Contents of /trunk/glexec/NEWS

Version 0.9.12
--------------
Bugfixes / Improvements:
- various small changes to fix compiler and cppcheck warnings.
- fix log message when user has no home directory.

Version 0.9.11
--------------
Bugfixes:
- glexec-configure cannot configure for cURL+NSS as on RH6.
  See https://bugzilla.nikhef.nl/show_bug.cgi?id=20
- maximum id_t is incorrectly determined on Solaris (part of the safefile
  library).

Improvements:
- numerous improvements to glexec-configure
- some improvements in the glexec-lcas-compound test suite
- add banning plugins to template lcmaps-glexec.db
- backup original glexec.conf (and lcmaps-glexec.db) when installing and install
  glexec.conf with the advertised settings instead of the old-style settings.
- add proper setting of feature macros for (among others) dirfd prototype, using
  test for POSIX2008.

Version 0.9.10
--------------
Bugfixes:
- when no log_destination is set, openlog() is not always called before LCMAPS,
  which will then log with syslog defaults.
  See https://bugzilla.nikhef.nl/show_bug.cgi?id=19

Improvements:
- Update to newer version of Jim Kupsch' safefile (now version 1.0.5)
- Some internal refactoring to fix compiler warnings (casts and _XOPEN_SOURCE
  definitions).
- Update the glexec-lcas-lcmaps-compount-test.sh script:
    * properly put back glexec.conf and settings of glexec binary
    * put all other files (db, log etc.) in custom temporary directory: only
      glexec.conf is hard-coded
    * update some of the errors and warnings printed (or add them).
    * internal cleanup to make code somewhat cleaner.

Version 0.9.9
-------------
Bugfixes:
- gLExec incorrectly handles MALLOC_ variables in the input, failing instead of
  cleaning them. See https://bugzilla.nikhef.nl/show_bug.cgi?id=16
- it incorrectly handles extremely long environment variables.

Improvements:
- When cleaning the environment fails, it logs the reason, instead of returning
  it to the user.

Version 0.9.8
-------------
Bugfixes:
- potential crash for very large configurations.
- improve handling of type-conversions (some potential issues with
  signed-unsigned were uncovered).
- protect against partial output from LCMAPS.
- glexec-configure.sh should create /etc/lcmaps if it does not exist.

Version 0.9.7
-------------
Improvements:
- Only log how we tried to open config file if it failed, preventing
  uninteresting log entries in syslog.

Version 0.9.6
-------------
Bugfixes:
- umask was not reverted in non-linger mode.

Version 0.9.5
-------------
Bugfixes:
- Fix broken lcmaps-glexec.db produced by glexec-configure.sh script

Improvements:
- lower loglevel when homedir of payload does not exist from warning to info

Version 0.9.4
-------------
Bugfixes:
- specifying preserve_env_variables in the glexec.conf caused a segfault.

Improvements:
- Update location of wiki pages in man pages.

Version 0.9.2
-------------
Bugfixes:
- When either stdin, stdout or stderr is closed, a directory or opened in the
  wrong mode (readonly for out or writeonly for in) then gLExec (re)opens
  /dev/null instead.

Improvements:
- Install also manpage for glexec-configure

Version 0.9.1
-------------
Bugfixes:
- Signal handling code is greatly improved to prevent lockups.

Version 0.9.0
-------------
This version introduces several new features. The preferred and advised run-mode
is linger mode with gLExec doing the userswitch. This is the most secure, simple
and versatile run-mode. It means that LCMAPS should NOT run the posix_enf
plugin.

New functionality
- epilogue functionality:
    - When a absolute path to a root-trusted file is specified as epilogue in
      the config file, it will be run after the payload has finished.
    - It can optionally run as a different user and/or group which then are also
      trusted concerning the binary writability.
    - It runs for a maximum time of epilogue_timeout (default 300 seconds) after
      which it is send a SIGTERM.
    - It will have /dev/null as stdin, stdout and stderr. It is for the epilogue
      itself to take care of its logging.
    - The epilogue process will run with the target environment.
    - In addition it will have a number of special other variables named
      GLEXEC_EPILOG_* which contain information about the payload process,
      calling account and target account is put in the environment for the
      epilogue process:
        GLEXEC_EPILOG_GLEXEC_CWD    startup dir of gLExec
        GLEXEC_EPILOG_GLEXEC_USER   calling username
        GLEXEC_EPILOG_GLEXEC_GROUP  calling primary groupname
        GLEXEC_EPILOG_TARGET_USER   target username
        GLEXEC_EPILOG_TARGET_GROUP  target primary groupname
        GLEXEC_EPILOG_GLEXEC_PID    gLExec process ID
        GLEXEC_EPILOG_GLEXEC_SID    gLExec session 
        GLEXEC_EPILOG_GLEXEC_PGID   gLExec process group
        GLEXEC_EPILOG_GLEXEC_UID    calling uid
        GLEXEC_EPILOG_GLEXEC_GID    calling primary gid
        GLEXEC_EPILOG_GLEXEC_SGIDS  calling secondary gids, colon separated
        GLEXEC_EPILOG_TARGET_UID    target uid
        GLEXEC_EPILOG_TARGET_GID    target primary gid
        GLEXEC_EPILOG_TARGET_SGIDS  target secondary gids, colon separated
        GLEXEC_EPILOG_ARGC          argc of payload
        GLEXEC_EPILOG_ARGV<N>       argv of payload
        GLEXEC_EPILOG_TARGET_PID    payload process ID
        GLEXEC_EPILOG_TARGET_PGID   payload process group
        GLEXEC_EPILOG_TARGET_RC     payload exit code
    - When using process groups (default, use_setpgid=yes) both payload and
      epilogue will run in a separate process group equal to their PID.
    - A non-zero exit status of the epilogue will always result in a gLExec exit
      code of 202.
    - new options related to epilogue, see man glexec.conf(5)
        epilogue            (empty: no epilogue)
        epilogue_user       (default root)
        epilogue_group      (default root)
        epilogue_timeout    (default 300 seconds)
      in addition, also the sighandling options influence the epilogue.

- implementing signal handling:
    - most signals, are
      forwarded to payload or epilogue (when present).
    - SIGINT, TERM etc. will gracefully terminate the payload/epilogue by first
      sending a SIGTERM to the child process (group) and allowing a gracetime of
      term_delay before sending a SIGKILL. After the SIGKILL a second gracetime
      of kill_delay allows logging of the exit status. Note that since the
      lingering gLExec runs as root after the payload finishes, only root can
      forward signals to the epilogue.
    - handlers for SIGBUS, SIGFPE, SIGILL and SIGSEGV (and optionally SIGSTKFLT
      which normally should be unused) which only act when the signal comes from
      the kernel. They send a SIGTERM to the payload or epilogue process (group)
      and quit. No gracetime is wanted here. Similar behaviour happens for
      SIGABRT and SIGSYS except that these are typically not coming from the
      kernel and hence provide different information.
    - SIGPIPE is logged and ignored, SIGTTOU and SIGTTIN are directly ignored in
      order to allow jobcontrol.
    - gLExec is doing job-control on the payload: normally the payload will run
      in the foreground: When the payload suspends, gLExec will take back the
      tty. When the job resumes, the tty is returned to it.
      The payload can be forced to run in the background by either the -b
      cmdline option or the force_payload_background config option.
      SIGINT and SIGTSTP (typically ctrl-c and ctrl-z) give feedback on stderr.
    - gLExec normally will also forward the 'debug' signals SIGTRAP, SIGEMT,
      SIGVTALRM and SIGPROF, and additionally the realtime signals SIGRTMIN till
      SIGRTMAX, unless the extra_sighandlers option is set to no.
      Note that many modern debuggers including gdb work around the problem and
      seem to work fine even when installing sighandlers for SIGTRAP etc. Some
      of the realtime signals are used by valgrind, which prevents it from
      installing handler.
    - new options related to sighandling, see man glexec.conf(5)
        force_payload_background    (default off)
        term_delay                  (default 5 seconds)
        kill_delay                  (default 1 second)
        use_setpgid                 (default yes)
        extra_sighandlers           (default yes)

- use of separate process group for the payload: this allows gLExec to signal
  the entire process group (e.g. SIGTERM). Signals will only be *forwarded* to
  the child itself. The feature can be disabled using the use_setpgid option.

- Closing of all open file descriptors in lingering gLExec process. This can be
  prevented by setting close_fds to 'no' in the config file.

- Calling user can disable writing/setting of payload proxy by setting
  GLEXEC_TARGET_PROXY to /dev/null (the sysadmin could already do this via the
  create_target_proxy option)

Several defaults are changed, the old behaviour is still configurable:
- When gLExec is doing the userswitch (advised and default setting) gLExec will
  run as calling user until the payload starts. At that moment, the payload will
  run as the target user, while the lingering gLExec will keep running as
  calling user. This allows the pilot user to send signals to the running
  gLExec. As soon as the payload finishes or a terminating signal is received,
  the lingering gLExec will become root and group 0.
  When really needed, the lingering gLExec can run as the target user (pre 0.9
  behaviour) using the linger_as_payload option. This is not considered a safe
  setting and is strongly advised against.

- Logging defaults:
    - all (gLExec, LCAS, LCMAPS) builtin default loglevels are 4
    - a number of log messages are lowered in loglevel while improving the
      information in others.
    - gLExec now by default uses different syslog levels
      (diff_syslog_levels=yes).
    - LCMAPS logging in version 1.5 is much reduced and also split over syslog
      levels. Hence the builtin default of 4 allows reducing logoutput via
      syslog's own mechanism.
    - at the time of this release LCAS logging is not yet reorganized, hence
      it is advised to set the lcas_debug_loglevel to 0 (old default).

- LCAS/LCMAPS modules: when the {lcas,lcmaps}_libdir is set, gLExec now sets the
  {LCAS,LCMAPS}_MODULES_DIR variables to that libdir followed by /lcas or
  /lcmaps, in line with the EPEL standards. This suffix can be set in the config
  file using the lcas_moduledir_sfx and the lcmaps_moduledir_sfx.

Bugfixes:
- Lookup/use the lcmaps/lcas libdir only when they are existing and absolute
  directories.

- When the config file is untrusted, gLExec reverts to builtin defaults, which
  often lead to a 'not-whitelisted' error to the user. The stderr message now
  mentions that it might be due to a permission issue of the config file.

- In addition to disabling voms checking, it can be enabled. This is needed when
  LCMAPS is build with a default set to no-voms-checking.

Build-time changes:
- default directories for LCMAPS and LCAS modules are now $libdir/lcmaps and
  $libdir/lcas. This can be overridden using the --with-lcmaps-moduledir-sfx
  (and likewise for LCAS) flags.

Version 0.8.10
--------------
This version of gLExec introduces the following new features:
- fix a few minor segfault situations.
- fix crash when "linger= ..." is absent.
- installation of a default glexec.conf file and a default (fully commented-out)
  lcmaps-glexec.db file.
- support for specifying lcas and lcmaps db files on the configure cmdline.
- cleanup of unused files and support for distribution tarball.
1	Version 0.9.12
2	--------------
3	Bugfixes / Improvements:
4	- various small changes to fix compiler and cppcheck warnings.
5	- fix log message when user has no home directory.
6
7	Version 0.9.11
8	--------------
9	Bugfixes:
10	- glexec-configure cannot configure for cURL+NSS as on RH6.
11	See https://bugzilla.nikhef.nl/show_bug.cgi?id=20
12	- maximum id_t is incorrectly determined on Solaris (part of the safefile
13	library).
14
15	Improvements:
16	- numerous improvements to glexec-configure
17	- some improvements in the glexec-lcas-compound test suite
18	- add banning plugins to template lcmaps-glexec.db
19	- backup original glexec.conf (and lcmaps-glexec.db) when installing and install
20	glexec.conf with the advertised settings instead of the old-style settings.
21	- add proper setting of feature macros for (among others) dirfd prototype, using
22	test for POSIX2008.
23
24	Version 0.9.10
25	--------------
26	Bugfixes:
27	- when no log_destination is set, openlog() is not always called before LCMAPS,
28	which will then log with syslog defaults.
29	See https://bugzilla.nikhef.nl/show_bug.cgi?id=19
30
31	Improvements:
32	- Update to newer version of Jim Kupsch' safefile (now version 1.0.5)
33	- Some internal refactoring to fix compiler warnings (casts and _XOPEN_SOURCE
34	definitions).
35	- Update the glexec-lcas-lcmaps-compount-test.sh script:
36	* properly put back glexec.conf and settings of glexec binary
37	* put all other files (db, log etc.) in custom temporary directory: only
38	glexec.conf is hard-coded
39	* update some of the errors and warnings printed (or add them).
40	* internal cleanup to make code somewhat cleaner.
41
42	Version 0.9.9
43	-------------
44	Bugfixes:
45	- gLExec incorrectly handles MALLOC_ variables in the input, failing instead of
46	cleaning them. See https://bugzilla.nikhef.nl/show_bug.cgi?id=16
47	- it incorrectly handles extremely long environment variables.
48
49	Improvements:
50	- When cleaning the environment fails, it logs the reason, instead of returning
51	it to the user.
52
53	Version 0.9.8
54	-------------
55	Bugfixes:
56	- potential crash for very large configurations.
57	- improve handling of type-conversions (some potential issues with
58	signed-unsigned were uncovered).
59	- protect against partial output from LCMAPS.
60	- glexec-configure.sh should create /etc/lcmaps if it does not exist.
61
62	Version 0.9.7
63	-------------
64	Improvements:
65	- Only log how we tried to open config file if it failed, preventing
66	uninteresting log entries in syslog.
67
68	Version 0.9.6
69	-------------
70	Bugfixes:
71	- umask was not reverted in non-linger mode.
72
73	Version 0.9.5
74	-------------
75	Bugfixes:
76	- Fix broken lcmaps-glexec.db produced by glexec-configure.sh script
77
78	Improvements:
79	- lower loglevel when homedir of payload does not exist from warning to info
80
81	Version 0.9.4
82	-------------
83	Bugfixes:
84	- specifying preserve_env_variables in the glexec.conf caused a segfault.
85
86	Improvements:
87	- Update location of wiki pages in man pages.
88
89	Version 0.9.2
90	-------------
91	Bugfixes:
92	- When either stdin, stdout or stderr is closed, a directory or opened in the
93	wrong mode (readonly for out or writeonly for in) then gLExec (re)opens
94	/dev/null instead.
95
96	Improvements:
97	- Install also manpage for glexec-configure
98
99	Version 0.9.1
100	-------------
101	Bugfixes:
102	- Signal handling code is greatly improved to prevent lockups.
103
104	Version 0.9.0
105	-------------
106	This version introduces several new features. The preferred and advised run-mode
107	is linger mode with gLExec doing the userswitch. This is the most secure, simple
108	and versatile run-mode. It means that LCMAPS should NOT run the posix_enf
109	plugin.
110
111	New functionality
112	- epilogue functionality:
113	- When a absolute path to a root-trusted file is specified as epilogue in
114	the config file, it will be run after the payload has finished.
115	- It can optionally run as a different user and/or group which then are also
116	trusted concerning the binary writability.
117	- It runs for a maximum time of epilogue_timeout (default 300 seconds) after
118	which it is send a SIGTERM.
119	- It will have /dev/null as stdin, stdout and stderr. It is for the epilogue
120	itself to take care of its logging.
121	- The epilogue process will run with the target environment.
122	- In addition it will have a number of special other variables named
123	GLEXEC_EPILOG_* which contain information about the payload process,
124	calling account and target account is put in the environment for the
125	epilogue process:
126	GLEXEC_EPILOG_GLEXEC_CWD startup dir of gLExec
127	GLEXEC_EPILOG_GLEXEC_USER calling username
128	GLEXEC_EPILOG_GLEXEC_GROUP calling primary groupname
129	GLEXEC_EPILOG_TARGET_USER target username
130	GLEXEC_EPILOG_TARGET_GROUP target primary groupname
131	GLEXEC_EPILOG_GLEXEC_PID gLExec process ID
132	GLEXEC_EPILOG_GLEXEC_SID gLExec session
133	GLEXEC_EPILOG_GLEXEC_PGID gLExec process group
134	GLEXEC_EPILOG_GLEXEC_UID calling uid
135	GLEXEC_EPILOG_GLEXEC_GID calling primary gid
136	GLEXEC_EPILOG_GLEXEC_SGIDS calling secondary gids, colon separated
137	GLEXEC_EPILOG_TARGET_UID target uid
138	GLEXEC_EPILOG_TARGET_GID target primary gid
139	GLEXEC_EPILOG_TARGET_SGIDS target secondary gids, colon separated
140	GLEXEC_EPILOG_ARGC argc of payload
141	GLEXEC_EPILOG_ARGV<N> argv of payload
142	GLEXEC_EPILOG_TARGET_PID payload process ID
143	GLEXEC_EPILOG_TARGET_PGID payload process group
144	GLEXEC_EPILOG_TARGET_RC payload exit code
145	- When using process groups (default, use_setpgid=yes) both payload and
146	epilogue will run in a separate process group equal to their PID.
147	- A non-zero exit status of the epilogue will always result in a gLExec exit
148	code of 202.
149	- new options related to epilogue, see man glexec.conf(5)
150	epilogue (empty: no epilogue)
151	epilogue_user (default root)
152	epilogue_group (default root)
153	epilogue_timeout (default 300 seconds)
154	in addition, also the sighandling options influence the epilogue.
155
156	- implementing signal handling:
157	- most signals, are
158	forwarded to payload or epilogue (when present).
159	- SIGINT, TERM etc. will gracefully terminate the payload/epilogue by first
160	sending a SIGTERM to the child process (group) and allowing a gracetime of
161	term_delay before sending a SIGKILL. After the SIGKILL a second gracetime
162	of kill_delay allows logging of the exit status. Note that since the
163	lingering gLExec runs as root after the payload finishes, only root can
164	forward signals to the epilogue.
165	- handlers for SIGBUS, SIGFPE, SIGILL and SIGSEGV (and optionally SIGSTKFLT
166	which normally should be unused) which only act when the signal comes from
167	the kernel. They send a SIGTERM to the payload or epilogue process (group)
168	and quit. No gracetime is wanted here. Similar behaviour happens for
169	SIGABRT and SIGSYS except that these are typically not coming from the
170	kernel and hence provide different information.
171	- SIGPIPE is logged and ignored, SIGTTOU and SIGTTIN are directly ignored in
172	order to allow jobcontrol.
173	- gLExec is doing job-control on the payload: normally the payload will run
174	in the foreground: When the payload suspends, gLExec will take back the
175	tty. When the job resumes, the tty is returned to it.
176	The payload can be forced to run in the background by either the -b
177	cmdline option or the force_payload_background config option.
178	SIGINT and SIGTSTP (typically ctrl-c and ctrl-z) give feedback on stderr.
179	- gLExec normally will also forward the 'debug' signals SIGTRAP, SIGEMT,
180	SIGVTALRM and SIGPROF, and additionally the realtime signals SIGRTMIN till
181	SIGRTMAX, unless the extra_sighandlers option is set to no.
182	Note that many modern debuggers including gdb work around the problem and
183	seem to work fine even when installing sighandlers for SIGTRAP etc. Some
184	of the realtime signals are used by valgrind, which prevents it from
185	installing handler.
186	- new options related to sighandling, see man glexec.conf(5)
187	force_payload_background (default off)
188	term_delay (default 5 seconds)
189	kill_delay (default 1 second)
190	use_setpgid (default yes)
191	extra_sighandlers (default yes)
192
193	- use of separate process group for the payload: this allows gLExec to signal
194	the entire process group (e.g. SIGTERM). Signals will only be forwarded to
195	the child itself. The feature can be disabled using the use_setpgid option.
196
197	- Closing of all open file descriptors in lingering gLExec process. This can be
198	prevented by setting close_fds to 'no' in the config file.
199
200	- Calling user can disable writing/setting of payload proxy by setting
201	GLEXEC_TARGET_PROXY to /dev/null (the sysadmin could already do this via the
202	create_target_proxy option)
203
204	Several defaults are changed, the old behaviour is still configurable:
205	- When gLExec is doing the userswitch (advised and default setting) gLExec will
206	run as calling user until the payload starts. At that moment, the payload will
207	run as the target user, while the lingering gLExec will keep running as
208	calling user. This allows the pilot user to send signals to the running
209	gLExec. As soon as the payload finishes or a terminating signal is received,
210	the lingering gLExec will become root and group 0.
211	When really needed, the lingering gLExec can run as the target user (pre 0.9
212	behaviour) using the linger_as_payload option. This is not considered a safe
213	setting and is strongly advised against.
214
215	- Logging defaults:
216	- all (gLExec, LCAS, LCMAPS) builtin default loglevels are 4
217	- a number of log messages are lowered in loglevel while improving the
218	information in others.
219	- gLExec now by default uses different syslog levels
220	(diff_syslog_levels=yes).
221	- LCMAPS logging in version 1.5 is much reduced and also split over syslog
222	levels. Hence the builtin default of 4 allows reducing logoutput via
223	syslog's own mechanism.
224	- at the time of this release LCAS logging is not yet reorganized, hence
225	it is advised to set the lcas_debug_loglevel to 0 (old default).
226
227	- LCAS/LCMAPS modules: when the {lcas,lcmaps}_libdir is set, gLExec now sets the
228	{LCAS,LCMAPS}_MODULES_DIR variables to that libdir followed by /lcas or
229	/lcmaps, in line with the EPEL standards. This suffix can be set in the config
230	file using the lcas_moduledir_sfx and the lcmaps_moduledir_sfx.
231
232	Bugfixes:
233	- Lookup/use the lcmaps/lcas libdir only when they are existing and absolute
234	directories.
235
236	- When the config file is untrusted, gLExec reverts to builtin defaults, which
237	often lead to a 'not-whitelisted' error to the user. The stderr message now
238	mentions that it might be due to a permission issue of the config file.
239
240	- In addition to disabling voms checking, it can be enabled. This is needed when
241	LCMAPS is build with a default set to no-voms-checking.
242
243	Build-time changes:
244	- default directories for LCMAPS and LCAS modules are now $libdir/lcmaps and
245	$libdir/lcas. This can be overridden using the --with-lcmaps-moduledir-sfx
246	(and likewise for LCAS) flags.
247
248	Version 0.8.10
249	--------------
250	This version of gLExec introduces the following new features:
251	- fix a few minor segfault situations.
252	- fix crash when "linger= ..." is absent.
253	- installation of a default glexec.conf file and a default (fully commented-out)
254	lcmaps-glexec.db file.
255	- support for specifying lcas and lcmaps db files on the configure cmdline.
256	- cleanup of unused files and support for distribution tarball.
grid.support@nikhef.nl	ViewVC Help
Powered by ViewVC 1.1.26