source: web/old/remctl-2.14/NEWS @ f6f3e91

Last change on this file since f6f3e91 was f6f3e91, checked in by Jessica B. Hamrick <jhamrick@…>, 15 years ago

Preserve directory hierarchy (not sure what happened to it)

                       User-Visible remctl Changes

remctl 2.14 (2009-05-22)

    The remctld configuration file may now specify that one argument to a
    command is passed on standard input instead of on the command line
    using the stdin= option.  This option allows passing data to commands
    that's too long to fit into a command-line argument or that contains
    nul characters.

    remctld logging of commands or arguments now replaces unprintable
    characters (characters between ASCII 0 and 31 and ASCII 127) with
    periods rather than assuming syslog will cope with them correctly.

    Use command and subcommand as the names for the first two parameters
    to the remctl client and the first two strings in a remctl command
    instead of the unintuitive "type" and "service" terminology borrowed
    from sysctl.  This only changes documentation and some internal
    variable names; no external APIs should be affected.

    Declare message_fatal_cleanup extern in util.h.  Fixes compilation
    problems on Mac OS X and probably elsewhere.

    Diagnose and explicitly reject on the server nul characters in command
    arguments that don't support them rather than truncating the argument
    silently.

    Plug several memory leaks in the remctld server.  (These would have
    little practical effect unless a client stayed connected and issued
    multiple commands.)

    The protocol now permits commands with no arguments.  remctld
    currently doesn't support them, but now returns ERROR_UNKNOWN_COMMAND
    instead of ERROR_BAD_COMMAND when receiving one.

    Add documentation on extending remctl in docs/extending.

    Add initial protocol version three draft in docs/protocol-v3.

    Better check logmask options when parsing the server configuration
    file and report errors instead of silently ignoring them.  Masking the
    command is also no longer supported (it previously worked by
    accident).

    Support building against Solaris 10's native generic GSS-API
    libraries.  Thanks, Peter Eriksson.

    Update to rra-c-util 1.0:

    * Fix open call parameters in daemon portability test.
    * Fix AI_ADDRCONFIG portability on BSD/OS systems.
    * Split die into a separate object to not link it in shared libraries.
    * Don't break if the user clobbers CPPFLAGS at build time.
    * Correctly set -L options with --with-gssapi-lib, not -I.
    * Change AC_TRY_* to AC_*_IFELSE as recommended by Autoconf.
    * Update portable and util test suite for C TAP Harness 1.0.
    * Use native Kerberos instead of forking kinit in test suite.

    Update to C TAP Harness 1.0:

    * Rewrite of all test cases to use the new TAP library support.
    * Much improved and simplified builddir != srcdir test suite support.
    * Support running a single test with tests/runtests -o.
    * Correctly handle completely skipped tests, like client/pod.
    * Better reporting of fatal errors in the test suite.

remctl 2.13 (2008-11-14)

    Add support for ACL methods in the remctld server.  The supported
    schemes in this release are file and princ, which together provide the
    same functionality as earlier releases, plus deny to explicitly reject
    a user who matches another ACL and support for the CMU GPUT
    authorization system.  There is now a framework in place for adding
    new ACL methods in the future.  This work was contributed by Jeffrey
    Hutzelman.

    When processing the include of a directory for configuration files or
    ACL files, limit the files read to those whose names contain only
    characters in [a-zA-Z0-9_-].  This replaces the previous exclusion of
    files containing periods and also excludes Emacs backup and temporary
    files.  Thanks, Timothy G. Abbott.

    Add a PHP remctl PECL module from Andrew Mortensen, enabled with
    --enable-php at configure time.  These bindings are only tested with
    PHP 5.

    Add Python bindings from Thomas L. Kula, enabled with --enable-python
    at configure time.  These bindings are tested with Python 2.5 but
    should work with versions back to 2.3.

    Include all *.class files in the JAR file built by java/Makefile,
    making the resulting JAR actually useful.  Thanks, Marcus Watts.

    Add an ant build configuration for the Java remctl implementation.
    It also has the capability to generate a distribution of just the Java
    implementation using a file layout more similar to an Apache Jakarta
    project than the layout of the java subdirectory.

    Several Windows fixes from Matthew Loar, plus really include
    portable/winsock.c in the distribution.  This version should now build
    and run on Windows.

    With --with-gssapi, attempt to determine if the library directory is
    lib32 or lib64 instead of lib and set LDFLAGS accordingly.  Based on
    an idea from the CMU Autoconf macros.

    Add --with-gssapi-include and --with-gssapi-lib options to set the
    include and library paths separately if needed.

    Restore GSS-API portability checks for old versions of MIT Kerberos
    accidentally dropped in the previous release.

    Provide a proper bool type when built with Sun Studio 12 on Solaris
    10.  Thanks, Jeffrey Hutzelman.

    Sanity-check the results of krb5-config before proceeding and error
    out in configure if they don't work.

    Fix Autoconf syntax error when probing for libkrb5support.  Thanks,
    Mike Garrison.

    Create the docs directory in the build tree if it's missing, fixing a
    build failure when builddir != srcdir.  Thanks, Jeffrey Hutzelman.

    In standalone mode, close the main server socket immediately in the
    child handler processes.  Since the socket was already marked close on
    exec, this probably only matters for consistent test suite results,
    ensuring that the port is released immediately, but it's more correct.

remctl 2.12 (2008-04-04)

    If no server principal is specified on the remctl command line or in
    the remctl() or remctl_open() C or Perl library interfaces, remctl now
    uses a host-based service name for the server instead of a Kerberos
    principal of host/server.  The practical effect of this is that
    domain-realm mapping rules will be applied rather than assuming the
    server's principal is in the local domain and, for the C and Perl
    library interfaces, server name canonicalization will be done if
    configured in the GSS-API library.  Users of the C or Perl library
    interfaces will find that remctl now authenticates to a principal for
    the host after a forward and reverse DNS lookup instead of the host
    specified in the API call with most GSS-API libraries.  To disable
    this canonicalization behavior, see your GSS-API library
    documentation; setting rdns in [libdefaults] to false works for MIT
    Kerberos.  The remctl command-line client continues to canonicalize
    its host argument always prior to any network connection or GSS-API
    calls.

    Add documentation of hostname canonicalization and the choice of
    authentication principals to the remctl client, remctl() and
    remctl_open() C API, and Net::Remctl Perl API documentation.

    Fix a place in libremctl where the library would call exit rather than
    returning an error on memory allocation failure.

    Standardize on lowercase first characters in library error strings.

    Include the Windows port of the client done by Matthew Loar.  See
    README for information on requirements and compilation.  Only the
    client shared library and command-line utility are supported or built
    currently.  I cannot easily test this code and probably broke it when
    integrating the patch; please report any problems so that they can be
    fixed in subsequent releases.

    When running the server in standalone mode, set the network file
    descriptors close-on-exec so that they're not inherited by commands
    run by remctl.  Also close the low-numbered file descriptors before
    running a command to catch the replay cache file, which isn't marked
    close-on-exec in older versions of MIT Kerberos.

    When passing a variable set to undef into remctl_open in the Perl API,
    the principal was converted to the empty string.  Adjust Net::Remctl
    to recognize the empty string as an unspecified principal.

    The configure option to specify the path to the GSS-API libraries is
    now --with-gssapi instead of --with-kerberos and the GSS-API probes
    should be more robust.

    Delete the man page symlinks before recreating them so that reinstalls
    work.  Thanks, Nicholas Riley.

    Belatedly bump the libtool versioning for libremctl for the port
    number change in the previous release.  (This is primarily for
    documentation purposes and doesn't change the library SONAME.)

remctl 2.11 (2007-11-09)

    remctl now has an official port registered with IANA (4373), replacing
    the original, poorly-chosen port of 4444.  The previous port conflicts
    with the krb524 service.  The remctld server and example configuration
    files have been changed to bind to port 4373 by default if no port is
    specified.  The client will attempt to connect to port 4373 first if
    no port is specified and then fall back to trying 4444.  All sites
    running remctl are encouraged to upgrade their clients and then
    migrate their servers to the new port.  Support for the old port
    without explicit configuration will be phased out in a future release.

    Stop using stdout and stderr as structure members, fixing compilation
    problems on AIX, NetBSD, and other platforms.

    Fix (non-exploitable) segfaults in remctld when sent a command with a
    type and no service (not permitted by the command-line client but
    possible with the library API).  Thanks to Marcus Watts for the
    analysis.

    Port to the Kerberos GSS-API implementation shipped with AIX 5.2.
    Thanks to Sandor Sklar for bug reports and testing.

    Improve the configuration file documentation in the remctld man page.
    Document the first-match properties.

remctl 2.10 (2007-08-26)

    Include a rewritten Java client and a Java server implementation, both
    by Marcus Watts.  The rewritten Java client supports protocol version
    two and works with Sun Java 1.4.2, 5, and 6.

    Fix a (non-exploitable) remctld crash when the client sent more
    command arguments than it claimed it was going to send.  Thanks,
    Marcus Watts.  Also added a test with a variety of malformed command
    tokens in an effort to keep bugs like this from going unnoticed in the
    future.

    The remctl client now also requests sequence protection, but the
    client and server do not insist on it or on replay protection since
    Heimdal 0.6 doesn't support replay protection.  This has been
    documented in the protocol specification as well.

    remctld when running in stand-alone mode now removes the PID file (if
    any) and exits cleanly after receiving SIGINT or SIGTERM.  Based on a
    patch by Marcus Watts.

    remctld when running in stand-alone mode now re-reads its
    configuration file after receiving a SIGHUP.

    Don't self-destruct after an hour in stand-alone mode, fixing a bug
    introduced in 2.8.

    The libremctl client library now uses symbol versioning on Linux.

    Allow port and principal to be omitted in calls to Net::Remctl::open,
    matching the documentation.  Thanks, Marcus Watts.

    Include a dummy symbol in libportable so that it always contains at
    least one object.  Fixes compilation problems on Mac OS X 10.4 and
    Solaris 10.

    Fix builds outside the source directory by creating the docs directory
    properly, based on a patch by Marcus Watts.  Also fix make clean and
    the POD tests when run outside the source directory.

    Change the Net::Remctl documentation for remctl() to suggest 0 and the
    empty string as default values for port and principal, since this
    avoids Perl warnings.

    Check for the MIT Kerberos GSS-API library first in reduced dependency
    mode for improved reproducibility of the Debian build.

remctl 2.9 (2007-06-29)

    Fix remctl client library crashes due to an uninitialized variable
    when the network connection fails.

    Added complete C API documentation (as section 3 manual pages) for the
    libremctl library.

    Fix several inaccuracies in the Net::Remctl API documentation.
    Thanks, Alf Wachsmann.

    Pass DESTDIR to the Perl module installation as well.  Thanks, Darren
    Patterson.

remctl 2.8 (2007-06-27)

    Add a Net::Remctl Perl module, optionally compiled (and enabled with
    the --enable-perl configure flag), that provides native Perl bindings
    to the libremctl client library.

    Fix various null pointer dereferences in the simplified remctl client
    library call when the server returns an error.

    When running in stand-alone mode, remctld now forks a new child for
    each incoming connection and can therefore handle multiple
    simultaneous connections.  This makes stand-alone mode useful for more
    than just testing.  Also, remctld now backgrounds itself by default in
    stand-alone mode; disable this with the -F flag.  Based on a patch by
    Andrew Mortensen.

    Add a new -k flag to remctld to tell it to use a non-default keytab.
    Thanks, Andrew Mortensen.

    Default to port 4444 in the library if a port of 0 is passed in, and
    (following the documentation) default to host/<hostname> if a NULL
    principal is passed in.

    remctld now exits properly when it can't parse its configuration file
    rather than proceeding with a null configuration.

    Fix problems with the parameter types for GSS-API memory freeing
    functions in some error cases.

    In the test suite, fix the kinit flags for MIT Kerberos 1.6.

remctl 2.7 (2007-03-25)

    In remctld, consider the command complete once the child process
    exits.  Do not wait for its standard output and error to be closed,
    since the child process may have spawned a long-running daemon that
    doesn't clean up its file descriptors properly.

    When the command-line remctl client canonicalizes the name of the
    server host to get the right principal, it then needs to connect to
    the canonical hostname.  Otherwise, DNS schemes that return a
    different answer each time one asks for a given host may cause remctl
    to connect to a different host than the canonical name used for the
    principal, resulting in authentication failure.

    Fixed a subtle bookkeeping error when sending commands larger than the
    maximum token size that would have resulted in malformed tokens for
    boundary cases of argument lengths.

    Fixed memory and file descriptor leaks in remctld that only become
    apparent when the server runs many commands before exiting.

    Various minor fixes so that make warnings and make check work on a
    Solaris 8 system without IPv6 configured.

    Use a portability wrapper around the GSS-API header to avoid repeating
    the same portability code in every file.

remctl 2.6 (2007-02-03)

    SECURITY: If an ACL listed for a command didn't exist, the
    authorization check was treated as a success instead of a failure.
    This had, embarrassingly, apparently been broken since at least 2.0.

remctl 2.5 (2007-02-03)

    Automatically use a continued MESSAGE_COMMAND if the total command
    length is larger than 64KB (minus token overhead).  The remctl client
    library can now send arbitrarily large commands, at some cost in
    memory consumption on the client and server.  The server is still
    limited by the OS-imposed maximum length of a command line.

    When the server runs a command, open /dev/null for standard input
    rather than leaving standard input closed.  Some programs don't cope
    with a closed standard input.

    Audited memory handling of buffers sent to and read from the network
    and closed several memory leaks.

    Use the same limit (1MB) on token size everywhere.  Enforce the
    protocol limit on unencrypted data size (64KB) in both the server and
    when sending messages in the client.

    Correctly handle a zero-length argument at the end of a command in the
    server.  Previously, that argument was ignored.

    Check that the expected argument count matches the count of arguments
    seen in the server and that all of the client data was consumed when
    parsing arguments.

    Add a newline to the end of error messages when converting to protocol
    version one replies.  The old remctl client didn't add a newline.

    Document the limits on token size and unencrypted data size in the
    protocol specification.  Improve the protocol documentation for the
    continue status for MESSAGE_COMMAND.  Use octet instead of byte
    uniformly.

remctl 2.4 (2007-01-17)

    IPv6 support is now automatically enabled on systems that support it.
    The remctl code uniformly uses the new IPv6-aware host and address
    functions, using replacements on systems that don't provide them in
    libc.  Thanks to Jonathan Kollasch for the initial patch.

    When sending tokens, correctly check for network errors rather than
    ignoring them due to a miswritten test.

    In the remctl command-line client, print a newline after protocol
    error messages from the server.

    Add error messages to the protocol specification for sending too many
    arguments in a command and sending too much data with a command.
    Return the more specific error message if the number of command
    arguments exceeds the current hard-coded limit rather than just
    reporting a bad command token.

    Don't use $< in non-pattern rules (again), fixing a build error on
    some systems with non-GNU make (although since the generated man
    pages are part of the distribution, only those modifying the POD
    source would have seen this error).

remctl 2.3 (2006-12-06)

    Increase the maximum number of arguments the server will accept for a
    command to 4096 from 64.  This is an arbitrary limit to protect
    against memory-consumption denial-of-service attacks.
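
The server-side argument checks these entries describe (the 4096-argument limit above, the count and consumed-data checks and the zero-length final argument from 2.5, and the over-count crash fixed in 2.10), as an added example that is not remctl's own code. It assumes a simplified framing, a 4-octet big-endian argument count followed by length-prefixed arguments; parse_args, status_of, struct arg and the ARGS_* names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed framing (illustration only): 4-octet big-endian argument count,
 * then per argument a 4-octet big-endian length followed by the data. */
#define MAX_ARGS 4096 /* server limit quoted in the 2.3 entry */

enum args_status { ARGS_OK, ARGS_TRUNCATED, ARGS_TOO_MANY, ARGS_TRAILING, ARGS_NOMEM };

struct arg {
    const unsigned char *data; /* points into the caller's buffer */
    size_t length;
};

static uint32_t read_u32(const unsigned char *p)
{
    return ((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16)
           | ((uint32_t) p[2] << 8) | (uint32_t) p[3];
}

/* Parse buf into a newly allocated argument array (caller frees *out). */
enum args_status
parse_args(const unsigned char *buf, size_t len, struct arg **out, size_t *n)
{
    size_t off = 4; /* invariant once len >= 4 is known: off <= len */
    uint32_t claimed, alen, i;
    struct arg *args;

    *out = NULL;
    *n = 0;
    if (len < 4)
        return ARGS_TRUNCATED;
    claimed = read_u32(buf);
    if (claimed > MAX_ARGS) /* bound the count before allocating by it */
        return ARGS_TOO_MANY;
    args = calloc(claimed > 0 ? claimed : 1, sizeof(*args));
    if (args == NULL)
        return ARGS_NOMEM;
    for (i = 0; i < claimed; i++) {
        if (len - off < 4)
            goto truncated;
        alen = read_u32(buf + off);
        off += 4;
        if (alen > len - off) /* compare against the octets that remain */
            goto truncated;
        args[i].data = buf + off;
        args[i].length = alen; /* zero is valid, including for the last */
        off += alen;
    }
    if (off != len) { /* leftover octets: more sent than the count claimed */
        free(args);
        return ARGS_TRAILING;
    }
    *out = args;
    *n = claimed;
    return ARGS_OK;
truncated:
    free(args);
    return ARGS_TRUNCATED;
}

/* Constructed sample messages, not captured traffic. */
static const unsigned char good[] = {0,0,0,2, 0,0,0,4,'t','e','s','t', 0,0,0,0};
static const unsigned char extra[] = {0,0,0,1, 0,0,0,1,'a', 0,0,0,1,'b'};
static const unsigned char cut[] = {0,0,0,2, 0,0,0,1,'a'};
static const unsigned char huge[] = {0,0,0x10,0x01};

/* Parse, release the result, and report only the status. */
enum args_status status_of(const unsigned char *buf, size_t len)
{
    struct arg *args;
    size_t n;
    enum args_status s = parse_args(buf, len, &args, &n);

    free(args);
    return s;
}

int main(void)
{
    printf("good=%d extra=%d cut=%d huge=%d\n", status_of(good, sizeof(good)),
           status_of(extra, sizeof(extra)), status_of(cut, sizeof(cut)),
           status_of(huge, sizeof(huge)));
    return 0;
}
```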

    Document the exit status of the remctl client.

    Add the -S flag to remctld, which tells it to log to standard output
    and standard error rather than syslog.  Use this flag in the test
    suite so that make check doesn't spew into a system's syslog.

    Require Automake 1.10 and Autoconf 2.60 and use AC_CONFIG_LIBOBJ_DIR
    to locate replacements for missing system functions.  This means that
    an Automake patch is no longer required for bootstrapping and remctl
    will now work with stock Autoconf and Automake.

remctl 2.2 (2006-09-08)

    Add appropriate casts when passing size_t variables to printf on
    64-bit systems.

    Include <sys/socket.h> in appropriate places for socklen_t on Solaris.

    Make the xmalloc test suite indifferent to filename differences from
    builddir != srcdir builds.

    Work around strange GCC 4.1 behavior on AMD64 that creates a const
    temporary variable in the macro expansion of the W* wait macros on
    glibc systems, causing the build of runtests to fail.  For some reason
    this apparently only affects AMD64.

    Redirect /dev/null into kinit in the test suite so that the Heimdal
    syntax doesn't cause an MIT kinit to hang.

    Try all kinit variants in the remctl client test as well as the C API
    tests.

remctl 2.1 (2006-08-22)

    Set REMOTE_USER in the environment for commands run by remctld, using
    the same value as REMUSER.  This makes it easier to use programs that
    also run as CGI scripts.  Also set REMOTE_ADDR to the IP address of
    the remote host and set REMOTE_HOST to the hostname if available.

    Stop setting SCPRINCIPAL in the environment.  This was for backward
    compatibility with sysctl and it's highly unlikely that anyone still
    cares (not to mention that the value was qualified with the realm and
    therefore didn't match sysctld's setting anyway).

    Properly nul-terminate error replies when using the simplified remctl
    client API.

    Support make check with builddir != srcdir builds.  Thanks to Ralf
    Wildenhues for the help in identifying the issues.

remctl 2.0 (2006-08-09)

    Implement a new version 2 protocol, with automatic down-negotiation
    to the old protocol for backward compatibility.  The new protocol is
    more binary-safe for command arguments, supports streaming output
    from the server, allows distinguishing between stdout output and
    stderr output, has no arbitrary limits on output size, and supports
    persistent connections.

    Document the details of the remctl protocol, both the old version 1
    protocol and the new version 2 protocol, in hopefully sufficient
    detail for anyone else to implement it.

    Don't consider inclusion of empty directories in a configuration file
    an error.

    Add the -P flag to remctld to write its PID to a file when invoked in
    stand-alone mode.

    Add an automated test suite.

    Completely rewrite the build system to use Automake, a supporting
    utility library, separate subdirectories for different parts of the
    source tree, and a wrapper include file for system headers.

    Don't use $< in non-pattern rules, fixing a build error on some
    systems with non-GNU make.

remctl 1.12 (2006-01-01)

    Initialize memory properly when parsing the server configuration file.

    Library probes with --enable-static cannot use krb5-config, since we
    can't distinguish between the Kerberos libraries that should be static
    and the system library dependencies that must not be made static.

remctl 1.11 (2005-12-22)

    Support include directives in remctld ACL files with the same syntax
    and semantics as include directives in configuration files.

    Stop option parsing at the first non-option on Linux (this is the
    standard behavior of getopt on other platforms).  Otherwise, calling
    remote programs that take options is annoying.

    Use krb5-config where available to get Kerberos libraries and compiler
    flags unless --enable-reduced-depends is used.

    Fix builds and installs where builddir != srcdir.

    Initial port to Heimdal.  remctl now compiles but isn't able to talk
    to a server built with MIT Kerberos, so further porting is still
    needed.

    Remove some debugging code for displaying the GSS-API OID as a string
    that isn't supported by the Heimdal API and is of questionable
    usefulness regardless.

remctl 1.10 (2005-12-01)

    Move the -v option to remctl and remctld to -d (debug), since the
    verbose output or logging is only really useful when debugging.

    Add -h (show usage) and -v (show version) options to both remctl
    and remctld and add real option parsing (so combining multiple options
    in one switch should now work).

    Overhaul error and status reporting in remctl and remctld.  Among
    other advantages, this should eliminate any lingering format string
    worries and get rid of the trailing newlines in syslog messages from
    remctld, as well as regularize the text of the error messages and the
    priority of syslog messages.

remctl 1.9 (2005-05-10)

    Fix serious bug with inclusion of configuration directories.  When
    reading any file after the first, remctl would use random bits of
    memory as the file name.

remctl 1.8 (2005-05-04)

    Support include <file> in the configuration file.  Also support
    including a directory, which includes every file in that directory
    that doesn't have a period in the name.

    Support continuation lines (using backslash) in the configuration
    file, and clean up the parser to be more flexible about whitespace on
    otherwise empty lines or comment lines.

    Change the default remctl.conf location to be relative to sysconfdir
    (<prefix>/etc by default) instead of the current directory.

    remctld now only logs the initial connection authentication and the
    argument count if -v was given, reducing to one the number of syslog
    messages per command.

    Improve the remctld man page, documenting all of the supported options
    including stand-alone mode.

remctl 1.7 (2005-02-22)

    Close extra file descriptors before spawning a child process in
    remctl.  The only file descriptors open should be standard output and
    standard error.  This will fix problems with using remctld to start
    long-running daemons; before, remctld would never realize that the
    child process had exited.

    Use select to wait for child output in remctld rather than
    busy-waiting so as not to burn CPU cycles when the child takes a while
    to produce output.

    Document the -p option for the client.

remctl 1.6 (2004-05-18)

    Fix format string vulnerabilities when logging the remote command.

remctl 1.5 (2004-03-04)

    Fix a bug in remctld where it would segfault when trying to check the
    ACLs for a command not present in the configuration file.

    Portability fix to return the exit status of the command in network
    byte order.

remctl 1.4 (2003-11-12)

    Add support for a logmask=n option in the configuration file that
    masks those arguments in the logging output (used when some of the
    options for that command contain private information).

    Add optimizations in the GSS code to do fewer network writes.

    Significant improvements to the Java client.

    Some minor cleanups to logging, installation, and the configure
    script.

remctl 1.3 (2003-07-21)

    Exit with non-zero status if the remote command failed rather than
    always exiting with zero status if the network exchange worked
    successfully.

    Adjust logging priorities and include some additional information in
    the log of the command.

    Improved the README and added a make dist target to the makefile.

remctl 1.2 (2003-04-04)

    Read from both standard out and standard error of the spawned command
    in turn to better prevent deadlock.

    Set the REMUSER environment variable to the remote authenticated user
    (and continue setting SCPRINCIPAL as well for backward compatibility).

remctl 1.1 (2003-02-28)

    Add an snprintf implementation for systems that don't have it and use
    it for log messages.

    Additional fleshing out of the Java client.

    Lots of code cleanup and style fixes.

remctl 1.0 (2002-11-22)

    Initial release.