[Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users
Rob Crittenden
rcritten at redhat.com
Tue Jun 5 13:00:39 UTC 2012
Petr Viktorin wrote:
> On 06/05/2012 10:06 AM, Martin Kosek wrote:
>> On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote:
>>> On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote:
>>>> An update plugin needed root privileges, and aborted the update if an
>>>> ordinary user user ran it.
>>>> With this patch the plugin is skipped with a warning in that case.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/2621
>>>
>>> Hi Petr,
>>> I am not sure I like the proposed solution.
>>>
>>> If there is a legitimate reason to run this plugin as non-root (eg admin
>>> user) then you should change the connection part to try to use GSSAPI
>>> auth over ldap when non-root, not just throw a warning.
>>>
>>> If there is no reason for anyone but root to run this script then we
>>> should just abort if not root IMO.
>>>
>>> Simo.
>>>
>>
>> I would keep this script runable for root users only. Regularly, this
>> should not be run manually but as a part of RPM update which is done by
>> root. It is being run manually only when something is broken anyway and
>> I am not convinced that non-root users should be involved in such
>> recovery.
>>
>> Martin
>>
>
> Thanks for the advice. The attached patch only allows root to run
> ipa-ldap-updater.
NACK. It is very handy for developers to be able to run ipa-ldap-updater
to test update files.
rob
More information about the Freeipa-devel
mailing list