-
Notifications
You must be signed in to change notification settings - Fork 14
/
NEWS
1541 lines (1148 loc) · 68.1 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
User-Visible remctl Changes
remctl 3.18 (2022-05-08)
Add support for PCRE2 for pcre ACLs and use it by preference over
PCRE1 if it is found. UTF-8 regular expressions are not enabled by
default, but can be enabled by adding (*UTF) to the beginning of the
regular expression (a standard PCRE2 feature not specific to remctl).
Document that pcre and regex ACL expressions are not automatically
anchored at the start and end of the principal name, so they should be
explicitly anchored in the configuration unless one intends to allow
partial matches.
The Perl libraries and the remctl test suite now require Perl 5.10 or
later.
Document sending SIGHUP to remctld when running in stand-alone mode to
ask it to re-read its configuration file, and document that SIGTERM
will cause it to exit. (Fixes #30)
Mark remctl client library functions that allocate memory with their
corresponding deallocation functions so that GCC 11 and later can
diagnose memory deallocation bugs.
Remove remaining references to pytest-runner in the Python bindings.
Thanks, Ken Dreyer.
Switch the Ruby bindings tests to Minitest from Test::Unit. Thanks,
Ken Dreyer.
Update to rra-c-util 10.2:
* Fix IN6_ARE_ADDR_EQUAL Autoconf probe on macOS.
* Fix compiler flag probes with Clang.
* Check that Kerberos headers can be included.
* Fix util/fdflag test on Solaris 11 and OpenBSD.
* Suppress some additional warnings in GCC 10.
remctl 3.17 (2020-12-13)
Port the PHP extention to PHP 8. This required declaring the
arguments to the functions (which should have been done with PHP 7)
and removing some obsolete constructs.
Make the Python install_requires dependency on typing conditional on
Python versions earlier than 3.5 so that setuptools won't attempt to
download typing when it's part of the standard library. Thanks to
Gianfranco Costamagna and Matthias Klose for the bug report.
Fix the Python module build to more reliably test the newly-built
module and to enable verbose testing.
Fix non-Kerberos network tests on hosts with no IPv4 addresses. In
this case, the network tests for binding all configured addresses will
bind only to IPv6, which broke some prior assumptions in the test
suite. Thanks to Niko Tyni for the bug report. Note that the tests
that require a Kerberos setup will still fail in this scenario, since
they assume remctld will bind to 127.0.0.1 by default.
Stop providing a replacement for a broken snprintf and assume the libc
version works correctly. This portability code has proven difficult
to maintain, and was only relevant for ancient proprietary UNIX
versions that have been obsolete for many years.
Update to rra-c-util 8.4:
* Fix reallocarray prototyping on NetBSD.
* Fix getnameinfo tests on musl-based Linux distributions.
* Include string.h when probing for getaddrinfo properties.
* Fix Perl style issues found by Perl::Critic::Freenode.
* Fix support for configuring the test suite with a krb5.conf file.
* Fix tests when the system krb5.conf file does not set default_realm.
* Ignore files in tests/config when checking for license identifiers.
* Ignore object files when checking for license identifiers.
* Drop support for Perl 5.6.
* Reformat all C source using clang-format 10.
* Remove bogus snprintf tests.
Update to C TAP Harness 4.7:
* Fix warning with GCC 10.
remctl 3.16 (2019-10-26)
The Python bindings now support Python 3. They have been tested only
with Python 2.7 and Python 3.7, but should work with any version of
Python 3 later than Python 3.1.
The Python bindings have been modernized to remove obsolete syntax,
which may mean that versions of Python back to Python 2.3 are no
longer supported. The bindings are only tested with Python 2.7.
Passing in anything other than an iterable of str or bytes as the
command to run is deprecated and support for using objects that can be
converted to str in commands will be removed in a future release.
Update the Python bindings documentation to use proper Python types
and to document how str and bytes values are handled.
Building the Python bindings now requires the setuptools, pytest,
pytest-runner, and typing Python modules.
Add -t flag to the remctl client to specify the network timeout.
Thanks, Remi Ferrand.
Fix NULL pointer dereference in the client library if allocation of
memory fails, caught by cppcheck.
Add GCC attributes to the declarations of the libremctl client
functions, which will allow some minor optimization improvements and
better compiler errors about NULL pointers.
Check for minimum versions of Perl or Python during configure if
building the Perl or Python bindings is requested.
More correctly handle user-supplied CFLAGS in combination with make
warnings when building the PHP bindings. Add the warning flags to
AM_CFLAGS instead of CFLAGS and pass user-supplied CFLAGS through to
configure (but not the warning flags). Thanks, Ken Dreyer.
Fix Kerberos library probing with --enable-reduced-depends and
correctly suppress probing for Kerberos library features when no
Kerberos library is present.
Update to rra-c-util 8.0:
* Skip more Automake files in tests.
* Fix warnings with current versions of GCC and cppcheck.
Update to C TAP Harness 4.5:
* Fix error checking for malloc failure in bstrndup.
remctl 3.15 (2018-05-05)
Fix a bug where output could have been truncated for a command run by
the server that was accepting an argument on standard input, if it
exited before reading all of the input data. Incorrect server logic
disabled reads from the child process on write failure, so could have
missed the last buffer of output from the child. This was only seen
under valgrind testing, not reported as a bug, so it's not clear how
widespread of a problem this was.
Validate command argument count, the length of command arguments, and
the length of blocks of output from the server fit into the data type
used in the wire protocol.
Check the port argument to remctl and remctld to ensure that it is a
valid port number.
Add maintainer check-cppcheck target to run cppcheck across the source
base with a standard configuration. Fix all issues found by cppcheck.
Rework the check-valgrind target to use the new C TAP Harness valgrind
support and automatically check the valgrind log files for errors at
the end of the test suite. This catches the bad free that caused the
security issue in 3.14.
Flesh out support for Clang warnings and compile cleanly under Clang
with most warnings enabled (-Weverything with some exclusions).
Add SPDX-License-Identifier headers to all substantial source files.
Update to rra-c-util 7.1:
* Avoid spurious test failures from the network library.
* Fix configure output when a Kerberos install prefix was provided.
* Fix new warnings in GCC 7 and add new warning flags.
* Fix all warnings from the Clang static analyzer.
* Fix warnings under Clang with most warnings enabled.
* Define UINT32_MAX for systems that don't have it.
* Support running remctld under valgrind for memory leak testing.
* Update the valgrind suppression file.
Update to C TAP Harness 4.3:
* Add support for valgrind testing via test list options.
* Report test failures as left and right, not wanted and seen.
* Fix is_string comparisons involving NULL pointers and "(null)".
remctl 3.14 (2018-03-31)
SECURITY: Fix use-after-free and double-free when handling the sudo
option in the remctld and remctl-shell server. For remctl-shell, this
will occasionally produce a spurious non-zero exit status for a
command that succeeded. For remctld, the normal consequence is a
server process crash after running a command with the sudo option, but
it may be possible (albeit difficult) for a streaming client to abuse
this bug to execute an arbitrary command on the server or corrupt
server memory. Thanks, Santosh Ananthakrishnan. (CVE-2018-0493)
remctl 3.13 (2016-10-10)
remctl-shell now also supports being run as a forced command from
authorized_keys (or other methods). This may be preferrable to using
it as a shell since it doesn't require setting non-standard sshd
options.
The summary configuration option is now allowed for commands with
subcommands other than ALL. When generating a help summary (done in
response to the command "help" with no arguments), command lines with
a subcommand and a summary option will be run with two arguments: the
value of the summary option and then the subcommand. This allows
proper generation of command summaries even for users who only have
access to a few subcommands of a command. Patch from Remi Ferrand.
The build system now supports new REMCTL_PROGRAM_CFLAGS and
REMCTL_PROGRAM_LDFLAGS variables that can be set at build time to pass
in additional arguments when compiling and linking programs (like
remctl and remctld) but not libraries and, more importantly, language
bindings. This can be used in distribution builds to pass in -fPIE
for additional binary hardening. (CFLAGS and LDFLAGS cannot be used
since -fPIE breaks the builds of the dynamic modules for langauges
like Perl.)
Update to rra-c-util 6.1:
* Correct return-value checks for snprintf.
* Adjust Test::RRA::Config for new load path behavior in Perl 5.22.2.
remctl 3.12 (2016-07-29)
Add a new server implementation, remctl-shell. This does not use the
remctl protocol; instead, it is meant to be run via ssh by being
configured as the shell of a dedicated user. It interprets a command
it was given as a remctl command, using the same configuration and
authorization checking as the normal remctl server. This can be
useful to introduce remctl into an environment that has ssh public key
authentication instead of Kerberos. remctl-shell has some significant
limitations inherited from ssh and requires some setup to use. See
its manual page for more information.
Add a new configuration option, sudo, which tells remctld and
remctl-shell to run the command as a different user using sudo. The
path to the sudo binary is determined when remctld is compiled.
Normally, it's more convenient to use the existing user option, but it
relies on remctld running as root. If running the daemon as a
non-root user, or when running remctl-shell as a non-root user, this
option may work better.
remctl 3.11 (2016-05-07)
The PHP bindings have been ported to PHP 7, based on work by Nish
Aravamudan. The PHP 7 API is sufficiently different that this was
done by forking the PHP code and creating a new version for PHP 7 and
later, chosing which extension to compile based on the discovered
version of PHP. Currently, there is no functionality difference, but
the PHP 5 extension should be considered frozen and may not get any
new features. It will eventually be removed in a future version of
remctl when PHP 7 is sufficiently widespread.
Rename the script to bootstrap from a Git checkout to bootstrap,
matching the emerging consensus in the Autoconf world.
Fix numerous portability issues to various versions of Heimdal, thanks
to multiple patches from Jeffrey Hutzelman.
Multiple fixes and improvements to the RPM spec file from Jeffrey
Hutzelman: systemd support, SLES support, add the missing
libevent-devel dependency, fix the version, and fix an invalid date.
Update to rra-c-util 6.0:
* Remove all remaining uses of strlcpy and strlcat.
* Fix the Perl docs/synopsis.t test to be less UNIX-specific.
* Make util/network/server-t more robust against missing IPv6.
Update to C TAP Harness 4.0:
* Use C_TAP_SOURCE and C_TAP_BUILD instead of SOURCE and BUILD.
remctl 3.10 (2015-11-27)
Two new remctld ACLs are supported: anyuser:auth and
anyuser:anonymous. The first is equivalent to ANYUSER, and indeed
ANYUSER is now treated as a backwards-compatibility alias for
anyuser:auth. This permits any authenticated user in either the local
realm or any realm with which there is cross-realm trust. The new
anyuser:anonymous ACL permits absolutely any user, even
unauthenticated users, allowing anyone with network access to the
server to run the command. (Note, however, that actually running
commands anonymously requires anonymous PKINIT and anonymous service
tickets be enabled for the local Kerberos realm. These are not common
configurations, particularly the second.)
The remctld server now sets the REMOTE_EXPIRES environment variable to
the time (in seconds since UNIX epoch) when the authenticated session
used to run a command will expire. This will generally be the
expiration time of the Kerberos ticket used to authenticate to the
server.
Anonymous authentication (such as via anonymous PKINIT) no longer
satisfies ANYUSER ACLs. It's unlikely that existing installations
would have encountered anonymous authentication, since obtaining
service tickets with anonymous PKINIT is disabled by default.
Simplify the Python RemctlError exception class. The code in the
exception class just duplicated the behavior of the parent Exception
class and was unnecessary, and it interfered with pickling the
exception. This means that RemctlError exceptions, and any derived
from RemctlError, will no longer have a value attribute. To get this
information, use the string value of the exception object, or call the
error() method on the remctl object. Thanks to Andrew Deason for the
report.
Previous versions always passed the flags to disable certain warnings
to the language binding builds, even if warnings weren't otherwise
enabled. As of remctl 3.9, that included a warning flag not supported
by old versions of gcc, breaking builds on RHEL 5. Instead, only pass
the warning suppression flags when building with warnings (via make
warnings), which is not the default and is only supported with recent
versions of gcc. Thanks to Ken Dreyer for the report.
For the localgroup ACL scheme, dynamically resize the buffer passed to
getgrnam_r if the call fails due to ERANGE. Users in large numbers of
local groups may require more space than the buffer size returned by
the sysconf call. Patch from Hugh Cole-Baker.
Fix test suite portability to systems with older versions of Kerberos
that didn't have krb5_get_init_creds_opt_alloc, such as the included
Kerberos in Solaris 10.
Update to rra-c-util 5.9:
* Add missing va_end to xasprintf implementation.
* Fix Perl test suite framework for new Automake relative paths.
* Avoid $() in the probe for systemd support for Solaris portability.
* Prefer libsystemd to libsystemd-daemon if it is available.
* Improve portability to Kerberos included in Solaris 10.
* Use appropriate warning flags with Clang (currently not warning clean).
* Check for integer overflow in vector_join.
* Avoid strlcpy in more of the portability code.
* Fix hidden visibility of some utility functions.
* Improve portability of socket error codes to Windows.
Update to C TAP Harness 3.4:
* Fix segfault in runtests with an empty test list.
* Display verbose test results with -v or C_TAP_VERBOSE.
* Support comments and blank lines in test lists.
remctl 3.9 (2014-07-02)
Add a new server ACL type, localgroup, which converts the principal to
a local username with krb5_aname_to_localname and then checks whether
it is a member of a given local group. Based on work by Remi Ferrand.
Use calloc in preference to calculating a malloc size with
multiplication everywhere, and reallocarray in preference to
calculating a realloc size. In most places this caution was probably
not necessary, but uniformity is easier to audit and no one will ever
notice the speed difference between malloc and calloc. Add explicit
overflow checks before every remaining malloc call with a calculated
size.
Fix incorrect handling of interruptions of network writes by signals
in the server. Previous versions of remctld did not correctly handle
EINTR returns from select, read, and write and might abort the
connection instead of retrying the system call.
Reset the SIGPIPE signal handler before running a command. The server
sets SIGPIPE to SIG_IGN, which meant that, since ignored signals are
inherited across an exec, the child process would inherit possibly
surprising SIGPIPE behavior. Reset the handler to SIG_DFL so that
commands get default SIGPIPE handling.
Add version and compatibility information to all manual pages.
Command-line and configuration options, ACL methods, environment
variables, client library APIs, and other major features are now
annotated with the version of remctl in which they were added.
Update to rra-c-util 5.5:
* Use Lancaster Consensus environment variables to control tests.
* Work around perltidy bug that leaves behind stray log files.
* Use calloc or reallocarray for protection against integer overflows.
* Suppress warnings from Kerberos headers in non-system paths.
Update to C TAP Harness 3.1:
* Add breallocarray API for error-checked reallocarray in tests.
* Check for integer overflow on memory allocations.
remctl 3.8 (2014-01-28)
The remctld server now uses libevent for the event loop that processes
output from a command. This is primarily an internal change to
improve maintainability, but it does have some noticable if minor
benefits: primarily, no need to poll for child process exit every five
seconds, and therefore faster responsiveness and less resource usage
in each remctld process. libevent 1.4.4 or later is now required to
build remctl.
Rather than capping the data returned by the server in one
MESSAGE_OUTPUT token at the rather arbitrary length of 65,000 octets,
send up to the maximum amount of data permitted by the protocol. This
also slightly increases the maximum length of the output returned
under the version one protocol.
Fix a minor memory leak in the server when processing help commands.
Fix a GSS-API context leak in the remctl client when failing to send a
protocol version one token.
Use a temporary file and atomic rename when writing the server PID
file to avoid racing with a process monitor that tries to read the PID
out of the file before it's written.
Update to rra-c-util 5.2:
* Assume calloc initializes pointers to NULL.
* Assume free(NULL) is properly ignored.
* Suppress shell errors from systemd probes without pkg-config.
* Better logging and shutdown of subprocesses during testing.
Update to C TAP Harness 3.0:
* Reopen standard input to /dev/null when running a test list.
* Don't leak extraneous file descriptors to tests.
remctl 3.7 (2014-01-06)
Fix a client memory leak when remctl_set_ccache is used with a
Kerberos library that supports gss_krb5_import_cred. The credential
was never freed, leaking memory with each remctl client call, and a
Kerberos ticket cache struct could also be leaked in some situations.
Fix Net::Remctl::Backend argument count validation when one of the
arguments is coming from standard input. The count of arguments was
previously not updated properly after splicing in the extra argument.
Add support for systemd. If built on a system with systemd installed,
remctl will install (but not enable) systemd units to start remctld
via socket activation. remctld will also notify systemd when its
initialization is complete if started by systemd with service
notification enabled.
Add support for upstart's expect stop daemon synchronization method.
When starting remctld in stand-alone mode with upstart, pass the new
-Z option to remctld, and it will raise SIGSTOP when ready to accept
connections, signaling to upstart that the daemon has fully started.
Work around a bug in the Module::Build version that comes with RHEL 5
in passing compiler and linker flags to the Perl module build.
Net::Remctl and related classes now check that the class argument is
not undef and croak if it is, rather than dereferencing a NULL
pointer. Caught by clang --analyze.
Update to rra-c-util 5.1:
* Suppress a dummy symbol in the client library that could leak.
* Don't attempt to use Kerberos if no Kerberos error APIs were found.
* Improve error handling in xasprintf and xvasprintf.
* Check the return status of snprintf and vsnprintf properly.
* Preserve errno if snprintf fails in vasprintf replacement.
* Improve error handling of network_bind_* functions.
* vector_free and cvector_free now can be passed NULL.
* Abort remctl tests if the PID file already exists.
Update to C TAP Harness 2.4:
* Suppress lazy plans and test summaries if the test failed with bail.
remctl 3.6 (2013-08-14)
If the client specifies a timeout, restart the wait for a nonblocking
connect when interrupted by a signal. This can mean that a connect
can take longer than the timeout if interrupted; hopefully both
timeouts and catching signals are rare enough that this won't pose a
serious issue.
The help output from Net::Remctl::Backend now checks for commands
whose syntax is excessively long and does not let them influence the
formatting of the summary. This keeps commands with a long syntax
from forcing all the summary output into a skinny column against the
right margin and allows proper help output for commands with a syntax
longer than 80 columns.
Fix compilation problems with Kerberos libraries that don't have
gss_krb5_import_cred, including Mac OS X and older Red Hat. Patch
from Ken Dreyer.
Fix problems with PCRE detection on platforms that have the library
but not pcre-config or the pcre.h header file, such as Mac OS X.
Update to rra-c-util 4.9:
* Fix GCC warnings of casts that could increase alignment.
* Add a portable replacement for a missing strndup.
Update to C TAP Harness 2.2:
* bail and sysbail now exit with status 255 to match Test::More.
remctl 3.5 (2013-06-28)
Fix a long-standing race condition in remctld (introduced in remctl
2.7) that could truncate large backend output if the backend program
exits immediately after sending that output. On systems with pipe
buffers larger than 64KB, remctld could discard some buffered output
after determining that the child had exited. remctld now polls for
and continues to process output from the child until no more is
immediately available, even after the child has exited.
If a Kerberos library and gss_krb5_import_cred are available at build
time, libremctl now uses them to implement remctl_set_ccache to avoid
affecting global program GSS-API state. If those requirements are
met, remctl_set_ccache will only affect the remctl context on which
it's called.
The version numbers of the Net::Remctl and Net::Remctl::Backend Perl
modules now match the versions of the remctl package, but with at
least two digits for the minor version so that, for example, 3.9
(which becomes 3.09) and 3.10 will sort properly as numbers. This
means that, from Perl's perspective, the version numbers have gone
backwards in this release relative to earlier 3.0 releases. This is a
one-time adjustment to a more reliable versioning scheme.
remctl 3.4 (2013-03-26)
Add new C APIs for establishing a remctl connection given a sockaddr,
a list of struct addrinfo, or an already-open socket. Patch from
Jeffrey Hutzelman.
The Perl bindings now include a new module, Net::Remctl::Backend,
which handles the setup, dispatch, and help output for the recommended
style for remctl backend scripts written in Perl. See its
documentation for more information.
Following Perl Best Practices, remove prototypes from all Net::Remctl
functions. The confusion caused by changing context away from how
Perl normally works is not worth any diagnostic value.
The Net::Remctl Perl bindings now require Perl 5.8 or later (instead
of 5.006 in previous versions) and are now built with Module::Build
instead of ExtUtils::MakeMaker. This should be transparent to anyone
not working with the source code, since Perl 5.8 was released in 2002,
but Module::Build and ExtUtils::CBuilder are now required to build
Net::Remctl. They are included in Perl 5.10 or later and can be
installed separately for older versions of Perl.
Return an error if an empty command is passed into remctl_command
rather than attempting to malloc zero bytes.
Update to rra-c-util 4.8:
* Fix probing for Heimdal's libroken to work with older versions.
* Improve POD and Perl module tests.
* Cleanly passes clang --analyze.
Update to C TAP Harness 2.1:
* runtests now treats the command line as a list of tests by default.
* The full test executable path can now be passed to runtests -o.
* Improved harness output for tests with lazy plans.
* Improved harness output to a terminal for some abort cases.
* Flush harness output after each test even when not on a terminal.
remctl 3.3 (2012-09-25)
Fix a file descriptor leak when checking ACL files. This would cause
long-running remctld processes to eventually run out of available file
descriptors.
Fix some memory leaks when reloading the remctld configuration and
several memory leaks when closing or reusing client connections in
libremctl.
Don't create the remctld PID file until the network socket is bound
and listening. This helps init scripts starting the daemon to know
when startup is complete and the service is available.
Remove prototypes from the Perl remctl() function. With prototypes,
the connection and command information could not be provided via an
array, since the prototype forces it into scalar context.
Fix build dependencies for language bindings to work with parallel
builds and pass CPPFLAGS down to the language binding build systems.
Update to rra-c-util 4.6:
* Drop concat from the util library in favor of asprintf.
* Fail on any error in [bx]asprintf and [bx]vasprintf.
remctl 3.2 (2012-06-19)
Add new summary option to the remctld configuration. If remctld
receives a command of "help" with no arguments and no command by that
name has been defined, the server will look through the configuration
for any command with a summary option set, a subcommand of ALL, and
which the user would have been allowed to run. If any such commands
are found, the server will run each with the subcommand specified by
the summary option, sending the results to the user. This allows
display of a command summary to the user based on which commands that
user is authorized to run. Written by Jon Robertson.
Add new help option to the remctld configuration. If remctld receives
a command of "help" with either one or two arguments and no command by
that name has been defined, it takes the arguments to the command as a
command and subcommand and checks for an entry in the configuration
file that matches. If such an entry is found, the help option is set
for that command, and the user is authorized to run it, remctld runs
the command, passing the value of the help option as the subcommand
and the arguments to help as additional arguments. This permits a
standard interface to get additional help for a particular remctl
command. Written by Jon Robertson.
remctld now always closes the client connection after low-level errors
reading or sending tokens. Previously, it would attempt to continue
after some socket or GSS-API errors, which may have caused hanging
remctld processes in some circumstances.
Fix remctld segfault when the configuration does not define any
commands. Thanks to Andrew Mortensen for the report.
Fix GSS-API header probes when configure was told to build with a
specific GSS-API library in a non-default path. Previously, configure
still used the compiler to probe for the correct header names, which
could pick up incorrect headers from the default include path. Thanks
to Jeffrey Hutzelman for the suggested solution.
Solaris can return ECONNRESET instead of EPIPE on write when the other
end of the network connection closes it. Handle that error properly
in the remctld server. Patch from Jeffrey Hutzelman.
Fix multiple portability issues in the test suite on Solaris and old
versions of Heimdal. Thanks to Jeffrey Hutzelman for the series of
patches.
Update to rra-c-util 4.5:
* Pass --deps to krb5-config in the non-reduced-dependencies case.
* Silence __attribute__ warnings on more compilers.
Update to C TAP Harness 1.12:
* Only use feature-test macros when requested or built with gcc -ansi.
* Drop is_double from the C TAP library to avoid requiring -lm.
* Avoid using local in the shell libtap.sh library.
* Silence __attribute__ warnings on more compilers.
remctl 3.1 (2012-02-29)
Add new remctl_set_timeout function to the remctl library API and the
Perl, PHP, Python, and Ruby bindings. Call this function any time
after remctl_new to set a network timeout in seconds for all
subsequent operations. The client must then receive a reply from the
server in no more than that number of seconds or will abort whatever
action is in progress with a timeout error. The timeout also applies
to the initial connection if remctl_set_timeout is called before
remctl_open.
The remctld server now supports an additional configuration option,
user, which sets the user as which to run a command. If this option
is set for a command configuration, remctld will run the command as
that user (including their primary and supplemental groups). The user
may be specified as either a username or a UID. Patch from Andrew
Mortensen.
The remctld server now imposes a one-hour timeout between messages
from the client rather than a one-hour limit on the entire session,
allowing clients to continue to send commands for as long as they stay
connected and not idle.
The PHP bindings no longer output a PHP warning if remctl_output
fails. This was inconsistent with the other API calls (remctl_open
and remctl_command can also fail but didn't result in warnings), may
be expected and handled by the caller, and made testing difficult.
The internal _remctl.remctl_output function in the Python bindings now
returns an empty tuple on error instead of a bool. This change will
not affect callers that only use the recommended public remctl
interface.
Update to rra-c-util 4.2:
* Fix error reporting for non-blocking connect.
* Fix network test when short listen queues don't cause timeout.
* Handle DNS failure in the getaddrinfo test suite.
* Ensure config.h is included for portable/stdbool.h.
* Fix compiler warnings when built with -D_FORTIFY_SOURCE=2.
* Add test wrappers around asprintf and vasprintf.
Update to C TAP Harness 1.10:
* Add test_tmpdir and test_tmpdir_free to TAP library.
* Add bstrndup function to the C TAP library.
* runtests now frees all allocated resources on exit.
remctl 3.0 (2011-10-31)
New protocol version 3, which introduces a new NOOP message. When the
client sends this message, the server replies with a NOOP message.
This can be used to keep a persistent remctl connection alive despite
network session timeouts. Add new remctl_noop function to the remctl
library API and the Perl, PHP, Python, and Ruby bindings to send the
NOOP message and read the response.
Be more explicit in the protocol about handling of continuation
commands. Do not allow any messages from the client after a continued
command except the continuation of that command or a QUIT message.
Explicitly document that a QUIT message abandons the partial command.
Add the new ERROR_UNEXPECTED_MESSAGE error code, used when the client
sends incorrect messages during a command continuation.
The server no longer closes the connection after version or error
replies. The connection will now stay open until MESSAGE_COMMAND is
sent without keepalive or MESSAGE_QUIT is sent.
Add new remctl_set_source_ip function to the remctl library API and
the Perl, PHP, Python, and Ruby bindings. Call this function after
remctl_new and before remctl_open to set the source IP address that
will be used for subequent client connections to a remctl server. For
the Ruby bindings, this is implemented as the source_ip class variable
rather than a separate method.
Add new -b option to the remctl command-line client to specify the
source IP for client connections.
Add new remctl_set_ccache function to the remctl library API and the
Perl, PHP, Python, and Ruby bindings. Call this function after
remctl_new and before remctl_open to set the Kerberos credential cache
that will be used for client authentication, overriding KRB5CCNAME.
Be aware that this will normally change the default credential cache
for all other GSS-API operations in this context or thread, not just
for that remctl object, due to GSS-API limitations. For the Ruby
bindings, this is implemented as the ccache class variable rather than
a separate method.
In the client, only check the negotiated GSS-API context flags after
the context has been fully established. Current versions of Heimdal,
including the system Kerberos libraries in Mac OS X Lion, only declare
mutual authentication once the context negotiation is complete.
Close a client memory leak caused by the GSS-API context not being
freed by the client in remctl_close.
When calling remctl_open on an existing struct remctl object, send
QUIT to the server if a connection is already open.
remctld can be configured to pass the subcommand on standard input,
but the documentation said this was not allowed. Fix the
documentation to match the implementation.
Use PATH_KRB5_CONFIG as the environment variable to set the path to
krb5-config rather than KRB5_CONFIG when running configure, since the
latter is used by the Kerberos libraries to specify an alternative
path to krb5.conf.
Fix the Ruby bindings test suite to test against the newly-built
libremctl and Ruby module rather than any installed on the system.
Update to rra-c-util 3.10:
* Add notices in each file copied from rra-c-util.
* Prefer gssapi/gssapi.h to gssapi.h.
* Include strings.h if it exists for strncasecmp on some platforms.
* getaddrinfo replacement now portable to systems with bad netdb.h.
* Avoid krb5-config if --with-gssapi-{include,lib} are given.
* Add Windows implementation of fdflag_nonblocking.
* The network_connect utility functions now take an optional timeout.
* Wait longer for remctld to start in remctl tests.
* Use an atexit handler to clean up after Kerberos tests.
* Use typedef instead of #define for socklen_t and sig_atomic_t.
* Stop providing or using INADDR_LOOPBACK for portability reasons.
* Don't override a user's existing AFS tokens while testing.
* Fix removal of -I/usr/include from GSS-API CPPFLAGS.
* Provide ssize_t on platforms without it, such as Windows.
* Fix vector_join and cvector_join with empty vectors.
Update to C TAP Harness 1.8:
* Add bmalloc, bcalloc, brealloc, and bstrdup TAP library functions.
* Fix runtests to still honor SOURCE and -s without BUILD and -b.
remctl 2.18 (2011-05-31)
Fix uninitialized variable in the remctld standalone server code that
could cause all remote connections to fail and add a more complete
test suite for remote address handling.
remctl 2.17 (2011-05-31)
Fix construction of the return object for the Python bindings to the
simple remctl interface. Patch from Andrew Mortensen.
The remctld server now supports a -b command-line option specifying
which local addresses to which to bind. This option may be given
multiple times to bind to multiple local addresses.
When run as a standalone daemon, remctld now binds to both IPv4 and
IPv6 addresses rather than only IPv4.
The remctl client library also installs a pkg-config configuration
file for the use of software that wants to link against it. Thanks to
Tollef Fog Heen for the assistance in writing it.
Remove reference to the defunct messages-die.c source file in the
Windows build system.
Fix broken GCC attribute markers causing problems with compilation on
Windows (and likely any non-GCC compiler).
Symbol versioning is now enabled on any system using GNU ld, rather
than only Linux and related platforms, and a Libtool symbol list is
used as a fallback to prevent leaking symbols with other linkers where
possible.
Set the PHP extension test suite to be noninteractive so that the user
is not prompted to send results to the PHP QA group.
Skip portable/getaddrinfo test on systems where invalid hostnames
still resolve.
Update to rra-c-util 3.5:
* Check for krb5-config in /usr/kerberos/bin as well as PATH.
* Avoid configure warnings when building with AIX bundled Kerberos.
* Initialize sockaddr structs more correctly.
* Correctly detect Heimdal GSS-API on OpenBSD without libroken.
* Fix underquoting in m4/socket.m4.
* Update warning flags for GCC 4.6.1.
Update to C TAP Harness 1.7:
* Add tests/HOWTO documenting how to add new tests.
* More correct handling of system-specific errors in output checking.
* Ensure correct output ordering in test results.
* Add -h and a better usage message to tests/runtests.
remctl 2.16 (2010-05-02)
Add Ruby bindings contributed by Anthony M. Martinez, enabled with
--enable-ruby at configure time. These bindings are tested with Ruby
1.8 and may not work with older versions. See ruby/README for more
information.
remctld now includes support for a PCRE (Perl-compatible regular
expressions) ACL type if the PCRE library is found at configure time.
A PCRE ACL matches any user whose identity matches the given
Perl-compatible regular expression. Based on work contributed by
Anton Lundin.
remctld now includes support for a POSIX regex ACL type if the system
supports the POSIX regex API. A regex ACL matches any user whose
identity matches the given POSIX extended regular expression. Based
on work contributed by Anton Lundin.
remctld now sets the environment variable REMCTL_COMMAND to the
command (not subcommand or arguments) that causes a program to be
run. Thanks, Thomas L. Kula.
remctld -h now reports the list of supported ACL methods for that
build of remctld.
Add an example SMF manifest for the remctld daemon in
examples/remctld.xml. Contributed by Peter Eriksson.
Fix PHP test suite to work with PHP 5.3, which no longer passes
environment variables down to the running test program.
Stop passing GCC-specific warning suppression flags into the language
binding build systems unless the compiler used to build remctl is GCC.
This still isn't quite right, since the language bindings may use a
different compiler than the main remctl build, but it should be closer
than the previous behavior of using GCC flags unconditionally.
Update to rra-c-util 2.4:
* Improve network error handling with unknown address domains.
* Disable xmalloc test except for maintainers.
* Break util/util.h apart into separate header files.
* Add additional GCC function attributes to utility libraries.
* Use AC_TYPE_LONG_LONG_INT instead of AC_CHECK_TYPES([long long]).
Update to C TAP Harness 1.2:
* Summarize results at the end of test execution.
* Add diag and sysdiag functions to the basic TAP library.
* Clean up data types in the basic C TAP library.
* Add the GCC nonnull attribute to the TAP library bail functions.
remctl 2.15 (2009-11-29)
Allow subcommand to be omitted on the remctl command line, which sends
a command without a subcommand. This makes available on the command
line functionality that was already available via the library API.
Add the special keyword EMPTY for the subcommand field in the remctld
configuration file, specifying that this line should only match
commands with no subcommands.
Allow use of ALL in the command field in the remctld configuration
file as well as the subcommand field, matching all commands.
Fix read of uninitialized memory caused by moving one character beyond
the beginning of the buffer when parsing blank lines in ACL files.
Use a socket_type typedef rather than int directly to store the file
descriptors of sockets and, on Windows, typedef that to SOCKET instead
of int. Update the function signatures of the network utility
functions appropriately. Compare socket_type variables against an
INVALID_SOCKET define instead of -1. Fixes portability issues to
64-bit Windows. Thanks, Jeffrey Altman.
For the Windows build, get the current version number from
configure.ac rather than configure so that the Windows build scripts
work from a Git checkout. Link with the correct GSS-API library for
64-bit Windows builds. Correct or suppress multiple warnings.
Thanks, Jeffrey Altman.
Enable Automake silent rules. For a quieter build, pass the
--enable-silent-rules option to configure or build with make V=0.
Update to rra-c-util 2.1:
* Revert separation of die into a separate object file.
* Fall back on manual library probing if krb5-config doesn't work.
* Don't try to use a non-executable krb5-config for GSS-API probes.
* Suppress error output from krb5-config GSS-API probes.
* Prefer KRB5_CONFIG over a path constructed from --with-gssapi.
* Fix network test suite failures when IPv6 is available but disabled.
remctl 2.14 (2009-05-22)
The remctld configuration file may now specify that one argument to a
command is passed on standard input instead of on the command line
using the stdin= option. This option allows passing data to commands
that's too long to fit into a command-line argument or that contains
nul characters.
remctld logging of commands or arguments now replaces unprintable
characters (characters between ASCII 0 and 31 and ASCII 127) with
periods rather than assuming syslog will cope with them correctly.
Use command and subcommand as the names for the first two parameters
to the remctl client and the first two strings in a remctl command
instead of the unintuitive "type" and "service" terminology borrowed
from sysctl. This only changes documentation and some internal
variable names; no external APIs should be affected.
Declare message_fatal_cleanup extern in util.h. Fixes compilation
problems on Mac OS X and probably elsewhere.
Diagnose and explicitly reject on the server nul characters in command
arguments that don't support them rather than truncating the argument
silently.
Plug several memory leaks in the remctld server. (These would have
little practical effect unless a client stayed connected and issued
multiple commands.)
The protocol now permits commands with no arguments. remctld
currently doesn't support them, but now returns ERROR_UNKNOWN_COMMAND
instead of ERROR_BAD_COMMAND when receiving one.
Add documentation on extending remctl in docs/extending.
Add initial protocol version three draft in docs/protocol-v3.
Better check logmask options when parsing the server configuration
file and report errors instead of silently ignoring them. Masking the
command is also no longer supported (it previously worked by
accident).
Support building against Solaris 10's native generic GSS-API
libraries. Thanks, Peter Eriksson.
Update to rra-c-util 1.0:
* Fix open call parameters in daemon portability test.
* Fix AI_ADDRCONFIG portability on BSD/OS systems.
* Split die into a separate object to not link it in shared libraries.
* Don't break if the user clobbers CPPFLAGS at build time.
* Correctly set -L options with --with-gssapi-lib, not -I.
* Change AC_TRY_* to AC_*_IFELSE as recommended by Autoconf.
* Update portable and util test suite for C TAP Harness 1.0.
* Use native Kerberos instead of forking kinit in test suite.
Update to C TAP Harness 1.0:
* Rewrite of all test cases to use the new TAP library support.
* Much improved and simplified builddir != srcdir test suite support.
* Support running a single test with tests/runtests -o.
* Correctly handle completely skipped tests, like client/pod.
* Better reporting of fatal errors in the test suite.
remctl 2.13 (2008-11-14)
Add support for ACL methods in the remctld server. The supported
schemes in this release are file and princ, which together provide the
same functionality as earlier releases, plus deny to explicitly reject
a user who matches another ACL and support for the CMU GPUT
authorization system. There is now a framework in place for adding
new ACL methods in the future. This work was contributed by Jeffrey
Hutzelman.
When processing the include of a directory for configuration files or
ACL files, limit the files read to those whose names contain only