summaryrefslogtreecommitdiffstats
path: root/ipaserver
diff options
context:
space:
mode:
authorPetr Viktorin <pviktori@redhat.com>2012-06-06 00:44:58 -0400
committerRob Crittenden <rcritten@redhat.com>2012-06-07 05:02:22 -0400
commit6f1baf8b16e5c74ec1d2a8d9ebbf41c979e2f2d5 (patch)
tree9538581b497a59205378d05351acdb6472fc7939 /ipaserver
parent1fcbad4bcb6c3a98dc102c55bc17783ef7baff34 (diff)
downloadfreeipa-6f1baf8b16e5c74ec1d2a8d9ebbf41c979e2f2d5.tar.gz
freeipa-6f1baf8b16e5c74ec1d2a8d9ebbf41c979e2f2d5.tar.xz
freeipa-6f1baf8b16e5c74ec1d2a8d9ebbf41c979e2f2d5.zip
Only allow root to run update plugins
Several plugins need restarting the DS (or they currently do an external bind). Rather than disabling plugins (possibly partially), refuse to run them when run as an unprivileged user. This means running ipa-ldap-updater as non-root requires specifying a list of files, and omiting the --upgrade and --plugins options. https://fedorahosted.org/freeipa/ticket/2621
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/plugins/updateclient.py3
1 files changed, 0 insertions, 3 deletions
diff --git a/ipaserver/install/plugins/updateclient.py b/ipaserver/install/plugins/updateclient.py
index 8f463fa69..a2a2ce2aa 100644
--- a/ipaserver/install/plugins/updateclient.py
+++ b/ipaserver/install/plugins/updateclient.py
@@ -165,9 +165,6 @@ class updateclient(backend.Executioner):
return self.Updater[method](**kw) #pylint: disable=E1101
def restart(self, dm_password, live_run):
- if os.getegid() != 0:
- self.log.warn("Not root, skipping restart")
- return
dsrestart = DSRestart()
socket_name = '/var/run/slapd-%s.socket' % \
api.env.realm.replace('.','-')