switch ( mlist->sml_op ) {
case LDAP_MOD_REPLACE:
- if ( mlist->sml_bvalues == NULL ) {
- if ( ! access_allowed( be, conn, op, e,
- mlist->sml_desc, NULL, ACL_WRITE ) )
- {
- return( 0 );
- }
- break;
+ /*
+ * We must check both permission to delete the whole
+ * attribute and permission to add the specific attributes.
+ * This prevents abuse from selfwriters.
+ */
+ if ( ! access_allowed( be, conn, op, e,
+ mlist->sml_desc, NULL, ACL_WRITE ) )
+ {
+ return( 0 );
}
- /* fall thru */
+ if ( mlist->sml_bvalues == NULL ) break;
+
+ /* fall thru to check value to add */
case LDAP_MOD_ADD:
assert( mlist->sml_bvalues != NULL );
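Review bot: The REPLACE path now depends on the fall-through into `LDAP_MOD_ADD` to vet each replacement value, but the per-value loop that does so lies outside this hunk, so it is worth confirming it applies `access_allowed( ..., ACL_WRITE )` to every entry of `sml_bvalues` rather than only the first; otherwise a REPLACE still admits values the requester could not ADD, which is exactly the abuse the new comment says it closes. The early exit `if ( mlist->sml_bvalues == NULL ) break;` is the only thing keeping the fall-through away from the `assert` in the ADD case, so brace it and state that dependency: `if ( mlist->sml_bvalues == NULL ) { break; } /* REPLACE with no values == delete attribute, already checked above */` and replace the terse `/* fall thru to check value to add */` with `/* fall thru: REPLACE with values must also pass the per-value ACL_WRITE checks of the ADD case */`. The enclosing function and switch start and end outside the hunk.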