On 11/19/2013 11:06 AM, Nalin Dahyabhai wrote:
On Tue, Nov 19, 2013 at 10:05:13AM -0700, Rich Megginson wrote:
On 11/19/2013 09:44 AM, Nalin Dahyabhai wrote:
The language in the ticket description's pretty firm that this isn't
going to be changed, and while I can _probably_ work around it on my
end, I figured I'd ask here before going down that route: is there room
to expand this check to a whitelist, a search path, or some other method
that could be used to provide for my use case?
Sure. Please file a ticket. We can figure out some way to hack
this for testing. What would you suggest?
Great! I've opened ticket #47601 for this, and we can continue there if
you like.
Yes.
In case there's more to discuss on the list, here are the
options that come to mind:
* When checking a modify request, only check the nsslapd-pluginPath
value if it shows up in the mods list.
* Add a run-time-configurable whitelist of acceptable locations.
* Replace the check with logic to go ahead and try loading the module,
unloading it if the load succeeds.
I haven't tried any of these, but I think any of them would be enough.
Thanks,
Nalin
--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-devel
