External ACL-checking program

[jonrober]

Add support for external ACL checking programs. If the program exits with a zero status, access is granted. If it exits 1, access is not granted but checking continues. If it exits with any other exit status, access is not granted and checking aborts.

Ideally, for writing generic ACL checking programs, the program should get the type and service of the remctl command as well as any arguments. However, it would also be good to support passing other arguments into the program as specified in the ACL file.

[riton]

Hi @jonrober , About 1 year ago, I've started working on this very ACL scheme as described in those mail archive:

• http://mailman.mit.edu/pipermail/kerberos/2014-August/020080.html
• http://mailman.mit.edu/pipermail/kerberos/2014-August/020082.html

It was just a Work In Progress but as no one seems to be interested in this feature in the list, I just gave up.

Do you already have an idea about what the configuration file syntax would be for this ACL scheme ?

BTW, are you taking over the remctl development project ? It seems that, lately, @rra didn't had a lot of time to work on it.

[jonrober]

@rra is still the primary developer and release manager. I've done some development on remctl but don't anticipate doing a whole lot more in specific. Basically this is just part of a dump of old Stanford Jira tickets (mostly actually from Russ) that were being moved into github since he no longer has access to the Jira instance.

So I'm deferring answering your question to Russ. :)