[389-devel] Ticket #47384 (plugin library path validation) and out-of-tree modules

Rich Megginson rmeggins at redhat.com
Tue Nov 19 18:10:41 UTC 2013


On 11/19/2013 11:06 AM, Nalin Dahyabhai wrote:
> On Tue, Nov 19, 2013 at 10:05:13AM -0700, Rich Megginson wrote:
>> On 11/19/2013 09:44 AM, Nalin Dahyabhai wrote:
>>> The language in the ticket description's pretty firm that this isn't
>>> going to be changed, and while I can _probably_ work around it on my
>>> end, I figured I'd ask here before going down that route:  is there room
>>> to expand this check to a whitelist, a search path, or some other method
>>> that could be used to provide for my use case?
>> Sure.  Please file a ticket.  We can figure out some way to hack
>> this for testing.  What would you suggest?
> Great!  I've opened ticket #47601 for this, and we can continue there if
> you like.
Yes.
> In case there's more to discuss on the list, here are the
> options that come to mind:
> * When checking a modify request, only check the nsslapd-pluginPath
>    value if it shows up in the mods list.
> * Add a run-time-configurable whitelist of acceptable locations.
> * Replace the check with logic to go ahead and try loading the module,
>    unloading it if the load succeeds.
>
> I haven't tried any of these, but I think any of them would be enough.
>
> Thanks,
>
> Nalin



More information about the 389-devel mailing list