add restrictions related to listeners in form of file permissions

(see in slapd(8) the description on how to enforce file permissions
on sockets in ldapi schema); at present, only user permissions are
used as follows: the url extension x-mod=-rwxrwxrwx is used; only
the user permisisons are considered, e.g. the first set of rwx;
	"r" means read is allowed from that listener
	"w" means write is allowed on that listener
	"x" means bind is not required on that listener
these restrictions ADD to those already present, and are actually
checked AFTER the other restrictions, but BEFORE ACLs, so they can
be used to apply gross restrictions but should not be viewed as
a replacement of ACLs. To compile this, #define SLAP_X_LISTENER_MOD

diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index 04fac3ccec9825beb554a417f1bb59729d8d1540..c71e1df78c8414133d3cb927f8071248786ad3d5 100644 (file)
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -914,6 +914,14 @@ backend_check_restrictions(
                                *text = "modifications require authentication";
                                return LDAP_STRONG_AUTH_REQUIRED;
                        }
+
+#ifdef SLAP_X_LISTENER_MOD
+                       if ( ! ( conn->c_listener->sl_perms & S_IWUSR ) ) {
+                               /* no "w" mode means readonly */
+                               *text = "modifications not allowed on this listener";
+                               return LDAP_UNWILLING_TO_PERFORM;
+                       }
+#endif /* SLAP_X_LISTENER_MOD */
                }
        }
 
@@ -964,6 +972,25 @@ backend_check_restrictions(
                                return LDAP_OPERATIONS_ERROR;
                        }
                }
+
+#ifdef SLAP_X_LISTENER_MOD
+               if ( !starttls && op->o_dn.bv_len == 0 ) {
+                       if ( ! ( conn->c_listener->sl_perms & S_IXUSR ) ) {
+                               /* no "x" mode means bind required */
+                               *text = "bind required on this listener";
+                               return LDAP_CONFIDENTIALITY_REQUIRED;
+                       }
+               }
+
+               if ( !starttls && !updateop ) {
+                       if ( ! ( conn->c_listener->sl_perms & S_IRUSR ) ) {
+                               /* no "r" mode means no read */
+                               *text = "read not allowed on this listener";
+                               return LDAP_UNWILLING_TO_PERFORM;
+                       }
+               }
+#endif /* SLAP_X_LISTENER_MOD */
+
        }
 
        if( restrictops & opflag ) {

diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c
index fd1d84f8a9170295b0a00d99fdc998f5e3461116..128fe161196961e8079446953187641db639e0aa 100644 (file)
--- a/servers/slapd/daemon.c
+++ b/servers/slapd/daemon.c
@@ -311,7 +311,7 @@ static void slap_free_listener_addresses(struct sockaddr **sal)
        ch_free(sal);
 }
 
-#ifdef LDAP_PF_LOCAL
+#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD)
 static int get_url_perms(
        char    **exts,
        mode_t  *perms,
@@ -392,7 +392,7 @@ static int get_url_perms(
 
        return LDAP_OTHER;
 }
-#endif /* LDAP_PF_LOCAL */
+#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */
 
 /* port = 0 indicates AF_LOCAL */
 static int slap_get_listener_addresses(
@@ -587,13 +587,12 @@ static int slap_open_listener(
        struct sockaddr **sal, **psal;
        int socktype = SOCK_STREAM;     /* default to COTS */
 
-#ifdef LDAP_PF_LOCAL
+#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD)
        /*
         * use safe defaults
         */
-       mode_t  perms = S_IRWXU;
        int     crit = 1;
-#endif
+#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */
 
        rc = ldap_url_parse( url, &lud );
 
@@ -648,10 +647,6 @@ static int slap_open_listener(
                } else {
                        err = slap_get_listener_addresses(lud->lud_host, 0, &sal);
                }
-
-               if ( lud->lud_exts ) {
-                       err = get_url_perms( lud->lud_exts, &perms, &crit );
-               }
 #else
 
 #ifdef NEW_LOGGING
@@ -677,6 +672,14 @@ static int slap_open_listener(
                }
        }
 
+#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD)
+       if ( lud->lud_exts ) {
+               err = get_url_perms( lud->lud_exts, &l.sl_perms, &crit );
+       } else {
+               l.sl_perms = S_IRWXU;
+       }
+#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */
+
        ldap_free_urldesc( lud );
        if ( err ) {
                return -1;
@@ -820,7 +823,7 @@ static int slap_open_listener(
 #ifdef LDAP_PF_LOCAL
        case AF_LOCAL: {
                char *addr = ((struct sockaddr_un *)*sal)->sun_path;
-               if ( chmod( addr, perms ) < 0 && crit ) {
+               if ( chmod( addr, l.sl_perms ) < 0 && crit ) {
                        int err = sock_errno();
 #ifdef NEW_LOGGING
                        LDAP_LOG( CONNECTION, INFO, 

diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index da5530b06c8fea027dffa4ef7b8d668a340944e8..0a27ab8706bccbb98cbbc2dc918d57df2a3870e4 100644 (file)
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1731,6 +1731,9 @@ typedef struct slap_conn {
 struct slap_listener {
        struct berval sl_url;
        struct berval sl_name;
+#ifdef SLAP_X_LISTENER_MOD
+       mode_t          sl_perms;
+#endif /* SLAP_X_LISTENER_MOD */
 #ifdef HAVE_TLS
        int             sl_is_tls;
 #endif