[Freeipa-devel] [PATCH] add requires_root option to Command
Simo Sorce
ssorce at redhat.com
Wed Apr 22 08:46:46 UTC 2009
On Tue, 2009-04-21 at 17:16 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Tue, 2009-04-21 at 10:24 -0400, Rob Crittenden wrote:
> >> Some commands will require that the local user have root permissions.
> >> I'm not 100% sure this is the right place to put it but it at least
> >> starts the conversation.
> >
> > Speaking just in general terms I don't like doings things like:
> > if uid == 0 fail;
> >
> > I think that we should gracefully catch whatever exception is thrown up
> > (access denied or whatever) and then return an error.
> >
> > Some times this is not possible, and I haven't looked at what's around
> > that patch, so this may be the right way in this case.
> >
> > Simo.
> >
>
> That is exactly what this does. It raises an exception that Root is
> required and the client catches this and displays it:
>
> $ ipa join foo.example.com
> ipa: ERROR: This command requires root access
>
> Otherwise we're going to get file permission errors and nasty things
> like that which won't provide a useful error message to the client. If
> we catch this up front then we can prevent doing unnecessary things.
>
> Note that this is only for client-side stuff. In this case, when joining
> a machine to the IPA domain I want root access so the keytab we retrieve
> will be protected (and since I'll ultimiately update /etc/krb5.keytab
> root will be mandatory).
Yet, but I would rather check if we can write to /etc/krb5.keytab with
the current user (even just using access(2)), not just check if geteuid
== 0
Simo.
More information about the Freeipa-devel
mailing list