[389-devel] Ticket #47384 (plugin library path validation) and out-of-tree modules
Rich Megginson
rmeggins at redhat.com
Tue Nov 19 18:10:41 UTC 2013
On 11/19/2013 11:06 AM, Nalin Dahyabhai wrote:
> On Tue, Nov 19, 2013 at 10:05:13AM -0700, Rich Megginson wrote:
>> On 11/19/2013 09:44 AM, Nalin Dahyabhai wrote:
>>> The language in the ticket description's pretty firm that this isn't
>>> going to be changed, and while I can _probably_ work around it on my
>>> end, I figured I'd ask here before going down that route: is there room
>>> to expand this check to a whitelist, a search path, or some other method
>>> that could be used to provide for my use case?
>> Sure. Please file a ticket. We can figure out some way to hack
>> this for testing. What would you suggest?
> Great! I've opened ticket #47601 for this, and we can continue there if
> you like.
Yes.
> In case there's more to discuss on the list, here are the
> options that come to mind:
> * When checking a modify request, only check the nsslapd-pluginPath
> value if it shows up in the mods list.
> * Add a run-time-configurable whitelist of acceptable locations.
> * Replace the check with logic to go ahead and try loading the module,
> unloading it if the load succeeds.
>
> I haven't tried any of these, but I think any of them would be enough.
>
> Thanks,
>
> Nalin
More information about the 389-devel
mailing list