Petr Viktorin wrote:
On 06/05/2012 03:00 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 06/05/2012 10:06 AM, Martin Kosek wrote:
On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote:
On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote:
An update plugin needed root privileges, and aborted the update if an
ordinary user ran it.
With this patch the plugin is skipped with a warning in that case.

Hi Petr,
I am not sure I like the proposed solution.

If there is a legitimate reason to run this plugin as non-root (eg
user) then you should change the connection part to try to use GSSAPI
auth over ldap when non-root, not just throw a warning.

If there is no reason for anyone but root to run this script then we
should just abort if not root IMO.


I would keep this script runnable for root users only. Regularly, this
should not be run manually but as a part of RPM update which is done by
root. It is being run manually only when something is broken anyway and
I am not convinced that non-root users should be involved in such


Thanks for the advice. The attached patch only allows root to run

NACK. It is very handy for developers to be able to run ipa-ldap-updater
to test update files.


Developers can run it as root, I don't see a problem here.

I'd really rather not. This does nothing requiring root permissions, it's all done over LDAP. I'd rather trade not running some plugins than always requiring root.


Freeipa-devel mailing list
