From 6f1baf8b16e5c74ec1d2a8d9ebbf41c979e2f2d5 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Wed, 6 Jun 2012 00:44:58 -0400
Subject: Only allow root to run update plugins Several plugins need restarting the DS (or they currently do an external bind). Rather than disabling plugins (possibly partially), refuse to run them when run as an unprivileged user. This means running ipa-ldap-updater as non-root requires specifying a list of files, and omiting the --upgrade and --plugins options. https://fedorahosted.org/freeipa/ticket/2621
---
 ipaserver/install/plugins/updateclient.py | 3 ---
 1 file changed, 3 deletions(-) (limited to 'ipaserver/install/plugins')
diff --git a/ipaserver/install/plugins/updateclient.py b/ipaserver/install/plugins/updateclient.py
index 8f463fa69..a2a2ce2aa 100644
--- a/ipaserver/install/plugins/updateclient.py
+++ b/ipaserver/install/plugins/updateclient.py
@@ -165,9 +165,6 @@ class updateclient(backend.Executioner):
 return self.Updater[method](**kw) #pylint: disable=E1101
 def restart(self, dm_password, live_run):
- if os.getegid() != 0:
- self.log.warn("Not root, skipping restart")
- return
 dsrestart = DSRestart()
 socket_name = '/var/run/slapd-%s.socket' % \
 api.env.realm.replace('.','-')
-- cgit