author | Petr Viktorin <pviktori@redhat.com> | 2012-06-06 00:44:58 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-06-07 05:02:22 -0400 |
commit | 6f1baf8b16e5c74ec1d2a8d9ebbf41c979e2f2d5 (patch) | |
tree | 9538581b497a59205378d05351acdb6472fc7939 /ipaserver | |
parent | 1fcbad4bcb6c3a98dc102c55bc17783ef7baff34 (diff) | |
Only allow root to run update plugins
Several plugins need restarting the DS (or they currently do
an external bind).
Rather than disabling plugins (possibly partially), refuse
to run them when run as an unprivileged user.
This means running ipa-ldap-updater as non-root requires specifying
a list of files, and omitting the --upgrade and --plugins options.
https://fedorahosted.org/freeipa/ticket/2621
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/plugins/updateclient.py | 3 |
1 files changed, 0 insertions, 3 deletions
diff --git a/ipaserver/install/plugins/updateclient.py b/ipaserver/install/plugins/updateclient.py
index 8f463fa69..a2a2ce2aa 100644
--- a/ipaserver/install/plugins/updateclient.py
+++ b/ipaserver/install/plugins/updateclient.py
@@ -165,9 +165,6 @@ class updateclient(backend.Executioner):
 return self.Updater[method](**kw) #pylint: disable=E1101
 def restart(self, dm_password, live_run):
- if os.getegid() != 0:
- self.log.warn("Not root, skipping restart")
- return
 dsrestart = DSRestart()
 socket_name = '/var/run/slapd-%s.socket' % \
 api.env.realm.replace('.','-') |