REMCTLD(8)                    System Daemons                    REMCTLD(8)
Version 1.9 (2005-05-04)
  • NAME
      remctld - Server for remctl, a remote command execution utility
  • SYNOPSIS
      remctld [-mv] [-f config] [-p port] [-s service]
  • DESCRIPTION
      remctld is the server for remctl.  It accepts a connection from remctl, receives the command to execute and the arguments, verifies authorization of the user and executes the command, returning the result back to the client.  All connections are authenticated using GSSAPI Kerberos V, and all transmissions are also encrypted using Kerberos.

      remctld is normally started using tcpserver or from inetd, but it may be run in stand-alone mode as a daemon using -m.  Either -s must be given to use an alternate identity (which will require the same flag be used for remctl client invocations), or it must be run as root to read the host keytab file.  remctld logs its activity using syslog (the daemon facility).

      The location of the configuration file may be specified with the -f option.  The default location is /etc/remctl/remctl.conf.  For information on the format of the configuration file, see "CONFIGURATION FILE" below.
  • OPTIONS
      "-f config"
      The configuration file for remctld, overriding the default path.
      "-m"
      Enable stand-alone mode.  remctld will listen to its configured port, 4444 by default, and handle incoming connections one at a time.  This is mostly useful for debugging purposes.
      "-p port"
      When running in stand-alone mode, listen on port port rather than the default 4444.  This option does nothing unless used with -m.
      "-s service"
      The Kerberos service principal that remctld runs as.  The default is the server host principal, "host/<machinename>.stanford.edu".
      "-v"
      Verbose logging to syslog.
  • CONFIGURATION FILE
      The configuration file defines the allowed commands and specifies access control information.  The configuration file format is lines of space- or tab-separated strings, where each line is:

          type service executable [logmask=n[,...]] {aclfile}+

      Blank lines and lines beginning with "#" are ignored.  Lines can be continued on the next line by ending them with a backslash ( "\").  Be aware that comments can be continued with a backslash as well.

      As a special case, a line like:

          include file

      will include file as if its contents were pasted verbatim into the configuration file at that point.  file may be a directory, in which case all files whose names do not contain a period found in that directory will be included (in no particular order).  file should be a fully qualified path.

      The meaning of these fields is:
      "type"
      The type of the command being requested, such as "afs" for the afs volume backend.  This is used to group commands together into a class and allows all commands in the same class to be passed to the same backend program.
      "service"
      The service within the type being requested, such as "release" for the afs volume backend.  The keyword ALL may be used instead of the service to specify an executable and aclfiles for the entire type in one line.  The service is always passed as the first argument to the executable program that is listed for that service.
      "executable"
      The full path to the command executable to run for this type-service combination.  (See examples below.)
      "logmask=n[,...]"
      Limit logging of command arguments.  Any argument listed in the logmask list will have its value logged as "**MASKED**".  This is to avoid logging the arguments of commands that take privileged information. For example, if the command is "admin passwd {username} {passwd}", then you'd want to set logmask to 3, so the password argument gets logged as "**MASKED**".
      "aclfile"
      The full paths of one or more access control files, each containing one Kerberos v5 principal per line, such as "username@stanford.edu". The keyword ANYUSER may be used instead of the aclfiles to allow access to all users.  Note the user still needs to authenticate to remctld, this only affects authorization.  This can be used for backend programs that want to check ACLs themselves and will retrieve the authenticated principal from the REMUSER environment variable.
  • EXAMPLES
      Typically remctld is to be started as follows, where "hostname" is the machine where remctld will run, and 4444 is the port:

          tcpserver hostname 4444 remctld

      The equivalent line for /etc/inetd.conf is:

          4444 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/remctld

      Example configuration file:

          # Comments can be used like this.
          accounts create /usr/local/bin/doaccount  /etc/acl/group1 /etc/acl/group2
          accounts delete /usr/local/bin/doaccount  /etc/acl/group3
          accounts view   /usr/local/bin/doaccount  ANYUSER
          accounts passwd /usr/local/bin/dopasswd   logmask=3 /etc/acl/group1
          printing ALL    /usr/local/bin/printthing /etc/acl/group2

      The commands "accounts create", "accounts delete", and so forth will all be passed to /usr/local/bin/doaccount with the first argument being the specific subcommand, with the exception of "accounts passwd".  That command will be passed to /usr/local/bin/dopasswd instead, but it will still get "passwd" as its first argument.  The third argument to "accounts passwd" (presumably the password) will not be logged to syslog. All commands starting with "printing" will be passed to /usr/local/bin/printthing.
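      The following is an added worked example, not code from remctld itself: it implements the configuration rules from "CONFIGURATION FILE" (comments, backslash continuation, include of a file or directory, the type/service/executable/logmask/aclfile fields, the ALL and ANYUSER keywords) and runs the example configuration above through the same decisions the server makes for a request: find the matching line, check the principal against the ACL files, build the executable's argument list with the service as first argument, and render the arguments for syslog with logmask applied.  It reads from an in-memory dictionary standing in for the filesystem (an assumption of the example; the real server reads /etc/remctl/remctl.conf and the ACL files from disk), and the principals and the conf.d contents in the sample are made up.  Where an exact service line and an ALL line for the same type both match, the example takes the first one in file order; the manpage does not state a precedence, so that ordering is this example's assumption.

```python
"""Parser and request check for the remctld configuration format described
above.  Added example, not remctld's own code: `files` is an in-memory
stand-in for the filesystem (path -> text, or path -> {name: text} for a
directory) so that it runs offline; the real server reads the disk."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Command:
    type: str
    service: str         # a concrete service name or the keyword ALL
    executable: str
    logmask: frozenset   # 1-based argument positions to mask in logs
    aclfiles: tuple      # ACL file paths, or ("ANYUSER",)

def _logical_lines(text):
    """Join backslash-continued lines; a comment ending in a backslash
    swallows the following line too, as the manpage warns."""
    lines, pending = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending += raw[:-1]
            continue
        lines.append(pending + raw)
        pending = ""
    if pending:
        lines.append(pending)
    return lines

def parse_config(text, files):
    """Return the Command list for one config text, following include lines."""
    commands = []
    for line in _logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == "include":
            if len(fields) != 2:
                raise ValueError("include takes exactly one path: %r" % line)
            target = files[fields[1]]
            if isinstance(target, dict):  # directory: skip names containing a period
                for name, body in target.items():
                    if "." not in name:
                        commands.extend(parse_config(body, files))
            else:
                commands.extend(parse_config(target, files))
            continue
        if len(fields) < 4:
            raise ValueError("need type, service, executable and an ACL: %r" % line)
        type_, service, executable, *rest = fields
        logmask = frozenset()
        if rest[0].startswith("logmask="):
            logmask = frozenset(int(n) for n in rest[0][len("logmask="):].split(","))
            rest = rest[1:]
        if not rest:
            raise ValueError("no ACL file given: %r" % line)
        commands.append(Command(type_, service, executable, logmask, tuple(rest)))
    return commands

def find_command(commands, type_, service):
    """First line with this type and either this service or ALL wins (letting
    file order settle exact-vs-ALL is this example's assumption)."""
    return next((c for c in commands
                 if c.type == type_ and c.service in (service, "ALL")), None)

def authorized(command, principal, files):
    """ANYUSER admits any authenticated principal; otherwise the principal
    must appear on its own line in at least one ACL file."""
    if "ANYUSER" in command.aclfiles:
        return True
    return any(entry.strip() == principal for path in command.aclfiles
               for entry in files.get(path, "").splitlines())

def log_arguments(command, args):
    """Arguments as logged to syslog: position 1 is the service name."""
    return " ".join("**MASKED**" if i in command.logmask else a
                    for i, a in enumerate(args, start=1))

def check_request(files, principal, type_, service, args):
    """Return (allowed, argv for the executable, logged argument string);
    a type/service with no configuration line gives (False, None, None)."""
    commands = parse_config(files["/etc/remctl/remctl.conf"], files)
    cmd = find_command(commands, type_, service)
    if cmd is None:
        return False, None, None
    argv = [cmd.executable, service, *args]
    return authorized(cmd, principal, files), argv, log_arguments(cmd, argv[1:])

# Constructed sample: the manpage's example configuration with one continued
# line and an include directory added; principals and conf.d contents are made up.
SAMPLE_FILES = {
    "/etc/remctl/remctl.conf": (
        "# Comments can be used like this.\n"
        "accounts create /usr/local/bin/doaccount  /etc/acl/group1 \\\n"
        "                                          /etc/acl/group2\n"
        "accounts delete /usr/local/bin/doaccount  /etc/acl/group3\n"
        "accounts view   /usr/local/bin/doaccount  ANYUSER\n"
        "accounts passwd /usr/local/bin/dopasswd   logmask=3 /etc/acl/group1\n"
        "printing ALL    /usr/local/bin/printthing /etc/acl/group2\n"
        "include /etc/remctl/conf.d\n"),
    "/etc/remctl/conf.d": {
        "backup": "backup run /usr/local/bin/dobackup /etc/acl/group1\n",
        "backup.bak": "backup run /usr/local/bin/dobackup ANYUSER\n",  # name has a period
    },
    "/etc/acl/group1": "alice@stanford.edu\nbob@stanford.edu\n",
    "/etc/acl/group2": "carol@stanford.edu\n",
    "/etc/acl/group3": "alice@stanford.edu\n",
}

if __name__ == "__main__":
    for who, t, s, a in [("alice@stanford.edu", "accounts", "passwd", ["alice", "s3cret"]),
                         ("carol@stanford.edu", "printing", "status", []),
                         ("carol@stanford.edu", "accounts", "delete", ["bob"])]:
        print(who, t, s, "->", check_request(SAMPLE_FILES, who, t, s, a))
```

      Running it shows the three points the text above makes: "accounts passwd" goes to /usr/local/bin/dopasswd with "passwd" as its first argument and its third argument logged as "**MASKED**", any requested service under "printing" reaches /usr/local/bin/printthing through the ALL line, and a principal absent from every listed ACL file is refused even though it authenticated.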
  • SEE ALSO
      remctl(1), syslog(3), tcpserver(1)

      The current version of this program is available from its web page at <http://www.eyrie.org/~eagle/software/remctl/>.
  • AUTHOR
      Anton Ushakov <antonu@stanford.edu> is the original author.  Updates and current maintenance are done by Russ Allbery <rra@stanford.edu>.
  • COPYRIGHT AND LICENSE
      Copyright 2002, 2003, 2004, 2005 Board of Trustees, Leland Stanford Jr. University.  All rights reserved.

      Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stanford University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.  Stanford University makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

      THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.