Commit 1f6bb31d authored by Howard Chu's avatar Howard Chu
Browse files

Honor ACLs, don't just require root any more

parent f5558876
......@@ -86,7 +86,7 @@ static ConfigFile *cfn;
static Avlnode *CfOcTree;
static int config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca,
SlapReply *rs, int *renumber );
SlapReply *rs, int *renumber, Operation *op );
static ConfigDriver config_fname;
static ConfigDriver config_cfdir;
......@@ -2937,7 +2937,7 @@ config_ldif_resp( Operation *op, SlapReply *rs )
setup_cookie *sc = op->o_callback->sc_private;
sc->cfb->cb_got_ldif = 1;
rs->sr_err = config_add_internal( sc->cfb, rs->sr_entry, sc->ca, NULL, NULL );
rs->sr_err = config_add_internal( sc->cfb, rs->sr_entry, sc->ca, NULL, NULL, NULL );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "config error processing %s: %s\n",
rs->sr_entry->e_name.bv_val, sc->ca->msg, 0 );
......@@ -3559,7 +3559,8 @@ cfAddOverlay( CfEntryInfo *p, Entry *e, struct config_args_s *ca )
/* Parse an LDAP entry into config directives */
static int
config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs, int *renum )
config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs,
int *renum, Operation *op )
{
CfEntryInfo *ce, *last;
ConfigOCs **colst;
......@@ -3585,6 +3586,15 @@ config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs, i
return LDAP_NO_SUCH_OBJECT;
}
if ( op ) {
/* No parent, must be root. This will never happen... */
if ( !last && !be_isroot( op ) && !be_shadow_update( op ))
return LDAP_NO_SUCH_OBJECT;
if ( !access_allowed( op, last->ce_entry, slap_schema.si_ad_children,
NULL, ACL_WADD, NULL ))
return LDAP_INSUFFICIENT_ACCESS;
}
oc_at = attr_find( e->e_attrs, slap_schema.si_ad_objectClass );
if ( !oc_at ) return LDAP_OBJECT_CLASS_VIOLATION;
......@@ -3766,7 +3776,8 @@ config_back_add( Operation *op, SlapReply *rs )
int renumber;
ConfigArgs ca;
if ( !be_isroot( op ) ) {
if ( !access_allowed( op, op->ora_e, slap_schema.si_ad_entry,
NULL, ACL_WADD, NULL )) {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
goto out;
}
......@@ -3784,7 +3795,7 @@ config_back_add( Operation *op, SlapReply *rs )
*/
/* NOTE: by now we do not accept adds that require renumbering */
renumber = -1;
rs->sr_err = config_add_internal( cfb, op->ora_e, &ca, rs, &renumber );
rs->sr_err = config_add_internal( cfb, op->ora_e, &ca, rs, &renumber, op );
if ( rs->sr_err != LDAP_SUCCESS ) {
rs->sr_text = ca.msg;
goto out2;
......@@ -4103,11 +4114,6 @@ config_back_modify( Operation *op, SlapReply *rs )
char *ptr;
AttributeDescription *rad = NULL;
if ( !be_isroot( op ) ) {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
goto out;
}
cfb = (CfBackInfo *)op->o_bd->be_private;
ce = config_find_base( cfb->cb_root, &op->o_req_ndn, &last );
......@@ -4118,6 +4124,11 @@ config_back_modify( Operation *op, SlapReply *rs )
goto out;
}
if ( !acl_check_modlist( op, ce->ce_entry, op->orm_modlist )) {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
goto out;
}
/* Get type of RDN */
rdn = ce->ce_entry->e_nname;
ptr = strchr( rdn.bv_val, '=' );
......@@ -4178,11 +4189,6 @@ config_back_modrdn( Operation *op, SlapReply *rs )
CfBackInfo *cfb;
CfEntryInfo *ce, *last;
if ( !be_isroot( op ) ) {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
goto out;
}
cfb = (CfBackInfo *)op->o_bd->be_private;
ce = config_find_base( cfb->cb_root, &op->o_req_ndn, &last );
......@@ -4192,6 +4198,22 @@ config_back_modrdn( Operation *op, SlapReply *rs )
rs->sr_err = LDAP_NO_SUCH_OBJECT;
goto out;
}
if ( !access_allowed( op, ce->ce_entry, slap_schema.si_ad_entry,
NULL, ACL_WRITE, NULL )) {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
goto out;
}
{ Entry *parent;
if ( ce->ce_parent )
parent = ce->ce_parent->ce_entry;
else
parent = (Entry *)&slap_entry_root;
if ( !access_allowed( op, parent, slap_schema.si_ad_children,
NULL, ACL_WRITE, NULL )) {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
goto out;
}
}
/* We don't allow moving objects to new parents.
* Generally we only allow reordering a set of ordered entries.
......@@ -4216,11 +4238,7 @@ config_back_search( Operation *op, SlapReply *rs )
{
CfBackInfo *cfb;
CfEntryInfo *ce, *last;
if ( !be_isroot( op ) ) {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
goto out;
}
slap_mask_t mask;
cfb = (CfBackInfo *)op->o_bd->be_private;
......@@ -4231,6 +4249,16 @@ config_back_search( Operation *op, SlapReply *rs )
rs->sr_err = LDAP_NO_SUCH_OBJECT;
goto out;
}
if ( !access_allowed_mask( op, ce->ce_entry, slap_schema.si_ad_entry, NULL,
ACL_SEARCH, NULL, &mask ))
{
if ( !ACL_GRANT( mask, ACL_DISCLOSE )) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
}
goto out;
}
switch ( op->ors_scope ) {
case LDAP_SCOPE_BASE:
case LDAP_SCOPE_SUBTREE:
......@@ -4847,7 +4875,7 @@ config_tool_entry_put( BackendDB *be, Entry *e, struct berval *text )
ConfigArgs ca;
if ( bi && bi->bi_tool_entry_put &&
config_add_internal( cfb, e, &ca, NULL, NULL ) == 0 )
config_add_internal( cfb, e, &ca, NULL, NULL, NULL ) == 0 )
return bi->bi_tool_entry_put( &cfb->cb_db, e, text );
else
return NOID;
......@@ -4930,7 +4958,7 @@ config_back_initialize( BackendInfo *bi )
bi->bi_chk_referrals = 0;
bi->bi_access_allowed = slap_access_always_allowed;
bi->bi_access_allowed = slap_access_allowed;
bi->bi_connection_init = 0;
bi->bi_connection_destroy = 0;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment