[389-devel] Ticket #47384 (plugin library path validation) and out-of-tree modules
Nalin Dahyabhai
nalin at redhat.com
Tue Nov 19 18:06:12 UTC 2013
On Tue, Nov 19, 2013 at 10:05:13AM -0700, Rich Megginson wrote:
> On 11/19/2013 09:44 AM, Nalin Dahyabhai wrote:
> >The language in the ticket description's pretty firm that this isn't
> >going to be changed, and while I can _probably_ work around it on my
> >end, I figured I'd ask here before going down that route: is there room
> >to expand this check to a whitelist, a search path, or some other method
> >that could be used to provide for my use case?
>
> Sure. Please file a ticket. We can figure out some way to hack
> this for testing. What would you suggest?
Great! I've opened ticket #47601 for this, and we can continue there if
you like. In case there's more to discuss on the list, here are the
options that come to mind:
* When checking a modify request, only check the nsslapd-pluginPath
value if it shows up in the mods list.
* Add a run-time-configurable whitelist of acceptable locations.
* Replace the check with logic to go ahead and try loading the module,
unloading it if the load succeeds.
I haven't tried any of these, but I think any of them would be enough.
Thanks,
Nalin
More information about the 389-devel
mailing list