#47384 Plugin library path validation
Closed: Fixed None Opened 6 years ago by nkinder.

When specifying path to plugin library in DS console > configuration > plug-ins
the Plug-in module path field/value is not validated and allows to save any
value which can lead to a crash during the start of the directory server.

The bug is most probably related to #308221 where the check for filename was
removed to allow relative paths. Currently it supports only relative paths even
when tried to use an absolute one. The path is just appended to default plugin
location wich also leads to crash during startup.

E.g. with path '/qq/libcos-plugin'

[22/May/2013:15:22:20 +0200] - Netscape Portable Runtime error -5977:
/usr/lib/dirsrv/plugins//qq/libcos-plugin.so: cannot open shared object file:
No such file or directory
[22/May/2013:15:22:20 +0200] - Could not open library
"/usr/lib/dirsrv/plugins//qq/libcos-plugin.so" for plugin Class of Service
[22/May/2013:15:22:21 +0200] - Unable to load plugin "cn=Class of
Service,cn=plugins,cn=config"

Version-Release number of selected component (if applicable):
DS9.1

How reproducible:
Always

Steps to Reproduce:
1. In Console > configuration tab > plug-ins pick any plugin
2. change the plug-in module path to non existent path/filename. Either an
absolute path or relative path will do.
3. Try to save the change.

Actual results:
The value is saved to DS config file (dse.ldif) and on the next start it
crashes as the partiucular file does not exist.

Expected results:
The value should not be saved and some kind of error should be displayed.

We don't allow one to put plug-ins outside of the "plugins" directory (for various reasons, including SELinux). This is by design and will not be changed.

We could validate the plug-in path at the preop phase in the 389-ds-base package. If the path does not exist, we can reject the modify/add operation. This would cover both Console and changes made over LDAP. Direct modification of dse.ldif would still trigger the server to not start, but that is by design.


Copied from the original bug:
Nathan Kinder 2013-06-05 13:39:24 EDT
We don't allow one to put plug-ins outside of the "plugins" directory (for various reasons, including SELinux). This is by design and will not be changed.

We could validate the plug-in path at the preop phase in the 389-ds-base package. If the path does not exist, we can reject the modify/add operation. This would cover both Console and changes made over LDAP. Direct modification of dse.ldif would still trigger the server to not start, but that is by design.

I would also like to clarify that the server is not crashing. The server refuses to start if certain things are invalid in dse.ldif. This is by design. There are multiple ways that one can put invalid info in dse.ldif, including via Console, LDAP, or by manual editing. There is only so much we can do to prevent an admin from shooting themselves in the foot.

I'm changing this to a 389-ds-base bug, as the verification should be done there (not in Console).

Thank you for implementing the code which is a good proof of concept. After reading your code, I think we'd better move it to some other place such as in dse_callback. The layer of dse_modify and _add would not be a good place to handle the config entry specific data. I'll let you know when I find a good place.

Anupam,

Sorry, implementing the code as a callback is a bit too much for me to explain to you. So, I updated it myself based upon your patch.

Thanks,
--noriko

Bug description: ldapmodify could replace the plugin path with
an invalid path.

Fix description: This patch adds the validation code to dse
callback. If modify operation is requested for a plugin entry,
the registered callback check_plugin_path is called and check
the given plugin path.

This patch also has made get_plugin_name public as slapi_get_
plugin_name. Now, the following plugin paths are allowed:
/path/to/lib<plugin>.so, /path/to/lib<plugin>,
lib<plugin>.so, lib<plugin>

Reviewed by Rich (Thank you!!)

Pushed to master: commit a4b81c0

Description: commit a4b81c0
only checks the invalid plugin path when the value is modified.
This patch adds the check when a plugin entry is added.

Reviewed by Rich (Thank you!!)

Pushed to master: commit 1cd68bb

returntext was not set properly, patch out for review...

git merge ticket47384
Updating 7e9cae5..36f3f34
Fast-forward
ldap/servers/slapd/fedse.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

git push origin master
Counting objects: 11, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 725 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
7e9cae5..36f3f34 master -> master

commit 36f3f34
Author: Mark Reynolds mreynolds@redhat.com
Date: Wed Aug 14 16:56:36 2013 -0400

Metadata Update from @mreynolds:
- Issue assigned to anjain
- Issue set to the milestone: 1.3.2 - 09/13 (September)

2 years ago

Login to comment on this ticket.

Metadata