Bug 1044172

Summary: Plugin library path validation prevents intentional loading of out-of-tree modules
Product: Red Hat Enterprise Linux 7
Reporter: Nathan Kinder <nkinder>
Component: 389-ds-base
Assignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA
QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified
Docs Contact:
Priority: low
Version: 7.0
CC: amsharma, mreynolds, nhosoi
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 389-ds-base-1.3.3.1-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 09:32:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Nathan Kinder 2013-12-17 21:40:40 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47601

Ticket #47384 adds some sanity testing to the value of nsslapd-pluginPath when a plugin entry is added or modified.  This is tripping up the slapi-nis self-tests which involve modifying the plugin entry (the plugin entry is added to dse.ldif offline), as the server now returns an unwilling-to-perform error in response to the modify request when it succeeded before.

I think that any of these would work:
* When checking a modify request, only sanity-check nsslapd-pluginPath when it shows up in the list of mods.
* Add a run-time-configurable whitelist of locations where plugins could be found.
* Replace the pathname check with a stat() call or a dlopen(RTLD_NOW) equivalent, to see if it can be loaded (with dlopen() followed by an immediate dlclose()).

Comment 6 Amita Sharma 2015-01-09 09:17:20 UTC
Seems that selinux was the culprit.
[root@dhcp201-126 ~]# cp /usr/lib64/dirsrv/plugins/libautomember-plugin.so /tmp
[root@dhcp201-126 ~]# getenforce 
Enforcing
[root@dhcp201-126 ~]# setenforce 0
[root@dhcp201-126 ~]# ls -al /tmp
total 96
drwxrwxrwt.  9 root root  4096 Jan  9 14:46 .
dr-xr-xr-x. 19 root root  4096 Nov  5 18:57 ..
drwxrwxrwt.  2 root root     6 Nov  5 13:35 .font-unix
drwxrwxrwt.  2 root root     6 Nov  5 13:35 .ICE-unix
-rwxr-xr-x.  1 root root 45120 Jan  9 14:46 libautomember-plugin.so
-rw-------.  1 root root  5495 Jan  6 16:35 setup0Xa3ia.log
-rw-------.  1 root root  5495 Dec 30 13:11 setupAziFGz.log
-rw-------.  1 root root  1524 Jan  9 12:39 setupeNbm8D.log
-rw-------.  1 root root  5635 Jan  9 12:40 setupotKmaL.log
-rw-------.  1 root root  1524 Jan  5 13:56 setupPCo5sN.log
-rw-------.  1 root root  6852 Jan  5 13:56 setupZ2iB6r.log
drwx------.  3 root root    16 Nov 10 13:15 systemd-private-nLBTOZ
drwx------.  3 root root    16 Dec 22 17:11 systemd-private-yCZgiJ
drwxrwxrwt.  2 root root     6 Nov  5 13:35 .Test-unix
drwxrwxrwt.  2 root root     6 Nov  5 13:35 .X11-unix
drwxrwxrwt.  2 root root     6 Nov  5 13:35 .XIM-unix

[root@dhcp201-126 ~]# chmod 777 /tmp/libautomember-plugin.so 
[root@dhcp201-126 ~]# ldapmodify -x -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=Auto Membership Plugin,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-pluginPath
> nsslapd-pluginPath: /tmp/libautomember-plugin.so
> EOF
modifying entry "cn=Auto Membership Plugin,cn=plugins,cn=config"

[root@dhcp201-126 ~]# /usr/lib64/dirsrv/slapd-dhcp201-126/stop-slapd 
[root@dhcp201-126 ~]# /usr/lib64/dirsrv/slapd-dhcp201-126/start-slapd 
[root@dhcp201-126 ~]# 

Hence VERIFIED.

Comment 8 errata-xmlrpc 2015-03-05 09:32:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html