[Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users

Martin Kosek mkosek at redhat.com
Tue Jun 5 08:06:37 UTC 2012


On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote:
> On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote:
> > An update plugin needed root privileges, and aborted the update if an 
> > ordinary user ran it.
> > With this patch the plugin is skipped with a warning in that case.
> > 
> > https://fedorahosted.org/freeipa/ticket/2621
> 
> Hi Petr,
> I am not sure I like the proposed solution.
> 
> If there is a legitimate reason to run this plugin as non-root (eg admin
> user) then you should change the connection part to try to use GSSAPI
> auth over ldap when non-root, not just throw a warning.
> 
> If there is no reason for anyone but root to run this script then we
> should just abort if not root IMO.
> 
> Simo.
> 

I would keep this script runnable for root users only. Regularly, this
should not be run manually but as a part of RPM update which is done by
root. It is being run manually only when something is broken anyway and
I am not convinced that non-root users should be involved in such
recovery.

Martin



