[389-devel] Ticket #47384 (plugin library path validation) and out-of-tree modules

Rich Megginson rmeggins at redhat.com
Tue Nov 19 17:05:13 UTC 2013


On 11/19/2013 09:44 AM, Nalin Dahyabhai wrote:
> Hi, everyone.
>
> I was recently adding a couple of changes to slapi-nis, and when I went
> to run its self-tests, some of the tests that modify the plugin entry
> started failing with LDAP_UNWILLING_TO_PERFORM.  I tracked the denial
> down to validation code that was added as part of ticket #47384.
>
> While the tests don't modify the nsslapd-pluginPath attribute (the
> entry's added to dse.ldif before the server starts up), some make other
> changes to the plugin entry, and when they attempt that,
> check_plugin_path() rejects the modify request.
>
> The checks that were added, which ensure that plugins are only loaded
> from the server's plugin directory, make it kind of difficult to run
> tests using the copies of plugins in my build tree.
>
> The language in the ticket description's pretty firm that this isn't
> going to be changed, and while I can _probably_ work around it on my
> end, I figured I'd ask here before going down that route:  is there room
> to expand this check to a whitelist, a search path, or some other method
> that could be used to provide for my use case?
Sure.  Please file a ticket.  We can figure out some way to hack this 
for testing.  What would you suggest?

>
> Thanks,
>
> Nalin
> --
> 389-devel mailing list
> 389-devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-devel



More information about the 389-devel mailing list