[Freeipa-devel] [PATCH 78] Ticket #2979 - prevent last admin from being disabled

Petr Viktorin pviktori at redhat.com
Mon Aug 20 17:37:29 UTC 2012


(Sorry if you're getting this twice; I didn't send it to the list)

On 08/16/2012 08:38 PM, John Dennis wrote:
>
> --
> John Dennis <jdennis at redhat.com>
>
> freeipa-jdennis-0078-Ticket-2979-prevent-last-admin-from-being-disabled.patch
>
>
> From c47109c63530e188db76986fdda48c76bf681d10 Mon Sep 17 00:00:00 2001
> From: John Dennis <jdennis at redhat.com>
> Date: Thu, 16 Aug 2012 20:28:44 -0400
> Subject: [PATCH 78] Ticket #2979 - prevent last admin from being disabled
> Content-Type: text/plain; charset="utf-8"
> Content-Transfer-Encoding: 8bit
>
> We prevent the last member of the admin group from being deleted. The
> same check needs to be performed when disabling a user.
>
> Moved the code in del_user to a common subroutine and call it from
> both user_del and user_disable. Note, unlike user_del user_disable
> does not have a 'pre' callback therefore the check function is called
> in user_disable's execute routine.

This should also prevent disabling all admins if there's more than one:

# ipa user-add admin2 --first=a --last=b
-------------------
Added user "admin2"
-------------------
...
# ipa group-add-member admins --user=admin2
-------------------------
Number of members added 1
-------------------------
# ipa user-disable admin2
------------------------------
Disabled user account "admin2"
------------------------------
# ipa user-disable admin
------------------------------
Disabled user account "admin"
------------------------------
# ipa ping
ipa: ERROR: Server is unwilling to perform: Account inactivated. Contact system administrator.

Also with one enabled and one disabled admin, it shouldn't be possible 
to delete the enabled one.


Please add some tests; you can extend the ones added in commit f8e7b51.



-- 
Petr³
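
The two cases raised in the review above, as an added Python example (not FreeIPA code and not part of the patch): a last-admin check that counts group members lets every admin be disabled, while one that counts enabled members refuses. The dict-based directory model and all function names are hypothetical.

```python
# Added illustration; not FreeIPA code. A directory is modelled as a dict of
# uid -> {"disabled": bool}; every name below is hypothetical.

class LastAdminError(Exception):
    """Raised when an operation would leave no usable admin account."""


def check_by_membership(admins, users, uid):
    """Flawed check: refuses only when uid is the sole *member* of admins."""
    if admins == {uid}:
        raise LastAdminError(uid)


def check_by_enabled(admins, users, uid):
    """Refuse when no *enabled* admin other than uid would remain."""
    if uid not in admins or users[uid]["disabled"]:
        return  # not an admin, or already disabled: no usable admin is lost
    remaining = [u for u in admins if u != uid and not users[u]["disabled"]]
    if not remaining:
        raise LastAdminError(uid)


def disable(check, admins, users, uid):
    check(admins, users, uid)
    users[uid]["disabled"] = True


def delete(check, admins, users, uid):
    check(admins, users, uid)
    admins.discard(uid)
    del users[uid]


def replay(check):
    """Replay the session from the mail: disable admin2, then admin."""
    users = {"admin": {"disabled": False}, "admin2": {"disabled": False}}
    admins = {"admin", "admin2"}
    log = []
    for uid in ("admin2", "admin"):
        try:
            disable(check, admins, users, uid)
            log.append((uid, "disabled"))
        except LastAdminError:
            log.append((uid, "refused"))
    return log, admins, users
```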



