>
+
+#include <errno.h>
+#include <error.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+
+#include "priv.h"
+#include "logging.h"
+#include "sockets.h"
+#include "communication.h"
+
+int log_fd = -1;
+
+static void
+my_error_print_progname(void)
+{
+	fprintf(stderr, "%s: ", program_invocation_short_name);
+}
+
+int
+main(int ac, const char *av[], const char *ev[])
+{
+	int conn;
+	task_t task;
+	char socketname[UNIX_PATH_MAX];
+
+	error_print_progname = my_error_print_progname;
+
+	/* First, check and sanitize file descriptors. */
+	sanitize_fds();
+
+	/* Second, parse command line arguments. */
+	task = parse_cmdline(ac, av);
+
+	/* Connect to remote server and open session. */
+	if (server_open_session(SOCKETDIR, main_socket_base_name, caller_num) < 0)
+		error(EXIT_FAILURE, errno, "server_open_session(num=%d): %m", caller_num);
+
+	/* Open user session */
+	snprintf(socketname, sizeof(socketname), "%d:%u", geteuid(), caller_num);
+
+	if ((conn = srv_connect(SOCKETDIR, socketname)) < 0)
+		error(EXIT_FAILURE, errno, "connect(num=%d): %m", caller_num);
+
+	if (server_task(conn, task) < 0)
+		error(EXIT_FAILURE, errno, "task: %m");
+
+	if (server_task_fds(conn) < 0)
+		error(EXIT_FAILURE, errno, "task fds: %m");
+
+	if (server_command(conn, CMD_TASK_ARGUMENTS, task_args) < 0)
+		error(EXIT_FAILURE, errno, "cmd_task_arguments: %m");
+
+	if (server_command(conn, CMD_TASK_ENVIRON, ev) < 0)
+		error(EXIT_FAILURE, errno, "cmd_task_environ: %m");
+
+	if (server_command(conn, CMD_TASK_RUN, NULL) < 0)
+		error(EXIT_FAILURE, errno, "cmd_task_run: %m");
+
+	/* Close session socket. */
+	close(conn);
+
+	return EXIT_SUCCESS;
+}
diff --git a/hasher-priv/hasher-priv.spec b/hasher-priv/hasher-priv.spec
index 5479f2f..8ec0013 100644
--- a/hasher-priv/hasher-priv.spec
+++ b/hasher-priv/hasher-priv.spec
@@ -51,10 +51,13 @@ groupadd -r -f hashman
 %attr(750,root,hashman) %dir %configdir/user.d
 %attr(640,root,hashman) %config(noreplace) %configdir/fstab
 %attr(640,root,hashman) %config(noreplace) %configdir/system
+%attr(640,root,hashman) %config(noreplace) %configdir/daemon.conf
 # helpers
 %attr(750,root,hashman) %dir %helperdir
 %attr(6710,root,hashman) %helperdir/%name
 %attr(755,root,root) %helperdir/*.sh
+# daemon
+%_sbindir/hasher-privd
 
 %doc DESIGN
 
diff --git a/hasher-priv/hasher-privd.c b/hasher-priv/hasher-privd.c
new file mode 100644
index 0000000..06f2811
--- /dev/null
+++ b/hasher-priv/hasher-privd.c
@@ -0,0 +1,437 @@
+
+/*
+  Copyright (C) 2019  Alexey Gladkov <legion@altlinux.org>
+
+  The entry function for the hasher-privd program.
+
+  SPDX-License-Identifier: GPL-2.0-or-later
+*/
+
+/* Code in this file may be executed with root privileges. */
+
+#include <linux/un.h>
+
+#include <sys/types.h>
+#include <sys/epoll.h>
+#include <sys/signalfd.h>
+#include <sys/stat.h> /* umask */
+#include <sys/wait.h>
+#include <sys/socket.h>
+
+#include <errno.h>
+#include <error.h>
+#include <getopt.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <setproctitle.h>
+
+#include "epoll.h"
+#include "logging.h"
+#include "pidfile.h"
+#include "sockets.h"
+#include "communication.h"
+#include "priv.h"
+#include "xmalloc.h"
+
+struct hadaemon dn = { -1, -1, -1, };
+
+static struct session *pool = NULL;
+
+static pid_t
+spawn_caller_server(struct hadaemon* d, int cl_conn, struct session *a)
+{
+	int ret;
+	pid_t pid = fork();
+
+	if (pid < 0) {
+		err("fork: %m");
+		return -1;
+	}
+	if (pid != 0) {
+		return pid;
+	}
+
+	if (d->fd_ep >= 0)
+		close(d->fd_ep);
+	if (d->fd_ep >= 0)
+		close(d->fd_signal);
+	if (d->fd_conn >= 0)
+		close(d->fd_conn);
+
+	caller_num = a->caller_num;
+	ret = init_caller_data(a->caller_uid, a->caller_gid);
+	if (ret < 0) {
+		send_command_response(cl_conn, CMD_STATUS_FAILED, NULL);
+		close(cl_conn);
+		goto out_send_failure;
+	}
+
+	info("%s(%d) num=%u: starting session server", caller_user, caller_uid, caller_num);
+	struct hadaemon sh = {};
+
+	ret = caller_server_listener_init(&sh);
+	if (ret < 0) {
+		send_command_response(cl_conn, CMD_STATUS_FAILED, NULL);
+		close(cl_conn);
+		goto out_send_failure;
+	}
+
+	info("%s(%d) num=%u: started session server", caller_user, caller_uid, caller_num);
+	/* Tell the client that caller server is ready */
+	send_command_response(cl_conn, CMD_STATUS_DONE, NULL);
+	close(cl_conn);
+
+	ret = caller_server(&sh);
+	info("%s(%d): finish session server", caller_user, caller_uid);
+	exit(ret < 0 ? EXIT_FAILURE : EXIT_SUCCESS);
+
+out_send_failure:
+	free_caller_data();
+
+	exit(ret < 0 ? EXIT_FAILURE : EXIT_SUCCESS);
+}
+
+static int
+start_session(struct hadaemon* d, int conn, unsigned num)
+{
+	uid_t uid;
+	gid_t gid;
+	pid_t server_pid;
+	struct session *a = NULL;
+	struct session **sl = &pool;
+
+	if (get_peercred(conn, NULL, &uid, &gid) < 0)
+		return -1;
+
+	while (sl && *sl) {
+		if ((*sl)->caller_uid == uid && (*sl)->caller_num == num) {
+			/* Session exists and will be reused. */
+			send_command_response(conn, CMD_STATUS_DONE, NULL);
+			return 0;
+		}
+		sl = &(*sl)->next;
+	}
+
+	a = calloc(1L, sizeof(struct session));
+	if (!a) {
+		err("calloc: %m");
+		return -1;
+	}
+
+	a->caller_uid = uid;
+	a->caller_gid = gid;
+	a->caller_num = num;
+
+	info("starting session for user %d:%u", uid, num);
+
+	if ((server_pid = spawn_caller_server(d, conn, a)) < 0)
+		return -1;
+
+	a->server_pid = server_pid;
+
+	info("started session for user %d:%u", uid, num);
+
+	*sl = a;
+
+	return 0;
+}
+
+static int
+close_session(int conn, unsigned num)
+{
+	uid_t uid;
+	gid_t gid;
+	struct session *e = pool;
+
+	if (get_peercred(conn, NULL, &uid, &gid) < 0)
+		return -1;
+
+	while (e) {
+		if (e->caller_uid == uid && e->caller_num == num) {
+			info("close session for %d:%u user by request", uid, num);
+			if (kill(e->server_pid, SIGTERM) < 0) {
+				err("kill: %m");
+				return -1;
+			}
+			break;
+		}
+		e = e->next;
+	}
+
+	return 0;
+}
+
+static int
+process_request(struct hadaemon* d, int conn)
+{
+	int rc;
+	struct cmd hdr = { 0 };
+	unsigned num = 0;
+
+	if (xrecvmsg(conn, &hdr, sizeof(hdr)) < 0)
+		return -1;
+
+	if (hdr.datalen != sizeof(num)) {
+		err("bad command");
+		send_command_response(conn, CMD_STATUS_FAILED, "bad command");
+		return -1;
+	}
+
+	if (xrecvmsg(conn, &num, sizeof(num)) < 0)
+		return -1;
+
+	switch (hdr.type) {
+		case CMD_OPEN_SESSION:
+			rc = start_session(d, conn, num);
+			/* The successful response is delayed until the child
+			 * server is ready or an error happens.
+			 */
+			if (rc < 0)
+				send_command_response(conn, CMD_STATUS_FAILED, "command failed");
+			break;
+		case CMD_CLOSE_SESSION:
+			rc = close_session(conn, num);
+			(rc < 0)
+				? send_command_response(conn, CMD_STATUS_FAILED, "command failed")
+				: send_command_response(conn, CMD_STATUS_DONE, NULL);
+			break;
+		default:
+			err("unknown command");
+			send_command_response(conn, CMD_STATUS_FAILED, "unknown command");
+			rc = -1;
+	}
+
+	return rc;
+}
+
+static void
+finish_sessions(int sig)
+{
+	struct session *e = pool;
+
+	while (e) {
+		if (kill(e->server_pid, sig) < 0)
+			err("kill: %m");
+		e = e->next;
+	}
+}
+
+static void
+clean_session(pid_t pid)
+{
+	struct session *x, **a = &pool;
+
+	while (a && *a) {
+		if ((*a)->server_pid == pid) {
+			x = *a;
+			*a = (*a)->next;
+			free(x);
+		}
+		a = &(*a)->next;
+	}
+}
+
+int main(int argc, char **argv)
+{
+	int i;
+	int loglevel = -1;
+
+	const char *pidfile = NULL;
+	int daemonize = 1;
+
+	char socketpath[UNIX_PATH_MAX];
+
+	struct option long_options[] = {
+		{ "help", no_argument, 0, 'h' },
+		{ "version", no_argument, 0, 'V' },
+		{ "foreground", no_argument, 0, 'f' },
+		{ "loglevel", required_argument, 0, 'l' },
+		{ "pidfile", required_argument, 0, 'p' },
+		{ 0, 0, 0, 0 }
+	};
+
+	while ((i = getopt_long(argc, argv, "hVfl:p:", long_options, NULL)) != -1) {
+		switch (i) {
+			case 'p':
+				pidfile = optarg;
+				break;
+			case 'l':
+				loglevel = logging_level(optarg);
+				break;
+			case 'f':
+				daemonize = 0;
+				break;
+			case 'V':
+				printf("%s %s\n", program_invocation_short_name, PROJECT_VERSION);
+				return EXIT_SUCCESS;
+			default:
+			case 'h':
+				printf("Usage: %s [options]\n"
+				       " -p, --pidfile=FILE   pid file location;\n"
+				       " -l, --loglevel=LVL   set logging level;\n"
+				       " -f, --foreground     stay in the foreground;\n"
+				       " -V, --version        print program version and exit;\n"
+				       " -h, --help           show this text and exit.\n"
+				       "\n",
+				       program_invocation_short_name);
+				return EXIT_SUCCESS;
+		}
+	}
+
+	configure_server();
+
+	if (daemonize && !pidfile && server_pidfile && *server_pidfile)
+		pidfile = server_pidfile;
+
+	if (loglevel < 0)
+		loglevel = (server_log_priority >= 0)
+			? server_log_priority
+			: logging_level("info");
+
+	umask(022);
+
+	if (pidfile && check_pid(pidfile))
+		error(EXIT_FAILURE, 0, "%s: already running",
+		      program_invocation_short_name);
+
+	if (daemonize && daemon(0, 0) < 0)
+		error(EXIT_FAILURE, errno, "daemon");
+
+	logging_init(loglevel, !daemonize);
+
+	if (pidfile && write_pid(pidfile) == 0)
+		return EXIT_FAILURE;
+
+	sigset_t mask;
+
+	sigfillset(&mask);
+	sigprocmask(SIG_SETMASK, &mask, NULL);
+
+	sigdelset(&mask, SIGABRT);
+	sigdelset(&mask, SIGSEGV);
+
+	struct hadaemon *d = &dn;
+
+	if ((d->fd_ep = epoll_create1(EPOLL_CLOEXEC)) < 0)
+		fatal("epoll_create1: %m");
+
+	if ((d->fd_signal = signalfd(-1, &mask, SFD_NONBLOCK | SFD_CLOEXEC)) < 0)
+		fatal("signalfd: %m");
+
+
+	mode_t m = umask(017);
+
+	snprintf(socketpath, sizeof(socketpath), "%s/%s", SOCKETDIR, main_socket_base_name);
+
+	if ((d->fd_conn = srv_listen(socketpath)) < 0)
+		fatal("srv_listen: %m");
+
+	umask(m);
+
+	if (chown(socketpath, 0, server_gid))
+		fatal("fchown: %s: %m", socketpath);
+
+	if (epollin_add(d->fd_ep, d->fd_signal) < 0 || epollin_add(d->fd_ep, d->fd_conn) < 0)
+		return EXIT_FAILURE;
+
+	int ep_timeout = -1;
+	int finish_server = 0;
+
+	while (1) {
+		struct epoll_event ev[42];
+		int fdcount;
+
+		errno = 0;
+		if ((fdcount = epoll_wait(d->fd_ep, ev, ARRAY_SIZE(ev), ep_timeout)) < 0) {
+			if (errno == EINTR)
+				continue;
+			err("epoll_wait: %m");
+			break;
+		}
+
+		for (i = 0; i < fdcount; i++) {
+			if (!(ev[i].events & EPOLLIN)) {
+				continue;
+
+			} else if (ev[i].data.fd == d->fd_signal) {
+				struct signalfd_siginfo fdsi;
+				ssize_t size;
+
+				size = read_retry(d->fd_signal, &fdsi, sizeof(fdsi));
+
+				if (size != sizeof(fdsi)) {
+					err("unable to read signal info");
+					continue;
+				}
+
+				pid_t pid;
+				int status;
+
+				switch (fdsi.ssi_signo) {
+				case SIGINT:
+				case SIGTERM:
+					finish_server = 1;
+					break;
+				case SIGCHLD:
+					if ((pid = waitpid(-1, &status, 0)) < 0)
+						err("waitpid: %m");
+
+					clean_session(pid);
+					break;
+				}
+
+			} else if (ev[i].data.fd == d->fd_conn) {
+				int conn;
+
+				if ((conn = accept4(d->fd_conn, NULL, 0, SOCK_CLOEXEC)) < 0) {
+					err("accept4: %m");
+					continue;
+				}
+
+				if (set_recv_timeout(conn, 3) < 0) {
+					close(conn);
+					continue;
+				}
+
+				process_request(d, conn);
+				close(conn);
+			}
+		}
+
+		if (finish_server) {
+			if (!pool)
+				break;
+
+			if (d->fd_conn >= 0) {
+				epollin_remove(d->fd_ep, d->fd_conn);
+				d->fd_conn = -1;
+				ep_timeout = 3000;
+			}
+
+			finish_sessions(SIGTERM);
+		}
+	}
+
+	epollin_remove(d->fd_ep, d->fd_signal);
+	epollin_remove(d->fd_ep, d->fd_conn);
+
+	if (d->fd_ep >= 0)
+		close(d->fd_ep);
+	if (d->fd_ep >= 0)
+		close(d->fd_signal);
+	if (d->fd_conn >= 0)
+		close(d->fd_conn);
+
+	if (pidfile)
+		remove_pid(pidfile);
+
+	logging_close();
+	free_server_configuration();
+
+	return EXIT_SUCCESS;
+}
diff --git a/hasher-priv/io_log.c b/hasher-priv/io_log.c
index f5aea59..2689ff0 100644
--- a/hasher-priv/io_log.c
+++ b/hasher-priv/io_log.c
@@ -2,7 +2,7 @@
 /*
   Copyright (C) 2008-2019  Dmitry V. Levin <ldv@altlinux.org>
 
-  The chrootuid parent log I/O handler for the hasher-priv program.
+  The chrootuid parent log I/O handler for the hasher-privd program.
 
   SPDX-License-Identifier: GPL-2.0-or-later
 */
diff --git a/hasher-priv/io_x11.c b/hasher-priv/io_x11.c
index 93e3add..f193c56 100644
--- a/hasher-priv/io_x11.c
+++ b/hasher-priv/io_x11.c
@@ -2,7 +2,7 @@
 /*
   Copyright (C) 2005-2019  Dmitry V. Levin <ldv@altlinux.org>
 
-  The chrootuid parent X11 I/O handler for the hasher-priv program.
+  The chrootuid parent X11 I/O handler for the hasher-privd program.
 
   SPDX-License-Identifier: GPL-2.0-or-later
 */
diff --git a/hasher-priv/killuid.c b/hasher-priv/killuid.c
index f0bee84..71e52e1 100644
--- a/hasher-priv/killuid.c
+++ b/hasher-priv/killuid.c
@@ -2,7 +2,7 @@
 /*
   Copyright (C) 2003-2019  Dmitry V. Levin <ldv@altlinux.org>
 
-  The killuid actions for the hasher-priv program.
+  The killuid actions for the hasher-privd program.
 
   SPDX-License-Identifier: GPL-2.0-or-later
 */
diff --git a/hasher-priv/logging.c b/hasher-priv/logging.c
new file mode 100644
index 0000000..cd693e5
--- /dev/null
+++ b/hasher-priv/logging.c
@@ -0,0 +1,71 @@
+
+/*
+  Copyright (C) 2019  Alexey Gladkov <legion@altlinux.org>
+
+  Logging functions for the hasher-privd program.
+
+  SPDX-License-Identifier: GPL-2.0-or-later
+*/
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <strings.h>
+#include <errno.h>
+#include <syslog.h>
+
+#include "logging.h"
+
+int log_priority = -1;
+int log_to_stderr = 0;
+
+int logging_level(const char *name)
+{
+	if (!strcasecmp(name, "debug"))
+		return LOG_DEBUG;
+
+	if (!strcasecmp(name, "info"))
+		return LOG_INFO;
+
+	if (!strcasecmp(name, "warning"))
+		return LOG_WARNING;
+
+	if (!strcasecmp(name, "error"))
+		return LOG_ERR;
+
+	return 0;
+}
+
+void logging_init(int loglevel, int is_foreground)
+{
+	int options = LOG_PID;
+	log_priority = loglevel;
+	log_to_stderr = !!is_foreground;
+	if (!is_foreground)
+		openlog(program_invocation_short_name, options, LOG_DAEMON);
+}
+
+void logging_close(void)
+{
+	if (!log_to_stderr)
+		closelog();
+}
+
+void
+message(int priority, const char *fmt, ...)
+{
+	va_list ap;
+
+	va_start(ap, fmt);
+	if (priority <= log_priority)
+	{
+		if (log_to_stderr)
+		{
+			fprintf(stderr, "<%d>", priority);
+			vfprintf(stderr, fmt, ap);
+			fprintf(stderr, "\n");
+		}
+		else
+			vsyslog(priority, fmt, ap);
+	}
+	va_end(ap);
+}
diff --git a/hasher-priv/logging.h b/hasher-priv/logging.h
new file mode 100644
index 0000000..bc6d0da
--- /dev/null
+++ b/hasher-priv/logging.h
@@ -0,0 +1,55 @@
+
+/*
+  Copyright (C) 2019  Alexey Gladkov <legion@altlinux.org>
+
+  Logging functions for the hasher-privd program.
+
+  SPDX-License-Identifier: GPL-2.0-or-later
+*/
+
+#ifndef _LOGGING_H_
+#define _LOGGING_H_
+
+#include <syslog.h>
+#include <stdlib.h>
+
+void logging_init(int, int);
+void logging_close(void);
+int logging_level(const char *lvl) __attribute__((nonnull(1)));
+
+void message(int priority, const char *fmt, ...) __attribute__((format(printf, 2, 3)));
+
+#define fatal(format, arg...)                             \
+	do {                                              \
+		message(LOG_CRIT,                         \
+		        "%s(%d): %s: " format,            \
+		        __FILE__, __LINE__, __FUNCTION__, \
+		        ##arg);                           \
+		exit(EXIT_FAILURE);                       \
+	} while (0)
+
+#define err(format, arg...)                               \
+	do {                                              \
+		message(LOG_ERR,                          \
+		        "%s(%d): %s: " format,            \
+		        __FILE__, __LINE__, __FUNCTION__, \
+		        ##arg);                           \
+	} while (0)
+
+#define info(format, arg...)                              \
+	do {                                              \
+		message(LOG_INFO,                         \
+		        "%s(%d): %s: " format,            \
+		        __FILE__, __LINE__, __FUNCTION__, \
+		        ##arg);                           \
+	} while (0)
+
+#define dbg(format, arg...)                               \
+	do {                                              \
+		message(LOG_DEBUG,                        \
+		        "%s(%d): %s: " format,            \
+		        __FILE__, __LINE__, __FUNCTION__, \
+		        ##arg);                           \
+	} while (0)
+
+#endif /* _LOGGING_H_ */
diff --git a/hasher-priv/main.c b/hasher-priv/main.c
deleted file mode 100644
index 310fd5d..0000000
--- a/hasher-priv/main.c
+++ /dev/null
@@ -1,75 +0,0 @@
-
-/*
-  Copyright (C) 2003-2019  Dmitry V. Levin <ldv@altlinux.org>
-
-  The entry function for the hasher-priv program.
-
-  SPDX-License-Identifier: GPL-2.0-or-later
-*/
-
-/* Code in this file may be executed with root privileges. */
-
-#include <errno.h>
-#include <error.h>
-#include <stdio.h>
-#include <stdlib.h>
-
-#include "priv.h"
-
-static void
-my_error_print_progname(void)
-{
-	fprintf(stderr, "%s: ", program_invocation_short_name);
-}
-
-int
-main(int ac, const char *av[])
-{
-	task_t  task;
-
-	error_print_progname = my_error_print_progname;
-
-	/* First, check and sanitize file descriptors. */
-	sanitize_fds();
-
-	/* Second, parse command line arguments. */
-	task = parse_cmdline(ac, av);
-
-	if (chroot_path && *chroot_path != '/')
-		error(EXIT_FAILURE, 0, "%s: invalid chroot path",
-		      chroot_path);
-
-	/* Third, initialize data related to caller. */
-	init_caller_data();
-
-	/* 4th, parse environment for config options. */
-	parse_env();
-
-	/* We don't need environment variables any longer. */
-	if (clearenv() != 0)
-		error(EXIT_FAILURE, errno, "clearenv");
-
-	/* Load config according to caller information. */
-	configure();
-
-	/* Finally, execute choosen task. */
-	switch (task)
-	{
-		case TASK_GETCONF:
-			return do_getconf();
-		case TASK_KILLUID:
-			return do_killuid();
-		case TASK_GETUGID1:
-			return do_getugid1();
-		case TASK_CHROOTUID1:
-			return do_chrootuid1();
-		case TASK_GETUGID2:
-			return do_getugid2();
-		case TASK_CHROOTUID2:
-			return do_chrootuid2();
-		default:
-			error(EXIT_FAILURE, 0, "unknown task %d", task);
-	}
-
-	return EXIT_FAILURE;
-}
diff --git a/hasher-priv/pass.c b/hasher-priv/pass.c
index b52c87e..03a07ec 100644
--- a/hasher-priv/pass.c
+++ b/hasher-priv/pass.c
@@ -17,6 +17,8 @@
 #include <unistd.h>
 #include <sys/socket.h>
 
+#include "logging.h"
+#include "sockets.h"
 #include "priv.h"
 
 union cmsg_data_u
@@ -55,8 +57,7 @@ fd_send(int ctl, int pass, const char *data, size_t data_len)
 
 	ssize_t rc;
 
-	if ((rc = TEMP_FAILURE_RETRY(sendmsg(ctl, &msg, 0))) !=
-	    (ssize_t) data_len)
+	if ((rc = sendmsg_retry(ctl, &msg, 0)) != (ssize_t) data_len)
 	{
 		if (rc < 0)
 		{
@@ -96,8 +97,7 @@ fd_recv(int ctl, char *data, size_t data_len)
 
 	ssize_t rc;
 
-	if ((rc = TEMP_FAILURE_RETRY(recvmsg(ctl, &msg, 0))) !=
-	    (ssize_t) data_len)
+	if ((rc = recvmsg_retry(ctl, &msg, 0)) != (ssize_t) data_len)
 	{
 		if (rc < 0)
 		{
@@ -132,3 +132,112 @@ fd_recv(int ctl, char *data, size_t data_len)
 	cmsg_data_p.c = CMSG_DATA(cmsg);
 	return *cmsg_data_p.i;
 }
+
+int
+fds_send(int conn, int *fds, size_t fds_len)
+{
+	ssize_t rc;
+	size_t len = sizeof(int) * fds_len;
+
+	union {
+		char buf[CMSG_SPACE(len)];
+		struct cmsghdr align;
+	} u;
+
+	/*
+	 * We must send at least 1 byte of real data in
+	 * order to send ancillary data
+	*/
+	char dummy;
+
+	struct iovec iov = { 0 };
+
+	iov.iov_base = &dummy;
+	iov.iov_len  = sizeof(dummy);
+
+	struct msghdr msg = { 0 };
+
+	msg.msg_iov = &iov;
+	msg.msg_iovlen = 1;
+	msg.msg_control = u.buf;
+	msg.msg_controllen = sizeof(u.buf);
+
+	struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
+
+	cmsg->cmsg_level = SOL_SOCKET;
+	cmsg->cmsg_type  = SCM_RIGHTS;
+	cmsg->cmsg_len   = CMSG_LEN(len);
+
+	memcpy(CMSG_DATA(cmsg), fds, len);
+
+	if ((rc = sendmsg_retry(conn, &msg, 0)) != sizeof(dummy)) {
+		if (rc < 0)
+			err("sendmsg: %m");
+		else if (rc)
+			err("sendmsg: expected size %lu, got %lu", sizeof(dummy), rc);
+		else
+			err("sendmsg: unexpected EOF");
+		return -1;
+	}
+
+	return 0;
+}
+
+int
+fds_recv(int conn, int *fds, size_t n_fds)
+{
+	char dummy;
+	size_t datalen = sizeof(int) * n_fds;
+
+	union {
+		struct cmsghdr cmh;
+		char   control[CMSG_SPACE(datalen)];
+	} u;
+
+	u.cmh.cmsg_len   = CMSG_LEN(datalen);
+	u.cmh.cmsg_level = SOL_SOCKET;
+	u.cmh.cmsg_type  = SCM_RIGHTS;
+
+	struct iovec iov = { 0 };
+
+	iov.iov_base = &dummy;
+	iov.iov_len  = sizeof(dummy);
+
+	struct msghdr msg = { 0 };
+
+	msg.msg_iov = &iov;
+	msg.msg_iovlen = 1;
+	msg.msg_control = u.control;
+	msg.msg_controllen = sizeof(u.control);
+
+	ssize_t n;
+	if ((n = recvmsg_retry(conn, &msg, 0)) != sizeof(dummy)) {
+		if (n < 0)
+			err("recvmsg: %m");
+		else if (n)
+			err("recvmsg: expected size %lu, got %lu", sizeof(dummy), n);
+		else
+			err("recvmsg: unexpected EOF");
+		return -1;
+	}
+
+	if (!msg.msg_controllen) {
+		err("ancillary data not specified");
+		return -1;
+	}
+
+	for (struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
+		if (cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS)
+			continue;
+
+		if (cmsg->cmsg_len - CMSG_LEN(0) != datalen) {
+			err("expected fd payload");
+			return -1;
+		}
+
+		memcpy(fds, CMSG_DATA(cmsg), datalen);
+		break;
+	}
+
+	return 0;
+}
diff --git a/hasher-priv/pidfile.c b/hasher-priv/pidfile.c
new file mode 100644
index 0000000..3da63dd
--- /dev/null
+++ b/hasher-priv/pidfile.c
@@ -0,0 +1,129 @@
+
+/*
+    pidfile.c - interact with pidfiles
+    Copyright (c) 1995  Martin Schulze <Martin.Schulze@Linux.DE>
+
+    This file was originally part of the sysklogd package, a kernel and system
+    log daemon.
+
+    SPDX-License-Identifier: GPL-2.0-or-later
+*/
+
+/*
+ * Sat Aug 19 13:24:33 MET DST 1995: Martin Schulze
+ *	First version (v0.2) released
+ */
+
+#include <errno.h>
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/file.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+#include "logging.h"
+#include "pidfile.h"
+
+/* read_pid
+ *
+ * Reads the specified pidfile and returns the read pid.
+ * 0 is returned if either there's no pidfile, it's empty
+ * or no pid can be read.
+ */
+int read_pid(const char *pidfile)
+{
+	FILE *f;
+	int pid;
+
+	if (!(f = fopen(pidfile, "r")))
+		return 0;
+	if (fscanf(f, "%d", &pid) != 1)
+		pid = 0;
+	fclose(f);
+	return pid;
+}
+
+/* check_pid
+ *
+ * Reads the pid using read_pid and looks up the pid in the process
+ * table (using /proc) to determine if the process already exists. If
+ * so 1 is returned, otherwise 0.
+ */
+int check_pid(const char *pidfile)
+{
+	int pid = read_pid(pidfile);
+
+	/* Amazing ! _I_ am already holding the pid file... */
+	if ((!pid) || (pid == getpid()))
+		return 0;
+
+	/*
+	 * The 'standard' method of doing this is to try and do a 'fake' kill
+	 * of the process.  If an ESRCH error is returned the process cannot
+	 * be found -- GW
+	 */
+	/* But... errno is usually changed only on error.. */
+	if (kill(pid, 0) && errno == ESRCH)
+		return (0);
+
+	return pid;
+}
+
+/* write_pid
+ *
+ * Writes the pid to the specified file. If that fails 0 is
+ * returned, otherwise the pid.
+ */
+int write_pid(const char *pidfile)
+{
+	FILE *f;
+	int fd;
+	int pid;
+
+	if (((fd = open(pidfile, O_RDWR | O_CREAT | O_TRUNC | O_CLOEXEC, 0644)) == -1) ||
+	    ((f = fdopen(fd, "r+")) == NULL)) {
+		err("Can't open or create %s", pidfile);
+		return 0;
+	}
+
+	if (flock(fd, LOCK_EX | LOCK_NB) == -1) {
+		if (fscanf(f, "%d", &pid) != 1)
+			pid = 0;
+		fclose(f);
+		err("Can't lock, lock is held by pid %d", pid);
+		return 0;
+	}
+
+	pid = getpid();
+	if (!fprintf(f, "%d\n", pid)) {
+		err("Can't write pid: %m");
+		close(fd);
+		return 0;
+	}
+	fflush(f);
+
+	if (flock(fd, LOCK_UN) == -1) {
+		err("flock: %s: %m", pidfile);
+		close(fd);
+		return 0;
+	}
+	close(fd);
+	fclose(f);
+
+	return pid;
+}
+
+/* remove_pid
+ *
+ * Remove the the specified file. The result from unlink(2)
+ * is returned
+ */
+int remove_pid(const char *pidfile)
+{
+	if (unlink(pidfile) == -1) {
+		err("unlink: %s: %m", pidfile);
+		return -1;
+	}
+	return 0;
+}
diff --git a/hasher-priv/pidfile.h b/hasher-priv/pidfile.h
new file mode 100644
index 0000000..e152538
--- /dev/null
+++ b/hasher-priv/pidfile.h
@@ -0,0 +1,44 @@
+
+/*
+    pidfile.h - interact with pidfiles
+    Copyright (c) 1995  Martin Schulze <Martin.Schulze@Linux.DE>
+
+    This file is part of the sysklogd package, a kernel and system log daemon.
+
+    SPDX-License-Identifier: GPL-2.0-or-later
+*/
+
+#ifndef _PIDFILE_H_
+#define _PIDFILE_H_
+
+/* read_pid
+ *
+ * Reads the specified pidfile and returns the read pid.
+ * 0 is returned if either there's no pidfile, it's empty
+ * or no pid can be read.
+ */
+int read_pid(const char *pidfile) __attribute__((nonnull(1)));
+
+/* check_pid
+ *
+ * Reads the pid using read_pid and looks up the pid in the process
+ * table (using /proc) to determine if the process already exists. If
+ * so 1 is returned, otherwise 0.
+ */
+int check_pid(const char *pidfile) __attribute__((nonnull(1)));
+
+/* write_pid
+ *
+ * Writes the pid to the specified file. If that fails 0 is
+ * returned, otherwise the pid.
+ */
+int write_pid(const char *pidfile) __attribute__((nonnull(1)));
+
+/* remove_pid
+ *
+ * Remove the the specified file. The result from unlink(2)
+ * is returned
+ */
+int remove_pid(const char *pidfile) __attribute__((nonnull(1)));
+
+#endif /* _PIDFILE_H_ */
diff --git a/hasher-priv/priv.h b/hasher-priv/priv.h
index 87e72fb..1dc86dd 100644
--- a/hasher-priv/priv.h
+++ b/hasher-priv/priv.h
@@ -18,16 +18,30 @@
 #define	MIN_CHANGE_GID	34
 #define	MAX_CONFIG_SIZE	16384
 
-typedef enum
-{
-	TASK_NONE = 0,
-	TASK_GETCONF,
-	TASK_KILLUID,
-	TASK_GETUGID1,
-	TASK_CHROOTUID1,
-	TASK_GETUGID2,
-	TASK_CHROOTUID2,
-} task_t;
+#include "communication.h"
+
+struct hadaemon {
+	int fd_ep;
+	int fd_signal;
+	int fd_conn;
+};
+
+struct session {
+	struct session *next;
+
+	uid_t caller_uid;
+	gid_t caller_gid;
+
+	unsigned caller_num;
+
+	pid_t server_pid;
+};
+
+struct caller {
+	uid_t uid;
+	gid_t gid;
+	int fd_conn;
+};
 
 typedef struct
 {
@@ -68,9 +82,13 @@ void    restore_tty(void);
 int     tty_copy_winsize(int master_fd, int slave_fd);
 int     open_pty(int *slave_fd, int chrooted, int verbose_error);
 task_t  parse_cmdline(int ac, const char *av[]);
-void    init_caller_data(void);
+void    parse_task_args(task_t task, const char *argv[]);
+int     init_caller_data(uid_t uid, gid_t gid);
+void    free_caller_data(void);
 void    parse_env(void);
 void    configure(void);
+void    configure_server(void);
+void    free_server_configuration(void);
 void    ch_uid(uid_t uid, uid_t *save);
 void    ch_gid(gid_t gid, gid_t *save);
 void    chdiruid(const char *path, VALIDATE_FPTR validator);
@@ -85,6 +103,9 @@ void    stat_root_ok_validator(struct stat *st, const char *name);
 void    stat_any_ok_validator(struct stat *st, const char *name);
 void    fd_send(int ctl, int pass, const char *data, size_t len);
 int     fd_recv(int ctl, char *data, size_t data_len);
+int     fds_send(int conn, int *fds, size_t fds_len) __attribute__((nonnull(2)));
+int     fds_recv(int conn, int *fds, size_t datalen) __attribute__((nonnull(2)));
+
 int     unix_accept(int fd);
 int     log_listen(void);
 void    x11_drop_display(void);
@@ -120,9 +141,15 @@ int     do_chrootuid1(void);
 int     do_getugid2(void);
 int     do_chrootuid2(void);
 
+int process_cmd_task_run(struct hadaemon*, int, struct task *);
+int caller_server_listener_init(struct hadaemon*);
+int caller_server(struct hadaemon*);
+
 extern const char *chroot_path;
 extern const char **chroot_argv;
 
+extern const char **task_args;
+
 extern str_list_t allowed_devices;
 extern str_list_t allowed_mountpoints;
 extern str_list_t requested_mountpoints;
@@ -143,7 +170,7 @@ extern int log_fd;
 
 extern const char *const *chroot_prefix_list;
 extern const char *chroot_prefix_path;
-extern const char *caller_user, *caller_home;
+extern char *caller_user, *caller_home;
 extern uid_t caller_uid;
 extern gid_t caller_gid;
 extern unsigned caller_num;
@@ -156,4 +183,10 @@ extern int change_nice;
 extern change_rlimit_t change_rlimit[];
 extern work_limit_t wlimit;
 
+extern int server_log_priority;
+extern unsigned long server_session_timeout;
+extern char *server_access_group;
+extern char *server_pidfile;
+extern gid_t server_gid;
+
 #endif /* PKG_BUILD_PRIV_H */
diff --git a/hasher-priv/sockets.c b/hasher-priv/sockets.c
new file mode 100644
index 0000000..baad57e
--- /dev/null
+++ b/hasher-priv/sockets.c
@@ -0,0 +1,180 @@
+
+/*
+  Copyright (C) 2019  Alexey Gladkov <legion@altlinux.org>
+
+  A collection of helpers to simplify the use of sockets.
+
+  SPDX-License-Identifier: GPL-2.0-or-later
+*/
+
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/un.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "logging.h"
+#include "sockets.h"
+
+/* This function may be executed with caller or child privileges. */
+/* For simplicity, we assume the init scripts have already created all
+ * necessary path components.
+ */
+int srv_listen(const char *file_name)
+{
+	struct sockaddr_un sun = { .sun_family = AF_UNIX };
+
+	snprintf(sun.sun_path, sizeof(sun.sun_path), "%s", file_name);
+
+	if (unlink(sun.sun_path) && errno != ENOENT) {
+		err("unlink: %s: %m", sun.sun_path);
+		return -1;
+	}
+
+	int fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
+
+	if (fd < 0) {
+		err("socket AF_UNIX: %m");
+		return -1;
+	}
+
+	if (bind(fd, (struct sockaddr *)&sun, (socklen_t) sizeof(sun))) {
+		err("bind: %s: %m", sun.sun_path);
+		(void)close(fd);
+		return -1;
+	}
+
+	if (listen(fd, 16) < 0) {
+		err("listen: %s: %m", sun.sun_path);
+		(void)close(fd);
+		return -1;
+	}
+
+	return fd;
+}
+
+int srv_connect(const char *dir_name, const char *file_name)
+{
+	int conn = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
+
+	if (conn < 0) {
+		err("socket AF_UNIX: %m");
+		return -1;
+	}
+
+	struct sockaddr_un sun = { .sun_family = AF_UNIX };
+
+	snprintf(sun.sun_path, sizeof(sun.sun_path), "%s/%s", dir_name, file_name);
+
+	if (connect(conn, (const struct sockaddr *)&sun, sizeof(sun)) < 0) {
+		err("connect: %s: %m", sun.sun_path);
+		return -1;
+	}
+
+	return conn;
+}
+
+int get_peercred(int fd, pid_t *pid, uid_t *uid, gid_t *gid)
+{
+	struct ucred uc;
+	socklen_t len = sizeof(struct ucred);
+
+	if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &uc, &len) < 0) {
+		err("getsockopt(SO_PEERCRED): %m");
+		return -1;
+	}
+
+	if (pid)
+		*pid = uc.pid;
+
+	if (uid)
+		*uid = uc.uid;
+
+	if (gid)
+		*gid = uc.gid;
+
+	return 0;
+}
+
+int
+set_recv_timeout(int fd, int secs)
+{
+	struct timeval tv = { .tv_sec = secs };
+
+	if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0) {
+		err("setsockopt(SO_RCVTIMEO): %m");
+		return -1;
+	}
+	return 0;
+}
+
+ssize_t
+sendmsg_retry(int sockfd, const struct msghdr *msg, int flags)
+{
+	return TEMP_FAILURE_RETRY(sendmsg(sockfd, msg, flags));
+}
+
+ssize_t
+recvmsg_retry(int sockfd, struct msghdr *msg, int flags)
+{
+	return TEMP_FAILURE_RETRY(recvmsg(sockfd, msg, flags));
+}
+
+int
+xsendmsg(int conn, void *data, size_t len)
+{
+	struct iovec iov = { 0 };
+	struct msghdr msg = { 0 };
+
+	iov.iov_base = data;
+	iov.iov_len  = len;
+
+	msg.msg_iov = &iov;
+	msg.msg_iovlen = 1;
+
+	ssize_t n = sendmsg_retry(conn, &msg, 0);
+
+	if (n != (ssize_t) len) {
+		if (n < 0)
+			err("recvmsg: %m");
+		else if (n)
+			err("recvmsg: expected size %lu, got %lu", len, n);
+		else
+			err("recvmsg: unexpected EOF");
+		return -1;
+	}
+
+	return 0;
+}
+
+int
+xrecvmsg(int conn, void *data, size_t len)
+{
+	struct iovec iov = { 0 };
+	struct msghdr msg = { 0 };
+
+	iov.iov_base = data;
+	iov.iov_len  = len;
+
+	msg.msg_iov = &iov;
+	msg.msg_iovlen = 1;
+
+	ssize_t n = recvmsg_retry(conn, &msg, MSG_WAITALL);
+
+	if (n != (ssize_t) len) {
+		if (n < 0)
+			err("recvmsg: %m");
+		else if (n)
+			err("recvmsg: expected size %lu, got %lu", len, n);
+		else
+			err("recvmsg: unexpected EOF");
+		return -1;
+	}
+
+	return 0;
+}
diff --git a/hasher-priv/sockets.h b/hasher-priv/sockets.h
new file mode 100644
index 0000000..0b65eb9
--- /dev/null
+++ b/hasher-priv/sockets.h
@@ -0,0 +1,32 @@
+
+/*
+  Copyright (C) 2019  Alexey Gladkov <legion@altlinux.org>
+
+  A collection of helpers to simplify the use of sockets.
+
+  SPDX-License-Identifier: GPL-2.0-or-later
+*/
+
+#ifndef _SOCKETS_H_
+#define _SOCKETS_H_
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+ssize_t sendmsg_retry(int sockfd, const struct msghdr *msg, int flags) __attribute__((nonnull(2)));
+ssize_t recvmsg_retry(int sockfd, struct msghdr *msg, int flags) __attribute__((nonnull(2)));
+
+#include <unistd.h>
+
+int srv_listen(const char *)  __attribute__((nonnull(1)));
+int srv_connect(const char *, const char *) __attribute__((nonnull(1, 2)));
+
+int get_peercred(int, pid_t *, uid_t *, gid_t *);
+int set_recv_timeout(int fd, int secs);
+
+#include <stdint.h>
+
+int xsendmsg(int conn, void *data, size_t len) __attribute__((nonnull(2)));
+int xrecvmsg(int conn, void *data, size_t len) __attribute__((nonnull(2)));
+
+#endif /* _SOCKETS_H_ */
diff --git a/hasher-priv/x11.c b/hasher-priv/x11.c
index 854c453..0a6b4fb 100644
--- a/hasher-priv/x11.c
+++ b/hasher-priv/x11.c
@@ -22,6 +22,7 @@
 
 #include "priv.h"
 #include "xmalloc.h"
+#include "sockets.h"
 
 #define X11_UNIX_DIR "/tmp/.X11-unix"
 
-- 
2.32.0



^ permalink raw reply	[flat|nested] 11+ messages in thread

* [devel] [PATCH hasher-priv v3 2/7] sockets: xsendmsg: get rid of SIGPIPE on socket writes
  2021-08-24  8:24 [devel] [PATCH hasher-priv v3 0/7] hasher-privd Arseny Maslennikov
  2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 1/7] Turn hasher-priv into a daemon Arseny Maslennikov
@ 2021-08-24  8:24 ` Arseny Maslennikov
  2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 3/7] chrootuid: explicitly reset signal mask before forking off payload Arseny Maslennikov
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 11+ messages in thread
From: Arseny Maslennikov @ 2021-08-24  8:24 UTC (permalink / raw)
  To: devel; +Cc: Arseny Maslennikov

In the daemon, we do not want to receive SIGPIPE and very much prefer to
handle emerging communication errors ourselves.

In the client, SIGPIPE is a bit more bearable. It prevents logging to
stderr, though, so we'd like to avoid that as well.

Signed-off-by: Arseny Maslennikov <arseny@altlinux.org>
---
 hasher-priv/sockets.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hasher-priv/sockets.c b/hasher-priv/sockets.c
index baad57e..3451627 100644
--- a/hasher-priv/sockets.c
+++ b/hasher-priv/sockets.c
@@ -137,7 +137,7 @@ xsendmsg(int conn, void *data, size_t len)
 	msg.msg_iov = &iov;
 	msg.msg_iovlen = 1;
 
-	ssize_t n = sendmsg_retry(conn, &msg, 0);
+	ssize_t n = sendmsg_retry(conn, &msg, MSG_NOSIGNAL);
 
 	if (n != (ssize_t) len) {
 		if (n < 0)
-- 
2.32.0



^ permalink raw reply	[flat|nested] 11+ messages in thread

* [devel] [PATCH hasher-priv v3 3/7] chrootuid: explicitly reset signal mask before forking off payload
  2021-08-24  8:24 [devel] [PATCH hasher-priv v3 0/7] hasher-privd Arseny Maslennikov
  2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 1/7] Turn hasher-priv into a daemon Arseny Maslennikov
  2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 2/7] sockets: xsendmsg: get rid of SIGPIPE on socket writes Arseny Maslennikov
@ 2021-08-24  8:24 ` Arseny Maslennikov
  2021-12-01 19:23   ` Dmitry V. Levin
  2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 4/7] Link with libsetproctitle by Dmitry V. Levin Arseny Maslennikov
                   ` (3 subsequent siblings)
  6 siblings, 1 reply; 11+ messages in thread
From: Arseny Maslennikov @ 2021-08-24  8:24 UTC (permalink / raw)
  To: devel; +Cc: Arseny Maslennikov

Signed-off-by: Arseny Maslennikov <arseny@altlinux.org>
---
 hasher-priv/chrootuid.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hasher-priv/chrootuid.c b/hasher-priv/chrootuid.c
index 89c112e..357d3ef 100644
--- a/hasher-priv/chrootuid.c
+++ b/hasher-priv/chrootuid.c
@@ -134,6 +134,11 @@ chrootuid(uid_t uid, gid_t gid, const char *ehome,
 	/* Set close-on-exec flag on all non-standard descriptors. */
 	cloexec_fds();
 
+	sigset_t sigmask;
+
+	sigemptyset(&sigmask);
+	sigprocmask(SIG_SETMASK, &sigmask, NULL);
+
 	block_signal_handler(SIGCHLD, SIG_BLOCK);
 
 	if ((pid = fork()) < 0)
-- 
2.32.0



^ permalink raw reply	[flat|nested] 11+ messages in thread

* [devel] [PATCH hasher-priv v3 4/7] Link with libsetproctitle by Dmitry V. Levin
  2021-08-24  8:24 [devel] [PATCH hasher-priv v3 0/7] hasher-privd Arseny Maslennikov
                   ` (2 preceding siblings ...)
  2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 3/7] chrootuid: explicitly reset signal mask before forking off payload Arseny Maslennikov
@ 2021-08-24  8:24 ` Arseny Maslennikov
  2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 5/7] daemon: set titles for subprocesses Arseny Maslennikov
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 11+ messages in thread
From: Arseny Maslennikov @ 2021-08-24  8:24 UTC (permalink / raw)
  To: devel; +Cc: Arseny Maslennikov

This being a shared library is an implementation detail: to overcome the
lack of such an interface on Linux, we need to run some preparation code
before main() and pass argv/envp memory buffers to it. A function
declared with __attribute__((constructor)) gets called with no
arguments, we can't pass the argv/envp buffers to it, so we put an
implementation of setproctitle(3) in a shared object and hijack its
_init().

Signed-off-by: Arseny Maslennikov <arseny@altlinux.org>
---
 hasher-priv/Makefile         | 3 ++-
 hasher-priv/hasher-priv.spec | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/hasher-priv/Makefile b/hasher-priv/Makefile
index 8ccf99d..a08f6a8 100644
--- a/hasher-priv/Makefile
+++ b/hasher-priv/Makefile
@@ -42,6 +42,7 @@ CPPFLAGS = -std=gnu99 -D_GNU_SOURCE $(CHDIRUID_FLAGS) \
 CFLAGS = -pipe -O2
 override CFLAGS += $(WARNINGS)
 LDLIBS =
+server_LDLIBS = -lsetproctitle
 
 SRC = hasher-priv.c cmdline.c fds.c sockets.c logging.c communication.c xmalloc.c pass.c
 OBJ = $(SRC:.c=.o)
@@ -65,7 +66,7 @@ $(PROJECT): $(OBJ)
 	$(LINK.o) $^ $(LOADLIBES) $(LDLIBS) -o $@
 
 hasher-privd: $(server_OBJ)
-	$(LINK.o) $^ $(LOADLIBES) $(LDLIBS) -o $@
+	$(LINK.o) $^ $(LOADLIBES) $(LDLIBS) $(server_LDLIBS) -o $@
 
 install: all
 	$(MKDIR_P) -m710 $(DESTDIR)$(configdir)/user.d
diff --git a/hasher-priv/hasher-priv.spec b/hasher-priv/hasher-priv.spec
index 8ec0013..e21dec1 100644
--- a/hasher-priv/hasher-priv.spec
+++ b/hasher-priv/hasher-priv.spec
@@ -20,6 +20,7 @@ Obsoletes: pkg-build-priv
 Conflicts: hasher < 1.4.0
 
 BuildPreReq: help2man, sisyphus_check >= 0:0.7.11
+BuildRequires: setproctitle-devel
 
 %description
 This package provides helpers for executing privileged operations
-- 
2.32.0



^ permalink raw reply	[flat|nested] 11+ messages in thread

* [devel] [PATCH hasher-priv v3 5/7] daemon: set titles for subprocesses
  2021-08-24  8:24 [devel] [PATCH hasher-priv v3 0/7] hasher-privd Arseny Maslennikov
                   ` (3 preceding siblings ...)
  2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 4/7] Link with libsetproctitle by Dmitry V. Levin Arseny Maslennikov
@ 2021-08-24  8:24 ` Arseny Maslennikov
  2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 6/7] Add systemd and sysvinit service files Arseny Maslennikov
  2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 7/7] Install hasher-priv without set ugids Arseny Maslennikov
  6 siblings, 0 replies; 11+ messages in thread
From: Arseny Maslennikov @ 2021-08-24  8:24 UTC (permalink / raw)
  To: devel; +Cc: Arseny Maslennikov

Signed-off-by: Arseny Maslennikov <arseny@altlinux.org>
---
 hasher-priv/caller_task.c  | 6 ++++++
 hasher-priv/hasher-privd.c | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/hasher-priv/caller_task.c b/hasher-priv/caller_task.c
index 7a9fc98..0a37977 100644
--- a/hasher-priv/caller_task.c
+++ b/hasher-priv/caller_task.c
@@ -16,6 +16,8 @@
 #include <stdio.h>
 #include <stdint.h>
 
+#include <setproctitle.h>
+
 #include "communication.h"
 #include "xmalloc.h"
 #include "logging.h"
@@ -100,6 +102,8 @@ spawn_caller_task(struct task *task)
 		return pid;
 	}
 
+	setproctitle("%s for [%u:%u]: %s", "task handler", caller_uid, caller_num, task2str(task->type));
+
 	if ((rc = reopen_iostreams(task->stdin, task->stdout, task->stderr)) < 0)
 		exit(rc);
 
@@ -187,6 +191,8 @@ process_cmd_task_run(struct hadaemon* d, int conn, struct task *task)
 	if (d->fd_conn >= 0)
 		close(d->fd_conn);
 
+	setproctitle("%s", __func__);
+
 	if ((cpid = spawn_caller_task(task)) > 0) {
 		while (1) {
 			pid_t w;
diff --git a/hasher-priv/hasher-privd.c b/hasher-priv/hasher-privd.c
index 06f2811..2cc7588 100644
--- a/hasher-priv/hasher-privd.c
+++ b/hasher-priv/hasher-privd.c
@@ -71,6 +71,8 @@ spawn_caller_server(struct hadaemon* d, int cl_conn, struct session *a)
 		goto out_send_failure;
 	}
 
+	setproctitle("%s %s/%u:%u", "privileged helper for", caller_user, caller_uid, caller_num);
+
 	info("%s(%d) num=%u: starting session server", caller_user, caller_uid, caller_num);
 	struct hadaemon sh = {};
 
-- 
2.32.0



^ permalink raw reply	[flat|nested] 11+ messages in thread

* [devel] [PATCH hasher-priv v3 6/7] Add systemd and sysvinit service files
  2021-08-24  8:24 [devel] [PATCH hasher-priv v3 0/7] hasher-privd Arseny Maslennikov
                   ` (4 preceding siblings ...)
  2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 5/7] daemon: set titles for subprocesses Arseny Maslennikov
@ 2021-08-24  8:24 ` Arseny Maslennikov
  2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 7/7] Install hasher-priv without set ugids Arseny Maslennikov
  6 siblings, 0 replies; 11+ messages in thread
From: Arseny Maslennikov @ 2021-08-24  8:24 UTC (permalink / raw)
  To: devel; +Cc: Arseny Maslennikov, Alexey Gladkov

From: Alexey Gladkov <legion@altlinux.org>

Signed-off-by: Alexey Gladkov <legion@altlinux.org>
Signed-off-by: Arseny Maslennikov <arseny@altlinux.org>
---
 hasher-priv/Makefile              |   6 ++
 hasher-priv/hasher-priv.spec      |   6 +-
 hasher-priv/hasher-privd.service  |  14 ++++
 hasher-priv/hasher-privd.sysvinit | 103 ++++++++++++++++++++++++++++++
 4 files changed, 128 insertions(+), 1 deletion(-)
 create mode 100644 hasher-priv/hasher-privd.service
 create mode 100755 hasher-priv/hasher-privd.sysvinit

diff --git a/hasher-priv/Makefile b/hasher-priv/Makefile
index a08f6a8..6d8b49b 100644
--- a/hasher-priv/Makefile
+++ b/hasher-priv/Makefile
@@ -16,6 +16,8 @@ TARGETS = $(PROJECT) hasher-privd hasher-useradd $(HELPERS) $(MAN5PAGES) $(MAN8P
 have-cc-function = $(shell echo 'extern void $(1)(void); int main () { $(1)(); return 0; }' |$(CC) -o /dev/null -xc - > /dev/null 2>&1 && echo "-D$(2)")
 
 sysconfdir = /etc
+initdir=$(sysconfdir)/rc.d/init.d
+systemd_unitdir=/lib/systemd/system
 libexecdir = /usr/lib
 sbindir = /usr/sbin
 mandir = /usr/share/man
@@ -76,6 +78,10 @@ install: all
 	$(MKDIR_P) -m750 $(DESTDIR)$(helperdir)
 	$(INSTALL) -p -m700 $(PROJECT) $(DESTDIR)$(helperdir)/
 	$(INSTALL) -p -m755 $(HELPERS) $(DESTDIR)$(helperdir)/
+	$(MKDIR_P) -m755 $(DESTDIR)$(systemd_unitdir)
+	$(INSTALL) -p -m644 hasher-privd.service $(DESTDIR)$(systemd_unitdir)/
+	$(MKDIR_P) -m755 $(DESTDIR)$(initdir)
+	$(INSTALL) -p -m755 hasher-privd.sysvinit $(DESTDIR)$(initdir)/hasher-privd
 	$(MKDIR_P) -m755 $(DESTDIR)$(sbindir)
 	$(INSTALL) -p -m755 hasher-privd $(DESTDIR)$(sbindir)/
 	$(INSTALL) -p -m755 hasher-useradd $(DESTDIR)$(sbindir)/
diff --git a/hasher-priv/hasher-priv.spec b/hasher-priv/hasher-priv.spec
index e21dec1..e6fc873 100644
--- a/hasher-priv/hasher-priv.spec
+++ b/hasher-priv/hasher-priv.spec
@@ -33,7 +33,9 @@ required by hasher utilities.
 %make_build CC="%__cc" CFLAGS="%optflags" libexecdir="%_libexecdir"
 
 %install
-%makeinstall
+%makeinstall \
+	systemd_unitdir="%{?buildroot:%{buildroot}}%_unitdir" \
+	#
 
 %pre
 if getent group pkg-build > /dev/null; then
@@ -59,6 +61,8 @@ groupadd -r -f hashman
 %attr(755,root,root) %helperdir/*.sh
 # daemon
 %_sbindir/hasher-privd
+%_unitdir/hasher-privd.service
+%_initdir/hasher-privd
 
 %doc DESIGN
 
diff --git a/hasher-priv/hasher-privd.service b/hasher-priv/hasher-privd.service
new file mode 100644
index 0000000..f44faa0
--- /dev/null
+++ b/hasher-priv/hasher-privd.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=A privileged helper for the hasher project
+ConditionVirtualization=!container
+Documentation=man:hasher-priv(8)
+
+[Service]
+ExecStart=/usr/sbin/hasher-privd -f
+Group=hashman
+RuntimeDirectory=hasher-priv
+RuntimeDirectoryMode=0710
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/hasher-priv/hasher-privd.sysvinit b/hasher-priv/hasher-privd.sysvinit
new file mode 100755
index 0000000..263c9f7
--- /dev/null
+++ b/hasher-priv/hasher-privd.sysvinit
@@ -0,0 +1,103 @@
+#! /bin/sh
+
+### BEGIN INIT INFO
+# Short-Description:    A privileged helper for the hasher project
+# Description:          A privileged helper for the hasher project
+# Provides:             hasher-priv
+# Required-Start:       $remote_fs
+# Required-Stop:        $remote_fs
+# Default-Start:        2 3 4 5
+# Default-Stop:         0 1 6
+### END INIT INFO
+
+WITHOUT_RC_COMPAT=1
+
+# Source function library.
+. /etc/init.d/functions
+
+NAME=hasher-privd
+PIDFILE="/var/run/$NAME.pid"
+LOCKFILE="/var/lock/subsys/$NAME"
+RUNTIMEDIR="/run/hasher-priv"
+RUNTIMEDIRMODE="0710"
+GROUP=hashman
+RETVAL=0
+
+ensure_runtime_directory()
+{
+	mkdir -p "$RUNTIMEDIR"
+	chmod 0710 "$RUNTIMEDIR"
+	chgrp "$GROUP" "$RUNTIMEDIR"
+}
+
+ensure_no_runtime_directory()
+{
+	rm -rf "$RUNTIMEDIR"
+}
+
+start()
+{
+	start_daemon --pidfile "$PIDFILE" --lockfile "$LOCKFILE" -- "$NAME"
+	RETVAL=$?
+	return $RETVAL
+}
+
+stop()
+{
+	stop_daemon --pidfile "$PIDFILE" --lockfile "$LOCKFILE" "$NAME"
+	RETVAL=$?
+	return $RETVAL
+}
+
+restart()
+{
+	stop
+	start
+}
+
+# See how we were called.
+case "$1" in
+	start)
+		ensure_runtime_directory
+		start
+		;;
+	stop)
+		stop
+		ensure_no_runtime_directory
+		;;
+	status)
+		status --pidfile "$PIDFILE" "$NAME"
+		RETVAL=$?
+		;;
+	restart)
+		restart
+		;;
+	reload)
+		restart
+		;;
+	condstart)
+		if [ ! -e "$LOCKFILE" ]; then
+			start
+		fi
+		;;
+	condstop)
+		if [ -e "$LOCKFILE" ]; then
+			stop
+		fi
+		;;
+	condrestart)
+		if [ -e "$LOCKFILE" ]; then
+			restart
+		fi
+		;;
+	condreload)
+		if [ -e "$LOCKFILE" ]; then
+			reload
+		fi
+		;;
+	*)
+		msg_usage "${0##*/} {start|stop|status|restart|reload|condstart|condstop|condrestart|condreload}"
+		RETVAL=1
+esac
+
+exit $RETVAL
-- 
2.32.0



^ permalink raw reply	[flat|nested] 11+ messages in thread

* [devel] [PATCH hasher-priv v3 7/7] Install hasher-priv without set ugids
  2021-08-24  8:24 [devel] [PATCH hasher-priv v3 0/7] hasher-privd Arseny Maslennikov
                   ` (5 preceding siblings ...)
  2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 6/7] Add systemd and sysvinit service files Arseny Maslennikov
@ 2021-08-24  8:24 ` Arseny Maslennikov
  6 siblings, 0 replies; 11+ messages in thread
From: Arseny Maslennikov @ 2021-08-24  8:24 UTC (permalink / raw)
  To: devel; +Cc: Arseny Maslennikov

Signed-off-by: Arseny Maslennikov <arseny@altlinux.org>
---
 hasher-priv/hasher-priv.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hasher-priv/hasher-priv.spec b/hasher-priv/hasher-priv.spec
index e6fc873..8051277 100644
--- a/hasher-priv/hasher-priv.spec
+++ b/hasher-priv/hasher-priv.spec
@@ -57,7 +57,7 @@ groupadd -r -f hashman
 %attr(640,root,hashman) %config(noreplace) %configdir/daemon.conf
 # helpers
 %attr(750,root,hashman) %dir %helperdir
-%attr(6710,root,hashman) %helperdir/%name
+%attr(710,root,hashman) %helperdir/%name
 %attr(755,root,root) %helperdir/*.sh
 # daemon
 %_sbindir/hasher-privd
-- 
2.32.0



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [devel] [PATCH hasher-priv v3 3/7] chrootuid: explicitly reset signal mask before forking off payload
  2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 3/7] chrootuid: explicitly reset signal mask before forking off payload Arseny Maslennikov
@ 2021-12-01 19:23   ` Dmitry V. Levin
  2021-12-03 15:03     ` Arseny Maslennikov
  0 siblings, 1 reply; 11+ messages in thread
From: Dmitry V. Levin @ 2021-12-01 19:23 UTC (permalink / raw)
  To: Arseny Maslennikov; +Cc: devel

On Tue, Aug 24, 2021 at 11:24:32AM +0300, Arseny Maslennikov wrote:
> Signed-off-by: Arseny Maslennikov <arseny@altlinux.org>
> ---
>  hasher-priv/chrootuid.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/hasher-priv/chrootuid.c b/hasher-priv/chrootuid.c
> index 89c112e..357d3ef 100644
> --- a/hasher-priv/chrootuid.c
> +++ b/hasher-priv/chrootuid.c
> @@ -134,6 +134,11 @@ chrootuid(uid_t uid, gid_t gid, const char *ehome,
>  	/* Set close-on-exec flag on all non-standard descriptors. */
>  	cloexec_fds();
>  
> +	sigset_t sigmask;
> +
> +	sigemptyset(&sigmask);
> +	sigprocmask(SIG_SETMASK, &sigmask, NULL);
> +
>  	block_signal_handler(SIGCHLD, SIG_BLOCK);
>  
>  	if ((pid = fork()) < 0)

Assuming it really should reset the signal mask (I don't have the context
to say whether it should or not), looks like it should rather be written as

	block_signal_handler(SIGCHLD, SIG_SETMASK);

instead of

	sigset_t sigmask;
	sigemptyset(&sigmask);
	sigprocmask(SIG_SETMASK, &sigmask, NULL);
	block_signal_handler(SIGCHLD, SIG_BLOCK);

?


-- 
ldv


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [devel] [PATCH hasher-priv v3 3/7] chrootuid: explicitly reset signal mask before forking off payload
  2021-12-01 19:23   ` Dmitry V. Levin
@ 2021-12-03 15:03     ` Arseny Maslennikov
  2021-12-03 16:06       ` Dmitry V. Levin
  0 siblings, 1 reply; 11+ messages in thread
From: Arseny Maslennikov @ 2021-12-03 15:03 UTC (permalink / raw)
  To: ALT Linux Team development discussions

[-- Attachment #1: Type: text/plain, Size: 1967 bytes --]

On Wed, Dec 01, 2021 at 10:23:37PM +0300, Dmitry V. Levin wrote:
> On Tue, Aug 24, 2021 at 11:24:32AM +0300, Arseny Maslennikov wrote:
> > Signed-off-by: Arseny Maslennikov <arseny@altlinux.org>
> > ---
> >  hasher-priv/chrootuid.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> > 
> > diff --git a/hasher-priv/chrootuid.c b/hasher-priv/chrootuid.c
> > index 89c112e..357d3ef 100644
> > --- a/hasher-priv/chrootuid.c
> > +++ b/hasher-priv/chrootuid.c
> > @@ -134,6 +134,11 @@ chrootuid(uid_t uid, gid_t gid, const char *ehome,
> >  	/* Set close-on-exec flag on all non-standard descriptors. */
> >  	cloexec_fds();
> >  
> > +	sigset_t sigmask;
> > +
> > +	sigemptyset(&sigmask);
> > +	sigprocmask(SIG_SETMASK, &sigmask, NULL);
> > +
> >  	block_signal_handler(SIGCHLD, SIG_BLOCK);
> >  
> >  	if ((pid = fork()) < 0)
> 
> Assuming it really should reset the signal mask (I don't have the context

Parent processes use signalfd(2) to handle signals and block those
signals before opening the signalfd.

% git grep -nF 'sigprocmask('                            
hasher-priv/caller_server.c:236:        sigprocmask(SIG_SETMASK, &mask, NULL);
hasher-priv/chrootuid.c:140:    sigprocmask(SIG_SETMASK, &sigmask, NULL);
hasher-priv/hasher-privd.c:315: sigprocmask(SIG_SETMASK, &mask, NULL);
hasher-priv/signal.c:27:        if (sigprocmask(what, &set, 0) < 0)

> to say whether it should or not), looks like it should rather be written as
> 
> 	block_signal_handler(SIGCHLD, SIG_SETMASK);
> 
> instead of
> 
> 	sigset_t sigmask;
> 	sigemptyset(&sigmask);
> 	sigprocmask(SIG_SETMASK, &sigmask, NULL);
> 	block_signal_handler(SIGCHLD, SIG_BLOCK);
> 
> ?

I'd never seen a call like block_signal_handler(*, SIG_SETMASK)
in hasher-priv codebase at the time + I decided to make the patches as
non-intrusive to the unchanged part of the codebase as possible.
That's why I wrote this as is; I don't mind to change it, though.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [devel] [PATCH hasher-priv v3 3/7] chrootuid: explicitly reset signal mask before forking off payload
  2021-12-03 15:03     ` Arseny Maslennikov
@ 2021-12-03 16:06       ` Dmitry V. Levin
  0 siblings, 0 replies; 11+ messages in thread
From: Dmitry V. Levin @ 2021-12-03 16:06 UTC (permalink / raw)
  To: devel

On Fri, Dec 03, 2021 at 06:03:31PM +0300, Arseny Maslennikov wrote:
> On Wed, Dec 01, 2021 at 10:23:37PM +0300, Dmitry V. Levin wrote:
> > On Tue, Aug 24, 2021 at 11:24:32AM +0300, Arseny Maslennikov wrote:
> > > Signed-off-by: Arseny Maslennikov <arseny@altlinux.org>
> > > ---
> > >  hasher-priv/chrootuid.c | 5 +++++
> > >  1 file changed, 5 insertions(+)
> > > 
> > > diff --git a/hasher-priv/chrootuid.c b/hasher-priv/chrootuid.c
> > > index 89c112e..357d3ef 100644
> > > --- a/hasher-priv/chrootuid.c
> > > +++ b/hasher-priv/chrootuid.c
> > > @@ -134,6 +134,11 @@ chrootuid(uid_t uid, gid_t gid, const char *ehome,
> > >  	/* Set close-on-exec flag on all non-standard descriptors. */
> > >  	cloexec_fds();
> > >  
> > > +	sigset_t sigmask;
> > > +
> > > +	sigemptyset(&sigmask);
> > > +	sigprocmask(SIG_SETMASK, &sigmask, NULL);
> > > +
> > >  	block_signal_handler(SIGCHLD, SIG_BLOCK);
> > >  
> > >  	if ((pid = fork()) < 0)
> > 
> > Assuming it really should reset the signal mask (I don't have the context
> 
> Parent processes use signalfd(2) to handle signals and block those
> signals before opening the signalfd.

The question is what is the correct place to unblock them.

> % git grep -nF 'sigprocmask('                            
> hasher-priv/caller_server.c:236:        sigprocmask(SIG_SETMASK, &mask, NULL);
> hasher-priv/chrootuid.c:140:    sigprocmask(SIG_SETMASK, &sigmask, NULL);
> hasher-priv/hasher-privd.c:315: sigprocmask(SIG_SETMASK, &mask, NULL);
> hasher-priv/signal.c:27:        if (sigprocmask(what, &set, 0) < 0)

sigprocmask has a return value, it must be tested in all cases.

> > to say whether it should or not), looks like it should rather be written as
> > 
> > 	block_signal_handler(SIGCHLD, SIG_SETMASK);
> > 
> > instead of
> > 
> > 	sigset_t sigmask;
> > 	sigemptyset(&sigmask);
> > 	sigprocmask(SIG_SETMASK, &sigmask, NULL);
> > 	block_signal_handler(SIGCHLD, SIG_BLOCK);
> > 
> > ?
> 
> I'd never seen a call like block_signal_handler(*, SIG_SETMASK)
> in hasher-priv codebase at the time + I decided to make the patches as
> non-intrusive to the unchanged part of the codebase as possible.
> That's why I wrote this as is; I don't mind to change it, though.

Well, it's a very unusual approach when you're rewriting the whole thing.


-- 
ldv


^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2021-12-03 16:06 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-24  8:24 [devel] [PATCH hasher-priv v3 0/7] hasher-privd Arseny Maslennikov
2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 1/7] Turn hasher-priv into a daemon Arseny Maslennikov
2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 2/7] sockets: xsendmsg: get rid of SIGPIPE on socket writes Arseny Maslennikov
2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 3/7] chrootuid: explicitly reset signal mask before forking off payload Arseny Maslennikov
2021-12-01 19:23   ` Dmitry V. Levin
2021-12-03 15:03     ` Arseny Maslennikov
2021-12-03 16:06       ` Dmitry V. Levin
2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 4/7] Link with libsetproctitle by Dmitry V. Levin Arseny Maslennikov
2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 5/7] daemon: set titles for subprocesses Arseny Maslennikov
2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 6/7] Add systemd and sysvinit service files Arseny Maslennikov
2021-08-24  8:24 ` [devel] [PATCH hasher-priv v3 7/7] Install hasher-priv without set ugids Arseny Maslennikov

ALT Linux Team development discussions

This inbox may be cloned and mirrored by anyone:

	git clone --mirror http://lore.altlinux.org/devel/0 devel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 devel devel/ http://lore.altlinux.org/devel \
		devel@altlinux.org devel@altlinux.ru devel@lists.altlinux.org devel@lists.altlinux.ru devel@linux.iplabs.ru mandrake-russian@linuxteam.iplabs.ru sisyphus@linuxteam.iplabs.ru
	public-inbox-index devel

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://lore.altlinux.org/org.altlinux.lists.devel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git