Only allow root to run update plugins
Several plugins need restarting the DS (or they currently do an external bind). Rather than disabling plugins (possibly partially), refuse to run them when run as an unprivileged user. This means running ipa-ldap-updater as non-root requires specifying a list of files, and omitting the --upgrade and --plugins options. https://fedorahosted.org/freeipa/ticket/2621
This commit is contained in:
parent
1fcbad4bcb
commit
6f1baf8b16
@ -83,14 +83,27 @@ def get_dirman_password():
|
|||||||
def main():
|
def main():
|
||||||
badsyntax = False
|
badsyntax = False
|
||||||
upgradefailed = False
|
upgradefailed = False
|
||||||
run_plugins = False
|
|
||||||
|
|
||||||
safe_options, options, args = parse_options()
|
safe_options, options, args = parse_options()
|
||||||
|
|
||||||
|
run_plugins = options.plugins
|
||||||
|
|
||||||
|
files = []
|
||||||
|
if len(args) > 0:
|
||||||
|
files = args
|
||||||
|
|
||||||
|
if len(files) < 1:
|
||||||
|
run_plugins = True
|
||||||
|
|
||||||
if os.getegid() == 0:
|
if os.getegid() == 0:
|
||||||
installutils.check_server_configuration()
|
installutils.check_server_configuration()
|
||||||
elif not os.path.exists('/etc/ipa/default.conf'):
|
else:
|
||||||
sys.exit("IPA is not configured on this system.")
|
if not os.path.exists('/etc/ipa/default.conf'):
|
||||||
|
sys.exit("IPA is not configured on this system.")
|
||||||
|
if options.upgrade:
|
||||||
|
sys.exit('Upgrade can only be done as root')
|
||||||
|
if run_plugins:
|
||||||
|
sys.exit('Plugins can only be run as root.')
|
||||||
|
|
||||||
dirman_password = ""
|
dirman_password = ""
|
||||||
if options.password:
|
if options.password:
|
||||||
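Review bot: The privilege gate `if os.getegid() == 0:` on the new side tests the effective group ID rather than the effective user ID, so an unprivileged account whose effective group is 0 would pass into check_server_configuration() and be allowed to run plugins and upgrades, while root running with a non-zero egid would be refused with 'Upgrade can only be done as root'. The old code used getegid as well, but this commit makes that test the sole thing standing between a non-root user and the plugin/upgrade paths, so it should read `if os.geteuid() == 0:`. The hunk in this section at the `if options.upgrade:` block correctly drops its own `os.getegid() != 0` check in favour of this one, which makes getting this single test right all the more important. main() continues past the end of this hunk.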
@ -115,17 +128,8 @@ def main():
|
|||||||
api.bootstrap(**cfg)
|
api.bootstrap(**cfg)
|
||||||
api.finalize()
|
api.finalize()
|
||||||
|
|
||||||
files = []
|
|
||||||
if len(args) > 0:
|
|
||||||
files = args
|
|
||||||
|
|
||||||
if len(files) < 1:
|
|
||||||
run_plugins = True
|
|
||||||
|
|
||||||
updates = None
|
updates = None
|
||||||
if options.upgrade:
|
if options.upgrade:
|
||||||
if os.getegid() != 0:
|
|
||||||
sys.exit('Upgrade can only be done as root')
|
|
||||||
root_logger.debug('%s was invoked with arguments %s and options: %s' % (sys.argv[0], args, safe_options))
|
root_logger.debug('%s was invoked with arguments %s and options: %s' % (sys.argv[0], args, safe_options))
|
||||||
realm = krbV.default_context().default_realm
|
realm = krbV.default_context().default_realm
|
||||||
upgrade = IPAUpgrade(realm, files, live_run=not options.test)
|
upgrade = IPAUpgrade(realm, files, live_run=not options.test)
|
||||||
@ -134,7 +138,7 @@ def main():
|
|||||||
badsyntax = upgrade.badsyntax
|
badsyntax = upgrade.badsyntax
|
||||||
upgradefailed = upgrade.upgradefailed
|
upgradefailed = upgrade.upgradefailed
|
||||||
else:
|
else:
|
||||||
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test, ldapi=options.ldapi, plugins=options.plugins or run_plugins)
|
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test, ldapi=options.ldapi, plugins=run_plugins)
|
||||||
if len(files) < 1:
|
if len(files) < 1:
|
||||||
files = ld.get_all_files(UPDATES_DIR)
|
files = ld.get_all_files(UPDATES_DIR)
|
||||||
modified = ld.update(files)
|
modified = ld.update(files)
|
||||||
|
@ -165,9 +165,6 @@ class updateclient(backend.Executioner):
|
|||||||
return self.Updater[method](**kw) #pylint: disable=E1101
|
return self.Updater[method](**kw) #pylint: disable=E1101
|
||||||
|
|
||||||
def restart(self, dm_password, live_run):
|
def restart(self, dm_password, live_run):
|
||||||
if os.getegid() != 0:
|
|
||||||
self.log.warn("Not root, skipping restart")
|
|
||||||
return
|
|
||||||
dsrestart = DSRestart()
|
dsrestart = DSRestart()
|
||||||
socket_name = '/var/run/slapd-%s.socket' % \
|
socket_name = '/var/run/slapd-%s.socket' % \
|
||||||
api.env.realm.replace('.','-')
|
api.env.realm.replace('.','-')
|
||||||
|
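Review bot: restart() keeps no privilege check of its own after this hunk, so a non-root caller now proceeds straight to DSRestart() instead of logging "Not root, skipping restart" and returning; the method relies on the caller having already refused unprivileged users, which presumably is the ipa-ldap-updater main() change in this commit, but nothing at this definition records that. A one-line docstring stating the precondition would make it visible to the next caller: `"""Restart the directory server; must run as root (callers enforce this)."""`. The rest of restart's body continues past the end of this hunk.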