Only allow root to run update plugins

Several plugins need restarting the DS (or they currently do an external bind). Rather than disabling plugins (possibly partially), refuse to run them when run as an unprivileged user. This means running ipa-ldap-updater as non-root requires specifying a list of files, and omiting the --upgrade and --plugins options. https://fedorahosted.org/freeipa/ticket/2621
2024-12-27 09:21:59 -06:00 · 2012-06-06 00:44:58 -04:00 · 2012-06-06 00:44:58 -04:00 · 6f1baf8b16
commit 6f1baf8b16
parent 1fcbad4bcb
2 changed files with 17 additions and 16 deletions
--- a/install/tools/ipa-ldap-updater
+++ b/install/tools/ipa-ldap-updater
@ -83,14 +83,27 @@ def get_dirman_password():
 def main():
    badsyntax = False
    upgradefailed = False
-    run_plugins = False

    safe_options, options, args = parse_options()

+    run_plugins = options.plugins
+
+    files = []
+    if len(args) > 0:
+        files = args
+
+    if len(files) < 1:
+        run_plugins = True
+
    if os.getegid() == 0:
        installutils.check_server_configuration()
-    elif not os.path.exists('/etc/ipa/default.conf'):
-        sys.exit("IPA is not configured on this system.")
+    else:
+        if not os.path.exists('/etc/ipa/default.conf'):
+            sys.exit("IPA is not configured on this system.")
+        if options.upgrade:
+            sys.exit('Upgrade can only be done as root')
+        if run_plugins:
+            sys.exit('Plugins can only be run as root.')

    dirman_password = ""
    if options.password:
@ -115,17 +128,8 @@ def main():
    api.bootstrap(**cfg)
    api.finalize()

-    files = []
-    if len(args) > 0:
-        files = args
-
-    if len(files) < 1:
-        run_plugins = True
-
    updates = None
    if options.upgrade:
-        if os.getegid() != 0:
-            sys.exit('Upgrade can only be done as root')
        root_logger.debug('%s was invoked with arguments %s and options: %s' % (sys.argv[0], args, safe_options))
        realm = krbV.default_context().default_realm
        upgrade = IPAUpgrade(realm, files, live_run=not options.test)
@ -134,7 +138,7 @@ def main():
        badsyntax = upgrade.badsyntax
        upgradefailed = upgrade.upgradefailed
    else:
-        ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test, ldapi=options.ldapi, plugins=options.plugins or run_plugins)
+        ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test, ldapi=options.ldapi, plugins=run_plugins)
        if len(files) < 1:
            files = ld.get_all_files(UPDATES_DIR)
        modified = ld.update(files)
--- a/ipaserver/install/plugins/updateclient.py
+++ b/ipaserver/install/plugins/updateclient.py
@ -165,9 +165,6 @@ class updateclient(backend.Executioner):
        return self.Updater[method](**kw) #pylint: disable=E1101

    def restart(self, dm_password, live_run):
-        if os.getegid() != 0:
-            self.log.warn("Not root, skipping restart")
-            return
        dsrestart = DSRestart()
        socket_name = '/var/run/slapd-%s.socket' % \
            api.env.realm.replace('.','-')