On 06/05/2012 10:06 AM, Martin Kosek wrote:
On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote:
On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote:
An update plugin needed root privileges, and aborted the update if an
ordinary user user ran it.
With this patch the plugin is skipped with a warning in that case.
https://fedorahosted.org/freeipa/ticket/2621
Hi Petr,
I am not sure I like the proposed solution.
If there is a legitimate reason to run this plugin as non-root (eg admin
user) then you should change the connection part to try to use GSSAPI
auth over ldap when non-root, not just throw a warning.
If there is no reason for anyone but root to run this script then we
should just abort if not root IMO.
Simo.
I would keep this script runable for root users only. Regularly, this
should not be run manually but as a part of RPM update which is done by
root. It is being run manually only when something is broken anyway and
I am not convinced that non-root users should be involved in such
recovery.
Martin
Thanks for the advice. The attached patch only allows root to run
ipa-ldap-updater.
--
PetrĀ³
From a4069362d5fd85db58a8dfc75c3d210bec11a361 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Tue, 5 Jun 2012 04:33:30 -0400
Subject: [PATCH] Only allow root to run ipa-ldap-updater
This script is an internal tool not intended to be executed by
end-users. We only run it when installing/upgrading.
Therefore there's no reason to allow non-root users to run it.
https://fedorahosted.org/freeipa/ticket/2621
---
install/tools/ipa-ldap-updater | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/install/tools/ipa-ldap-updater b/install/tools/ipa-ldap-updater
index bd2233a94241c28375b29cc10d60908238b8f176..73e5d1680eb8344bb09de18f1409acb1161be44e 100755
--- a/install/tools/ipa-ldap-updater
+++ b/install/tools/ipa-ldap-updater
@@ -87,10 +87,10 @@ def main():
safe_options, options, args = parse_options()
- if os.getegid() == 0:
- installutils.check_server_configuration()
- elif not os.path.exists('/etc/ipa/default.conf'):
- sys.exit("IPA is not configured on this system.")
+ if os.getegid() != 0:
+ sys.exit("Must be root to run this script")
+
+ installutils.check_server_configuration()
dirman_password = ""
if options.password:
@@ -124,8 +124,6 @@ def main():
updates = None
if options.upgrade:
- if os.getegid() != 0:
- sys.exit('Upgrade can only be done as root')
root_logger.debug('%s was invoked with arguments %s and options: %s' % (sys.argv[0], args, safe_options))
realm = krbV.default_context().default_realm
upgrade = IPAUpgrade(realm, files, live_run=not options.test)
--
1.7.10.2
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
