dirsrvtests/suites/dynamic-plugins/test_dynamic_plugins.py | 7 +++++++
ldap/servers/slapd/plugin.c | 13 ++++++++-----
2 files changed, 15 insertions(+), 5 deletions(-)
New commits:
commit 1fe0088d6bdef7e1ad02ef0b27bb451ec61f8be6
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Thu Apr 30 15:17:55 2015 -0400
Ticket 48177 - dynamic plugins should not return an error when modifying a critical plugin
Bug Description: When dynamic plugins are enabled, any update to a "critical" plugin
is rejected.
Fix Description: The operation should still be allowed, even though the change might
not be dynamically applied. Log an error instead stating that a
restart might be required.
https://fedorahosted.org/389/ticket/48177
Reviewed by: rmeggins(Thanks!)
(cherry picked from commit aa0588ee576d75ac6802c1775a5aa7558957ab48)
diff --git a/dirsrvtests/suites/dynamic-plugins/test_dynamic_plugins.py b/dirsrvtests/suites/dynamic-plugins/test_dynamic_plugins.py
index a2a174b..f5fc6f5 100644
--- a/dirsrvtests/suites/dynamic-plugins/test_dynamic_plugins.py
+++ b/dirsrvtests/suites/dynamic-plugins/test_dynamic_plugins.py
@@ -169,6 +169,13 @@ def test_dynamic_plugins(topology):
ldap.fatal('Failed to enable dynamic plugin!' + e.message['desc'])
assert False
+ # Test that critical plugins can be updated even though the change might not be applied
+ try:
+ topology.standalone.modify_s(DN_LDBM, [(ldap.MOD_REPLACE, 'description', 'test')])
+ except ldap.LDAPError, e:
+ ldap.fatal('Failed to apply change to critical plugin' + e.message['desc'])
+ assert False
+
while 1:
#
# First run the tests with replication disabled, then rerun them with replication set up
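Review bot: The added `except ldap.LDAPError` branch calls `ldap.fatal(...)`, but `ldap` here is the python-ldap module (it supplies `ldap.MOD_REPLACE` and `ldap.LDAPError`), which as far as I know has no `fatal` function. A rejected modify would therefore surface as an `AttributeError` rather than the intended message. If the file has a module logger (not visible in this hunk; placeholder name `log`), the line should read `log.fatal('Failed to apply change to critical plugin: ' + e.message['desc'])`, which also adds the missing separator before the description. The test only checks that the modify returns success; asserting that `description` now holds the new value would confirm the change was stored and not silently dropped. The same hunk appears again in commit aa0588ee, and the body of test_dynamic_plugins continues outside it.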
diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
index 2b3428e..e54c01d 100644
--- a/ldap/servers/slapd/plugin.c
+++ b/ldap/servers/slapd/plugin.c
@@ -2308,12 +2308,15 @@ plugin_restart(Slapi_Entry *pentryBefore, Slapi_Entry *pentryAfter)
char returntext[SLAPI_DSE_RETURNTEXT_SIZE];
int rc = LDAP_SUCCESS;
- /* We can not restart the critical plugins */
+ /*
+ * We can not restart a critical plugin, but the operation should still
+ * be allowed
+ */
if(plugin_is_critical(pentryBefore)){
- LDAPDebug(LDAP_DEBUG_PLUGIN, "plugin_restart: Plugin (%s) is critical to server operation. "
- "Any changes will not take effect until the server is restarted.\n",
- slapi_entry_get_dn(pentryBefore),0,0);
- return 1; /* failure - dse code will log a fatal message */
+ LDAPDebug(LDAP_DEBUG_ANY, "plugin_restart: Plugin (%s) is critical "
+ "to server operation. Server requires restart for changes to "
+ "take effect.\n", slapi_entry_get_dn(pentryBefore),0,0);
+ return 0;
}
slapi_rwlock_wrlock(global_rwlock);
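Review bot: The new `return 0;` in the `plugin_is_critical(pentryBefore)` branch makes "restarted" and "accepted but deferred until server restart" look the same to the caller, and unlike the line it replaces it has no comment explaining the return value. I would add one, for example `return 0; /* success - change is stored but not applied until restart */`. This path returns before `pentryAfter` is looked at, so any validation done later in plugin_restart (the body continues outside the hunk) is presumably skipped for critical plugins, and a bad setting would only show up at the next startup. It is worth confirming that the modify path validates these entries elsewhere. The same hunk appears again in commit aa0588ee.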
dirsrvtests/suites/dynamic-plugins/test_dynamic_plugins.py | 7 +++++++
ldap/servers/slapd/plugin.c | 13 ++++++++-----
2 files changed, 15 insertions(+), 5 deletions(-)
New commits:
commit aa0588ee576d75ac6802c1775a5aa7558957ab48
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Thu Apr 30 15:17:55 2015 -0400
Ticket 48177 - dynamic plugins should not return an error when modifying a critical plugin
Bug Description: When dynamic plugins are enabled, any update to a "critical" plugin
is rejected.
Fix Description: The operation should still be allowed, even though the change might
not be dynamically applied. Log an error instead stating that a
restart might be required.
https://fedorahosted.org/389/ticket/48177
Reviewed by: rmeggins(Thanks!)
diff --git a/dirsrvtests/suites/dynamic-plugins/test_dynamic_plugins.py b/dirsrvtests/suites/dynamic-plugins/test_dynamic_plugins.py
index 6567f47..26f4225 100644
--- a/dirsrvtests/suites/dynamic-plugins/test_dynamic_plugins.py
+++ b/dirsrvtests/suites/dynamic-plugins/test_dynamic_plugins.py
@@ -111,6 +111,13 @@ def test_dynamic_plugins(topology):
ldap.fatal('Failed to enable dynamic plugin!' + e.message['desc'])
assert False
+ # Test that critical plugins can be updated even though the change might not be applied
+ try:
+ topology.standalone.modify_s(DN_LDBM, [(ldap.MOD_REPLACE, 'description', 'test')])
+ except ldap.LDAPError, e:
+ ldap.fatal('Failed to apply change to critical plugin' + e.message['desc'])
+ assert False
+
while 1:
#
# First run the tests with replication disabled, then rerun them with replication set up
diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
index 2b3428e..e54c01d 100644
--- a/ldap/servers/slapd/plugin.c
+++ b/ldap/servers/slapd/plugin.c
@@ -2308,12 +2308,15 @@ plugin_restart(Slapi_Entry *pentryBefore, Slapi_Entry *pentryAfter)
char returntext[SLAPI_DSE_RETURNTEXT_SIZE];
int rc = LDAP_SUCCESS;
- /* We can not restart the critical plugins */
+ /*
+ * We can not restart a critical plugin, but the operation should still
+ * be allowed
+ */
if(plugin_is_critical(pentryBefore)){
- LDAPDebug(LDAP_DEBUG_PLUGIN, "plugin_restart: Plugin (%s) is critical to server operation. "
- "Any changes will not take effect until the server is restarted.\n",
- slapi_entry_get_dn(pentryBefore),0,0);
- return 1; /* failure - dse code will log a fatal message */
+ LDAPDebug(LDAP_DEBUG_ANY, "plugin_restart: Plugin (%s) is critical "
+ "to server operation. Server requires restart for changes to "
+ "take effect.\n", slapi_entry_get_dn(pentryBefore),0,0);
+ return 0;
}
slapi_rwlock_wrlock(global_rwlock);
New branch '389-ds-base-1.3.3.10-CVE-2015-1854' available with the following commits:
commit 81b56c2e129c42e1b94024aeabe71f1b3ade1e6a
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Apr 28 10:16:17 2015 -0700
bump version to 1.3.3.10
commit 886ae7eb6f5bace39105129098833f828d617855
Author: Thierry Bordaz <tbordaz(a)redhat.com>
Date: Tue Apr 14 16:24:44 2015 +0200
CVE-2015-1854 389ds-base: access control bypass with modrdn
Bug Description:
The 47553 fix checks the write access right only if the RDN is
modified. This allows entries to be renamed even if the
authenticated user is not allowed to do so.
Fix Description:
Roll back a wrong optimization that tested the write access
only if RDN value was changed.
https://fedorahosted.org/389/ticket/47553
Reviewed by: ?
Platforms tested: F17 (upstream test)
Flag Day: no
Doc impact: no
(cherry picked from commit 44e5c0998bdf7dcb167e8472713ff393b776e4e3)
Conflicts:
dirsrvtests/tickets/ticket47553_single_aci_test.py