[Freeipa-devel] --setattr for attributes that are handled via command options

Tomas Babej tbabej at redhat.com
Fri Oct 26 09:58:30 UTC 2012


In many ipa commands you are usually able to mess things up using
--setattr for attributes that are handled by command options.

using --setattr=attributename=:
   - I am able to set the attribute to None

using --setattr=attributename=value:
   - I am often able to bypass validation in pre_callback that operates with
     options[]
   - I am able to override the value given using the option that handles this
     attribute. Therefore I am able to save a value that completely bypasses
     the rules even for compulsory attributes.

The question is, should we support such usage? Make our commands foolproof?
Or should we give the power to break the system to the unwary user?

There is also an option of disabling --setattr for attributes that are fully
handled via command options. I suppose that would not require extensive changes
in the IPA code, as opposed to tiresome checking for these corner use cases in
every command.

Tomas
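
An added example, not part of the original message and not FreeIPA code: a simplified model of the behaviour described above and of the proposed fix (rejecting --setattr for attributes that a command option already handles). The schema, the attribute names and the functions build_entry and parse_setattr are hypothetical.

```python
class ValidationError(Exception):
    """Raised when a request would store a value the command's rules forbid."""

# Hypothetical schema: option name -> (LDAP attribute, required, validator)
SCHEMA = {
    "uid": ("uidnumber", True, lambda v: v.isdigit() and int(v) >= 1000),
    "shell": ("loginshell", False, lambda v: v.startswith("/")),
}
ATTR_TO_OPTION = {attr: opt for opt, (attr, _, _) in SCHEMA.items()}

def parse_setattr(items):
    """Split 'attr=value' items; an empty value means 'clear the attribute'."""
    parsed = {}
    for item in items:
        attr, sep, value = item.partition("=")
        if not sep or not attr:
            raise ValidationError(f"malformed --setattr item: {item!r}")
        # LDAP attribute names are case-insensitive, so normalise before lookup
        parsed[attr.lower()] = value if value else None
    return parsed

def build_entry(options, setattr_items, guard=True):
    """Validate options (pre_callback style), then merge the --setattr values."""
    entry = {}
    for opt, (attr, required, check) in SCHEMA.items():
        value = options.get(opt)
        if value is None:
            if required:
                raise ValidationError(f"--{opt} is required")
            continue
        if not check(value):
            raise ValidationError(f"invalid value for --{opt}: {value!r}")
        entry[attr] = value
    for attr, value in parse_setattr(setattr_items).items():
        if guard and attr in ATTR_TO_OPTION:
            raise ValidationError(
                f"{attr} is managed by --{ATTR_TO_OPTION[attr]}; use that option")
        entry[attr] = value  # with guard=False this overrides the validated value
    return entry

if __name__ == "__main__":
    opts = {"uid": "1500"}  # constructed sample input
    print(build_entry(opts, ["uidnumber=0"], guard=False))  # rule bypassed
    try:
        build_entry(opts, ["uidnumber=0"])
    except ValidationError as exc:
        print("rejected:", exc)
```
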
