On 2016-11-11 18:33, Rob Crittenden wrote: > Martin Basti wrote: >> 2) if I understand correctly, you want to separate client installer code >> and client CLI code. In past we had freeipa-admintools but it was >> removed because it was really tightly bounded to installed client. Do >> you want to revive it and make it independent? > > The admintools package consisted only of the ipa command so I don't see > the relevance. > > This should have no impact on the installers. I think the only proposal > is to ignore the IPA_CONFDIR variable in all installer contexts. I think > I'd prefer it if it were simply wiped from the environment on startup of > *install commands prior to bootstrap so it can't leak it at all.
With the latest patch, all installers, updaters and similar tools with an exception when a IPA_CONFDIR env var is present. I have also considered to fail for geteuid() == 0. On the other hand the env var is useful for containered application and people sure love to run all their containers as root.
signature.asc
Description: OpenPGP digital signature
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code