summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPetr Viktorin <pviktori@redhat.com>2012-06-06 00:44:58 -0400
committerRob Crittenden <rcritten@redhat.com>2012-06-07 05:02:22 -0400
commit6f1baf8b16e5c74ec1d2a8d9ebbf41c979e2f2d5 (patch)
tree9538581b497a59205378d05351acdb6472fc7939
parent1fcbad4bcb6c3a98dc102c55bc17783ef7baff34 (diff)
downloadfreeipa-6f1baf8b16e5c74ec1d2a8d9ebbf41c979e2f2d5.zip
freeipa-6f1baf8b16e5c74ec1d2a8d9ebbf41c979e2f2d5.tar.gz
freeipa-6f1baf8b16e5c74ec1d2a8d9ebbf41c979e2f2d5.tar.xz
Only allow root to run update plugins
Several plugins need restarting the DS (or they currently do an external bind). Rather than disabling plugins (possibly partially), refuse to run them when run as an unprivileged user. This means running ipa-ldap-updater as non-root requires specifying a list of files, and omiting the --upgrade and --plugins options. https://fedorahosted.org/freeipa/ticket/2621
-rwxr-xr-xinstall/tools/ipa-ldap-updater30
-rw-r--r--ipaserver/install/plugins/updateclient.py3
2 files changed, 17 insertions, 16 deletions
diff --git a/install/tools/ipa-ldap-updater b/install/tools/ipa-ldap-updater
index bd2233a..197b840 100755
--- a/install/tools/ipa-ldap-updater
+++ b/install/tools/ipa-ldap-updater
@@ -83,14 +83,27 @@ def get_dirman_password():
def main():
badsyntax = False
upgradefailed = False
- run_plugins = False
safe_options, options, args = parse_options()
+ run_plugins = options.plugins
+
+ files = []
+ if len(args) > 0:
+ files = args
+
+ if len(files) < 1:
+ run_plugins = True
+
if os.getegid() == 0:
installutils.check_server_configuration()
- elif not os.path.exists('/etc/ipa/default.conf'):
- sys.exit("IPA is not configured on this system.")
+ else:
+ if not os.path.exists('/etc/ipa/default.conf'):
+ sys.exit("IPA is not configured on this system.")
+ if options.upgrade:
+ sys.exit('Upgrade can only be done as root')
+ if run_plugins:
+ sys.exit('Plugins can only be run as root.')
dirman_password = ""
if options.password:
@@ -115,17 +128,8 @@ def main():
api.bootstrap(**cfg)
api.finalize()
- files = []
- if len(args) > 0:
- files = args
-
- if len(files) < 1:
- run_plugins = True
-
updates = None
if options.upgrade:
- if os.getegid() != 0:
- sys.exit('Upgrade can only be done as root')
root_logger.debug('%s was invoked with arguments %s and options: %s' % (sys.argv[0], args, safe_options))
realm = krbV.default_context().default_realm
upgrade = IPAUpgrade(realm, files, live_run=not options.test)
@@ -134,7 +138,7 @@ def main():
badsyntax = upgrade.badsyntax
upgradefailed = upgrade.upgradefailed
else:
- ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test, ldapi=options.ldapi, plugins=options.plugins or run_plugins)
+ ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test, ldapi=options.ldapi, plugins=run_plugins)
if len(files) < 1:
files = ld.get_all_files(UPDATES_DIR)
modified = ld.update(files)
diff --git a/ipaserver/install/plugins/updateclient.py b/ipaserver/install/plugins/updateclient.py
index 8f463fa..a2a2ce2 100644
--- a/ipaserver/install/plugins/updateclient.py
+++ b/ipaserver/install/plugins/updateclient.py
@@ -165,9 +165,6 @@ class updateclient(backend.Executioner):
return self.Updater[method](**kw) #pylint: disable=E1101
def restart(self, dm_password, live_run):
- if os.getegid() != 0:
- self.log.warn("Not root, skipping restart")
- return
dsrestart = DSRestart()
socket_name = '/var/run/slapd-%s.socket' % \
api.env.realm.replace('.','-')