authorRuss Allbery <rra@stanford.edu>2013-03-27 15:19:46 -0700
committerRuss Allbery <rra@stanford.edu>2013-03-27 15:19:46 -0700
commit6871bae8e26beadaff5035de56b4f70a78961dc9 (patch)
tree366943055e3db5c26a9415d1d2ea1486054e8177 /server
parent61c348a8cc08e90c73993e09dc175b44c5a65681 (diff)
parent06c44c9eb5efb00bb9368ed3709106c91b0b36b5 (diff)
Imported Upstream version 1.0
Diffstat (limited to 'server')
-rwxr-xr-xserver/keytab-backend41
-rw-r--r--server/keytab-backend.832
-rwxr-xr-xserver/wallet-admin53
-rw-r--r--server/wallet-admin.836
-rwxr-xr-xserver/wallet-backend103
-rw-r--r--server/wallet-backend.871
-rwxr-xr-xserver/wallet-report40
-rw-r--r--server/wallet-report.832
8 files changed, 316 insertions, 92 deletions
diff --git a/server/keytab-backend b/server/keytab-backend
index 7b6adb4..b0116c7 100755
--- a/server/keytab-backend
+++ b/server/keytab-backend
@@ -1,6 +1,6 @@
#!/usr/bin/perl
#
-# keytab-backend -- Extract keytabs from the KDC without changing the key.
+# Extract keytabs from the KDC without changing the key.
#
# This is a remctl backend that extracts existing keys from a KDC database
# using kadmin.local. It requires a patched version of kadmin.local that
@@ -15,12 +15,6 @@
# do any additional authorization checks itself.
#
# The keytab for the extracted principal will be printed to standard output.
-#
-# Written by Russ Allbery <rra@stanford.edu>
-# Copyright 2006, 2007, 2008, 2010
-# Board of Trustees, Leland Stanford Jr. University
-#
-# See LICENSE for licensing terms.
##############################################################################
# Declarations and site configuration
@@ -158,7 +152,7 @@ __END__
=for stopwords
keytab-backend keytabs KDC keytab kadmin.local -norandkey ktadd remctld
-auth Allbery rekeying
+auth Allbery rekeying MERCHANTABILITY NONINFRINGEMENT sublicense
=head1 NAME
@@ -215,6 +209,33 @@ standard output.
=back
+=head1 AUTHOR
+
+Russ Allbery <rra@stanford.edu>
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright 2006, 2007, 2008, 2010, 2013 The Board of Trustees of the Leland
+Stanford Junior University
+
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the "Software"),
+to deal in the Software without restriction, including without limitation
+the rights to use, copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.
+
=head1 SEE ALSO
kadmin.local(8), remctld(8)
@@ -222,8 +243,4 @@ kadmin.local(8), remctld(8)
This program is part of the wallet system. The current version is
available from L<http://www.eyrie.org/~eagle/software/wallet/>.
-=head1 AUTHOR
-
-Russ Allbery <rra@stanford.edu>
-
=cut
diff --git a/server/keytab-backend.8 b/server/keytab-backend.8
index 2ad3d61..4808d29 100644
--- a/server/keytab-backend.8
+++ b/server/keytab-backend.8
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.14)
+.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.26)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -124,7 +124,7 @@
.\" ========================================================================
.\"
.IX Title "KEYTAB-BACKEND 8"
-.TH KEYTAB-BACKEND 8 "2010-08-25" "0.12" "wallet"
+.TH KEYTAB-BACKEND 8 "2013-03-27" "1.0" "wallet"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -174,12 +174,34 @@ The temporary directory used for creating keytabs. \fBkeytab-backend\fR will
create the keytab in this directory, make sure that was successful, and
then delete the temporary file after the results have been sent to
standard output.
+.SH "AUTHOR"
+.IX Header "AUTHOR"
+Russ Allbery <rra@stanford.edu>
+.SH "COPYRIGHT AND LICENSE"
+.IX Header "COPYRIGHT AND LICENSE"
+Copyright 2006, 2007, 2008, 2010, 2013 The Board of Trustees of the Leland
+Stanford Junior University
+.PP
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the \*(L"Software\*(R"),
+to deal in the Software without restriction, including without limitation
+the rights to use, copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following conditions:
+.PP
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+.PP
+\&\s-1THE\s0 \s-1SOFTWARE\s0 \s-1IS\s0 \s-1PROVIDED\s0 \*(L"\s-1AS\s0 \s-1IS\s0\*(R", \s-1WITHOUT\s0 \s-1WARRANTY\s0 \s-1OF\s0 \s-1ANY\s0 \s-1KIND\s0, \s-1EXPRESS\s0 \s-1OR\s0
+\&\s-1IMPLIED\s0, \s-1INCLUDING\s0 \s-1BUT\s0 \s-1NOT\s0 \s-1LIMITED\s0 \s-1TO\s0 \s-1THE\s0 \s-1WARRANTIES\s0 \s-1OF\s0 \s-1MERCHANTABILITY\s0,
+\&\s-1FITNESS\s0 \s-1FOR\s0 A \s-1PARTICULAR\s0 \s-1PURPOSE\s0 \s-1AND\s0 \s-1NONINFRINGEMENT\s0. \s-1IN\s0 \s-1NO\s0 \s-1EVENT\s0 \s-1SHALL\s0
+\&\s-1THE\s0 \s-1AUTHORS\s0 \s-1OR\s0 \s-1COPYRIGHT\s0 \s-1HOLDERS\s0 \s-1BE\s0 \s-1LIABLE\s0 \s-1FOR\s0 \s-1ANY\s0 \s-1CLAIM\s0, \s-1DAMAGES\s0 \s-1OR\s0 \s-1OTHER\s0
+\&\s-1LIABILITY\s0, \s-1WHETHER\s0 \s-1IN\s0 \s-1AN\s0 \s-1ACTION\s0 \s-1OF\s0 \s-1CONTRACT\s0, \s-1TORT\s0 \s-1OR\s0 \s-1OTHERWISE\s0, \s-1ARISING\s0
+\&\s-1FROM\s0, \s-1OUT\s0 \s-1OF\s0 \s-1OR\s0 \s-1IN\s0 \s-1CONNECTION\s0 \s-1WITH\s0 \s-1THE\s0 \s-1SOFTWARE\s0 \s-1OR\s0 \s-1THE\s0 \s-1USE\s0 \s-1OR\s0 \s-1OTHER\s0
+\&\s-1DEALINGS\s0 \s-1IN\s0 \s-1THE\s0 \s-1SOFTWARE\s0.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIkadmin.local\fR\|(8), \fIremctld\fR\|(8)
.PP
This program is part of the wallet system. The current version is
available from <http://www.eyrie.org/~eagle/software/wallet/>.
-.SH "AUTHOR"
-.IX Header "AUTHOR"
-Russ Allbery <rra@stanford.edu>
diff --git a/server/wallet-admin b/server/wallet-admin
index f81c195..02982dc 100755
--- a/server/wallet-admin
+++ b/server/wallet-admin
@@ -1,11 +1,6 @@
#!/usr/bin/perl -w
#
-# wallet-admin -- Wallet server administrative commands.
-#
-# Written by Russ Allbery <rra@stanford.edu>
-# Copyright 2008, 2009, 2010 Board of Trustees, Leland Stanford Jr. University
-#
-# See LICENSE for licensing terms.
+# Wallet server administrative commands.
##############################################################################
# Declarations and site configuration
@@ -56,6 +51,9 @@ sub command {
} else {
die "only object or verifier is supported for register\n";
}
+ } elsif ($command eq 'upgrade') {
+ die "too many arguments to upgrade\n" if @args;
+ $admin->upgrade or die $admin->error, "\n";
} else {
die "unknown command $command\n";
}
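Review bot: The new `upgrade` branch starts the schema migration as soon as the argument count check passes, and the POD added further down in this file promises only that data is preserved "as much as possible". Nothing in the code or the documentation tells the operator to take a database backup first. I would add a sentence to the `=item upgrade` text such as `Back up the wallet database before running this command; the upgrade modifies the schema in place.` (hedged: `Wallet::Admin::upgrade` is outside this diff, so whether it is transactional cannot be seen here). `sub command` starts before the hunk and continues after it.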
@@ -67,13 +65,14 @@ __END__
# Documentation
##############################################################################
+=for stopwords
+metadata ACL hostname backend acl acls wildcard SQL Allbery verifier
+MERCHANTABILITY NONINFRINGEMENT sublicense
+
=head1 NAME
wallet-admin - Wallet server administrative commands
-=for stopwords
-metadata ACL hostname backend acl acls wildcard SQL Allbery
-
=head1 SYNOPSIS
B<wallet-admin> I<command> [I<args> ...]
@@ -133,8 +132,40 @@ default as part of database initialization, so this command is used
primarily to register local implementations of additional object types or
ACL schemes.
+=item upgrade
+
+Upgrades the database to the latest schema version, preserving data as
+much as possible.
+
=back
+=head1 AUTHOR
+
+Russ Allbery <rra@stanford.edu>
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright 2008, 2009, 2010, 2011, 2013 The Board of Trustees of the Leland
+Stanford Junior University
+
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the "Software"),
+to deal in the Software without restriction, including without limitation
+the rights to use, copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.
+
=head1 SEE ALSO
Wallet::Admin(3), Wallet::Config(3), wallet-backend(8)
@@ -142,8 +173,4 @@ Wallet::Admin(3), Wallet::Config(3), wallet-backend(8)
This program is part of the wallet system. The current version is
available from L<http://www.eyrie.org/~eagle/software/wallet/>.
-=head1 AUTHOR
-
-Russ Allbery <rra@stanford.edu>
-
=cut
diff --git a/server/wallet-admin.8 b/server/wallet-admin.8
index 295fce2..b03dbcc 100644
--- a/server/wallet-admin.8
+++ b/server/wallet-admin.8
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.14)
+.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.26)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -124,7 +124,7 @@
.\" ========================================================================
.\"
.IX Title "WALLET-ADMIN 8"
-.TH WALLET-ADMIN 8 "2010-08-25" "0.12" "wallet"
+.TH WALLET-ADMIN 8 "2013-03-27" "1.0" "wallet"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -182,12 +182,38 @@ All object and \s-1ACL\s0 implementations that come with wallet are registered b
default as part of database initialization, so this command is used
primarily to register local implementations of additional object types or
\&\s-1ACL\s0 schemes.
+.IP "upgrade" 4
+.IX Item "upgrade"
+Upgrades the database to the latest schema version, preserving data as
+much as possible.
+.SH "AUTHOR"
+.IX Header "AUTHOR"
+Russ Allbery <rra@stanford.edu>
+.SH "COPYRIGHT AND LICENSE"
+.IX Header "COPYRIGHT AND LICENSE"
+Copyright 2008, 2009, 2010, 2011, 2013 The Board of Trustees of the Leland
+Stanford Junior University
+.PP
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the \*(L"Software\*(R"),
+to deal in the Software without restriction, including without limitation
+the rights to use, copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following conditions:
+.PP
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+.PP
+\&\s-1THE\s0 \s-1SOFTWARE\s0 \s-1IS\s0 \s-1PROVIDED\s0 \*(L"\s-1AS\s0 \s-1IS\s0\*(R", \s-1WITHOUT\s0 \s-1WARRANTY\s0 \s-1OF\s0 \s-1ANY\s0 \s-1KIND\s0, \s-1EXPRESS\s0 \s-1OR\s0
+\&\s-1IMPLIED\s0, \s-1INCLUDING\s0 \s-1BUT\s0 \s-1NOT\s0 \s-1LIMITED\s0 \s-1TO\s0 \s-1THE\s0 \s-1WARRANTIES\s0 \s-1OF\s0 \s-1MERCHANTABILITY\s0,
+\&\s-1FITNESS\s0 \s-1FOR\s0 A \s-1PARTICULAR\s0 \s-1PURPOSE\s0 \s-1AND\s0 \s-1NONINFRINGEMENT\s0. \s-1IN\s0 \s-1NO\s0 \s-1EVENT\s0 \s-1SHALL\s0
+\&\s-1THE\s0 \s-1AUTHORS\s0 \s-1OR\s0 \s-1COPYRIGHT\s0 \s-1HOLDERS\s0 \s-1BE\s0 \s-1LIABLE\s0 \s-1FOR\s0 \s-1ANY\s0 \s-1CLAIM\s0, \s-1DAMAGES\s0 \s-1OR\s0 \s-1OTHER\s0
+\&\s-1LIABILITY\s0, \s-1WHETHER\s0 \s-1IN\s0 \s-1AN\s0 \s-1ACTION\s0 \s-1OF\s0 \s-1CONTRACT\s0, \s-1TORT\s0 \s-1OR\s0 \s-1OTHERWISE\s0, \s-1ARISING\s0
+\&\s-1FROM\s0, \s-1OUT\s0 \s-1OF\s0 \s-1OR\s0 \s-1IN\s0 \s-1CONNECTION\s0 \s-1WITH\s0 \s-1THE\s0 \s-1SOFTWARE\s0 \s-1OR\s0 \s-1THE\s0 \s-1USE\s0 \s-1OR\s0 \s-1OTHER\s0
+\&\s-1DEALINGS\s0 \s-1IN\s0 \s-1THE\s0 \s-1SOFTWARE\s0.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIWallet::Admin\fR\|(3), \fIWallet::Config\fR\|(3), \fIwallet\-backend\fR\|(8)
.PP
This program is part of the wallet system. The current version is
available from <http://www.eyrie.org/~eagle/software/wallet/>.
-.SH "AUTHOR"
-.IX Header "AUTHOR"
-Russ Allbery <rra@stanford.edu>
diff --git a/server/wallet-backend b/server/wallet-backend
index 52e9857..fc3434e 100755
--- a/server/wallet-backend
+++ b/server/wallet-backend
@@ -1,11 +1,6 @@
#!/usr/bin/perl
#
-# wallet-backend -- Wallet server for storing and retrieving secure data.
-#
-# Written by Russ Allbery <rra@stanford.edu>
-# Copyright 2007, 2008, 2010 Board of Trustees, Leland Stanford Jr. University
-#
-# See LICENSE for licensing terms.
+# Wallet server for storing and retrieving secure data.
##############################################################################
# Declarations and site configuration
@@ -149,6 +144,14 @@ sub command {
if ($action eq 'add') {
check_args (3, 3, [3], @args);
$server->acl_add (@args) or failure ($server->error, @_);
+ } elsif ($action eq 'check') {
+ check_args (1, 1, [], @args);
+ my $status = $server->acl_check (@args);
+ if (!defined ($status)) {
+ failure ($server->error, @_);
+ } else {
+ print $status ? "yes\n" : "no\n";
+ }
} elsif ($action eq 'create') {
check_args (1, 1, [], @args);
$server->acl_create (@args) or failure ($server->error, @_);
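Review bot: The `acl check` branch has no authorization step of its own, and the POD updated in this commit states that `acl check` can be run by anyone, so any caller can learn whether an ACL name or numeric ID exists. If ACL names can reveal group, host or service naming at a site, that is an information-disclosure decision worth recording. A comment above the branch would do it, for example `# acl check is intentionally open to all users; it reveals only whether the ACL exists.` `acl_check` lives in Wallet::Server, outside this diff, so any check performed there is not visible here. `sub command` starts and ends outside the hunk.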
@@ -191,6 +194,20 @@ sub command {
} else {
print $status ? "yes\n" : "no\n";
}
+ } elsif ($command eq 'comment') {
+ check_args (2, 3, [], @args);
+ if (@args > 2) {
+ $server->comment (@args) or failure ($server->error, @_);
+ } else {
+ my $output = $server->comment (@args);
+ if (defined $output) {
+ print $output, "\n";
+ } elsif (not $server->error) {
+ print "No comment set\n";
+ } else {
+ failure ($server->error, @_);
+ }
+ }
} elsif ($command eq 'create') {
check_args (2, 2, [], @args);
$server->create (@args) or failure ($server->error, @_);
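Review bot: `check_args (2, 3, [], @args)` passes an empty third argument for `comment`, while `acl add` earlier in this function passes `[3]`. `check_args` is defined outside the diff, so its meaning is inferred, but the argument looks like a list of positions that are treated differently during validation. If that list exempts arguments from the character check, the free-text comment is validated as strictly as an object name, which is the safer default for text that is stored and printed back to clients. A comment above the call would make that deliberate, e.g. `# No exemptions: the comment text goes through the same validation as type and name.` `sub command` starts and ends outside the hunk.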
@@ -318,7 +335,7 @@ __END__
=for stopwords
wallet-backend backend backend-specific remctld ACL acl timestamp getacl
setacl metadata keytab keytabs enctypes enctype ktadd KDC Allbery
-autocreate
+autocreate MERCHANTABILITY NONINFRINGEMENT sublicense
=head1 NAME
@@ -361,16 +378,17 @@ syslog.
=head1 COMMANDS
Most commands are only available to wallet administrators (users on the
-C<ADMIN> ACL). The exceptions are C<autocreate>, C<get>, C<store>,
-C<show>, C<destroy>, C<flag clear>, C<flag set>, C<getattr>, C<setattr>,
-and C<history>. All of those commands have their own ACLs except
-C<getattr> and C<history>, which use the C<show> ACL, and C<setattr>,
-which uses the C<store> ACL. If the appropriate ACL is set, it alone is
-checked to see if the user has access. Otherwise, C<get>, C<store>,
-C<show>, C<getattr>, C<setattr>, and C<history> access is permitted if the
-user is authorized by the owner ACL of the object. C<autocreate> is
-permitted if the user is listed in the default ACL for an object for that
-name.
+C<ADMIN> ACL). The exceptions are C<acl check>, C<check>, C<get>,
+C<store>, C<show>, C<destroy>, C<flag clear>, C<flag set>, C<getattr>,
+C<setattr>, and C<history>. C<acl check> and C<check> can be run by
+anyone. All of the rest of those commands have their own ACLs except
+C<getattr> and C<history>, which use the C<show> ACL, C<setattr>, which
+uses the C<store> ACL, and C<comment>, which uses the owner or C<show> ACL
+depending on whether one is setting or retrieving the comment. If the
+appropriate ACL is set, it alone is checked to see if the user has access.
+Otherwise, C<destroy>, C<get>, C<store>, C<show>, C<getattr>, C<setattr>,
+C<history>, and C<comment> access is permitted if the user is authorized
+by the owner ACL of the object.
Administrators can run any command on any object or ACL except for C<get>
and C<store>. For C<get> and C<store>, they must still be authorized by
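Review bot: The rewritten authorization paragraph no longer mentions `autocreate`, and it describes `comment` as one of "those commands" although `comment` is not in the list of exceptions that opens the paragraph. The old text named `autocreate` as a non-administrator command and said it is allowed when the user is in the default ACL for that object name. The context of a later hunk suggests the command is still documented, so the omission looks unintended. Because this paragraph is the operator's reference for who may run what, I would add `C<autocreate>` and `C<comment>` to the exceptions list and restore the sentence `C<autocreate> is permitted if the user is listed in the default ACL for an object for that name.` The same wording is generated into wallet-backend.8.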
@@ -379,8 +397,8 @@ either the appropriate specific ACL or the owner ACL.
If the locked flag is set on an object, no commands can be run on that
object that change data except the C<flags> commands, nor can the C<get>
command be used on that object. C<show>, C<history>, C<getacl>,
-C<getattr>, and C<owner> or C<expires> without an argument can still be
-used on that object.
+C<getattr>, and C<owner>, C<comment>, or C<expires> without an argument
+can still be used on that object.
For more information on attributes, see L<ATTRIBUTES>.
@@ -388,9 +406,14 @@ For more information on attributes, see L<ATTRIBUTES>.
=item acl add <id> <scheme> <identifier>
-Adds an entry with <scheme> and <identifier> to the ACL <id>. <id> may be
+Add an entry with <scheme> and <identifier> to the ACL <id>. <id> may be
either the name of an ACL or its numeric identifier.
+=item acl check <id>
+
+Check whether an ACL with the ID <id> already exists. If it does, prints
+C<yes>; if not, prints C<no>.
+
=item acl create <name>
Create a new, empty ACL with name <name>. When setting an ACL on an
@@ -437,6 +460,15 @@ object will be created with that default ACL set as the object owner.
Check whether an object of type <type> and name <name> already exists. If
it does, prints C<yes>; if not, prints C<no>.
+=item comment <type> <name> [<comment>]
+
+If <comment> is not given, displays the current comment for the object
+identified by <type> and <name>, or C<No comment set> if none is set.
+
+If <comment> is given, sets the comment on the object identified by
+<type> and <name> to <comment>. If <comment> is the empty string, clears
+the comment.
+
=item create <type> <name>
Create a new object of type <type> with name <name>. With some backends,
@@ -580,6 +612,33 @@ enctypes than those requested by this attribute.
=back
+=head1 AUTHOR
+
+Russ Allbery <rra@stanford.edu>
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright 2007, 2008, 2010, 2011, 2012, 2013 The Board of Trustees of the
+Leland Stanford Junior University
+
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the "Software"),
+to deal in the Software without restriction, including without limitation
+the rights to use, copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.
+
=head1 SEE ALSO
Wallet::Server(3), remctld(8)
@@ -587,8 +646,4 @@ Wallet::Server(3), remctld(8)
This program is part of the wallet system. The current version is
available from L<http://www.eyrie.org/~eagle/software/wallet/>.
-=head1 AUTHOR
-
-Russ Allbery <rra@stanford.edu>
-
=cut
diff --git a/server/wallet-backend.8 b/server/wallet-backend.8
index 1ecad1a..980455f 100644
--- a/server/wallet-backend.8
+++ b/server/wallet-backend.8
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.14)
+.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.26)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -124,7 +124,7 @@
.\" ========================================================================
.\"
.IX Title "WALLET-BACKEND 8"
-.TH WALLET-BACKEND 8 "2010-08-25" "0.12" "wallet"
+.TH WALLET-BACKEND 8 "2013-03-27" "1.0" "wallet"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -161,16 +161,17 @@ syslog.
.SH "COMMANDS"
.IX Header "COMMANDS"
Most commands are only available to wallet administrators (users on the
-\&\f(CW\*(C`ADMIN\*(C'\fR \s-1ACL\s0). The exceptions are \f(CW\*(C`autocreate\*(C'\fR, \f(CW\*(C`get\*(C'\fR, \f(CW\*(C`store\*(C'\fR,
-\&\f(CW\*(C`show\*(C'\fR, \f(CW\*(C`destroy\*(C'\fR, \f(CW\*(C`flag clear\*(C'\fR, \f(CW\*(C`flag set\*(C'\fR, \f(CW\*(C`getattr\*(C'\fR, \f(CW\*(C`setattr\*(C'\fR,
-and \f(CW\*(C`history\*(C'\fR. All of those commands have their own ACLs except
-\&\f(CW\*(C`getattr\*(C'\fR and \f(CW\*(C`history\*(C'\fR, which use the \f(CW\*(C`show\*(C'\fR \s-1ACL\s0, and \f(CW\*(C`setattr\*(C'\fR,
-which uses the \f(CW\*(C`store\*(C'\fR \s-1ACL\s0. If the appropriate \s-1ACL\s0 is set, it alone is
-checked to see if the user has access. Otherwise, \f(CW\*(C`get\*(C'\fR, \f(CW\*(C`store\*(C'\fR,
-\&\f(CW\*(C`show\*(C'\fR, \f(CW\*(C`getattr\*(C'\fR, \f(CW\*(C`setattr\*(C'\fR, and \f(CW\*(C`history\*(C'\fR access is permitted if the
-user is authorized by the owner \s-1ACL\s0 of the object. \f(CW\*(C`autocreate\*(C'\fR is
-permitted if the user is listed in the default \s-1ACL\s0 for an object for that
-name.
+\&\f(CW\*(C`ADMIN\*(C'\fR \s-1ACL\s0). The exceptions are \f(CW\*(C`acl check\*(C'\fR, \f(CW\*(C`check\*(C'\fR, \f(CW\*(C`get\*(C'\fR,
+\&\f(CW\*(C`store\*(C'\fR, \f(CW\*(C`show\*(C'\fR, \f(CW\*(C`destroy\*(C'\fR, \f(CW\*(C`flag clear\*(C'\fR, \f(CW\*(C`flag set\*(C'\fR, \f(CW\*(C`getattr\*(C'\fR,
+\&\f(CW\*(C`setattr\*(C'\fR, and \f(CW\*(C`history\*(C'\fR. \f(CW\*(C`acl check\*(C'\fR and \f(CW\*(C`check\*(C'\fR can be run by
+anyone. All of the rest of those commands have their own ACLs except
+\&\f(CW\*(C`getattr\*(C'\fR and \f(CW\*(C`history\*(C'\fR, which use the \f(CW\*(C`show\*(C'\fR \s-1ACL\s0, \f(CW\*(C`setattr\*(C'\fR, which
+uses the \f(CW\*(C`store\*(C'\fR \s-1ACL\s0, and \f(CW\*(C`comment\*(C'\fR, which uses the owner or \f(CW\*(C`show\*(C'\fR \s-1ACL\s0
+depending on whether one is setting or retrieving the comment. If the
+appropriate \s-1ACL\s0 is set, it alone is checked to see if the user has access.
+Otherwise, \f(CW\*(C`destroy\*(C'\fR, \f(CW\*(C`get\*(C'\fR, \f(CW\*(C`store\*(C'\fR, \f(CW\*(C`show\*(C'\fR, \f(CW\*(C`getattr\*(C'\fR, \f(CW\*(C`setattr\*(C'\fR,
+\&\f(CW\*(C`history\*(C'\fR, and \f(CW\*(C`comment\*(C'\fR access is permitted if the user is authorized
+by the owner \s-1ACL\s0 of the object.
.PP
Administrators can run any command on any object or \s-1ACL\s0 except for \f(CW\*(C`get\*(C'\fR
and \f(CW\*(C`store\*(C'\fR. For \f(CW\*(C`get\*(C'\fR and \f(CW\*(C`store\*(C'\fR, they must still be authorized by
@@ -179,14 +180,18 @@ either the appropriate specific \s-1ACL\s0 or the owner \s-1ACL\s0.
If the locked flag is set on an object, no commands can be run on that
object that change data except the \f(CW\*(C`flags\*(C'\fR commands, nor can the \f(CW\*(C`get\*(C'\fR
command be used on that object. \f(CW\*(C`show\*(C'\fR, \f(CW\*(C`history\*(C'\fR, \f(CW\*(C`getacl\*(C'\fR,
-\&\f(CW\*(C`getattr\*(C'\fR, and \f(CW\*(C`owner\*(C'\fR or \f(CW\*(C`expires\*(C'\fR without an argument can still be
-used on that object.
+\&\f(CW\*(C`getattr\*(C'\fR, and \f(CW\*(C`owner\*(C'\fR, \f(CW\*(C`comment\*(C'\fR, or \f(CW\*(C`expires\*(C'\fR without an argument
+can still be used on that object.
.PP
For more information on attributes, see \s-1ATTRIBUTES\s0.
.IP "acl add <id> <scheme> <identifier>" 4
.IX Item "acl add <id> <scheme> <identifier>"
-Adds an entry with <scheme> and <identifier> to the \s-1ACL\s0 <id>. <id> may be
+Add an entry with <scheme> and <identifier> to the \s-1ACL\s0 <id>. <id> may be
either the name of an \s-1ACL\s0 or its numeric identifier.
+.IP "acl check <id>" 4
+.IX Item "acl check <id>"
+Check whether an \s-1ACL\s0 with the \s-1ID\s0 <id> already exists. If it does, prints
+\&\f(CW\*(C`yes\*(C'\fR; if not, prints \f(CW\*(C`no\*(C'\fR.
.IP "acl create <name>" 4
.IX Item "acl create <name>"
Create a new, empty \s-1ACL\s0 with name <name>. When setting an \s-1ACL\s0 on an
@@ -226,6 +231,14 @@ object will be created with that default \s-1ACL\s0 set as the object owner.
.IX Item "check <type> <name>"
Check whether an object of type <type> and name <name> already exists. If
it does, prints \f(CW\*(C`yes\*(C'\fR; if not, prints \f(CW\*(C`no\*(C'\fR.
+.IP "comment <type> <name> [<comment>]" 4
+.IX Item "comment <type> <name> [<comment>]"
+If <comment> is not given, displays the current comment for the object
+identified by <type> and <name>, or \f(CW\*(C`No comment set\*(C'\fR if none is set.
+.Sp
+If <comment> is given, sets the comment on the object identified by
+<type> and <name> to <comment>. If <comment> is the empty string, clears
+the comment.
.IP "create <type> <name>" 4
.IX Item "create <type> <name>"
Create a new object of type <type> with name <name>. With some backends,
@@ -346,12 +359,34 @@ This attribute is ignored if the \f(CW\*(C`unchanging\*(C'\fR flag is set on a k
Keytabs retrieved with \f(CW\*(C`unchanging\*(C'\fR set will contain all keys present in
the \s-1KDC\s0 for that Kerberos principal and therefore may contain different
enctypes than those requested by this attribute.
+.SH "AUTHOR"
+.IX Header "AUTHOR"
+Russ Allbery <rra@stanford.edu>
+.SH "COPYRIGHT AND LICENSE"
+.IX Header "COPYRIGHT AND LICENSE"
+Copyright 2007, 2008, 2010, 2011, 2012, 2013 The Board of Trustees of the
+Leland Stanford Junior University
+.PP
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the \*(L"Software\*(R"),
+to deal in the Software without restriction, including without limitation
+the rights to use, copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following conditions:
+.PP
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+.PP
+\&\s-1THE\s0 \s-1SOFTWARE\s0 \s-1IS\s0 \s-1PROVIDED\s0 \*(L"\s-1AS\s0 \s-1IS\s0\*(R", \s-1WITHOUT\s0 \s-1WARRANTY\s0 \s-1OF\s0 \s-1ANY\s0 \s-1KIND\s0, \s-1EXPRESS\s0 \s-1OR\s0
+\&\s-1IMPLIED\s0, \s-1INCLUDING\s0 \s-1BUT\s0 \s-1NOT\s0 \s-1LIMITED\s0 \s-1TO\s0 \s-1THE\s0 \s-1WARRANTIES\s0 \s-1OF\s0 \s-1MERCHANTABILITY\s0,
+\&\s-1FITNESS\s0 \s-1FOR\s0 A \s-1PARTICULAR\s0 \s-1PURPOSE\s0 \s-1AND\s0 \s-1NONINFRINGEMENT\s0. \s-1IN\s0 \s-1NO\s0 \s-1EVENT\s0 \s-1SHALL\s0
+\&\s-1THE\s0 \s-1AUTHORS\s0 \s-1OR\s0 \s-1COPYRIGHT\s0 \s-1HOLDERS\s0 \s-1BE\s0 \s-1LIABLE\s0 \s-1FOR\s0 \s-1ANY\s0 \s-1CLAIM\s0, \s-1DAMAGES\s0 \s-1OR\s0 \s-1OTHER\s0
+\&\s-1LIABILITY\s0, \s-1WHETHER\s0 \s-1IN\s0 \s-1AN\s0 \s-1ACTION\s0 \s-1OF\s0 \s-1CONTRACT\s0, \s-1TORT\s0 \s-1OR\s0 \s-1OTHERWISE\s0, \s-1ARISING\s0
+\&\s-1FROM\s0, \s-1OUT\s0 \s-1OF\s0 \s-1OR\s0 \s-1IN\s0 \s-1CONNECTION\s0 \s-1WITH\s0 \s-1THE\s0 \s-1SOFTWARE\s0 \s-1OR\s0 \s-1THE\s0 \s-1USE\s0 \s-1OR\s0 \s-1OTHER\s0
+\&\s-1DEALINGS\s0 \s-1IN\s0 \s-1THE\s0 \s-1SOFTWARE\s0.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIWallet::Server\fR\|(3), \fIremctld\fR\|(8)
.PP
This program is part of the wallet system. The current version is
available from <http://www.eyrie.org/~eagle/software/wallet/>.
-.SH "AUTHOR"
-.IX Header "AUTHOR"
-Russ Allbery <rra@stanford.edu>
diff --git a/server/wallet-report b/server/wallet-report
index 98fd07a..87755b8 100755
--- a/server/wallet-report
+++ b/server/wallet-report
@@ -1,11 +1,6 @@
#!/usr/bin/perl -w
#
-# wallet-report -- Wallet server reporting interface.
-#
-# Written by Russ Allbery <rra@stanford.edu>
-# Copyright 2008, 2009, 2010 Board of Trustees, Leland Stanford Jr. University
-#
-# See LICENSE for licensing terms.
+# Wallet server reporting interface.
##############################################################################
# Declarations and globals
@@ -31,6 +26,7 @@ Wallet reporting help:
objects owner <owner> Objects owned by that owner
objects type <type> Objects of that type
objects unused Objects that have never been stored/gotten
+ owners <type> <name> All ACL entries owning matching objects
EOH
##############################################################################
@@ -112,6 +108,7 @@ wallet-report - Wallet server reporting interface
=for stopwords
metadata ACL hostname backend acl acls wildcard SQL Allbery remctl
+MERCHANTABILITY NONINFRINGEMENT sublicense
=head1 SYNOPSIS
@@ -278,6 +275,33 @@ with duplicates suppressed.
=back
+=head1 AUTHOR
+
+Russ Allbery <rra@stanford.edu>
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright 2008, 2009, 2010, 2013 The Board of Trustees of the Leland
+Stanford Junior University
+
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the "Software"),
+to deal in the Software without restriction, including without limitation
+the rights to use, copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.
+
=head1 SEE ALSO
Wallet::Config(3), Wallet::Report(3), wallet-backend(8)
@@ -285,8 +309,4 @@ Wallet::Config(3), Wallet::Report(3), wallet-backend(8)
This program is part of the wallet system. The current version is
available from L<http://www.eyrie.org/~eagle/software/wallet/>.
-=head1 AUTHOR
-
-Russ Allbery <rra@stanford.edu>
-
=cut
diff --git a/server/wallet-report.8 b/server/wallet-report.8
index 0600736..003bafb 100644
--- a/server/wallet-report.8
+++ b/server/wallet-report.8
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.14)
+.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.26)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -124,7 +124,7 @@
.\" ========================================================================
.\"
.IX Title "WALLET-REPORT 8"
-.TH WALLET-REPORT 8 "2010-08-25" "0.12" "wallet"
+.TH WALLET-REPORT 8 "2013-03-27" "1.0" "wallet"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -291,12 +291,34 @@ The output will be one line per \s-1ACL\s0 line in the form:
.Ve
.Sp
with duplicates suppressed.
+.SH "AUTHOR"
+.IX Header "AUTHOR"
+Russ Allbery <rra@stanford.edu>
+.SH "COPYRIGHT AND LICENSE"
+.IX Header "COPYRIGHT AND LICENSE"
+Copyright 2008, 2009, 2010, 2013 The Board of Trustees of the Leland
+Stanford Junior University
+.PP
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the \*(L"Software\*(R"),
+to deal in the Software without restriction, including without limitation
+the rights to use, copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following conditions:
+.PP
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+.PP
+\&\s-1THE\s0 \s-1SOFTWARE\s0 \s-1IS\s0 \s-1PROVIDED\s0 \*(L"\s-1AS\s0 \s-1IS\s0\*(R", \s-1WITHOUT\s0 \s-1WARRANTY\s0 \s-1OF\s0 \s-1ANY\s0 \s-1KIND\s0, \s-1EXPRESS\s0 \s-1OR\s0
+\&\s-1IMPLIED\s0, \s-1INCLUDING\s0 \s-1BUT\s0 \s-1NOT\s0 \s-1LIMITED\s0 \s-1TO\s0 \s-1THE\s0 \s-1WARRANTIES\s0 \s-1OF\s0 \s-1MERCHANTABILITY\s0,
+\&\s-1FITNESS\s0 \s-1FOR\s0 A \s-1PARTICULAR\s0 \s-1PURPOSE\s0 \s-1AND\s0 \s-1NONINFRINGEMENT\s0. \s-1IN\s0 \s-1NO\s0 \s-1EVENT\s0 \s-1SHALL\s0
+\&\s-1THE\s0 \s-1AUTHORS\s0 \s-1OR\s0 \s-1COPYRIGHT\s0 \s-1HOLDERS\s0 \s-1BE\s0 \s-1LIABLE\s0 \s-1FOR\s0 \s-1ANY\s0 \s-1CLAIM\s0, \s-1DAMAGES\s0 \s-1OR\s0 \s-1OTHER\s0
+\&\s-1LIABILITY\s0, \s-1WHETHER\s0 \s-1IN\s0 \s-1AN\s0 \s-1ACTION\s0 \s-1OF\s0 \s-1CONTRACT\s0, \s-1TORT\s0 \s-1OR\s0 \s-1OTHERWISE\s0, \s-1ARISING\s0
+\&\s-1FROM\s0, \s-1OUT\s0 \s-1OF\s0 \s-1OR\s0 \s-1IN\s0 \s-1CONNECTION\s0 \s-1WITH\s0 \s-1THE\s0 \s-1SOFTWARE\s0 \s-1OR\s0 \s-1THE\s0 \s-1USE\s0 \s-1OR\s0 \s-1OTHER\s0
+\&\s-1DEALINGS\s0 \s-1IN\s0 \s-1THE\s0 \s-1SOFTWARE\s0.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIWallet::Config\fR\|(3), \fIWallet::Report\fR\|(3), \fIwallet\-backend\fR\|(8)
.PP
This program is part of the wallet system. The current version is
available from <http://www.eyrie.org/~eagle/software/wallet/>.
-.SH "AUTHOR"
-.IX Header "AUTHOR"
-Russ Allbery <rra@stanford.edu>