RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1044172 - Plugin library path validation prevents intentional loading of out-of-tree modules
Summary: Plugin library path validation prevents intentional loading of out-of-tree mo...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: Unspecified
OS: Unspecified
low
unspecified
Target Milestone: rc
: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-12-17 21:40 UTC by Nathan Kinder
Modified: 2020-09-13 20:50 UTC (History)
3 users (show)

Fixed In Version: 389-ds-base-1.3.3.1-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 09:32:20 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 938 0 None None None 2020-09-13 20:50:51 UTC
Red Hat Product Errata RHSA-2015:0416 0 normal SHIPPED_LIVE Important: 389-ds-base security, bug fix, and enhancement update 2015-03-05 14:26:33 UTC

Description Nathan Kinder 2013-12-17 21:40:40 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47601

Ticket #47384 adds some sanity testing to the value of nsslapd-pluginPath when a plugin entry is added or modified.  This is tripping up the slapi-nis self-tests which involve modifying the plugin entry (the plugin entry is added to dse.ldif offline), as the server now returns an unwilling-to-perform error in response to the modify request when it succeeded before.

I think that any of these would work:
* When checking a modify request, only sanity-check nsslapd-pluginPath when it shows up in the list of mods.
* Add a run-time-configurable whitelist of locations where plugins could be found.
* Replace the pathname check with an stat() call or a dlopen(RTLD_NOW) equivalent, to see if it can be loaded (with dlopen() followed by an immediate dlclose()).
Comment 6 Amita Sharma 2015-01-09 09:17:20 UTC 
Seems that selinux was the culprit..
[root@dhcp201-126 ~]# cp /usr/lib64/dirsrv/plugins/libautomember-plugin.so /tmp
[root@dhcp201-126 ~]# getenforce 
Enforcing
[root@dhcp201-126 ~]# setenforce 0
[root@dhcp201-126 ~]# ls -al /tmp
total 96
drwxrwxrwt.  9 root root  4096 Jan  9 14:46 .
dr-xr-xr-x. 19 root root  4096 Nov  5 18:57 ..
drwxrwxrwt.  2 root root     6 Nov  5 13:35 .font-unix
drwxrwxrwt.  2 root root     6 Nov  5 13:35 .ICE-unix
-rwxr-xr-x.  1 root root 45120 Jan  9 14:46 libautomember-plugin.so
-rw-------.  1 root root  5495 Jan  6 16:35 setup0Xa3ia.log
-rw-------.  1 root root  5495 Dec 30 13:11 setupAziFGz.log
-rw-------.  1 root root  1524 Jan  9 12:39 setupeNbm8D.log
-rw-------.  1 root root  5635 Jan  9 12:40 setupotKmaL.log
-rw-------.  1 root root  1524 Jan  5 13:56 setupPCo5sN.log
-rw-------.  1 root root  6852 Jan  5 13:56 setupZ2iB6r.log
drwx------.  3 root root    16 Nov 10 13:15 systemd-private-nLBTOZ
drwx------.  3 root root    16 Dec 22 17:11 systemd-private-yCZgiJ
drwxrwxrwt.  2 root root     6 Nov  5 13:35 .Test-unix
drwxrwxrwt.  2 root root     6 Nov  5 13:35 .X11-unix
drwxrwxrwt.  2 root root     6 Nov  5 13:35 .XIM-unix

[root@dhcp201-126 ~]# chmod 777 /tmp/libautomember-plugin.so 
[root@dhcp201-126 ~]# ldapmodify -x -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=Auto Membership Plugin,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-pluginPath
> nsslapd-pluginPath: /tmp/libautomember-plugin.so
> EOF
modifying entry "cn=Auto Membership Plugin,cn=plugins,cn=config"

[root@dhcp201-126 ~]# /usr/lib64/dirsrv/slapd-dhcp201-126/stop-slapd 
[root@dhcp201-126 ~]# /usr/lib64/dirsrv/slapd-dhcp201-126/start-slapd 
[root@dhcp201-126 ~]# 

Hence VERIFIED.
Comment 8 errata-xmlrpc 2015-03-05 09:32:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html
Note You need to log in before you can comment on or make changes to this bug.