1 User-Visible remctl Changes
3 remctl 3.18 (2022-05-08)
5 Add support for PCRE2 for pcre ACLs and use it by preference over
6 PCRE1 if it is found. UTF-8 regular expressions are not enabled by
7 default, but can be enabled by adding (*UTF) to the beginning of the
8 regular expression (a standard PCRE2 feature not specific to remctl).
10 Document that pcre and regex ACL expressions are not automatically
11 anchored at the start and end of the principal name, so they should be
12 explicitly anchored in the configuration unless one intends to allow
15 The Perl libraries and the remctl test suite now require Perl 5.10 or
18 Document sending SIGHUP to remctld when running in stand-alone mode to
19 ask it to re-read its configuration file, and document that SIGTERM
20 will cause it to exit. (Fixes #30)
22 Mark remctl client library functions that allocate memory with their
23 corresponding deallocation functions so that GCC 11 and later can
24 diagnose memory deallocation bugs.
26 Remove remaining references to pytest-runner in the Python bindings.
29 Switch the Ruby bindings tests to Minitest from Test::Unit. Thanks,
32 Update to rra-c-util 10.2:
34 * Fix IN6_ARE_ADDR_EQUAL Autoconf probe on macOS.
35 * Fix compiler flag probes with Clang.
36 * Check that Kerberos headers can be included.
37 * Fix util/fdflag test on Solaris 11 and OpenBSD.
38 * Suppress some additional warnings in GCC 10.
40 remctl 3.17 (2020-12-13)
42 Port the PHP extention to PHP 8. This required declaring the
43 arguments to the functions (which should have been done with PHP 7)
44 and removing some obsolete constructs.
46 Make the Python install_requires dependency on typing conditional on
47 Python versions earlier than 3.5 so that setuptools won't attempt to
48 download typing when it's part of the standard library. Thanks to
49 Gianfranco Costamagna and Matthias Klose for the bug report.
51 Fix the Python module build to more reliably test the newly-built
52 module and to enable verbose testing.
54 Fix non-Kerberos network tests on hosts with no IPv4 addresses. In
55 this case, the network tests for binding all configured addresses will
56 bind only to IPv6, which broke some prior assumptions in the test
57 suite. Thanks to Niko Tyni for the bug report. Note that the tests
58 that require a Kerberos setup will still fail in this scenario, since
59 they assume remctld will bind to 127.0.0.1 by default.
61 Stop providing a replacement for a broken snprintf and assume the libc
62 version works correctly. This portability code has proven difficult
63 to maintain, and was only relevant for ancient proprietary UNIX
64 versions that have been obsolete for many years.
66 Update to rra-c-util 8.4:
68 * Fix reallocarray prototyping on NetBSD.
69 * Fix getnameinfo tests on musl-based Linux distributions.
70 * Include string.h when probing for getaddrinfo properties.
71 * Fix Perl style issues found by Perl::Critic::Freenode.
72 * Fix support for configuring the test suite with a krb5.conf file.
73 * Fix tests when the system krb5.conf file does not set default_realm.
74 * Ignore files in tests/config when checking for license identifiers.
75 * Ignore object files when checking for license identifiers.
76 * Drop support for Perl 5.6.
77 * Reformat all C source using clang-format 10.
78 * Remove bogus snprintf tests.
80 Update to C TAP Harness 4.7:
82 * Fix warning with GCC 10.
84 remctl 3.16 (2019-10-26)
86 The Python bindings now support Python 3. They have been tested only
87 with Python 2.7 and Python 3.7, but should work with any version of
88 Python 3 later than Python 3.1.
90 The Python bindings have been modernized to remove obsolete syntax,
91 which may mean that versions of Python back to Python 2.3 are no
92 longer supported. The bindings are only tested with Python 2.7.
93 Passing in anything other than an iterable of str or bytes as the
94 command to run is deprecated and support for using objects that can be
95 converted to str in commands will be removed in a future release.
97 Update the Python bindings documentation to use proper Python types
98 and to document how str and bytes values are handled.
100 Building the Python bindings now requires the setuptools, pytest,
101 pytest-runner, and typing Python modules.
103 Add -t flag to the remctl client to specify the network timeout.
104 Thanks, Remi Ferrand.
106 Fix NULL pointer dereference in the client library if allocation of
107 memory fails, caught by cppcheck.
109 Add GCC attributes to the declarations of the libremctl client
110 functions, which will allow some minor optimization improvements and
111 better compiler errors about NULL pointers.
113 Check for minimum versions of Perl or Python during configure if
114 building the Perl or Python bindings is requested.
116 More correctly handle user-supplied CFLAGS in combination with make
117 warnings when building the PHP bindings. Add the warning flags to
118 AM_CFLAGS instead of CFLAGS and pass user-supplied CFLAGS through to
119 configure (but not the warning flags). Thanks, Ken Dreyer.
121 Fix Kerberos library probing with --enable-reduced-depends and
122 correctly suppress probing for Kerberos library features when no
123 Kerberos library is present.
125 Update to rra-c-util 8.0:
127 * Skip more Automake files in tests.
128 * Fix warnings with current versions of GCC and cppcheck.
130 Update to C TAP Harness 4.5:
132 * Fix error checking for malloc failure in bstrndup.
134 remctl 3.15 (2018-05-05)
136 Fix a bug where output could have been truncated for a command run by
137 the server that was accepting an argument on standard input, if it
138 exited before reading all of the input data. Incorrect server logic
139 disabled reads from the child process on write failure, so could have
140 missed the last buffer of output from the child. This was only seen
141 under valgrind testing, not reported as a bug, so it's not clear how
142 widespread of a problem this was.
144 Validate command argument count, the length of command arguments, and
145 the length of blocks of output from the server fit into the data type
146 used in the wire protocol.
148 Check the port argument to remctl and remctld to ensure that it is a
151 Add maintainer check-cppcheck target to run cppcheck across the source
152 base with a standard configuration. Fix all issues found by cppcheck.
154 Rework the check-valgrind target to use the new C TAP Harness valgrind
155 support and automatically check the valgrind log files for errors at
156 the end of the test suite. This catches the bad free that caused the
157 security issue in 3.14.
159 Flesh out support for Clang warnings and compile cleanly under Clang
160 with most warnings enabled (-Weverything with some exclusions).
162 Add SPDX-License-Identifier headers to all substantial source files.
164 Update to rra-c-util 7.1:
166 * Avoid spurious test failures from the network library.
167 * Fix configure output when a Kerberos install prefix was provided.
168 * Fix new warnings in GCC 7 and add new warning flags.
169 * Fix all warnings from the Clang static analyzer.
170 * Fix warnings under Clang with most warnings enabled.
171 * Define UINT32_MAX for systems that don't have it.
172 * Support running remctld under valgrind for memory leak testing.
173 * Update the valgrind suppression file.
175 Update to C TAP Harness 4.3:
177 * Add support for valgrind testing via test list options.
178 * Report test failures as left and right, not wanted and seen.
179 * Fix is_string comparisons involving NULL pointers and "(null)".
181 remctl 3.14 (2018-03-31)
183 SECURITY: Fix use-after-free and double-free when handling the sudo
184 option in the remctld and remctl-shell server. For remctl-shell, this
185 will occasionally produce a spurious non-zero exit status for a
186 command that succeeded. For remctld, the normal consequence is a
187 server process crash after running a command with the sudo option, but
188 it may be possible (albeit difficult) for a streaming client to abuse
189 this bug to execute an arbitrary command on the server or corrupt
190 server memory. Thanks, Santosh Ananthakrishnan. (CVE-2018-0493)
192 remctl 3.13 (2016-10-10)
194 remctl-shell now also supports being run as a forced command from
195 authorized_keys (or other methods). This may be preferrable to using
196 it as a shell since it doesn't require setting non-standard sshd
199 The summary configuration option is now allowed for commands with
200 subcommands other than ALL. When generating a help summary (done in
201 response to the command "help" with no arguments), command lines with
202 a subcommand and a summary option will be run with two arguments: the
203 value of the summary option and then the subcommand. This allows
204 proper generation of command summaries even for users who only have
205 access to a few subcommands of a command. Patch from Remi Ferrand.
207 The build system now supports new REMCTL_PROGRAM_CFLAGS and
208 REMCTL_PROGRAM_LDFLAGS variables that can be set at build time to pass
209 in additional arguments when compiling and linking programs (like
210 remctl and remctld) but not libraries and, more importantly, language
211 bindings. This can be used in distribution builds to pass in -fPIE
212 for additional binary hardening. (CFLAGS and LDFLAGS cannot be used
213 since -fPIE breaks the builds of the dynamic modules for langauges
216 Update to rra-c-util 6.1:
218 * Correct return-value checks for snprintf.
219 * Adjust Test::RRA::Config for new load path behavior in Perl 5.22.2.
221 remctl 3.12 (2016-07-29)
223 Add a new server implementation, remctl-shell. This does not use the
224 remctl protocol; instead, it is meant to be run via ssh by being
225 configured as the shell of a dedicated user. It interprets a command
226 it was given as a remctl command, using the same configuration and
227 authorization checking as the normal remctl server. This can be
228 useful to introduce remctl into an environment that has ssh public key
229 authentication instead of Kerberos. remctl-shell has some significant
230 limitations inherited from ssh and requires some setup to use. See
231 its manual page for more information.
233 Add a new configuration option, sudo, which tells remctld and
234 remctl-shell to run the command as a different user using sudo. The
235 path to the sudo binary is determined when remctld is compiled.
236 Normally, it's more convenient to use the existing user option, but it
237 relies on remctld running as root. If running the daemon as a
238 non-root user, or when running remctl-shell as a non-root user, this
239 option may work better.
241 remctl 3.11 (2016-05-07)
243 The PHP bindings have been ported to PHP 7, based on work by Nish
244 Aravamudan. The PHP 7 API is sufficiently different that this was
245 done by forking the PHP code and creating a new version for PHP 7 and
246 later, chosing which extension to compile based on the discovered
247 version of PHP. Currently, there is no functionality difference, but
248 the PHP 5 extension should be considered frozen and may not get any
249 new features. It will eventually be removed in a future version of
250 remctl when PHP 7 is sufficiently widespread.
252 Rename the script to bootstrap from a Git checkout to bootstrap,
253 matching the emerging consensus in the Autoconf world.
255 Fix numerous portability issues to various versions of Heimdal, thanks
256 to multiple patches from Jeffrey Hutzelman.
258 Multiple fixes and improvements to the RPM spec file from Jeffrey
259 Hutzelman: systemd support, SLES support, add the missing
260 libevent-devel dependency, fix the version, and fix an invalid date.
262 Update to rra-c-util 6.0:
264 * Remove all remaining uses of strlcpy and strlcat.
265 * Fix the Perl docs/synopsis.t test to be less UNIX-specific.
266 * Make util/network/server-t more robust against missing IPv6.
268 Update to C TAP Harness 4.0:
270 * Use C_TAP_SOURCE and C_TAP_BUILD instead of SOURCE and BUILD.
272 remctl 3.10 (2015-11-27)
274 Two new remctld ACLs are supported: anyuser:auth and
275 anyuser:anonymous. The first is equivalent to ANYUSER, and indeed
276 ANYUSER is now treated as a backwards-compatibility alias for
277 anyuser:auth. This permits any authenticated user in either the local
278 realm or any realm with which there is cross-realm trust. The new
279 anyuser:anonymous ACL permits absolutely any user, even
280 unauthenticated users, allowing anyone with network access to the
281 server to run the command. (Note, however, that actually running
282 commands anonymously requires anonymous PKINIT and anonymous service
283 tickets be enabled for the local Kerberos realm. These are not common
284 configurations, particularly the second.)
286 The remctld server now sets the REMOTE_EXPIRES environment variable to
287 the time (in seconds since UNIX epoch) when the authenticated session
288 used to run a command will expire. This will generally be the
289 expiration time of the Kerberos ticket used to authenticate to the
292 Anonymous authentication (such as via anonymous PKINIT) no longer
293 satisfies ANYUSER ACLs. It's unlikely that existing installations
294 would have encountered anonymous authentication, since obtaining
295 service tickets with anonymous PKINIT is disabled by default.
297 Simplify the Python RemctlError exception class. The code in the
298 exception class just duplicated the behavior of the parent Exception
299 class and was unnecessary, and it interfered with pickling the
300 exception. This means that RemctlError exceptions, and any derived
301 from RemctlError, will no longer have a value attribute. To get this
302 information, use the string value of the exception object, or call the
303 error() method on the remctl object. Thanks to Andrew Deason for the
306 Previous versions always passed the flags to disable certain warnings
307 to the language binding builds, even if warnings weren't otherwise
308 enabled. As of remctl 3.9, that included a warning flag not supported
309 by old versions of gcc, breaking builds on RHEL 5. Instead, only pass
310 the warning suppression flags when building with warnings (via make
311 warnings), which is not the default and is only supported with recent
312 versions of gcc. Thanks to Ken Dreyer for the report.
314 For the localgroup ACL scheme, dynamically resize the buffer passed to
315 getgrnam_r if the call fails due to ERANGE. Users in large numbers of
316 local groups may require more space than the buffer size returned by
317 the sysconf call. Patch from Hugh Cole-Baker.
319 Fix test suite portability to systems with older versions of Kerberos
320 that didn't have krb5_get_init_creds_opt_alloc, such as the included
321 Kerberos in Solaris 10.
323 Update to rra-c-util 5.9:
325 * Add missing va_end to xasprintf implementation.
326 * Fix Perl test suite framework for new Automake relative paths.
327 * Avoid $() in the probe for systemd support for Solaris portability.
328 * Prefer libsystemd to libsystemd-daemon if it is available.
329 * Improve portability to Kerberos included in Solaris 10.
330 * Use appropriate warning flags with Clang (currently not warning clean).
331 * Check for integer overflow in vector_join.
332 * Avoid strlcpy in more of the portability code.
333 * Fix hidden visibility of some utility functions.
334 * Improve portability of socket error codes to Windows.
336 Update to C TAP Harness 3.4:
338 * Fix segfault in runtests with an empty test list.
339 * Display verbose test results with -v or C_TAP_VERBOSE.
340 * Support comments and blank lines in test lists.
342 remctl 3.9 (2014-07-02)
344 Add a new server ACL type, localgroup, which converts the principal to
345 a local username with krb5_aname_to_localname and then checks whether
346 it is a member of a given local group. Based on work by Remi Ferrand.
348 Use calloc in preference to calculating a malloc size with
349 multiplication everywhere, and reallocarray in preference to
350 calculating a realloc size. In most places this caution was probably
351 not necessary, but uniformity is easier to audit and no one will ever
352 notice the speed difference between malloc and calloc. Add explicit
353 overflow checks before every remaining malloc call with a calculated
356 Fix incorrect handling of interruptions of network writes by signals
357 in the server. Previous versions of remctld did not correctly handle
358 EINTR returns from select, read, and write and might abort the
359 connection instead of retrying the system call.
361 Reset the SIGPIPE signal handler before running a command. The server
362 sets SIGPIPE to SIG_IGN, which meant that, since ignored signals are
363 inherited across an exec, the child process would inherit possibly
364 surprising SIGPIPE behavior. Reset the handler to SIG_DFL so that
365 commands get default SIGPIPE handling.
367 Add version and compatibility information to all manual pages.
368 Command-line and configuration options, ACL methods, environment
369 variables, client library APIs, and other major features are now
370 annotated with the version of remctl in which they were added.
372 Update to rra-c-util 5.5:
374 * Use Lancaster Consensus environment variables to control tests.
375 * Work around perltidy bug that leaves behind stray log files.
376 * Use calloc or reallocarray for protection against integer overflows.
377 * Suppress warnings from Kerberos headers in non-system paths.
379 Update to C TAP Harness 3.1:
381 * Add breallocarray API for error-checked reallocarray in tests.
382 * Check for integer overflow on memory allocations.
384 remctl 3.8 (2014-01-28)
386 The remctld server now uses libevent for the event loop that processes
387 output from a command. This is primarily an internal change to
388 improve maintainability, but it does have some noticable if minor
389 benefits: primarily, no need to poll for child process exit every five
390 seconds, and therefore faster responsiveness and less resource usage
391 in each remctld process. libevent 1.4.4 or later is now required to
394 Rather than capping the data returned by the server in one
395 MESSAGE_OUTPUT token at the rather arbitrary length of 65,000 octets,
396 send up to the maximum amount of data permitted by the protocol. This
397 also slightly increases the maximum length of the output returned
398 under the version one protocol.
400 Fix a minor memory leak in the server when processing help commands.
402 Fix a GSS-API context leak in the remctl client when failing to send a
403 protocol version one token.
405 Use a temporary file and atomic rename when writing the server PID
406 file to avoid racing with a process monitor that tries to read the PID
407 out of the file before it's written.
409 Update to rra-c-util 5.2:
411 * Assume calloc initializes pointers to NULL.
412 * Assume free(NULL) is properly ignored.
413 * Suppress shell errors from systemd probes without pkg-config.
414 * Better logging and shutdown of subprocesses during testing.
416 Update to C TAP Harness 3.0:
418 * Reopen standard input to /dev/null when running a test list.
419 * Don't leak extraneous file descriptors to tests.
421 remctl 3.7 (2014-01-06)
423 Fix a client memory leak when remctl_set_ccache is used with a
424 Kerberos library that supports gss_krb5_import_cred. The credential
425 was never freed, leaking memory with each remctl client call, and a
426 Kerberos ticket cache struct could also be leaked in some situations.
428 Fix Net::Remctl::Backend argument count validation when one of the
429 arguments is coming from standard input. The count of arguments was
430 previously not updated properly after splicing in the extra argument.
432 Add support for systemd. If built on a system with systemd installed,
433 remctl will install (but not enable) systemd units to start remctld
434 via socket activation. remctld will also notify systemd when its
435 initialization is complete if started by systemd with service
436 notification enabled.
438 Add support for upstart's expect stop daemon synchronization method.
439 When starting remctld in stand-alone mode with upstart, pass the new
440 -Z option to remctld, and it will raise SIGSTOP when ready to accept
441 connections, signaling to upstart that the daemon has fully started.
443 Work around a bug in the Module::Build version that comes with RHEL 5
444 in passing compiler and linker flags to the Perl module build.
446 Net::Remctl and related classes now check that the class argument is
447 not undef and croak if it is, rather than dereferencing a NULL
448 pointer. Caught by clang --analyze.
450 Update to rra-c-util 5.1:
452 * Suppress a dummy symbol in the client library that could leak.
453 * Don't attempt to use Kerberos if no Kerberos error APIs were found.
454 * Improve error handling in xasprintf and xvasprintf.
455 * Check the return status of snprintf and vsnprintf properly.
456 * Preserve errno if snprintf fails in vasprintf replacement.
457 * Improve error handling of network_bind_* functions.
458 * vector_free and cvector_free now can be passed NULL.
459 * Abort remctl tests if the PID file already exists.
461 Update to C TAP Harness 2.4:
463 * Suppress lazy plans and test summaries if the test failed with bail.
465 remctl 3.6 (2013-08-14)
467 If the client specifies a timeout, restart the wait for a nonblocking
468 connect when interrupted by a signal. This can mean that a connect
469 can take longer than the timeout if interrupted; hopefully both
470 timeouts and catching signals are rare enough that this won't pose a
473 The help output from Net::Remctl::Backend now checks for commands
474 whose syntax is excessively long and does not let them influence the
475 formatting of the summary. This keeps commands with a long syntax
476 from forcing all the summary output into a skinny column against the
477 right margin and allows proper help output for commands with a syntax
478 longer than 80 columns.
480 Fix compilation problems with Kerberos libraries that don't have
481 gss_krb5_import_cred, including Mac OS X and older Red Hat. Patch
484 Fix problems with PCRE detection on platforms that have the library
485 but not pcre-config or the pcre.h header file, such as Mac OS X.
487 Update to rra-c-util 4.9:
489 * Fix GCC warnings of casts that could increase alignment.
490 * Add a portable replacement for a missing strndup.
492 Update to C TAP Harness 2.2:
494 * bail and sysbail now exit with status 255 to match Test::More.
496 remctl 3.5 (2013-06-28)
498 Fix a long-standing race condition in remctld (introduced in remctl
499 2.7) that could truncate large backend output if the backend program
500 exits immediately after sending that output. On systems with pipe
501 buffers larger than 64KB, remctld could discard some buffered output
502 after determining that the child had exited. remctld now polls for
503 and continues to process output from the child until no more is
504 immediately available, even after the child has exited.
506 If a Kerberos library and gss_krb5_import_cred are available at build
507 time, libremctl now uses them to implement remctl_set_ccache to avoid
508 affecting global program GSS-API state. If those requirements are
509 met, remctl_set_ccache will only affect the remctl context on which
512 The version numbers of the Net::Remctl and Net::Remctl::Backend Perl
513 modules now match the versions of the remctl package, but with at
514 least two digits for the minor version so that, for example, 3.9
515 (which becomes 3.09) and 3.10 will sort properly as numbers. This
516 means that, from Perl's perspective, the version numbers have gone
517 backwards in this release relative to earlier 3.0 releases. This is a
518 one-time adjustment to a more reliable versioning scheme.
520 remctl 3.4 (2013-03-26)
522 Add new C APIs for establishing a remctl connection given a sockaddr,
523 a list of struct addrinfo, or an already-open socket. Patch from
526 The Perl bindings now include a new module, Net::Remctl::Backend,
527 which handles the setup, dispatch, and help output for the recommended
528 style for remctl backend scripts written in Perl. See its
529 documentation for more information.
531 Following Perl Best Practices, remove prototypes from all Net::Remctl
532 functions. The confusion caused by changing context away from how
533 Perl normally works is not worth any diagnostic value.
535 The Net::Remctl Perl bindings now require Perl 5.8 or later (instead
536 of 5.006 in previous versions) and are now built with Module::Build
537 instead of ExtUtils::MakeMaker. This should be transparent to anyone
538 not working with the source code, since Perl 5.8 was released in 2002,
539 but Module::Build and ExtUtils::CBuilder are now required to build
540 Net::Remctl. They are included in Perl 5.10 or later and can be
541 installed separately for older versions of Perl.
543 Return an error if an empty command is passed into remctl_command
544 rather than attempting to malloc zero bytes.
546 Update to rra-c-util 4.8:
548 * Fix probing for Heimdal's libroken to work with older versions.
549 * Improve POD and Perl module tests.
550 * Cleanly passes clang --analyze.
552 Update to C TAP Harness 2.1:
554 * runtests now treats the command line as a list of tests by default.
555 * The full test executable path can now be passed to runtests -o.
556 * Improved harness output for tests with lazy plans.
557 * Improved harness output to a terminal for some abort cases.
558 * Flush harness output after each test even when not on a terminal.
560 remctl 3.3 (2012-09-25)
562 Fix a file descriptor leak when checking ACL files. This would cause
563 long-running remctld processes to eventually run out of available file
566 Fix some memory leaks when reloading the remctld configuration and
567 several memory leaks when closing or reusing client connections in
570 Don't create the remctld PID file until the network socket is bound
571 and listening. This helps init scripts starting the daemon to know
572 when startup is complete and the service is available.
574 Remove prototypes from the Perl remctl() function. With prototypes,
575 the connection and command information could not be provided via an
576 array, since the prototype forces it into scalar context.
578 Fix build dependencies for language bindings to work with parallel
579 builds and pass CPPFLAGS down to the language binding build systems.
581 Update to rra-c-util 4.6:
583 * Drop concat from the util library in favor of asprintf.
584 * Fail on any error in [bx]asprintf and [bx]vasprintf.
586 remctl 3.2 (2012-06-19)
588 Add new summary option to the remctld configuration. If remctld
589 receives a command of "help" with no arguments and no command by that
590 name has been defined, the server will look through the configuration
591 for any command with a summary option set, a subcommand of ALL, and
592 which the user would have been allowed to run. If any such commands
593 are found, the server will run each with the subcommand specified by
594 the summary option, sending the results to the user. This allows
595 display of a command summary to the user based on which commands that
596 user is authorized to run. Written by Jon Robertson.
598 Add new help option to the remctld configuration. If remctld receives
599 a command of "help" with either one or two arguments and no command by
600 that name has been defined, it takes the arguments to the command as a
601 command and subcommand and checks for an entry in the configuration
602 file that matches. If such an entry is found, the help option is set
603 for that command, and the user is authorized to run it, remctld runs
604 the command, passing the value of the help option as the subcommand
605 and the arguments to help as additional arguments. This permits a
606 standard interface to get additional help for a particular remctl
607 command. Written by Jon Robertson.
609 remctld now always closes the client connection after low-level errors
610 reading or sending tokens. Previously, it would attempt to continue
611 after some socket or GSS-API errors, which may have caused hanging
612 remctld processes in some circumstances.
614 Fix remctld segfault when the configuration does not define any
615 commands. Thanks to Andrew Mortensen for the report.
617 Fix GSS-API header probes when configure was told to build with a
618 specific GSS-API library in a non-default path. Previously, configure
619 still used the compiler to probe for the correct header names, which
620 could pick up incorrect headers from the default include path. Thanks
621 to Jeffrey Hutzelman for the suggested solution.
623 Solaris can return ECONNRESET instead of EPIPE on write when the other
624 end of the network connection closes it. Handle that error properly
625 in the remctld server. Patch from Jeffrey Hutzelman.
627 Fix multiple portability issues in the test suite on Solaris and old
628 versions of Heimdal. Thanks to Jeffrey Hutzelman for the series of
631 Update to rra-c-util 4.5:
633 * Pass --deps to krb5-config in the non-reduced-dependencies case.
634 * Silence __attribute__ warnings on more compilers.
636 Update to C TAP Harness 1.12:
638 * Only use feature-test macros when requested or built with gcc -ansi.
639 * Drop is_double from the C TAP library to avoid requiring -lm.
640 * Avoid using local in the shell libtap.sh library.
641 * Silence __attribute__ warnings on more compilers.
643 remctl 3.1 (2012-02-29)
645 Add new remctl_set_timeout function to the remctl library API and the
646 Perl, PHP, Python, and Ruby bindings. Call this function any time
647 after remctl_new to set a network timeout in seconds for all
648 subsequent operations. The client must then receive a reply from the
649 server in no more than that number of seconds or will abort whatever
650 action is in progress with a timeout error. The timeout also applies
651 to the initial connection if remctl_set_timeout is called before
654 The remctld server now supports an additional configuration option,
655 user, which sets the user as which to run a command. If this option
656 is set for a command configuration, remctld will run the command as
657 that user (including their primary and supplemental groups). The user
658 may be specified as either a username or a UID. Patch from Andrew
661 The remctld server now imposes a one-hour timeout between messages
662 from the client rather than a one-hour limit on the entire session,
663 allowing clients to continue to send commands for as long as they stay
664 connected and not idle.
666 The PHP bindings no longer output a PHP warning if remctl_output
667 fails. This was inconsistent with the other API calls (remctl_open
668 and remctl_command can also fail but didn't result in warnings), may
669 be expected and handled by the caller, and made testing difficult.
671 The internal _remctl.remctl_output function in the Python bindings now
672 returns an empty tuple on error instead of a bool. This change will
673 not affect callers that only use the recommended public remctl
676 Update to rra-c-util 4.2:
678 * Fix error reporting for non-blocking connect.
679 * Fix network test when short listen queues don't cause timeout.
680 * Handle DNS failure in the getaddrinfo test suite.
681 * Ensure config.h is included for portable/stdbool.h.
682 * Fix compiler warnings when built with -D_FORTIFY_SOURCE=2.
683 * Add test wrappers around asprintf and vasprintf.
685 Update to C TAP Harness 1.10:
687 * Add test_tmpdir and test_tmpdir_free to TAP library.
688 * Add bstrndup function to the C TAP library.
689 * runtests now frees all allocated resources on exit.
691 remctl 3.0 (2011-10-31)
693 New protocol version 3, which introduces a new NOOP message. When the
694 client sends this message, the server replies with a NOOP message.
695 This can be used to keep a persistent remctl connection alive despite
696 network session timeouts. Add new remctl_noop function to the remctl
697 library API and the Perl, PHP, Python, and Ruby bindings to send the
698 NOOP message and read the response.
700 Be more explicit in the protocol about handling of continuation
701 commands. Do not allow any messages from the client after a continued
702 command except the continuation of that command or a QUIT message.
703 Explicitly document that a QUIT message abandons the partial command.
704 Add the new ERROR_UNEXPECTED_MESSAGE error code, used when the client
705 sends incorrect messages during a command continuation.
707 The server no longer closes the connection after version or error
708 replies. The connection will now stay open until MESSAGE_COMMAND is
709 sent without keepalive or MESSAGE_QUIT is sent.
711 Add new remctl_set_source_ip function to the remctl library API and
712 the Perl, PHP, Python, and Ruby bindings. Call this function after
713 remctl_new and before remctl_open to set the source IP address that
714 will be used for subequent client connections to a remctl server. For
715 the Ruby bindings, this is implemented as the source_ip class variable
716 rather than a separate method.
718 Add new -b option to the remctl command-line client to specify the
719 source IP for client connections.
721 Add new remctl_set_ccache function to the remctl library API and the
722 Perl, PHP, Python, and Ruby bindings. Call this function after
723 remctl_new and before remctl_open to set the Kerberos credential cache
724 that will be used for client authentication, overriding KRB5CCNAME.
725 Be aware that this will normally change the default credential cache
726 for all other GSS-API operations in this context or thread, not just
727 for that remctl object, due to GSS-API limitations. For the Ruby
728 bindings, this is implemented as the ccache class variable rather than
731 In the client, only check the negotiated GSS-API context flags after
732 the context has been fully established. Current versions of Heimdal,
733 including the system Kerberos libraries in Mac OS X Lion, only declare
734 mutual authentication once the context negotiation is complete.
736 Close a client memory leak caused by the GSS-API context not being
737 freed by the client in remctl_close.
739 When calling remctl_open on an existing struct remctl object, send
740 QUIT to the server if a connection is already open.
742 remctld can be configured to pass the subcommand on standard input,
743 but the documentation said this was not allowed. Fix the
744 documentation to match the implementation.
746 Use PATH_KRB5_CONFIG as the environment variable to set the path to
747 krb5-config rather than KRB5_CONFIG when running configure, since the
748 latter is used by the Kerberos libraries to specify an alternative
751 Fix the Ruby bindings test suite to test against the newly-built
752 libremctl and Ruby module rather than any installed on the system.
754 Update to rra-c-util 3.10:
756 * Add notices in each file copied from rra-c-util.
757 * Prefer gssapi/gssapi.h to gssapi.h.
758 * Include strings.h if it exists for strncasecmp on some platforms.
759 * getaddrinfo replacement now portable to systems with bad netdb.h.
760 * Avoid krb5-config if --with-gssapi-{include,lib} are given.
761 * Add Windows implementation of fdflag_nonblocking.
762 * The network_connect utility functions now take an optional timeout.
763 * Wait longer for remctld to start in remctl tests.
764 * Use an atexit handler to clean up after Kerberos tests.
765 * Use typedef instead of #define for socklen_t and sig_atomic_t.
766 * Stop providing or using INADDR_LOOPBACK for portability reasons.
767 * Don't override a user's existing AFS tokens while testing.
768 * Fix removal of -I/usr/include from GSS-API CPPFLAGS.
769 * Provide ssize_t on platforms without it, such as Windows.
770 * Fix vector_join and cvector_join with empty vectors.
772 Update to C TAP Harness 1.8:
774 * Add bmalloc, bcalloc, brealloc, and bstrdup TAP library functions.
775 * Fix runtests to still honor SOURCE and -s without BUILD and -b.
777 remctl 2.18 (2011-05-31)
779 Fix uninitialized variable in the remctld standalone server code that
780 could cause all remote connections to fail and add a more complete
781 test suite for remote address handling.
783 remctl 2.17 (2011-05-31)
785 Fix construction of the return object for the Python bindings to the
786 simple remctl interface. Patch from Andrew Mortensen.
788 The remctld server now supports a -b command-line option specifying
789 which local addresses to which to bind. This option may be given
790 multiple times to bind to multiple local addresses.
792 When run as a standalone daemon, remctld now binds to both IPv4 and
793 IPv6 addresses rather than only IPv4.
795 The remctl client library also installs a pkg-config configuration
796 file for the use of software that wants to link against it. Thanks to
797 Tollef Fog Heen for the assistance in writing it.
799 Remove reference to the defunct messages-die.c source file in the
800 Windows build system.
802 Fix broken GCC attribute markers causing problems with compilation on
803 Windows (and likely any non-GCC compiler).
805 Symbol versioning is now enabled on any system using GNU ld, rather
806 than only Linux and related platforms, and a Libtool symbol list is
807 used as a fallback to prevent leaking symbols with other linkers where
810 Set the PHP extension test suite to be noninteractive so that the user
811 is not prompted to send results to the PHP QA group.
813 Skip portable/getaddrinfo test on systems where invalid hostnames
816 Update to rra-c-util 3.5:
818 * Check for krb5-config in /usr/kerberos/bin as well as PATH.
819 * Avoid configure warnings when building with AIX bundled Kerberos.
820 * Initialize sockaddr structs more correctly.
821 * Correctly detect Heimdal GSS-API on OpenBSD without libroken.
822 * Fix underquoting in m4/socket.m4.
823 * Update warning flags for GCC 4.6.1.
825 Update to C TAP Harness 1.7:
827 * Add tests/HOWTO documenting how to add new tests.
828 * More correct handling of system-specific errors in output checking.
829 * Ensure correct output ordering in test results.
830 * Add -h and a better usage message to tests/runtests.
832 remctl 2.16 (2010-05-02)
834 Add Ruby bindings contributed by Anthony M. Martinez, enabled with
835 --enable-ruby at configure time. These bindings are tested with Ruby
836 1.8 and may not work with older versions. See ruby/README for more
839 remctld now includes support for a PCRE (Perl-compatible regular
840 expressions) ACL type if the PCRE library is found at configure time.
841 A PCRE ACL matches any user whose identity matches the given
842 Perl-compatible regular expression. Based on work contributed by
845 remctld now includes support for a POSIX regex ACL type if the system
846 supports the POSIX regex API. A regex ACL matches any user whose
847 identity matches the given POSIX extended regular expression. Based
848 on work contributed by Anton Lundin.
850 remctld now sets the environment variable REMCTL_COMMAND to the
851 command (not subcommand or arguments) that causes a program to be
852 run. Thanks, Thomas L. Kula.
854 remctld -h now reports the list of supported ACL methods for that
857 Add an example SMF manifest for the remctld daemon in
858 examples/remctld.xml. Contributed by Peter Eriksson.
860 Fix PHP test suite to work with PHP 5.3, which no longer passes
861 environment variables down to the running test program.
863 Stop passing GCC-specific warning suppression flags into the language
864 binding build systems unless the compiler used to build remctl is GCC.
865 This still isn't quite right, since the language bindings may use a
866 different compiler than the main remctl build, but it should be closer
867 than the previous behavior of using GCC flags unconditionally.
869 Update to rra-c-util 2.4:
871 * Improve network error handling with unknown address domains.
872 * Disable xmalloc test except for maintainers.
873 * Break util/util.h apart into separate header files.
874 * Add additional GCC function attributes to utility libraries.
875 * Use AC_TYPE_LONG_LONG_INT instead of AC_CHECK_TYPES([long long]).
877 Update to C TAP Harness 1.2:
879 * Summarize results at the end of test execution.
880 * Add diag and sysdiag functions to the basic TAP library.
881 * Clean up data types in the basic C TAP library.
882 * Add the GCC nonnull attribute to the TAP library bail functions.
884 remctl 2.15 (2009-11-29)
886 Allow subcommand to be omitted on the remctl command line, which sends
887 a command without a subcommand. This makes available on the command
888 line functionality that was already available via the library API.
890 Add the special keyword EMPTY for the subcommand field in the remctld
891 configuration file, specifying that this line should only match
892 commands with no subcommands.
894 Allow use of ALL in the command field in the remctld configuration
895 file as well as the subcommand field, matching all commands.
897 Fix read of uninitialized memory caused by moving one character beyond
898 the beginning of the buffer when parsing blank lines in ACL files.
900 Use a socket_type typedef rather than int directly to store the file
901 descriptors of sockets and, on Windows, typedef that to SOCKET instead
902 of int. Update the function signatures of the network utility
903 functions appropriately. Compare socket_type variables against an
904 INVALID_SOCKET define instead of -1. Fixes portability issues to
905 64-bit Windows. Thanks, Jeffrey Altman.
907 For the Windows build, get the current version number from
908 configure.ac rather than configure so that the Windows build scripts
909 work from a Git checkout. Link with the correct GSS-API library for
910 64-bit Windows builds. Correct or suppress multiple warnings.
911 Thanks, Jeffrey Altman.
913 Enable Automake silent rules. For a quieter build, pass the
914 --enable-silent-rules option to configure or build with make V=0.
916 Update to rra-c-util 2.1:
918 * Revert separation of die into a separate object file.
919 * Fall back on manual library probing if krb5-config doesn't work.
920 * Don't try to use a non-executable krb5-config for GSS-API probes.
921 * Suppress error output from krb5-config GSS-API probes.
922 * Prefer KRB5_CONFIG over a path constructed from --with-gssapi.
923 * Fix network test suite failures when IPv6 is available but disabled.
925 remctl 2.14 (2009-05-22)
927 The remctld configuration file may now specify that one argument to a
928 command is passed on standard input instead of on the command line
929 using the stdin= option. This option allows passing data to commands
930 that's too long to fit into a command-line argument or that contains
933 remctld logging of commands or arguments now replaces unprintable
934 characters (characters between ASCII 0 and 31 and ASCII 127) with
935 periods rather than assuming syslog will cope with them correctly.
937 Use command and subcommand as the names for the first two parameters
938 to the remctl client and the first two strings in a remctl command
939 instead of the unintuitive "type" and "service" terminology borrowed
940 from sysctl. This only changes documentation and some internal
941 variable names; no external APIs should be affected.
943 Declare message_fatal_cleanup extern in util.h. Fixes compilation
944 problems on Mac OS X and probably elsewhere.
946 Diagnose and explicitly reject on the server nul characters in command
947 arguments that don't support them rather than truncating the argument
950 Plug several memory leaks in the remctld server. (These would have
951 little practical effect unless a client stayed connected and issued
954 The protocol now permits commands with no arguments. remctld
955 currently doesn't support them, but now returns ERROR_UNKNOWN_COMMAND
956 instead of ERROR_BAD_COMMAND when receiving one.
958 Add documentation on extending remctl in docs/extending.
960 Add initial protocol version three draft in docs/protocol-v3.
962 Better check logmask options when parsing the server configuration
963 file and report errors instead of silently ignoring them. Masking the
964 command is also no longer supported (it previously worked by
967 Support building against Solaris 10's native generic GSS-API
968 libraries. Thanks, Peter Eriksson.
970 Update to rra-c-util 1.0:
972 * Fix open call parameters in daemon portability test.
973 * Fix AI_ADDRCONFIG portability on BSD/OS systems.
974 * Split die into a separate object to not link it in shared libraries.
975 * Don't break if the user clobbers CPPFLAGS at build time.
976 * Correctly set -L options with --with-gssapi-lib, not -I.
977 * Change AC_TRY_* to AC_*_IFELSE as recommended by Autoconf.
978 * Update portable and util test suite for C TAP Harness 1.0.
979 * Use native Kerberos instead of forking kinit in test suite.
981 Update to C TAP Harness 1.0:
983 * Rewrite of all test cases to use the new TAP library support.
984 * Much improved and simplified builddir != srcdir test suite support.
985 * Support running a single test with tests/runtests -o.
986 * Correctly handle completely skipped tests, like client/pod.
987 * Better reporting of fatal errors in the test suite.
989 remctl 2.13 (2008-11-14)
991 Add support for ACL methods in the remctld server. The supported
992 schemes in this release are file and princ, which together provide the
993 same functionality as earlier releases, plus deny to explicitly reject
994 a user who matches another ACL and support for the CMU GPUT
995 authorization system. There is now a framework in place for adding
996 new ACL methods in the future. This work was contributed by Jeffrey
999 When processing the include of a directory for configuration files or
1000 ACL files, limit the files read to those whose names contain only
1001 characters in [a-zA-Z0-9_-]. This replaces the previous exclusion of
1002 files containing periods and also excludes Emacs backup and temporary
1003 files. Thanks, Timothy G. Abbott.
1005 Add a PHP remctl PECL module from Andrew Mortensen, enabled with
1006 --enable-php at configure time. These bindings are only tested with
1009 Add Python bindings from Thomas L. Kula, enabled with --enable-python
1010 at configure time. These bindings are tested with Python 2.5 but
1011 should work with versions back to 2.3.
1013 Include all *.class files in the JAR file built by java/Makefile,
1014 making the resulting JAR actually useful. Thanks, Marcus Watts.
1016 Add an ant build configuration for the Java remctl implementation.
1017 It also has the capability to generate a distribution of just the Java
1018 implementation using a file layout more similar to an Apache Jakarta
1019 project than the layout of the java subdirectory.
1021 Several Windows fixes from Matthew Loar, plus really include
1022 portable/winsock.c in the distribution. This version should now build
1025 With --with-gssapi, attempt to determine if the library directory is
1026 lib32 or lib64 instead of lib and set LDFLAGS accordingly. Based on
1027 an idea from the CMU Autoconf macros.
1029 Add --with-gssapi-include and --with-gssapi-lib options to set the
1030 include and library paths separately if needed.
1032 Restore GSS-API portability checks for old versions of MIT Kerberos
1033 accidentally dropped in the previous release.
1035 Provide a proper bool type when built with Sun Studio 12 on Solaris
1036 10. Thanks, Jeffrey Hutzelman.
1038 Sanity-check the results of krb5-config before proceeding and error
1039 out in configure if they don't work.
1041 Fix Autoconf syntax error when probing for libkrb5support. Thanks,
1044 Create the docs directory in the build tree if it's missing, fixing a
1045 build failure when builddir != srcdir. Thanks, Jeffrey Hutzelman.
1047 In standalone mode, close the main server socket immediately in the
1048 child handler processes. Since the socket was already marked close on
1049 exec, this probably only matters for consistent test suite results,
1050 ensuring that the port is released immediately, but it's more correct.
1052 remctl 2.12 (2008-04-04)
1054 If no server principal is specified on the remctl command line or in
1055 the remctl() or remctl_open() C or Perl library interfaces, remctl now
1056 uses a host-based service name for the server instead of a Kerberos
1057 principal of host/server. The practical effect of this is that
1058 domain-realm mapping rules will be applied rather than assuming the
1059 server's principal is in the local domain and, for the C and Perl
1060 library interfaces, server name canonicalization will be done if
1061 configured in the GSS-API library. Users of the C or Perl library
1062 interfaces will find that remctl now authenticates to a principal for
1063 the host after a forward and reverse DNS lookup instead of the host
1064 specified in the API call with most GSS-API libraries. To disable
1065 this canonicalization behavior, see your GSS-API library
1066 documentation; setting rdns in [libdefaults] to false works for MIT
1067 Kerberos. The remctl command-line client continues to canonicalize
1068 its host argument always prior to any network connection or GSS-API
1071 Add documentation of hostname canonicalization and the choice of
1072 authentication principals to the remctl client, remctl() and
1073 remctl_open() C API, and Net::Remctl Perl API documentation.
1075 Fix a place in libremctl where the library would call exit rather than
1076 returning an error on memory allocation failure.
1078 Standardize on lowercase first characters in library error strings.
1080 Include the Windows port of the client done by Matthew Loar. See
1081 README for information on requirements and compilation. Only the
1082 client shared library and command-line utility are supported or built
1083 currently. I cannot easily test this code and probably broke it when
1084 integrating the patch; please report any problems so that they can be
1085 fixed in subsequent releases.
1087 When running the server in standalone mode, set the network file
1088 descriptors close-on-exec so that they're not inherited by commands
1089 run by remctl. Also close the low-numbered file descriptors before
1090 running a command to catch the replay cache file, which isn't marked
1091 close-on-exec in older versions of MIT Kerberos.
1093 When passing a variable set to undef into remctl_open in the Perl API,
1094 the principal was converted to the empty string. Adjust Net::Remctl
1095 to recognize the empty string as an unspecified principal.
1097 The configure option to specify the path to the GSS-API libraries is
1098 now --with-gssapi instead of --with-kerberos and the GSS-API probes
1099 should be more robust.
1101 Delete the man page symlinks before recreating them so that reinstalls
1102 work. Thanks, Nicholas Riley.
1104 Belatedly bump the libtool versioning for libremctl for the port
1105 number change in the previous release. (This is primarily for
1106 documentation purposes and doesn't change the library SONAME.)
1108 remctl 2.11 (2007-11-09)
1110 remctl now has an official port registered with IANA (4373), replacing
1111 the original, poorly-chosen port of 4444. The previous port conflicts
1112 with the krb524 service. The remctld server and example configuration
1113 files have been changed to bind to port 4373 by default if no port is
1114 specified. The client will attempt to connect to port 4373 first if
1115 no port is specified and then fall back to trying 4444. All sites
1116 running remctl are encouraged to upgrade their clients and then
1117 migrate their servers to the new port. Support for the old port
1118 without explicit configuration will be phased out in a future release.
1120 Stop using stdout and stderr as structure members, fixing compilation
1121 problems on AIX, NetBSD, and other platforms.
1123 Fix (non-exploitable) segfaults in remctld when sent a command with a
1124 type and no service (not permitted by the command-line client but
1125 possible with the library API). Thanks to Marcus Watts for the
1128 Port to the Kerberos GSS-API implementation shipped with AIX 5.2.
1129 Thanks to Sandor Sklar for bug reports and testing.
1131 Improve the configuration file documentation in the remctld man page.
1132 Document the first-match properties.
1134 remctl 2.10 (2007-08-26)
1136 Include a rewritten Java client and a Java server implementation, both
1137 by Marcus Watts. The rewritten Java client supports protocol version
1138 two and works with Sun Java 1.4.2, 5, and 6.
1140 Fix a (non-exploitable) remctld crash when the client sent more
1141 command arguments than it claimed it was going to send. Thanks,
1142 Marcus Watts. Also added a test with a variety of malformed command
1143 tokens in an effort to keep bugs like this from going unnoticed in the
1146 The remctl client now also requests sequence protection, but the
1147 client and server do not insist on it or on replay protection since
1148 Heimdal 0.6 doesn't support replay protection. This has been
1149 documented in the protocol specification as well.
1151 remctld when running in stand-alone mode now removes the PID file (if
1152 any) and exits cleanly after receiving SIGINT or SIGTERM. Based on a
1153 patch by Marcus Watts.
1155 remctld when running in stand-alone mode now re-reads its
1156 configuration file file after receiving a SIGHUP.
1158 Don't self-destruct after an hour in stand-alone mode, fixing a bug
1161 The libremctl client library now uses symbol versioning on Linux.
1163 Allow port and principal to be omitted in calls to Net::Remctl::open,
1164 matching the documentation. Thanks, Marcus Watts.
1166 Include a dummy symbol in libportable so that it always contains at
1167 least one object. Fixes compilation problems on Mac OS X 10.4 and
1170 Fix builds outside the source directory by creating the docs directory
1171 properly, based on a patch by Marcus Watts. Also fix make clean and
1172 the POD tests when run outside the source directory.
1174 Change the Net::Remctl documentation for remctl() to suggest 0 and the
1175 empty string as default values for port and principal, since this
1176 avoids Perl warnings.
1178 Check for the MIT Kerberos GSS-API library first in reduced dependency
1179 mode for improved reproducibility of the Debian build.
1181 remctl 2.9 (2007-06-29)
1183 Fix remctl client library crashes due to an uninitialized variable
1184 when the network connection fails.
1186 Added complete C API documentation (as section 3 manual pages) for the
1189 Fix several inaccuracies in the Net::Remctl API documentation.
1190 Thanks, Alf Wachsmann.
1192 Pass DESTDIR to the Perl module installation as well. Thanks, Darren
1195 remctl 2.8 (2007-06-27)
1197 Add a Net::Remctl Perl module, optionally compiled (and enabled with
1198 the --enable-perl configure flag), that provides native Perl bindings
1199 to the libremctl client library.
1201 Fix various null pointer dereferences in the simplified remctl client
1202 library call when the server returns an error.
1204 When running in stand-alone mode, remctld now forks a new child for
1205 each incoming connection and can therefore handle multiple
1206 simultaneous connections. This makes stand-alone mode useful for more
1207 than just testing. Also, remctld now backgrounds itself by default in
1208 stand-alone mode; disable this with the -F flag. Based on a patch by
1211 Add a new -k flag to remctld to tell it to use a non-default keytab.
1212 Thanks, Andrew Mortensen.
1214 Default to port 4444 in the library if a port of 0 is passed in, and
1215 (following the documentation) default to host/<hostname> if a NULL
1216 principal is passed in.
1218 remctld now exits properly when it can't parse its configuration file
1219 rather than proceeding with a null configuration.
1221 Fix problems with the parameter types for GSS-API memory freeing
1222 functions in some error cases.
1224 In the test suite, fix the kinit flags for MIT Kerberos 1.6.
1226 remctl 2.7 (2007-03-25)
1228 In remctld, consider the command complete once the child process
1229 exits. Do not wait for its standard output and error to be closed,
1230 since the child process may have spawned a long-running daemon that
1231 doesn't clean up its file descriptors properly.
1233 When the command-line remctl client canonicalizes the name of the
1234 server host to get the right principal, it then needs to connect to
1235 the canonical hostname. Otherwise, DNS schemes that return a
1236 different answer each time one asks for a given host may cause remctl
1237 to connect to a different host than the canonical name used for the
1238 principal, resulting in authentication failure.
1240 Fixed a subtle bookkeeping error when sending commands larger than the
1241 maximum token size that would have resulted in malformed tokens for
1242 boundary cases of argument lengths.
1244 Fixed memory and file descriptor leaks in remctld that only become
1245 apparent when the server runs many commands before exiting.
1247 Various minor fixes so that make warnings and make check work on a
1248 Solaris 8 system without IPv6 configured.
1250 Use a portability wrapper around the GSS-API header to avoid repeating
1251 the same portability code in every file.
1253 remctl 2.6 (2007-02-03)
1255 SECURITY: If an ACL listed for a command didn't exist, the
1256 authorization check was treated as a success instead of a failure.
1257 This had, embarassingly, apparently been broken since at least 2.0.
1259 remctl 2.5 (2007-02-03)
1261 Automatically use a continued MESSAGE_COMMAND if the total command
1262 length is larger than 64KB (minus token overhead). The remctl client
1263 library can now send arbitrarily large commands, at some cost in
1264 memory consumption on the client and server. The server is still
1265 limited by the OS-imposed maximum length of a command line.
1267 When the server runs a command, open /dev/null for standard input
1268 rather than leaving standard input closed. Some programs don't cope
1269 with a closed standard input.
1271 Audited memory handling of buffers sent to and read from the network
1272 and closed several memory leaks.
1274 Use the same limit (1MB) on token size everywhere. Enforce the
1275 protocol limit on unencrypted data size (64KB) in both the server and
1276 when sending messages in the client.
1278 Correctly handle a zero-length argument at the end of a command in the
1279 server. Previously, that argument was ignored.
1281 Check that the expected argument count matches the count of arguments
1282 seen in the server and that all of the client data was consumed when
1285 Add a newline to the end of error messages when converting to protocol
1286 version one replies. The old remctl client didn't add a newline.
1288 Document the limits on token size and unencrypted data size in the
1289 protocol specification. Improve the protocol documentation for the
1290 continue status for MESSAGE_COMMAND. Use octet instead of byte
1293 remctl 2.4 (2007-01-17)
1295 IPv6 support is now automatically enabled on systems that support it.
1296 The remctl code uniformly uses the new IPv6-aware host and address
1297 functions, using replacements on systems that don't provide them in
1298 libc. Thanks to Jonathan Kollasch for the initial patch.
1300 When sending tokens, correctly check for network errors rather than
1301 ignoring them due to a miswritten test.
1303 In the remctl command-line client, print a newline after protocol
1304 error messages from the server.
1306 Add error messages to the protocol specification for sending too many
1307 arguments in a command and sending too much data with a command.
1308 Return the more specific error message if the number of command
1309 arguments exceed the current hard-coded limit rather than just
1310 reporting a bad command token.
1312 Don't use $< in non-pattern rules (again), fixing a build error on
1313 some systems with non-GNU make (although since the generated man
1314 pages are part of the distribution, only those modifying the POD
1315 source would have seen this error).
1317 remctl 2.3 (2006-12-06)
1319 Increase the maximum number of arguments the server will accept for a
1320 command to 4096 from 64. This is an arbitrary limit to protect
1321 against memory-consumption denial-of-service attacks.
1323 Document the exit status of the remctl client.
1325 Add the -S flag to remctld, which tells it to log to standard output
1326 and standard error rather than syslog. Use this flag in the test
1327 suite so that make check doesn't spew into a system's syslog.
1329 Require Automake 1.10 and Autoconf 2.60 and use AC_CONFIG_LIBOBJ_DIR
1330 to locate replacements for missing system functions. This means that
1331 an Automake patch is no longer required for bootstrapping and remctl
1332 will now work with stock Autoconf and Automake.
1334 remctl 2.2 (2006-09-08)
1336 Add appropriate casts when passing size_t variables to printf on
1339 Include <sys/socket.h> in appropriate places for socklen_t on Solaris.
1341 Make the xmalloc test suite indifferent to filename differences from
1342 builddir != srcdir builds.
1344 Work around strange GCC 4.1 behavior on AMD64 that creates a const
1345 temporary variable in the macro expansion of the W* wait macros on
1346 glibc systems, causing the build of runtests to fail. For some reason
1347 this apparently only affects AMD64.
1349 Redirect /dev/null into kinit in the test suite so that the Heimdal
1350 syntax doesn't cause an MIT kinit to hang.
1352 Try all kinit varients in the remctl client test as well as the C API
1355 remctl 2.1 (2006-08-22)
1357 Set REMOTE_USER in the environment for commands run by remctld, using
1358 the same value as REMUSER. This makes it easier to use programs that
1359 also run as CGI scripts. Also set REMOTE_ADDR to the IP address of
1360 the remote host and set REMOTE_HOST to the hostname if available.
1362 Stop setting SCPRINCIPAL in the environment. This was for backward
1363 compatibility with sysctl and it's highly unlikely that anyone still
1364 cares (not to mention that the value was qualified with the realm and
1365 therefore didn't match sysctld's setting anyway).
1367 Properly nul-terminate error replies when using the simplified remctl
1370 Support make check with builddir != srcdir builds. Thanks to Ralf
1371 Wildenhues for the help in identifying the issues.
1373 remctl 2.0 (2006-08-09)
1375 Implement a new version 2 protocol, with automatic down-negotiation
1376 to the old protocol for backward compatibility. The new protocol is
1377 more binary-safe for command arguments, supports streaming output
1378 from the server, allows distinguishing between stdout output and
1379 stderr output, has no arbitrary limits on output size, and supports
1380 persistant connections.
1382 Document the details of the remctl protocol, both the old version 1
1383 protocol and the new version 2 protocol, in hopefully sufficient
1384 detail for anyone else to implement it.
1386 Don't consider inclusion of empty directories in a configuration file
1389 Add the -P flag to remctld to write its PID to a file when invoked in
1392 Add an automated test suite.
1394 Completely rewrite the build system to use Automake, a supporting
1395 utility library, separate subdirectories for different parts of the
1396 source tree, and a wrapper include file for system headers.
1398 Don't use $< in non-pattern rules, fixing a build error on some
1399 systems with non-GNU make.
1401 remctl 1.12 (2006-01-01)
1403 Initialize memory properly when parsing the server configuration file.
1405 Library probes with --enable-static cannot use krb5-config, since we
1406 can't distinguish between the Kerberos libraries that should be static
1407 and the system library dependencies that must not be made static.
1409 remctl 1.11 (2005-12-22)
1411 Support include directives in remctld ACL files with the same syntax
1412 and semantics as include directives in configuration files.
1414 Stop option parsing at the first non-option on Linux (this is the
1415 standard behavior of getopt on other platforms). Otherwise, calling
1416 remote programs that take options is annoying.
1418 Use krb5-config where available to get Kerberos libraries and compiler
1419 flags unless --enable-reduced-depends is used.
1421 Fix builds and installs where builddir != srcdir.
1423 Initial port to Heimdal. remctl now compiles but isn't able to talk
1424 to a server built with MIT Kerberos, so further porting is still
1427 Remove some debugging code for displaying the GSS-API OID as a string
1428 that isn't supported by the Heimdal API and is of questionable
1429 usefulness regardless.
1431 remctl 1.10 (2005-12-01)
1433 Move the -v option to remctl and remctld to -d (debug), since the
1434 verbose output or logging is only really useful when debugging.
1436 Add -h (show usage) and -v (show version) options to both remctl
1437 and remctld and add real option parsing (so combining multiple options
1438 in one switch should now work).
1440 Overhaul error and status reporting in remctl and remctld. Among
1441 other advantages, this should eliminate any lingering format string
1442 worries and get rid of the trailing newlines in syslog messages from
1443 remctld, as well as regularize the text of the error messages and the
1444 priority of syslog messages.
1446 remctl 1.9 (2005-05-10)
1448 Fix serious bug with inclusion of configuration directories. When
1449 reading any file after the first, remctl would use random bits of
1450 memory as the file name.
1452 remctl 1.8 (2005-05-04)
1454 Support include <file> in the configuration file. Also support
1455 including a directory, which includes every file in that directory
1456 that doesn't have a period in the name.
1458 Support continuation lines (using backslash) in the configuration
1459 file, and clean up the parser to be more flexible about whitespace on
1460 otherwise empty lines or comment lines.
1462 Change the default remctl.conf location to be relative to sysconfdir
1463 (<prefix>/etc by default) instead of the current directory.
1465 remctld now only logs the initial connection authentication and the
1466 argument count if -v was given, reducing to one the number of syslog
1467 messages per command.
1469 Improve the remctld man page, documenting all of the supported options
1470 including stand-alone mode.
1472 remctl 1.7 (2005-02-22)
1474 Close extra file descriptors before spawning a child process in
1475 remctl. The only file descriptors open should be standard output and
1476 standard error. This will fix problems with using remctld to start
1477 long-running daemons; before, remctld would never realize that the
1478 child process had exited.
1480 Use select to wait for child output in remctld rather than
1481 busy-waiting so as not to burn CPU cycles when the child takes a while
1484 Document the -p option for the client.
1486 remctl 1.6 (2004-05-18)
1488 Fix format string vulnerabilities when logging the remote command.
1490 remctl 1.5 (2004-03-04)
1492 Fix a bug in remctld where it would segfault when trying to check the
1493 ACLs for a command not present in the configuration file.
1495 Portability fix to return the exit status of the command in network
1498 remctl 1.4 (2003-11-12)
1500 Add support for a logmask=n option in the configuration file that
1501 masks those arguments in the logging output (used when some of the
1502 options for that command contain private information).
1504 Add optimizations in the GSS code to do fewer network writes.
1506 Significant improvements to the Java client.
1508 Some minor cleanups to logging, installation, and the configure
1511 remctl 1.3 (2003-07-21)
1513 Exit with non-zero status if the remote command failed rather than
1514 always exiting with zero status if the network exchange worked
1517 Adjust logging priorities and include some additional information in
1518 the log of the command.
1520 Improved the README and added a make dist target to the makefile.
1522 remctl 1.2 (2003-04-04)
1524 Read from both standard out and standard error of the spawned command
1525 in turn to better prevent deadlock.
1527 Set the REMUSER environment variable to the remote authenticated user
1528 (and continue setting SCPRINCIPAL as well for backward compatibility).
1530 remctl 1.1 (2003-02-28)
1532 Add an snprintf implementation for systems that don't have it and use
1533 it for log messages.
1535 Additional fleshing out of the Java client.
1537 Lots of code cleanup and style fixes.
1539 remctl 1.0 (2002-11-22)