remctld - Server for remctl, a remote command execution utility

remctld [-dhmv] [-f config] [-p port] [-s service]

remctld is the server for remctl. It accepts a connection from remctl, receives the command to execute and the arguments, verifies authorization of the user and executes the command, returning the result back to the client. All connections are authenticated using GSSAPI Kerberos V, and all transmissions are also encrypted using Kerberos.

remctld is normally started using tcpserver or from inetd, but it may be run in stand-alone mode as a daemon using -m. Either -s must be given to use an alternate identity (which will require the same flag be used for remctl client invocations), or It must be run as root to read the host keytab file. remctld logs its activity using syslog (the daemon facility).

The location of the configuration file may be specified with the -f option. The default location is /etc/remctl/remctl.conf. For information on the format of the configuration file, see CONFIGURATION FILE below.

-d

Verbose debug logging to syslog.

-f config

The configuration file for remctld, overriding the default path.

-h

Show a brief usage message and then exit.

-m

Enable stand-alone mode. remctld will listen to its configured port, 4444 by default, and handle incoming connections one at a time. This is mostly useful for debugging purposes.

-p port

When running in stand-alone mode, Listen on port port rather than 4444, the default. This option does nothing unless used with -m.

-s service

This option is used to specify the Kerberos service principal for remctld to run as, the default is the server host principal: host/<machinename>.stanford.edu

-v

Print the version of remctld and exit.

The configuration file defines the allowed commands and specifies access control information. The configuration file format is lines of space- or tab-separated strings, where each line is:

    type service executable [logmask=n[,...]] {aclfile}+

Blank lines and lines beginning with CW# are ignored. Lines can be continued on the next line by ending them with a backslash (CW\). Be aware that comments can be continued with a backslash as well.

As a special case, a line like:

    include file

will include file as if its contents were pasted verbatim into the configuration file at that point. file may be a directory, in which case all files whose names do not contain a period found in that directory will be included (in no particular order). file should be a fully qualified path.

The meaning of these fields is:

type

The type of the command being requested, such as afs for the afs volume backend. This is used to group commands together into a class and allows all commands in the same class to be passed to the same backend program.

service

The service within the type being requested, such as release for the afs volume backend. The keyword ALL may be used instead of the service to specify an executable and aclfiles for the entire type in one line. The service is always passed as the first argument to the executable program that is listed for that service.

executable

The full path to the commmand executable to run for this type-service combination. (See examples below.)

logmask=n[,...]

Limit logging of command arguments. Any argument listed in the logmask list will have its value logged as **MASKED**. This is to avoid logging the arguments of commands that take privileged information. For example, if the command is CWadmin passwd {username} {passwd}, then you'd want to set logmask to CW3, so the password argument gets logged as CW**MASKED**.

aclfile

The full paths of one or more access control files, each containing one Kerberos v5 principal per line, such as CWusername@stanford.edu. Blank lines and lines beginning with CW# are ignored in the ACL files. As a special case, a line like:

    include file

in an ACL file includes other ACL files and is handled identically to the include directive in configuration files. The keyword ANYUSER may be used instead of the aclfiles to allow access to all users. Note the user still needs to authenticate to remctld, this only affects authorization. This can be used for backend programs that want to check ACLs themselves and will retrieve the authenticated principal from the REMUSER environment variable.

Typically remctld is to be started as follows, where hostname is the machine where remctld will run, and 4444 is the port:

    tcpserver hostname 4444 remctld

The equivalent line for /etc/inetd.conf is:

    4444 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/remctld

Example configuration file:

 # Comments can be used like this.
 accounts create /usr/local/bin/doaccount  /etc/acl/group1 /etc/acl/group2
 accounts delete /usr/local/bin/doaccount  /etc/acl/group3
 accounts view   /usr/local/bin/doaccount  ANYUSER
 accounts passwd /usr/local/bin/dopasswd   logmask=3 /etc/acl/group1
 printing ALL    /usr/local/bin/printthing /etc/acl/group2

The commands CWaccounts create, CWaccounts delete, and so forth will all be passed to /usr/local/bin/doaccount with the first argument being the specific subcommand, with the exception of CWaccounts passwd. That command will be passed to /usr/local/bin/dopasswd instead, but it will still get CWpasswd as its first argument. The third argument to CWaccounts passwd (presumably the password) will not be logged to syslog. All commands starting with CWprinting will be passed to /usr/local/bin/printthing.

remctl(1), syslog(3), tcpserver(1)

The current version of this program is available from its web page at <http://www.eyrie.org/~eagle/software/remctl/>.

Anton Ushakov <antonu@stanford.edu> is the original author. Updates and current maintenance are done by Russ Allbery <rra@stanford.edu>.

Copyright 2002, 2003, 2004, 2005, 2006 Board of Trustees, Leland Stanford Jr. University. All rights reserved.

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stanford University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Stanford University makes no representations about the suitability of this software for any purpose. It is provided as is without express or implied warranty.

THIS SOFTWARE IS PROVIDED AS IS AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.