[Freeipa-devel] [PATCH] add requires_root option to Command
Rob Crittenden
rcritten at redhat.com
Tue Apr 21 21:16:02 UTC 2009
Simo Sorce wrote:
> On Tue, 2009-04-21 at 10:24 -0400, Rob Crittenden wrote:
>> Some commands will require that the local user have root permissions.
>> I'm not 100% sure this is the right place to put it but it at least
>> starts the conversation.
>
> Speaking just in general terms I don't like doing things like:
> if uid == 0 fail;
>
> I think that we should gracefully catch whatever exception is thrown up
> (access denied or whatever) and then return an error.
>
> Sometimes this is not possible, and I haven't looked at what's around
> that patch, so this may be the right way in this case.
>
> Simo.
>

That is exactly what this does. It raises an exception that Root is
required and the client catches this and displays it:

$ ipa join foo.example.com
ipa: ERROR: This command requires root access

Otherwise we're going to get file permission errors and nasty things
like that which won't provide a useful error message to the client. If
we catch this up front then we can prevent doing unnecessary things.

Note that this is only for client-side stuff. In this case, when joining
a machine to the IPA domain I want root access so the keytab we retrieve
will be protected (and since I'll ultimately update /etc/krb5.keytab
root will be mandatory).

rob
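
The up-front check described in this message, next to the catch-the-exception approach from the quoted text, as an added sketch that is not the patch under discussion and not FreeIPA code. `RequiresRoot`, `Command.run`, `Join` and `cli` are hypothetical names, the `euid` parameter exists only so the check can be exercised without being root, and the keytab content is a constructed placeholder.

```python
import os


class RequiresRoot(Exception):
    """Raised before any work is done when a command needs root."""

    def __init__(self):
        super().__init__("This command requires root access")


class Command:
    requires_root = False  # hypothetical per-command flag

    def execute(self, *args):
        raise NotImplementedError

    def run(self, *args, euid=None):
        # Check the effective uid once, before touching files or the network.
        euid = os.geteuid() if euid is None else euid
        if self.requires_root and euid != 0:
            raise RequiresRoot()
        return self.execute(*args)


class Join(Command):
    requires_root = True

    def __init__(self, keytab_path):
        self.keytab_path = keytab_path

    def execute(self, hostname):
        # O_EXCL plus mode 0600: the file is never readable by other users,
        # not even between creation and a later chmod.
        fd = os.open(self.keytab_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(b"constructed placeholder, not a real keytab\n")
        return self.keytab_path


def cli(command, *args, euid=None):
    """Return (exit_code, message) the way a client front end would report it."""
    try:
        command.run(*args, euid=euid)
        return 0, ""
    except RequiresRoot as e:      # up-front check: one clear message, no side effects
        return 1, f"ipa: ERROR: {e}"
    except PermissionError as e:   # fallback: translate what the OS raised
        return 1, f"ipa: ERROR: {e.strerror}: {e.filename}"
```
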