On Tue, 13 May 2025, Данила Скачедубов via FreeIPA-users wrote:
Good day! I am writing a plugin for ipaserver and would like to know whether I can implement the creation/editing of files/folders in this plugin. I tried to find such practices in other plugins but couldn't find any. Could you please tell me whether I can do this at all, and if so, where I can see an example of how to implement it properly, for example using the os library? I would also like to ask which user permissions this will run under, and what the most effective way to debug code during development is.
The IPA API endpoint runs under the 'ipaapi' user under the Apache server. It has no particular rights, so in order to escalate privileges we use oddjobd. You can look at `install/oddjob/` in the source code. For example, the `install/oddjob/org.freeipa.server.config-enable-sid.in` script is configured using the `install/oddjob/etc/oddjobd.conf.d/ipa-server.conf.in` oddjobd configuration file. It is then called from `config_mod._enable_sid()` via a DBUS call to the oddjob service.

There are a few nuances there if you need to pass some parameters, as oddjobd-executed helpers cannot have variable arguments, so we have to define a maximum possible set of arguments and pad them in the DBUS call.

The helper script executed through the oddjobd interface will run as root and must have a proper SELinux policy context configured:

$ git grep oddjob selinux
selinux/ipa.fc:/usr/libexec/ipa/oddjob/com\.redhat\.idm.* -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
selinux/ipa.fc:/usr/libexec/ipa/oddjob/org\.freeipa.* -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
selinux/ipa.te: oddjob_system_entry(ipa_helper_t, ipa_helper_exec_t)
selinux/ipa.te: type oddjob_t;
selinux/ipa.te: ipa_helper_noatsecure(oddjob_t)

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
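The oddjobd round trip described in the reply above, as an added illustration that is not part of the original message and not FreeIPA's own code. It shows both sides of the fixed-arity argument passing: the caller (running as the unprivileged 'ipaapi' user) pads its argument list to the helper's declared arity before the D-Bus call, and the helper (running as root under oddjobd) strips the padding and validates every argument, because anything it receives comes from an unprivileged process. The bus/interface name `org.example.ipa`, the method name `plugin_write_file`, `MAX_ARGS = 4`, the base directory and the `(status, stdout, stderr)` return shape are assumptions chosen for the example; the real definitions for FreeIPA's own helpers live under `install/oddjob/`.

```python
"""Added illustration (not FreeIPA code) of calling a root helper via oddjobd.

Caller side: runs as 'ipaapi' inside the IPA API process.
Helper side: runs as root, launched by oddjobd, so its arguments are untrusted.

Assumed names: bus/interface 'org.example.ipa', method 'plugin_write_file',
MAX_ARGS = 4, base directory /var/lib/ipa/plugin-data.
"""
import os

# Helpers launched by oddjobd have a fixed argument count, so the caller
# pads with empty strings and the helper treats '' as "not supplied".
MAX_ARGS = 4


def pad_args(args, max_args=MAX_ARGS):
    """Caller side: stringify `args` and pad with '' up to `max_args`."""
    args = [str(a) for a in args]
    if len(args) > max_args:
        raise ValueError("%d arguments exceed helper arity %d" % (len(args), max_args))
    return args + [""] * (max_args - len(args))


def unpad_args(argv):
    """Helper side: drop the trailing '' padding added by pad_args."""
    args = list(argv)
    while args and args[-1] == "":
        args.pop()
    return args


def call_helper(args, method="plugin_write_file",
                bus_name="org.example.ipa", interface="org.example.ipa"):
    """Invoke the oddjobd-exported method from the unprivileged API process.

    Assumption: the helper's exit status, stdout and stderr come back as a
    (status, stdout, stderr) triple; check oddjobd.conf(5) for your version.
    """
    import dbus  # lazy import: only present on a host with oddjobd and python3-dbus
    bus = dbus.SystemBus()
    obj = bus.get_object(bus_name, "/")
    iface = dbus.Interface(obj, interface)
    status, out, err = getattr(iface, method)(*pad_args(args))
    if int(status) != 0:
        raise RuntimeError("%s failed (%d): %s" % (method, int(status), err))
    return str(out)


def validate_target(relpath, base_dir):
    """Resolve `relpath` under `base_dir` and refuse anything that escapes it.

    The helper runs as root and its arguments come from 'ipaapi', so an
    unchecked path would let the unprivileged caller write anywhere.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relpath))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError("refusing path outside %s: %r" % (base_dir, relpath))
    return target


def helper_main(argv, base_dir):
    """Helper entry point: `argv` is the padded list oddjobd hands over.

    Writes `content` to `base_dir/relpath` with mode 0640 and returns an
    exit status (0 ok, 2 usage error, 3 rejected path) for oddjobd to relay.
    """
    args = unpad_args(argv)
    if not 1 <= len(args) <= 2:
        return 2  # usage: relpath [content]
    relpath = args[0]
    content = args[1] if len(args) == 2 else ""
    try:
        target = validate_target(relpath, base_dir)
    except ValueError:
        return 3
    os.makedirs(os.path.dirname(target), mode=0o750, exist_ok=True)
    with open(target, "w") as fh:
        fh.write(content)
    os.chmod(target, 0o640)
    return 0


if __name__ == "__main__":
    import sys
    # Assumes oddjobd is configured to pass the padded arguments on the
    # command line; the base directory is an assumption for this example.
    sys.exit(helper_main(sys.argv[1:], "/var/lib/ipa/plugin-data"))
```

A helper installed under /usr/libexec/ipa/oddjob/ with an org.freeipa.* file name is matched by the selinux/ipa.fc patterns quoted above, which is what gives it the ipa_helper_exec_t context that oddjobd is allowed to transition into; a helper placed elsewhere will not get that label and will fail under enforcing mode even if the oddjobd configuration is correct.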
