From 5a729c0902813b91473fda585d1d22dae6d3e549 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 16 Jun 2022 11:01:02 -0400
Subject: [PATCH] Require root to run ipa-healthcheck

The vast majority of checks require root access so enforce
it at run time.

This won't affect other runtimes that use healthcheck-core.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/148

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
 src/ipahealthcheck/core/main.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/ipahealthcheck/core/main.py b/src/ipahealthcheck/core/main.py
index 741118b5..4a5dba8c 100644
--- a/src/ipahealthcheck/core/main.py
+++ b/src/ipahealthcheck/core/main.py
@@ -2,7 +2,7 @@
 # Copyright (C) 2019 FreeIPA Contributors see COPYING for license
 #
 
-from os import environ
+import os
 import sys
 
 from ipahealthcheck.core import constants
@@ -43,8 +43,10 @@ def add_options(self):
 
 
 def main():
-    environ["KRB5_CLIENT_KTNAME"] = "/etc/krb5.keytab"
-    environ["KRB5CCNAME"] = "MEMORY:"
+    if not os.getegid() == 0:
+        sys.exit("\nYou must be root to run this script.\n")
+    os.environ["KRB5_CLIENT_KTNAME"] = "/etc/krb5.keytab"
+    os.environ["KRB5CCNAME"] = "MEMORY:"
 
     ipachecks = IPAChecks(['ipahealthcheck.registry',
                            'pkihealthcheck.registry'],