authorPetr Viktorin <pviktori@redhat.com>2012-06-06 00:44:58 -0400
committerRob Crittenden <rcritten@redhat.com>2012-06-07 05:02:22 -0400
commit6f1baf8b16e5c74ec1d2a8d9ebbf41c979e2f2d5 (patch)
tree9538581b497a59205378d05351acdb6472fc7939
parent1fcbad4bcb6c3a98dc102c55bc17783ef7baff34 (diff)
Only allow root to run update plugins
Several plugins need to restart the DS (or they currently do an external bind). Rather than disabling plugins (possibly partially), refuse to run them when invoked as an unprivileged user. This means running ipa-ldap-updater as non-root requires specifying a list of files and omitting the --upgrade and --plugins options. https://fedorahosted.org/freeipa/ticket/2621
-rwxr-xr-xinstall/tools/ipa-ldap-updater30
-rw-r--r--ipaserver/install/plugins/updateclient.py3
2 files changed, 17 insertions, 16 deletions
diff --git a/install/tools/ipa-ldap-updater b/install/tools/ipa-ldap-updater
index bd2233a94..197b840b0 100755
--- a/install/tools/ipa-ldap-updater
+++ b/install/tools/ipa-ldap-updater
@@ -83,14 +83,27 @@ def get_dirman_password():
def main():
badsyntax = False
upgradefailed = False
- run_plugins = False
safe_options, options, args = parse_options()
+ run_plugins = options.plugins
+
+ files = []
+ if len(args) > 0:
+ files = args
+
+ if len(files) < 1:
+ run_plugins = True
+
if os.getegid() == 0:
installutils.check_server_configuration()
- elif not os.path.exists('/etc/ipa/default.conf'):
- sys.exit("IPA is not configured on this system.")
+ else:
+ if not os.path.exists('/etc/ipa/default.conf'):
+ sys.exit("IPA is not configured on this system.")
+ if options.upgrade:
+ sys.exit('Upgrade can only be done as root')
+ if run_plugins:
+ sys.exit('Plugins can only be run as root.')
dirman_password = ""
if options.password:
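Review bot: The root gate that the new refusals depend on tests the effective group ID rather than the effective user ID: `if os.getegid() == 0:` on the context line above the new `else:` branch. A non-root user whose effective group is root (or a setgid-root invocation) passes it and is allowed to run plugins and --upgrade, while a root process running with a non-root effective group lands in the new `else:` branch and is wrongly told 'Plugins can only be run as root.' The test pre-dates this commit, but the commit makes it the sole privilege decision, so it should read `if os.geteuid() == 0:`. The password handling that follows continues outside the hunk.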
@@ -115,17 +128,8 @@ def main():
api.bootstrap(**cfg)
api.finalize()
- files = []
- if len(args) > 0:
- files = args
-
- if len(files) < 1:
- run_plugins = True
-
updates = None
if options.upgrade:
- if os.getegid() != 0:
- sys.exit('Upgrade can only be done as root')
root_logger.debug('%s was invoked with arguments %s and options: %s' % (sys.argv[0], args, safe_options))
realm = krbV.default_context().default_realm
upgrade = IPAUpgrade(realm, files, live_run=not options.test)
@@ -134,7 +138,7 @@ def main():
badsyntax = upgrade.badsyntax
upgradefailed = upgrade.upgradefailed
else:
- ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test, ldapi=options.ldapi, plugins=options.plugins or run_plugins)
+ ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test, ldapi=options.ldapi, plugins=run_plugins)
if len(files) < 1:
files = ld.get_all_files(UPDATES_DIR)
modified = ld.update(files)
diff --git a/ipaserver/install/plugins/updateclient.py b/ipaserver/install/plugins/updateclient.py
index 8f463fa69..a2a2ce2aa 100644
--- a/ipaserver/install/plugins/updateclient.py
+++ b/ipaserver/install/plugins/updateclient.py
@@ -165,9 +165,6 @@ class updateclient(backend.Executioner):
return self.Updater[method](**kw) #pylint: disable=E1101
def restart(self, dm_password, live_run):
- if os.getegid() != 0:
- self.log.warn("Not root, skipping restart")
- return
dsrestart = DSRestart()
socket_name = '/var/run/slapd-%s.socket' % \
api.env.realm.replace('.','-')
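Review bot: Removing the guard leaves restart() with no local privilege check at all, so any caller that reaches it without going through the new gate in ipa-ldap-updater will attempt the DS restart as an unprivileged user and fail somewhere inside DSRestart rather than with a clear message. Since the commit's intent is to refuse rather than silently skip, consider replacing the removed early return with a loud failure, e.g. `if os.geteuid() != 0:` / `raise RuntimeError('DS restart requires root')`, which keeps the plugin safe to invoke from other entry points and uses the effective uid rather than the gid the old check relied on. If `os` was only used by the removed check, the module-level import in updateclient.py may now be unused — worth verifying. The rest of restart() continues past the hunk.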