[Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users

Petr Viktorin pviktori at redhat.com
Tue Jun 5 08:53:16 UTC 2012


On 06/05/2012 10:06 AM, Martin Kosek wrote:
> On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote:
>> On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote:
>>> An update plugin needed root privileges, and aborted the update if an
>>> ordinary user ran it.
>>> With this patch the plugin is skipped with a warning in that case.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2621
>>
>> Hi Petr,
>> I am not sure I like the proposed solution.
>>
>> If there is a legitimate reason to run this plugin as non-root (e.g. admin
>> user) then you should change the connection part to try to use GSSAPI
>> auth over ldap when non-root, not just throw a warning.
>>
>> If there is no reason for anyone but root to run this script then we
>> should just abort if not root IMO.
>>
>> Simo.
>>
>
> I would keep this script runnable for root users only. Regularly, this
> should not be run manually but as a part of RPM update which is done by
> root. It is being run manually only when something is broken anyway and
> I am not convinced that non-root users should be involved in such
> recovery.
>
> Martin
>

Thanks for the advice. The attached patch only allows root to run 
ipa-ldap-updater.

-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0057-02-Only-allow-root-to-run-ipa-ldap-updater.patch
Type: text/x-patch
Size: 1668 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120605/3dae0bd0/attachment.bin>