Hi, Group-mod command no longer allows --rename and/or --external changes made to the admins group. In such cases, ProtectedEntryError is being raised.
https://fedorahosted.org/freeipa/ticket/3098 Tomas
>From 667031a12f7c2bc0b95573afc0a7cf572d64cb43 Mon Sep 17 00:00:00 2001 From: Tomas Babej <tba...@redhat.com> Date: Tue, 25 Sep 2012 08:14:57 -0400 Subject: [PATCH] Restrict admins group modifications Group-mod command no longer allows --rename and/or --external changes made to the admins group. In such cases, ProtectedEntryError is being raised. https://fedorahosted.org/freeipa/ticket/3098 --- ipalib/errors.py | 6 +++--- ipalib/plugins/group.py | 12 ++++++++++++ 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/ipalib/errors.py b/ipalib/errors.py index 6a4e2c5d68f6a6f9b94d8e6b3d7a81d5c1922093..3dc38a4fba1ce826dba03f75937e2609baf3b5bf 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1643,18 +1643,18 @@ class LastMemberError(ExecutionError): class ProtectedEntryError(ExecutionError): """ - **4309** Raised when an entry being deleted is protected + **4309** Raised when an entry being deleted or modified in a forbidden way is protected For example: >>> raise ProtectedEntryError(label=u'group', key=u'admins', reason=_(u'privileged group')) Traceback (most recent call last): ... - ProtectedEntryError: group admins cannot be deleted: privileged group + ProtectedEntryError: group admins cannot be deleted/modified: privileged group """ errno = 4309 - format = _('%(label)s %(key)s cannot be deleted: %(reason)s') + format = _('%(label)s %(key)s cannot be deleted/modified: %(reason)s') ############################################################################## diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index f1e34bd56fc2427e2e9f60da89cab731021e1db0..f739d3604f242d23ad32e1548ca2603ad2befdbd 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -260,6 +260,14 @@ class group_mod(LDAPUpdate): def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): assert isinstance(dn, DN) + + self.log.info(str(keys)) + is_admins_group = u'admins' in keys + + if 'rename' in options: + if is_admins_group: + raise errors.ProtectedEntryError(label=u'group', key=u'admins', reason=u'Cannot be renamed.') + if ('posix' in options and options['posix']) or 'gidnumber' in options: (dn, old_entry_attrs) = ldap.get_entry(dn, ['objectclass']) if 'ipaexternalgroup' in old_entry_attrs['objectclass']: @@ -272,7 +280,10 @@ class group_mod(LDAPUpdate): entry_attrs['objectclass'] = old_entry_attrs['objectclass'] if not 'gidnumber' in options: entry_attrs['gidnumber'] = 999 + if options['external']: + if is_admins_group: + raise errors.ProtectedEntryError(label=u'group', key=u'admins', reason=u'Cannot support external non-IPA members.') (dn, old_entry_attrs) = ldap.get_entry(dn, ['objectclass']) if 'posixgroup' in old_entry_attrs['objectclass']: raise errors.PosixGroupViolation() @@ -281,6 +292,7 @@ class group_mod(LDAPUpdate): else: old_entry_attrs['objectclass'].append('ipaexternalgroup') entry_attrs['objectclass'] = old_entry_attrs['objectclass'] + # Can't check for this in a validator because we lack context if 'gidnumber' in options and options['gidnumber'] is None: raise errors.RequirementError(name='gid') -- 1.7.11.4
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
