[Freeipa-devel] [PATCH] 0057 Skip the fix_replica_memberof update plugin for non-root users

Petr Viktorin pviktori at redhat.com
Tue Jun 5 14:15:40 UTC 2012


On 06/05/2012 03:00 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 06/05/2012 10:06 AM, Martin Kosek wrote:
>>> On Mon, 2012-06-04 at 11:51 -0400, Simo Sorce wrote:
>>>> On Mon, 2012-06-04 at 17:22 +0200, Petr Viktorin wrote:
>>>>> An update plugin needed root privileges, and aborted the update if an
>>>>> ordinary user ran it.
>>>>> With this patch the plugin is skipped with a warning in that case.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/2621
>>>>
>>>> Hi Petr,
>>>> I am not sure I like the proposed solution.
>>>>
>>>> If there is a legitimate reason to run this plugin as non-root (eg
>>>> admin
>>>> user) then you should change the connection part to try to use GSSAPI
>>>> auth over ldap when non-root, not just throw a warning.
>>>>
>>>> If there is no reason for anyone but root to run this script then we
>>>> should just abort if not root IMO.
>>>>
>>>> Simo.
>>>>
>>>
>>> I would keep this script runnable for root users only. Regularly, this
>>> should not be run manually but as a part of RPM update which is done by
>>> root. It is being run manually only when something is broken anyway and
>>> I am not convinced that non-root users should be involved in such
>>> recovery.
>>>
>>> Martin
>>>
>>
>> Thanks for the advice. The attached patch only allows root to run
>> ipa-ldap-updater.
>
> NACK. It is very handy for developers to be able to run ipa-ldap-updater
> to test update files.
>
> rob

Developers can run it as root, I don't see a problem here.


-- 
Petr³
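The two alternatives Simo lays out above, abort when the caller is not root, or bind over GSSAPI with the caller's own Kerberos ticket instead of relying on root-only access, can be captured in one small decision routine. The block below is an added illustration written for this page; it is not code from ipa-ldap-updater or from any of the thread's participants. The socket path, server name and the use of KRB5CCNAME as a stand-in for "the caller holds a ticket" are assumptions made here so the example runs offline; the optional `connect()` helper uses python-ldap calls that exist but is not exercised without a directory server.

```python
"""Privilege gating for an LDAP update tool: root binds over ldapi with
SASL EXTERNAL, anyone else is either refused or, if the policy allows it,
sent over GSSAPI with their own Kerberos ticket.

Added illustration, not FreeIPA code.  Socket path, hostname and the
KRB5CCNAME heuristic are assumptions made for this example.
"""
import os
from dataclasses import dataclass
from urllib.parse import quote


class NotPermitted(Exception):
    """The caller may not perform the update at all (abort, do not skip)."""


@dataclass(frozen=True)
class BindPlan:
    uri: str
    mechanism: str  # "EXTERNAL" for ldapi autobind, "GSSAPI" for a Kerberos ticket


def ldapi_uri(socket_path):
    """ldapi:// URIs carry the socket path percent-encoded ('/' -> '%2F')."""
    return "ldapi://" + quote(socket_path, safe="")


def plan_bind(euid, ccache, allow_gssapi,
              socket_path="/var/run/slapd-EXAMPLE-COM.socket",  # assumed
              server="ipa.example.com"):                         # assumed
    """Decide how this run should authenticate.

    euid         -- os.geteuid() of the caller, injected so the logic is testable
    ccache       -- KRB5CCNAME value or None; a stand-in for "has a ticket"
    allow_gssapi -- True: non-root falls back to GSSAPI (Simo's first option);
                    False: root only, abort otherwise (Simo's second option)
    """
    if euid == 0:
        # Root talks to the local server over the unix socket; the server
        # maps the peer's uid to an identity, so no password is involved.
        return BindPlan(ldapi_uri(socket_path), "EXTERNAL")
    if not allow_gssapi:
        # Neither skip the plugin nor warn: refuse the whole run.
        raise NotPermitted("must be run as root (euid %d)" % euid)
    if not ccache:
        raise NotPermitted(
            "not root and no Kerberos credential cache (KRB5CCNAME unset)")
    return BindPlan("ldaps://%s" % server, "GSSAPI")


def connect(plan):
    """Perform the bind described by a BindPlan using python-ldap.

    Not run offline; shown only to tie the plan to real calls.
    """
    import ldap
    import ldap.sasl
    conn = ldap.initialize(plan.uri)
    if plan.mechanism == "EXTERNAL":
        auth = ldap.sasl.external()
    else:
        auth = ldap.sasl.gssapi()
    conn.sasl_interactive_bind_s("", auth)
    return conn


if __name__ == "__main__":
    try:
        plan = plan_bind(os.geteuid(), os.environ.get("KRB5CCNAME"),
                         allow_gssapi=True)
        print("would bind to %s via %s" % (plan.uri, plan.mechanism))
    except NotPermitted as exc:
        print("refusing to run: %s" % exc)
```

The check is on the effective uid, so a `sudo` or setuid wrapper is honoured, and a failed check raises rather than logging a warning and continuing, which matches the thread's objection to silently skipping a plugin the update depends on.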