Bug 967036
Summary: | [RFE]realmd cannot join a domain executed under local user account | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Patrik Kis <pkis> |
Component: | realmd | Assignee: | Stef Walter <stefw> |
Status: | CLOSED WONTFIX | QA Contact: | Patrik Kis <pkis> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 7.1 | Keywords: | FutureFeature |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Enhancement |
Doc Text: | | Story Points: | --- |
Clone Of: | 867807 | Environment: | |
Last Closed: | 2015-04-14 10:06:52 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 867807, 959864 | | |
Bug Blocks: | | | |
Description
Patrik Kis
2013-05-24 14:43:45 UTC
I have no plans to fix this for RHEL 7.0. It is unlikely to be fixed. In order to accomplish this I need to fix Polkit and various other bits.

Not a priority in my opinion.

This bug tells the user they are not authorized. The typical sysadmin response to such an error is to become root or run the command as sudo. This solves the issue.

Running system commands as non-root users, and being prompted for privilege escalation is a nice touch. As of now this works from within a terminal running in a GUI desktop, but not when ssh'd into the machine or using a VT.

But again this deficiency does not detract from the experience, is not core functionality and in my opinion too invasive to fix for RHEL 7.0 at this point.

(In reply to Stef Walter from comment #1)
> I have no plans to fix this for RHEL 7.0. It is unlikely to be fixed. In
> order to accomplish this I need to fix Polkit and various other bits.
>
> Not a priority in my opinion.
>
> This bug tells the user they are not authorized. The typical sysadmin
> response to such an error is to become root or run the command as sudo.
> This solves the issue.
>
> Running system commands as non-root users, and being prompted for privilege
> escalation is a nice touch. As of now this works from within a terminal
> running in a GUI desktop, but not when ssh'd into the machine or using a VT.
>
> But again this deficiency does not detract from the experience, is not core
> functionality and in my opinion too invasive to fix for RHEL 7.0 at this
> point.

I must agree; this is not a priority at all.
But what maybe could be fixed in RHEL-7.0 is to reject realm join immediately when a non-privileged user runs it.

I'm keeping this bug open for RHEL-7.1 and opened a new one for RHEL-7.0 for the immediate reject: bug 967530.

(In reply to Patrik Kis from comment #2)
> (In reply to Stef Walter from comment #1)
> > I have no plans to fix this for RHEL 7.0. It is unlikely to be fixed. In
> > order to accomplish this I need to fix Polkit and various other bits.
> >
> > Not a priority in my opinion.
> >
> > This bug tells the user they are not authorized. The typical sysadmin
> > response to such an error is to become root or run the command as sudo.
> > This solves the issue.
> >
> > Running system commands as non-root users, and being prompted for privilege
> > escalation is a nice touch. As of now this works from within a terminal
> > running in a GUI desktop, but not when ssh'd into the machine or using a VT.
> >
> > But again this deficiency does not detract from the experience, is not core
> > functionality and in my opinion too invasive to fix for RHEL 7.0 at this
> > point.
>
> I must agree; this is not a priority at all.
> But what maybe could be fixed in RHEL-7.0 is to reject realm join
> immediately when a non-privileged user runs it.

The actual Join() command will return as unauthorized immediately if the caller is not authorized. However 'realm join' does a Discover() first, which by default does not require special privileges. So it's not trivial to add a hack to detect the fact that Join() will fail before we've run Discover().

> The actual Join() command will return as unauthorized immediately if the
> caller is not authorized. However 'realm join' does a Discover() first,
> which by default does not require special privileges. So it's not trivial to
> add a hack to detect the fact that Join() will fail before we've run
> Discover().

I see. It has really low priority; it would just give a little more comfort for admins but it is not a blocking issue for me. Feel free to reject the bug 967530, if you think the required change would involve more risk than the result benefit would be.

*** Bug 967530 has been marked as a duplicate of this bug. ***

Agree. Won't be able to fix this for RHEL 7.0, but we should work on this for a later release.

After considering this, it should be WONTFIX.

The user's session should be set up correctly for polkit in order to make use of privilege escalation. If not, then the user can use root or sudo.