13/04/17 - op 1.34
==================
 * port to RHEL 7
 * https://travis-ci.org/

16/04/16 - op 1.33
==================
 * code auditing using flawfinder, cppcheck, cpplint.py and scan-build.
 * Replaced strcpy/strcat by strlcpy/strlcat which are also provided if missing.
 * Provided v/snprintf if missing.
 * Replaced atoi by strtolong (util.c), atov still provided but unused.
 * contrib dir added for various building and packaging architectures
   (aix, hp-ux, linux, solaris). Results go to build and packages dirs.
 * autoconf-archive macros added to m4 dir to enhance autotools configuration
   such as compiler flags for hardened builds.
 * automake scripts moved to build-aux dir.
 * Replaced v8 regexp by POSIX regex if possible.

08/12/05 - op 1.32
==================

 * Added rpl_malloc/rpl_realloc so that systems with dodgy implementations
   will link. This fixes compilation on HPUX, for example.
 * If a 'help' parameter does not exist, use the actual command to be run for
   the help.
 * Added detection for openlog() returning void.

01/09/05 - op 1.31
==================

The biggest change is the move to the autotools.

Broken down changes.

 * Trailing args are now expanded from the last numbered argument encountered.
   eg. with {{{/bin/echo $1 $*}}}, the {{{$*}}} will expand to arguments 2 and on.
 * Fixed usage of snprintf.
 * Renamed fowner to fowners to be more consistent with the rest of the op commands.
 * Fixed long standing bug where the incorrect user is reported in the logs.
 * Added fperms and fowner constraints thanks to Pierre.
 * Logging beautification.
 * More automake/autoconf additions and cleanup.
 * Cleaned up ChangeLog, README, AUTHORS and NEWS.
 * Added man page.
 * Merged autoconf branch into trunk.
 * Fixed build errors on AIX reported by Pierre.
 * {{{make clean}}} cleans up {{{lex.c}}}.
 * Some configure fixes for crypt and pam fallback.
 * Added --with-shadow.
 * Added patch from Pierre that automatically reduces commands in the form "op
   /bin/ksh" to "op ksh" if the target is a valid executable. Convenience only.
 * Added a log prettification patch from Pierre. Also removed "=>" as it was
   ugly. This may break log parsers.
 * Added xauth support back in with {{{--enable-xauth=<xauth-binary>}}}.


27/05/05 - op 1.30
==================
Fixed use of DEFAULT section, closes #5. Quite a pain in the arse actually.

Environment variables can now be propagated into child environments even when
"environment" is specified. This will override any existing variables.

Now using vsnprintf rather than snprintf. Correspondingly, changed preprocessor
define which may mean build scripts need to be changed.

Added an INSTALL file documenting the usual installation instructions.

Default to using Flex, as Lex has internal constraints.

Added default op.pam which is now installed if /etc/pam.d exists.

Added patches by Pierre fixing strnprintf issues and a wildcard constraint bug.
Thanks Pierre.

08/04/05 - op 1.29
==================
Added -l argument which lists available commands.

Also added a {{{help="<help>"}}} option which defines the help string displayed
by -l.

Cleaned up the code a bit, adding some basic dynamic array functions instead of
replicating the code across multiple areas.

Closes #4

07/04/05 - op 1.27/1.28
==================
Added ''nolog'' option which suppresses informational logs. Useful for
automated jobs to prevent log spam.

Configuration files in /etc/op.d are now lexically sorted. This allows
variables in configuration files to be used deterministically. Commands
can also be overridden in this fashion.

07/04/05 - op 1.26
==================
op will now read all config files in /etc/op.d with a .conf extension.
This is a clean way of adding extra commands without having to manipulate
op.conf. op.conf does not have to be present at all. Useful for dropping in op
config with other packages or when adding config to systems in bulk. Thanks to
Kyle Hyland for this idea.

Also made error reporting a bit smarter when config files are missing or have
incorrect permissions.

06/07/04 - op 1.24
==================
The xauth directive can now be given a target user, into whose environment the
X authentication information is imported.

04/05/04 - op 1.23
==================
The xauth modifier now updates $XAUTHORITY in the child environment.
Fixed a bug when setting the GID explicitly.

03/05/04 - op 1.22
==================
Added xauth support. This allows the X authority for the current display to be
exported to the destination user's X authority database. eg.

    shell /bin/su -; users=athomas $TERM xauth password

To enable xauth support, the preprocessor macro XAUTH must be defined as
a string pointing to the FULL PATH to the xauth binary.

23/04/04 - op 1.21
==================
Added netgroup support. eg.

    shell /bin/su -; netgroup=op-shell environment

This is very useful in conjunction with either LDAP or NIS based netgroups.

02/02/04 - op 1.20
==================
Fixed a fairly major bug whereby blocked signals were not restored to their
original state upon execv'ing the child process.

Changed version number scheme to match the original op versions, and bumped up
to 1.20. This is part of a collaborative effort between myself and Steve
Simmons, who is going to add Kerberos support to op in the near future. Welcome
Steve.

27/01/04 - op 1.1.10
====================
Applied some of the FreeBSD patches, thanks to Cyrille Lefevre (the previous
FreeBSD port maintainer) for pointing me to these.
Patched a potential buffer overflow, again, picked up by Cyrille.
Added lots of checks for allocation failures.
Added constraints to as many uses of strcpy/strcat as I could find.
Added constraint on number of simultaneous groups a user can be in.

24/01/04 - op 1.1.9
===================
Trapping signals (SIGINT, etc.) so that a failed authentication attempt can not
be broken out of.

06/11/03 - op 1.1.8
===================
Fixed a fairly substantial bug where command arguments with multiple variables
were not being expanded at all.

28/10/03 - op 1.1.7
===================
Logging now uses auth.level, and level is actually useful.

22/07/03 - op 1.1.6
===================
Added PAM support.

April 17th 2003 - op 1.1.5
==========================
Added extensive logging to op. All logging is sent to syslog as auth.notice.

April 16th 2003 - op 1.1.4
==========================
Added basic quoted argument passing to exec commands. This allows for complex
shell scripts:

    inetd /bin/sh -c '
        case $1 in
          on) /usr/sbin/inetd -s ;;
          off) /usr/bin/pkill inetd ;;
        esac
        ';
        users=ROOTUSERS
        $1=on|off

April 10th 2003 - op 1.1.3
==========================
Added a max length argument to GetField to help prevent buffer overflows.
Regular expressions always have ^ prepended and $ appended so that if you put
'a' in an rx field it will not match any string with an 'a'. Old behaviour can
be emulated with '.*a.*'.
Added expiration support to users (user[@host][/expiry]).

September 13th 2002 - op 1.1.2
==============================
Added user@host and group@host based access as well as variable expansion.
Changed SHADOW to USE_SHADOW so it doesn't conflict with system defines.

November 22nd 1997 - op 1.1.1
===============================
Break shadow support out from Solaris support.
Added SHADOW symbol to the build. It works on Linux 2.0.30. Presumably it
still works on Solaris. 8)

Cleaned up logging code. It was an uncomfortable mess. Slimmed it down some.

Historical ChangeLog entries below
==================================
Dave Koblas added the keyword "password" to the list of options
accepted by op. This requires the user to supply op with a password
before executing the command. The password can be specified in the
op.access file (with "password=") or the user's personal password may
be required.

Howard Owen added the keyword "securid" to the list of options
accepted by op. This functions similarly to the "password" option,
requiring the user to supply op with his or her current SecurID code before
executing the command. If op is compiled without SecurID support, use
of this option in op.access will result in an error message and a
refusal to execute the corresponding command.
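
The anchoring rule from the op 1.1.3 entry, shown with POSIX regex as an added example that is not op's own code. `rx_match` is a hypothetical helper, and wrapping the pattern in a group before anchoring is this example's choice so that a constraint such as `on|off` stays anchored on both branches.

```c
#include <regex.h>
#include <stdio.h>

/* Hypothetical helper (not from op): 1 = match, 0 = no match, -1 = bad pattern.
 * With anchored != 0 the pattern is compiled as ^(pattern)$, so it must cover
 * the whole value. The group is this example's choice: without it the anchors
 * in ^on|off$ would bind to one branch each. */
static int rx_match(const char *pattern, const char *value, int anchored)
{
    char buf[256];
    regex_t re;
    int n, rc;

    if (anchored)
        n = snprintf(buf, sizeof(buf), "^(%s)$", pattern);
    else
        n = snprintf(buf, sizeof(buf), "%s", pattern);
    if (n < 0 || (size_t)n >= sizeof(buf))
        return -1;      /* refuse a truncated pattern instead of compiling it */
    if (regcomp(&re, buf, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, value, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample patterns and values. */
    static const char *cases[][2] = {
        { "a", "a" }, { "a", "banana" }, { ".*a.*", "banana" },
        { "on|off", "off" }, { "on|off", "online" },
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-8s %-8s search=%d anchored=%d\n", cases[i][0], cases[i][1],
               rx_match(cases[i][0], cases[i][1], 0),
               rx_match(cases[i][0], cases[i][1], 1));
    return 0;
}
```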