Version 0.9.12
--------------
Bugfixes / Improvements:
- various small changes to fix compiler and cppcheck warnings.
- fix log message when user has no home directory.

Version 0.9.11
--------------
Bugfixes:
- glexec-configure cannot configure for cURL+NSS as on RH6.
  See https://bugzilla.nikhef.nl/show_bug.cgi?id=20
- maximum id_t is incorrectly determined on Solaris (part of the safefile
  library).

Improvements:
- numerous improvements to glexec-configure
- some improvements in the glexec-lcas-compound test suite
- add banning plugins to template lcmaps-glexec.db
- backup original glexec.conf (and lcmaps-glexec.db) when installing and install
  glexec.conf with the advertised settings instead of the old-style settings.
- add proper setting of feature macros for (among others) dirfd prototype, using
  test for POSIX2008.

Version 0.9.10
--------------
Bugfixes:
- when no log_destination is set, openlog() is not always called before LCMAPS,
  which will then log with syslog defaults.
  See https://bugzilla.nikhef.nl/show_bug.cgi?id=19

Improvements:
- Update to newer version of Jim Kupsch's safefile (now version 1.0.5)
- Some internal refactoring to fix compiler warnings (casts and _XOPEN_SOURCE
  definitions).
- Update the glexec-lcas-lcmaps-compount-test.sh script:
  * properly put back glexec.conf and settings of glexec binary
  * put all other files (db, log etc.) in custom temporary directory: only
    glexec.conf is hard-coded
  * update some of the errors and warnings printed (or add them).
  * internal cleanup to make code somewhat cleaner.

Version 0.9.9
-------------
Bugfixes:
- gLExec incorrectly handles MALLOC_ variables in the input, failing instead of
  cleaning them. See https://bugzilla.nikhef.nl/show_bug.cgi?id=16
- it incorrectly handles extremely long environment variables.

Improvements:
- When cleaning the environment fails, it logs the reason, instead of returning
  it to the user.

Version 0.9.8
-------------
Bugfixes:
- potential crash for very large configurations.
- improve handling of type-conversions (some potential issues with
  signed-unsigned were uncovered).
- protect against partial output from LCMAPS.
- glexec-configure.sh should create /etc/lcmaps if it does not exist.

Version 0.9.7
-------------
Improvements:
- Only log how we tried to open config file if it failed, preventing
  uninteresting log entries in syslog.

Version 0.9.6
-------------
Bugfixes:
- umask was not reverted in non-linger mode.

Version 0.9.5
-------------
Bugfixes:
- Fix broken lcmaps-glexec.db produced by glexec-configure.sh script

Improvements:
- lower loglevel when homedir of payload does not exist from warning to info

Version 0.9.4
-------------
Bugfixes:
- specifying preserve_env_variables in the glexec.conf caused a segfault.

Improvements:
- Update location of wiki pages in man pages.

Version 0.9.2
-------------
Bugfixes:
- When either stdin, stdout or stderr is closed, a directory or opened in the
  wrong mode (readonly for out or writeonly for in) then gLExec (re)opens
  /dev/null instead.
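
The check described in this bugfix, sketched as an added example (this is not
gLExec's own code; the function names are hypothetical). A privileged program
that starts with fd 0, 1 or 2 closed would otherwise get that number back from
its next open(), so later writes to "stderr" could land in a config or log file.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example (not gLExec source); all function names are hypothetical.
 * 1 if fd is open, not a directory, and its access mode fits the direction
 * needed (need_write: 0 for stdin, 1 for stdout/stderr). */
static int fd_is_usable(int fd, int need_write)
{
    struct stat st;
    int flags, acc;
    if (fstat(fd, &st) != 0 || S_ISDIR(st.st_mode))  /* closed (EBADF) or dir */
        return 0;
    if ((flags = fcntl(fd, F_GETFL)) == -1)
        return 0;
    acc = flags & O_ACCMODE;
    return acc == O_RDWR || acc == (need_write ? O_WRONLY : O_RDONLY);
}

/* Returns 0 if fd was usable, 1 if it now points at /dev/null, -1 on error. */
int sanitize_std_fd(int fd)
{
    int need_write = (fd != STDIN_FILENO);
    int nullfd, rc;
    if (fd_is_usable(fd, need_write))
        return 0;
    nullfd = open("/dev/null", need_write ? O_WRONLY : O_RDONLY);
    if (nullfd < 0)
        return -1;
    if (nullfd == fd)          /* fd was closed and open() landed on it */
        return 1;
    rc = dup2(nullfd, fd);     /* atomically replaces whatever fd pointed at */
    close(nullfd);
    return rc < 0 ? -1 : 1;
}

/* Run before any other open(): returns how many of fds 0-2 were replaced. */
int sanitize_std_fds(void)
{
    int fd, rc, replaced = 0;
    for (fd = 0; fd <= 2; fd++) {
        if ((rc = sanitize_std_fd(fd)) < 0)
            return -1;
        replaced += rc;
    }
    return replaced;
}
```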

Improvements:
- Install also manpage for glexec-configure

Version 0.9.1
-------------
Bugfixes:
- Signal handling code is greatly improved to prevent lockups.

Version 0.9.0
-------------
This version introduces several new features. The preferred and advised run-mode
is linger mode with gLExec doing the userswitch. This is the most secure, simple
and versatile run-mode. It means that LCMAPS should NOT run the posix_enf
plugin.

New functionality
- epilogue functionality:
  - When an absolute path to a root-trusted file is specified as epilogue in
    the config file, it will be run after the payload has finished.
  - It can optionally run as a different user and/or group which then are also
    trusted concerning the binary writability.
  - It runs for a maximum time of epilogue_timeout (default 300 seconds) after
    which it is sent a SIGTERM.
  - It will have /dev/null as stdin, stdout and stderr. It is for the epilogue
    itself to take care of its logging.
  - The epilogue process will run with the target environment.
  - In addition, a number of special variables named GLEXEC_EPILOG_*, which
    contain information about the payload process, calling account and target
    account, are put in the environment for the epilogue process:
      GLEXEC_EPILOG_GLEXEC_CWD    startup dir of gLExec
      GLEXEC_EPILOG_GLEXEC_USER   calling username
      GLEXEC_EPILOG_GLEXEC_GROUP  calling primary groupname
      GLEXEC_EPILOG_TARGET_USER   target username
      GLEXEC_EPILOG_TARGET_GROUP  target primary groupname
      GLEXEC_EPILOG_GLEXEC_PID    gLExec process ID
      GLEXEC_EPILOG_GLEXEC_SID    gLExec session
      GLEXEC_EPILOG_GLEXEC_PGID   gLExec process group
      GLEXEC_EPILOG_GLEXEC_UID    calling uid
      GLEXEC_EPILOG_GLEXEC_GID    calling primary gid
      GLEXEC_EPILOG_GLEXEC_SGIDS  calling secondary gids, colon separated
      GLEXEC_EPILOG_TARGET_UID    target uid
      GLEXEC_EPILOG_TARGET_GID    target primary gid
      GLEXEC_EPILOG_TARGET_SGIDS  target secondary gids, colon separated
      GLEXEC_EPILOG_ARGC          argc of payload
      GLEXEC_EPILOG_ARGV<N>       argv of payload
      GLEXEC_EPILOG_TARGET_PID    payload process ID
      GLEXEC_EPILOG_TARGET_PGID   payload process group
      GLEXEC_EPILOG_TARGET_RC     payload exit code
  - When using process groups (default, use_setpgid=yes) both payload and
    epilogue will run in a separate process group equal to their PID.
  - A non-zero exit status of the epilogue will always result in a gLExec exit
    code of 202.
  - new options related to epilogue, see man glexec.conf(5)
      epilogue          (empty: no epilogue)
      epilogue_user     (default root)
      epilogue_group    (default root)
      epilogue_timeout  (default 300 seconds)
    in addition, also the sighandling options influence the epilogue.

- implementing signal handling:
  - most signals are forwarded to payload or epilogue (when present).
  - SIGINT, TERM etc. will gracefully terminate the payload/epilogue by first
    sending a SIGTERM to the child process (group) and allowing a gracetime of
    term_delay before sending a SIGKILL. After the SIGKILL a second gracetime
    of kill_delay allows logging of the exit status. Note that since the
    lingering gLExec runs as root after the payload finishes, only root can
    forward signals to the epilogue.
  - handlers for SIGBUS, SIGFPE, SIGILL and SIGSEGV (and optionally SIGSTKFLT
    which normally should be unused) which only act when the signal comes from
    the kernel. They send a SIGTERM to the payload or epilogue process (group)
    and quit. No gracetime is wanted here. Similar behaviour happens for
    SIGABRT and SIGSYS except that these are typically not coming from the
    kernel and hence provide different information.
  - SIGPIPE is logged and ignored, SIGTTOU and SIGTTIN are directly ignored in
    order to allow jobcontrol.
  - gLExec is doing job-control on the payload: normally the payload will run
    in the foreground: When the payload suspends, gLExec will take back the
    tty. When the job resumes, the tty is returned to it.
    The payload can be forced to run in the background by either the -b
    cmdline option or the force_payload_background config option.
    SIGINT and SIGTSTP (typically ctrl-c and ctrl-z) give feedback on stderr.
  - gLExec normally will also forward the 'debug' signals SIGTRAP, SIGEMT,
    SIGVTALRM and SIGPROF, and additionally the realtime signals SIGRTMIN till
    SIGRTMAX, unless the extra_sighandlers option is set to no.
    Note that many modern debuggers including gdb work around the problem and
    seem to work fine even when installing sighandlers for SIGTRAP etc. Some
    of the realtime signals are used by valgrind, which prevents it from
    installing a handler.
  - new options related to sighandling, see man glexec.conf(5)
      force_payload_background  (default off)
      term_delay                (default 5 seconds)
      kill_delay                (default 1 second)
      use_setpgid               (default yes)
      extra_sighandlers         (default yes)

- use of separate process group for the payload: this allows gLExec to signal
  the entire process group (e.g. SIGTERM). Signals will only be *forwarded* to
  the child itself. The feature can be disabled using the use_setpgid option.

- Closing of all open file descriptors in lingering gLExec process. This can be
  prevented by setting close_fds to 'no' in the config file.

- Calling user can disable writing/setting of payload proxy by setting
  GLEXEC_TARGET_PROXY to /dev/null (the sysadmin could already do this via the
  create_target_proxy option)
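
The termination sequence from the signal handling and process group items
above (SIGTERM to the group, term_delay, SIGKILL, kill_delay), sketched as an
added example. This is not gLExec's own code: the function names and the
stand-in payload are hypothetical, only the two delays come from the text.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Added example (not gLExec source); function names are hypothetical.
 * Poll for up to secs seconds; returns 1 (with *status set) once reaped. */
static int reap_within(pid_t pid, int secs, int *status)
{
    struct timespec tick = { 0, 50 * 1000 * 1000 };   /* 50 ms */
    for (int i = 0; i <= secs * 20; i++) {
        if (waitpid(pid, status, WNOHANG) == pid)
            return 1;
        nanosleep(&tick, NULL);
    }
    return 0;
}

/* SIGTERM the whole group, allow term_delay, then SIGKILL and allow
 * kill_delay so the exit status can still be collected. Returns the signal
 * that ended the group leader, 0 if it exited, -1 if it was not reaped. */
int terminate_group(pid_t pgid, int term_delay, int kill_delay)
{
    int status;
    kill(-pgid, SIGTERM);              /* negative pid: every group member */
    if (!reap_within(pgid, term_delay, &status)) {
        kill(-pgid, SIGKILL);
        if (!reap_within(pgid, kill_delay, &status))
            return -1;
    }
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* Constructed stand-in payload in its own group (pgid == pid). The SIGTERM
 * disposition is set before fork() so the child inherits it without a race. */
pid_t spawn_payload(int ignore_term)
{
    void (*old)(int) = signal(SIGTERM, ignore_term ? SIG_IGN : SIG_DFL);
    pid_t pid = fork();
    if (pid == 0) {
        setpgid(0, 0);
        alarm(60);                     /* safety net for the example only */
        for (;;) pause();
    }
    signal(SIGTERM, old);
    if (pid > 0)
        setpgid(pid, pid);             /* also in the parent: group exists before kill() */
    return pid;
}
```

A payload that honours SIGTERM is reaped within term_delay; one that ignores it
is only stopped by the SIGKILL that follows.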

Several defaults are changed, the old behaviour is still configurable:
- When gLExec is doing the userswitch (advised and default setting) gLExec will
  run as calling user until the payload starts. At that moment, the payload will
  run as the target user, while the lingering gLExec will keep running as
  calling user. This allows the pilot user to send signals to the running
  gLExec. As soon as the payload finishes or a terminating signal is received,
  the lingering gLExec will become root and group 0.
  When really needed, the lingering gLExec can run as the target user (pre 0.9
  behaviour) using the linger_as_payload option. This is not considered a safe
  setting and is strongly advised against.

- Logging defaults:
  - all (gLExec, LCAS, LCMAPS) builtin default loglevels are 4
  - a number of log messages are lowered in loglevel while improving the
    information in others.
  - gLExec now by default uses different syslog levels
    (diff_syslog_levels=yes).
  - LCMAPS logging in version 1.5 is much reduced and also split over syslog
    levels. Hence the builtin default of 4 allows reducing logoutput via
    syslog's own mechanism.
  - at the time of this release LCAS logging is not yet reorganized, hence
    it is advised to set the lcas_debug_loglevel to 0 (old default).

- LCAS/LCMAPS modules: when the {lcas,lcmaps}_libdir is set, gLExec now sets the
  {LCAS,LCMAPS}_MODULES_DIR variables to that libdir followed by /lcas or
  /lcmaps, in line with the EPEL standards. This suffix can be set in the config
  file using the lcas_moduledir_sfx and the lcmaps_moduledir_sfx.

Bugfixes:
- Lookup/use the lcmaps/lcas libdir only when they are existing and absolute
  directories.

- When the config file is untrusted, gLExec reverts to builtin defaults, which
  often leads to a 'not-whitelisted' error to the user. The stderr message now
  mentions that it might be due to a permission issue of the config file.

- In addition to disabling voms checking, it can be enabled. This is needed when
  LCMAPS is built with a default set to no-voms-checking.

Build-time changes:
- default directories for LCMAPS and LCAS modules are now $libdir/lcmaps and
  $libdir/lcas. This can be overridden using the --with-lcmaps-moduledir-sfx
  (and likewise for LCAS) flags.

Version 0.8.10
--------------
This version of gLExec introduces the following new features:
- fix a few minor segfault situations.
- fix crash when "linger= ..." is absent.
- installation of a default glexec.conf file and a default (fully commented-out)
  lcmaps-glexec.db file.
- support for specifying lcas and lcmaps db files on the configure cmdline.
- cleanup of unused files and support for distribution tarball.