Bug 1044172 - Plugin library path validation prevents intentional loading of out-of-tree modules
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-12-17 21:40 UTC by Nathan Kinder
Modified: 2015-03-05 09:32 UTC (History)

Fixed In Version: 389-ds-base-1.3.3.1-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 09:32:20 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0416 normal SHIPPED_LIVE Important: 389-ds-base security, bug fix, and enhancement update 2015-03-05 14:26:33 UTC

Description Nathan Kinder 2013-12-17 21:40:40 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47601

Ticket #47384 adds some sanity testing to the value of nsslapd-pluginPath when a plugin entry is added or modified.  This is tripping up the slapi-nis self-tests which involve modifying the plugin entry (the plugin entry is added to dse.ldif offline), as the server now returns an unwilling-to-perform error in response to the modify request when it succeeded before.

I think that any of these would work:
* When checking a modify request, only sanity-check nsslapd-pluginPath when it shows up in the list of mods.
* Add a run-time-configurable whitelist of locations where plugins could be found.
* Replace the pathname check with a stat() call or a dlopen(RTLD_NOW) equivalent, to see if it can be loaded (with dlopen() followed by an immediate dlclose()).
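
The three options above, modelled side by side in a stand-alone script (an added example for this page, not 389-ds-base code). It assumes a modify request is represented as a list of (op, attribute, values) tuples, takes /usr/lib64/dirsrv/plugins as the single default allowed directory (the path that appears in the verification comment, not anything read from server config), and uses ctypes.CDLL as the dlopen(RTLD_NOW) call. The whitelist check works on the canonicalised path, so a symlink or a `..` component cannot escape the allowed directory and a sibling directory that merely shares a name prefix does not match; the loadability probe refuses group- or world-writable files before it ever calls dlopen.

```python
"""Added example (not 389-ds-base code): a stand-alone model of the three
nsslapd-pluginPath checks proposed in the ticket description."""
import ctypes
import os
import stat
import tempfile

# Assumed default: the directory the RHEL build keeps its plugins in
# (taken from the paths in the verification comment, not from server config).
DEFAULT_PLUGIN_DIRS = ("/usr/lib64/dirsrv/plugins",)


def mods_touch_attribute(mods, attr):
    """Option 1: a modify request is a list of (op, attribute, values) tuples;
    only run the path check when the attribute is actually being changed."""
    return any(a.lower() == attr.lower() for _op, a, _vals in mods)


def path_in_allowed_dirs(path, allowed_dirs):
    """Option 2: whitelist check on the canonical path, so symlinks and '..'
    components cannot escape an allowed directory, and a sibling directory
    that merely shares a prefix (plugins-evil/) does not match."""
    real = os.path.realpath(path)
    for d in allowed_dirs:
        base = os.path.realpath(d)
        if real != base and os.path.commonpath([real, base]) == base:
            return True
    return False


def probe_loadable(path):
    """Option 3: stat() first, then a dlopen(RTLD_NOW) / dlclose() round trip.
    ctypes.CDLL always ORs RTLD_NOW into the dlopen mode, so an unresolved
    symbol fails here instead of at first use. Returns (ok, reason)."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return False, "stat failed: %s" % exc.strerror
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group- or world-writable"
    try:
        handle = ctypes.CDLL(path)
    except OSError as exc:
        return False, "dlopen failed: %s" % exc
    # Unload again immediately; we only wanted to know that it loads.
    try:
        libc = ctypes.CDLL(None)
        libc.dlclose.argtypes = [ctypes.c_void_p]
        libc.dlclose(handle._handle)
    except (AttributeError, OSError):
        pass
    return True, "ok"


def validate_plugin_path(path, allowed_dirs=DEFAULT_PLUGIN_DIRS):
    """Combine the checks: location first, then loadability."""
    if not path_in_allowed_dirs(path, allowed_dirs):
        return False, "outside allowed plugin directories"
    return probe_loadable(path)


def demo():
    """Constructed scenario: a bogus, non-ELF '.so' placed inside and outside
    a temporary whitelisted directory."""
    with tempfile.TemporaryDirectory() as tmp:
        allowed = os.path.join(tmp, "plugins")
        os.mkdir(allowed)
        inside = os.path.join(allowed, "libfake-plugin.so")
        with open(inside, "wb") as fh:
            fh.write(b"not an ELF object")  # constructed; dlopen must reject it
        outside = os.path.join(tmp, "libfake-plugin.so")
        sibling = os.path.join(tmp, "plugins-evil", "libfake-plugin.so")
        return {
            "check_skipped_when_path_not_modified": mods_touch_attribute(
                [("replace", "nsslapd-pluginEnabled", ["on"])], "nsslapd-pluginPath"),
            "check_runs_when_path_modified": mods_touch_attribute(
                [("replace", "nsslapd-pluginPath", [inside])], "nsslapd-pluginPath"),
            "inside_whitelist": path_in_allowed_dirs(inside, [allowed]),
            "outside_whitelist": path_in_allowed_dirs(outside, [allowed]),
            "sibling_prefix_dir": path_in_allowed_dirs(sibling, [allowed]),
            "non_elf_loadable": probe_loadable(inside)[0],
            "validate_inside": validate_plugin_path(inside, [allowed])[1],
            "validate_outside": validate_plugin_path(outside, [allowed])[1],
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
    print(validate_plugin_path("/tmp/libautomember-plugin.so"))
```

Run as a script it prints the constructed scenario's results and then rejects the /tmp path used in the verification below, because /tmp is not an allowed plugin directory regardless of whether the file would load.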

Comment 6 Amita Sharma 2015-01-09 09:17:20 UTC
Seems that SELinux was the culprit.
[root@dhcp201-126 ~]# cp /usr/lib64/dirsrv/plugins/libautomember-plugin.so /tmp
[root@dhcp201-126 ~]# getenforce 
Enforcing
[root@dhcp201-126 ~]# setenforce 0
[root@dhcp201-126 ~]# ls -al /tmp
total 96
drwxrwxrwt.  9 root root  4096 Jan  9 14:46 .
dr-xr-xr-x. 19 root root  4096 Nov  5 18:57 ..
drwxrwxrwt.  2 root root     6 Nov  5 13:35 .font-unix
drwxrwxrwt.  2 root root     6 Nov  5 13:35 .ICE-unix
-rwxr-xr-x.  1 root root 45120 Jan  9 14:46 libautomember-plugin.so
-rw-------.  1 root root  5495 Jan  6 16:35 setup0Xa3ia.log
-rw-------.  1 root root  5495 Dec 30 13:11 setupAziFGz.log
-rw-------.  1 root root  1524 Jan  9 12:39 setupeNbm8D.log
-rw-------.  1 root root  5635 Jan  9 12:40 setupotKmaL.log
-rw-------.  1 root root  1524 Jan  5 13:56 setupPCo5sN.log
-rw-------.  1 root root  6852 Jan  5 13:56 setupZ2iB6r.log
drwx------.  3 root root    16 Nov 10 13:15 systemd-private-nLBTOZ
drwx------.  3 root root    16 Dec 22 17:11 systemd-private-yCZgiJ
drwxrwxrwt.  2 root root     6 Nov  5 13:35 .Test-unix
drwxrwxrwt.  2 root root     6 Nov  5 13:35 .X11-unix
drwxrwxrwt.  2 root root     6 Nov  5 13:35 .XIM-unix

[root@dhcp201-126 ~]# chmod 777 /tmp/libautomember-plugin.so 
[root@dhcp201-126 ~]# ldapmodify -x -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=Auto Membership Plugin,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-pluginPath
> nsslapd-pluginPath: /tmp/libautomember-plugin.so
> EOF
modifying entry "cn=Auto Membership Plugin,cn=plugins,cn=config"

[root@dhcp201-126 ~]# /usr/lib64/dirsrv/slapd-dhcp201-126/stop-slapd 
[root@dhcp201-126 ~]# /usr/lib64/dirsrv/slapd-dhcp201-126/start-slapd 
[root@dhcp201-126 ~]# 

Hence VERIFIED.

Comment 8 errata-xmlrpc 2015-03-05 09:32:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html

