#2621 ipa-ldap-updater plugin fix_replica_memberof.py requires root
Closed: Fixed. Opened 12 years ago by rcritten.

It always does a SASL EXTERNAL bind which requires root:

$ ipa-ldap-updater 
Directory Manager password:

ipa         : INFO     PRE_UPDATE
Traceback (most recent call last):
  File "/usr/sbin/ipa-ldap-updater", line 160, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-ldap-updater", line 140, in main
    modified = ld.update(files)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 792, in update
    updates = api.Backend.updateclient.update(PRE_UPDATE, self.dm_password, self.ldapi, self.live_run)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 135, in update
    (restart, apply_now, res) = self.run(update.name, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 165, in run
    return self.Updater[method](**kw) #pylint: disable=E1101
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1398, in __call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_replica_memberof.py", line 44, in execute
    conn.do_external_bind(pwd.getpwuid(os.geteuid()).pw_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 387, in do_external_bind
    self.__bind_with_wait(self.sasl_interactive_bind_s, timeout, '', auth_tokens)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 347, in __bind_with_wait
    bind_func(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 227, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.INAPPROPRIATE_AUTH: {'info': 'SASL EXTERNAL bind requires an SSL connection', 'desc': 'Inappropriate authentication'}

master: 6f1baf8

Only allow root to run update plugins

Several plugins need to restart the DS (or they currently do an external bind).
Rather than disabling plugins (possibly partially), refuse to run them when run as an unprivileged user.

This means running ipa-ldap-updater as non-root requires specifying a list of files, and omitting the --upgrade and --plugins options.
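The fix described in the commit message is a privilege gate: decide up front whether the caller may run update plugins at all, instead of discovering mid-run that a SASL EXTERNAL bind or a DS restart is impossible for an unprivileged user. The following is an added example, not FreeIPA's code; the option names (--upgrade, --plugins, an explicit file list) come from the ticket, while the function names, the return structure and the "simple bind for non-root" rule are assumptions used for illustration.

```python
import os

# Constructed example modelling the privilege gate described in the ticket.
# Not FreeIPA's implementation; names and return shape are assumptions.


class PrivilegeError(Exception):
    """Raised when an unprivileged user asks for something only root may do."""


def choose_bind(euid):
    """SASL EXTERNAL bind is only usable by root here (see the traceback);
    assume everyone else authenticates with the Directory Manager password."""
    return "external" if euid == 0 else "simple"


def plan_update(euid, files, upgrade=False, plugins=False):
    """Decide how an ipa-ldap-updater-style run may proceed.

    Root may do anything. A non-root user may only apply an explicit list of
    update files and must not request --upgrade or --plugins, because the
    update plugins need a DS restart or an external bind. Checking before any
    work starts avoids running a plugin set only partially.
    """
    wants_plugins = bool(upgrade or plugins)
    if euid != 0:
        if wants_plugins:
            raise PrivilegeError(
                "update plugins (--upgrade/--plugins) require root")
        if not files:
            raise PrivilegeError(
                "non-root runs must name the update files to apply")
    return {
        "bind": choose_bind(euid),
        "run_plugins": wants_plugins,
        "files": list(files),
    }


def rejected(euid, files, **options):
    """True if plan_update refuses this combination (helper for checks)."""
    try:
        plan_update(euid, files, **options)
    except PrivilegeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample invocation with a placeholder update file name.
    print(plan_update(os.geteuid(), ["99-example.update"]))
```

The point of refusing early is that the caller sees one clear error before anything is modified, rather than a traceback from deep inside a bind call after some plugins have already run.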

Metadata Update from @rcritten:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 3.0 Beta 1

7 years ago

