[Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users

Rob Crittenden rcritten at redhat.com
Tue Jun 5 12:59:02 UTC 2012


Martin Kosek wrote:
> On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote:
>> On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote:
>>> An update plugin needed root privileges, and aborted the update if an
>>> ordinary user ran it.
>>> With this patch the plugin is skipped with a warning in that case.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2621
>>
>> Hi Petr,
>> I am not sure I like the proposed solution.
>>
>> If there is a legitimate reason to run this plugin as non-root (eg admin
>> user) then you should change the connection part to try to use GSSAPI
>> auth over ldap when non-root, not just throw a warning.
>>
>> If there is no reason for anyone but root to run this script then we
>> should just abort if not root IMO.
>>
>> Simo.
>>
>
> I would keep this script runnable for root users only. Regularly, this
> should not be run manually but as a part of RPM update which is done by
> root. It is being run manually only when something is broken anyway and
> I am not convinced that non-root users should be involved in such
> recovery.

I'd agree if root was actually needed for this. It is only needed 
because we're using ldapi and relying on autobind.

The real trick is that this doesn't use GSSAPI. Many updates require the 
DM password. So the question becomes, do we have the DM password 
available in the plugin to bind if we're not running as root?

rob
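To make the trade-off in this thread concrete, here is an added illustration (not code from the patch or from FreeIPA itself) of how an update plugin could select its bind strategy instead of assuming ldapi autobind: root keeps the ldapi socket with SASL EXTERNAL (autobind), a non-root caller falls back to a Directory Manager simple bind when the password is available, then to GSSAPI, and is skipped otherwise. The socket path `/var/run/slapd-EXAMPLE-COM.socket` and the `KRB5CCNAME` check are assumptions for the example, not values taken from the thread.

```python
"""Bind-strategy selection for an LDAP update plugin (constructed example)."""
import os
import urllib.parse
from dataclasses import dataclass
from typing import Optional

# Assumed socket path for the example; a real deployment derives it from the realm.
DEFAULT_SOCKET = "/var/run/slapd-EXAMPLE-COM.socket"
DM_DN = "cn=Directory Manager"


@dataclass(frozen=True)
class BindPlan:
    """How the plugin should connect: URI plus SASL mechanism or simple bind."""
    uri: str
    mechanism: str                  # "EXTERNAL" (ldapi autobind), "GSSAPI" or "SIMPLE"
    bind_dn: Optional[str] = None   # only set for a simple bind
    password: Optional[str] = None  # only set for a simple bind


def ldapi_uri(socket_path: str) -> str:
    """Build an ldapi:// URI; the socket path is percent-encoded, so '/' becomes '%2F'."""
    return "ldapi://" + urllib.parse.quote(socket_path, safe="")


def choose_bind(euid: int, socket_path: str,
                have_krb_ccache: bool, dm_password: Optional[str]) -> BindPlan:
    """Pick a bind method from the caller's privileges and available credentials.

    Raises PermissionError when nothing usable is available, which is the
    condition under which the plugin should be skipped (or the update aborted).
    """
    uri = ldapi_uri(socket_path)
    if euid == 0:
        # Root is mapped to Directory Manager by the ldapi autobind rule.
        return BindPlan(uri, "EXTERNAL")
    if dm_password:
        # Many updates need DM rights, so prefer the DM password when it is known.
        return BindPlan(uri, "SIMPLE", DM_DN, dm_password)
    if have_krb_ccache:
        # GSSAPI as an admin user covers plugins that do not need DM rights.
        return BindPlan(uri, "GSSAPI")
    raise PermissionError(
        "not root and no Directory Manager password or Kerberos credentials available")


def current_plan(dm_password: Optional[str] = None,
                 socket_path: str = DEFAULT_SOCKET) -> BindPlan:
    """Decide for the running process: effective UID plus a KRB5CCNAME hint (assumed check)."""
    return choose_bind(os.geteuid(), socket_path,
                       bool(os.environ.get("KRB5CCNAME")), dm_password)


if __name__ == "__main__":
    try:
        print(current_plan())
    except PermissionError as exc:
        print("skipping update plugin:", exc)
```

The decision order matches the point raised in the reply: the only reason root is required today is the ldapi autobind, and once the plugin can take a DM password or a Kerberos ticket, the root check reduces to one branch of this function rather than a hard abort.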