remctl 3.7 released

Russ Allbery eagle at eyrie.org
Mon Jan 6 18:54:43 EST 2014


I'm pleased to announce release 3.7 of remctl.

remctl is a client/server application that supports remote execution of
specific commands, using Kerberos GSS-API for authentication.
Authorization is controlled by a configuration file and ACL files and can
be set separately for each command, unlike with rsh.  remctl is like a
Kerberos-authenticated simple CGI server, or a combination of Kerberos rsh
and sudo without most of the features and complexity of either.

Changes from previous release:

    Fix a client memory leak when remctl_set_ccache is used with a
    Kerberos library that supports gss_krb5_import_cred.  The credential
    was never freed, leaking memory with each remctl client call, and a
    Kerberos ticket cache struct could also be leaked in some situations.

    Fix Net::Remctl::Backend argument count validation when one of the
    arguments is coming from standard input.  The count of arguments was
    previously not updated properly after splicing in the extra argument.

    Add support for systemd.  If built on a system with systemd installed,
    remctl will install (but not enable) systemd units to start remctld
    via socket activation.  remctld will also notify systemd when its
    initialization is complete if started by systemd with service
    notification enabled.

    Add support for upstart's expect stop daemon synchronization method.
    When starting remctld in stand-alone mode with upstart, pass the new
    -Z option to remctld, and it will raise SIGSTOP when ready to accept
    connections, signaling to upstart that the daemon has fully started.

    Work around a bug in the Module::Build version that comes with RHEL 5
    in passing compiler and linker flags to the Perl module build.

    Net::Remctl and related classes now check that the class argument is
    not undef and croak if it is, rather than dereferencing a NULL
    pointer.  Caught by clang --analyze.

    Update to rra-c-util 5.1:

    * Suppress a dummy symbol in the client library that could leak.
    * Don't attempt to use Kerberos if no Kerberos error APIs were found.
    * Improve error handling in xasprintf and xvasprintf.
    * Check the return status of snprintf and vsnprintf properly.
    * Preserve errno if snprintf fails in vasprintf replacement.
    * Improve error handling of network_bind_* functions.
    * vector_free and cvector_free now can be passed NULL.
    * Abort remctl tests if the PID file already exists.

    Update to C TAP Harness 2.4:

    * Suppress lazy plans and test summaries if the test failed with bail.

You can download it from:

    <http://www.eyrie.org/~eagle/software/remctl/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>
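
The "expect stop" synchronization described in the changelog above, as an added example that is not part of the original announcement and is neither remctl's nor upstart's code: a minimal supervisor forks a daemon, waits for it to stop itself with SIGSTOP, and only then resumes it with SIGCONT. The function names and the two sample daemon bodies are hypothetical.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical daemon body: set up, then stop to declare readiness. */
int ready_daemon(void)
{
    /* ... bind and listen on the service socket here ... */
    if (raise(SIGSTOP) != 0)    /* execution resumes here after SIGCONT */
        return 1;
    return 0;                   /* a real daemon would enter its accept loop */
}

/* Hypothetical daemon that fails during startup and never signals. */
int broken_daemon(void)
{
    return 1;
}

/* Supervisor side.  Returns 0 if the child stopped itself, was resumed,
 * and exited cleanly; -1 if it ended before signaling readiness. */
int supervise_expect_stop(int (*daemon_fn)(void))
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(daemon_fn());

    /* WUNTRACED makes waitpid report a stopped child, not only an exit. */
    if (waitpid(pid, &status, WUNTRACED) != pid)
        return -1;
    if (!WIFSTOPPED(status))
        return -1;              /* exited or killed before ready; reaped */

    /* Readiness confirmed: resume the daemon and wait for it to finish. */
    if (kill(pid, SIGCONT) != 0 || waitpid(pid, &status, 0) != pid)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    printf("ready: %d, broken: %d\n", supervise_expect_stop(ready_daemon),
           supervise_expect_stop(broken_daemon));
    return 0;
}
```

Because the supervisor learns about readiness only through the stop notification, a daemon that dies during startup is reported as a failed start rather than being treated as running.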

