From: Howard Chu Date: Sat, 4 Jun 2005 09:44:39 +0000 (+0000) Subject: Add SLAP_MOD_INTERNAL flag to Modifications, allow internal ops to bypass X-Git-Tag: OPENLDAP_AC_BP~572 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=8f58409749f270fb02ad5dd2b66159600e8eb272;p=openldap Add SLAP_MOD_INTERNAL flag to Modifications, allow internal ops to bypass ACL checks when modifying user-modifiable attributes as non-root user. --- diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index e71d14fcca..0276f35075 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -2259,6 +2259,16 @@ acl_check_modlist( } for ( ; mlist != NULL; mlist = mlist->sml_next ) { + /* + * Internal mods are ignored by ACL_WRITE checking + */ + if ( mlist->sml_flags & SLAP_MOD_INTERNAL ) { + Debug( LDAP_DEBUG_ACL, "acl: internal mod %s:" + " modify access granted\n", + mlist->sml_desc->ad_cname.bv_val, 0, 0 ); + continue; + } + /* * no-user-modification operational attributes are ignored * by ACL_WRITE checking as any found here are not provided diff --git a/servers/slapd/add.c b/servers/slapd/add.c index 39480b5c93..537129fdd4 100644 --- a/servers/slapd/add.c +++ b/servers/slapd/add.c @@ -120,6 +120,7 @@ do_add( Operation *op, SlapReply *rs ) mod = (Modifications *) ch_malloc( sizeof(Modifications) ); mod->sml_op = LDAP_MOD_ADD; + mod->sml_flags = 0; mod->sml_next = NULL; mod->sml_desc = NULL; mod->sml_type = tmp.sml_type; @@ -612,6 +613,7 @@ slap_entry2mods( mod = (Modifications *) malloc( sizeof( Modifications )); mod->sml_op = LDAP_MOD_REPLACE; + mod->sml_flags = 0; mod->sml_type = a_new_desc->ad_cname; diff --git a/servers/slapd/modify.c b/servers/slapd/modify.c index 77b0d5013a..fe7d7aae78 100644 --- a/servers/slapd/modify.c +++ b/servers/slapd/modify.c @@ -104,6 +104,7 @@ do_modify( mod = (Modifications *) ch_malloc( sizeof(Modifications) ); mod->sml_op = mop; + mod->sml_flags = 0; mod->sml_type = tmp.sml_type; mod->sml_values = tmp.sml_values; mod->sml_nvalues = NULL; 
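Review bot: The new early `continue` in acl_check_modlist makes the ACL_WRITE decision rest entirely on `mlist->sml_flags`, and because Modifications are mostly allocated with ch_malloc() that field holds whatever was in the heap at any producer this commit does not touch (backends, other overlays, third-party SLAPI plugins), so a stray bit there silently waives the write check. A comment above the test should record that invariant, e.g. `/* sm_flags is not zeroed by ch_malloc(); every Modifications producer must set it explicitly, or garbage here skips the ACL_WRITE check */`, and an audit of the remaining allocation sites before merge would be prudent. The Debug line also dereferences `mlist->sml_desc` unconditionally; presumably the list is normalized by this point, as the no-user-modification check that follows appears to rely on the same, but that is worth confirming. acl_check_modlist begins before this hunk and ends after it.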
@@ -894,6 +895,7 @@ int slap_mods_opattrs( mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); mod->sml_op = mop; + mod->sml_flags = SLAP_MOD_INTERNAL; mod->sml_type.bv_val = NULL; mod->sml_desc = slap_schema.si_ad_structuralObjectClass; mod->sml_values = @@ -920,6 +922,7 @@ int slap_mods_opattrs( mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); mod->sml_op = mop; + mod->sml_flags = SLAP_MOD_INTERNAL; mod->sml_type.bv_val = NULL; mod->sml_desc = slap_schema.si_ad_entryUUID; mod->sml_values = @@ -942,6 +945,7 @@ int slap_mods_opattrs( mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); mod->sml_op = mop; + mod->sml_flags = SLAP_MOD_INTERNAL; mod->sml_type.bv_val = NULL; mod->sml_desc = slap_schema.si_ad_creatorsName; mod->sml_values = @@ -961,6 +965,7 @@ int slap_mods_opattrs( mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); mod->sml_op = mop; + mod->sml_flags = SLAP_MOD_INTERNAL; mod->sml_type.bv_val = NULL; mod->sml_desc = slap_schema.si_ad_createTimestamp; mod->sml_values = @@ -978,6 +983,7 @@ int slap_mods_opattrs( if ( SLAP_LASTMOD( op->o_bd )) { mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); mod->sml_op = mop; + mod->sml_flags = SLAP_MOD_INTERNAL; mod->sml_type.bv_val = NULL; mod->sml_desc = slap_schema.si_ad_entryCSN; mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) ); @@ -991,6 +997,7 @@ int slap_mods_opattrs( mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); mod->sml_op = mop; + mod->sml_flags = SLAP_MOD_INTERNAL; mod->sml_type.bv_val = NULL; mod->sml_desc = slap_schema.si_ad_modifiersName; mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) ); 
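Review bot: The same setup sequence (ch_malloc, `sml_op = mop`, `sml_flags = SLAP_MOD_INTERNAL`, `sml_type.bv_val = NULL`) is now repeated at seven sites in slap_mods_opattrs, in these hunks and the one continued on the next line, which is exactly the kind of duplication that lets a future site forget `sml_flags`. A small static helper that allocates the node and sets the op and flag in one place would make the flag impossible to omit, and using ch_calloc() there would also zero `sml_type` and the other fields that are currently cleared by hand. Each call site would then reduce to `mod = opattr_mod_alloc( mop, slap_schema.si_ad_entryUUID );` followed by its value assignments. slap_mods_opattrs starts before and ends after these hunks.
```c
/* Allocate one server-generated operational-attribute Modification.
 * Flagged SLAP_MOD_INTERNAL so acl_check_modlist() skips it. */
static Modifications *
opattr_mod_alloc( int mop, AttributeDescription *desc )
{
	Modifications *mod = ch_calloc( 1, sizeof( Modifications ) );
	mod->sml_op = mop;
	mod->sml_flags = SLAP_MOD_INTERNAL;
	mod->sml_desc = desc;
	return mod;
}

/* … unchanged: slap_mods_opattrs body, with each of the seven
 * ch_malloc/sml_op/sml_flags/sml_type.bv_val/sml_desc groups replaced
 * by a single opattr_mod_alloc() call … */
```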
@@ -1009,6 +1016,7 @@ int slap_mods_opattrs( mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); mod->sml_op = mop; + mod->sml_flags = SLAP_MOD_INTERNAL; mod->sml_type.bv_val = NULL; mod->sml_desc = slap_schema.si_ad_modifyTimestamp; mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) ); diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c index b0f8d3e028..c2ceab26bb 100644 --- a/servers/slapd/modrdn.c +++ b/servers/slapd/modrdn.c @@ -480,6 +480,7 @@ slap_modrdn2mods( mod_tmp->sml_nvalues = NULL; } mod_tmp->sml_op = SLAP_MOD_SOFTADD; + mod_tmp->sml_flags = SLAP_MOD_INTERNAL; mod_tmp->sml_next = mod; mod = mod_tmp; } @@ -534,6 +535,7 @@ slap_modrdn2mods( mod_tmp->sml_nvalues = NULL; } mod_tmp->sml_op = LDAP_MOD_DELETE; + mod_tmp->sml_flags = SLAP_MOD_INTERNAL; mod_tmp->sml_next = mod; mod = mod_tmp; } diff --git a/servers/slapd/overlays/pcache.c b/servers/slapd/overlays/pcache.c index 0e1349a181..a8d8a2c6b8 100644 --- a/servers/slapd/overlays/pcache.c +++ b/servers/slapd/overlays/pcache.c @@ -854,6 +854,7 @@ remove_query_data ( vals[1].bv_val = NULL; vals[1].bv_len = 0; mod.sml_op = LDAP_MOD_DELETE; + mod.sml_flags = 0; mod.sml_desc = ad_queryid; mod.sml_type = ad_queryid->ad_cname; mod.sml_values = vals; diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c index 2937ae3cf9..87c643aaff 100644 --- a/servers/slapd/overlays/ppolicy.c +++ b/servers/slapd/overlays/ppolicy.c @@ -238,6 +238,7 @@ account_locked( Operation *op, Entry *e, m = ch_calloc( sizeof(Modifications), 1 ); m->sml_op = LDAP_MOD_DELETE; + m->sml_flags = 0; m->sml_type = ad_pwdAccountLockedTime->ad_cname; m->sml_desc = ad_pwdAccountLockedTime; m->sml_next = *mod; 
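Review bot: The RDN-derived add and delete mods built in slap_modrdn2mods are now flagged SLAP_MOD_INTERNAL, so acl_check_modlist no longer verifies write access to the new and old RDN attribute values even though those values come from the client's rename request rather than from the server. If the rename path already performs its own ACL_WRITE check on those attributes this only removes redundant work, but that is not visible from the hunk, so a comment at the first site naming where that check lives would help, e.g. `/* internal: write access to the RDN attrs is enforced by the modrdn ACL path, not by acl_check_modlist */`. Both hunks sit inside slap_modrdn2mods, which begins before and ends after them.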
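Review bot: `m->sml_flags = 0;` directly after `m = ch_calloc( sizeof(Modifications), 1 );` in account_locked is redundant, since ch_calloc already zero-fills the node; the same applies to the four ch_calloc sites in ppolicy_bind_resp on the next line and to the entryUUID mod allocated with ch_calloc in syncrepl.c further down. It is harmless, but an explicit assignment next to a zeroing allocator reads as if the field needed special treatment; either drop those lines or keep the explicit initialization only where ch_malloc is used. account_locked starts before and ends after this hunk.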
@@ -713,6 +714,7 @@ ppolicy_bind_resp( Operation *op, SlapReply *rs ) m = ch_calloc( sizeof(Modifications), 1 ); m->sml_op = LDAP_MOD_ADD; + m->sml_flags = 0; m->sml_type = ad_pwdFailureTime->ad_cname; m->sml_desc = ad_pwdFailureTime; m->sml_values = ch_calloc( sizeof(struct berval), 2 ); @@ -759,6 +761,7 @@ ppolicy_bind_resp( Operation *op, SlapReply *rs ) */ m = ch_calloc( sizeof(Modifications), 1 ); m->sml_op = LDAP_MOD_REPLACE; + m->sml_flags = 0; m->sml_type = ad_pwdAccountLockedTime->ad_cname; m->sml_desc = ad_pwdAccountLockedTime; m->sml_values = ch_calloc( sizeof(struct berval), 2 ); @@ -774,6 +777,7 @@ ppolicy_bind_resp( Operation *op, SlapReply *rs ) if ( attr_find( e->e_attrs, ad_pwdFailureTime )) { m = ch_calloc( sizeof(Modifications), 1 ); m->sml_op = LDAP_MOD_DELETE; + m->sml_flags = 0; m->sml_type = ad_pwdFailureTime->ad_cname; m->sml_desc = ad_pwdFailureTime; m->sml_next = mod; @@ -859,6 +863,7 @@ grace: */ m = ch_calloc( sizeof(Modifications), 1 ); m->sml_op = LDAP_MOD_ADD; + m->sml_flags = 0; m->sml_type = ad_pwdGraceUseTime->ad_cname; m->sml_desc = ad_pwdGraceUseTime; m->sml_values = ch_calloc( sizeof(struct berval), 2 ); @@ -1299,6 +1304,7 @@ ppolicy_modify( Operation *op, SlapReply *rs ) if (pp.pwdSafeModify && oldpw.bv_val ) { ml = (Modifications *) ch_malloc( sizeof( Modifications ) ); ml->sml_op = LDAP_MOD_DELETE; + ml->sml_flags = SLAP_MOD_INTERNAL; ml->sml_desc = pp.ad; ml->sml_type = pp.ad->ad_cname; ml->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) ); @@ -1467,6 +1473,7 @@ do_modify: mods->sml_op = LDAP_MOD_DELETE; mods->sml_values = NULL; } + mods->sml_flags = SLAP_MOD_INTERNAL; mods->sml_nvalues = NULL; mods->sml_next = NULL; modtail->sml_next = mods; 
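Review bot: In ppolicy_modify the `ml` delete of the old password value is flagged SLAP_MOD_INTERNAL although the value itself is client-supplied (oldpw); this is presumably acceptable only because the same request carries the client's own modification of `pp.ad`, which still goes through acl_check_modlist. That reasoning should be written next to the flag, e.g. `/* internal: write access to pp.ad is already checked on the client's own mod in this request */`, so a later change that detaches or reorders this mod does not silently drop the check. ppolicy_modify begins before this hunk and ends after it.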
@@ -1475,6 +1482,7 @@ do_modify: if (attr_find(e->e_attrs, ad_pwdGraceUseTime )) { mods = (Modifications *) ch_malloc( sizeof( Modifications ) ); mods->sml_op = LDAP_MOD_DELETE; + mods->sml_flags = SLAP_MOD_INTERNAL; mods->sml_type.bv_val = NULL; mods->sml_desc = ad_pwdGraceUseTime; mods->sml_values = NULL; @@ -1488,6 +1496,7 @@ do_modify: if ((zapReset) && (attr_find(e->e_attrs, ad_pwdReset ))) { mods = (Modifications *) ch_malloc( sizeof( Modifications ) ); mods->sml_op = LDAP_MOD_DELETE; + mods->sml_flags = SLAP_MOD_INTERNAL; mods->sml_type.bv_val = NULL; mods->sml_desc = ad_pwdReset; mods->sml_values = NULL; @@ -1517,6 +1526,7 @@ do_modify: */ mods = (Modifications *) ch_malloc( sizeof( Modifications ) ); mods->sml_op = LDAP_MOD_DELETE; + mods->sml_flags = SLAP_MOD_INTERNAL; mods->sml_type.bv_val = NULL; mods->sml_desc = ad_pwdHistory; mods->sml_nvalues = NULL; @@ -1549,6 +1559,7 @@ do_modify: if ((pa = attr_find( e->e_attrs, pp.ad )) != NULL) { mods = (Modifications *) ch_malloc( sizeof( Modifications ) ); mods->sml_op = LDAP_MOD_ADD; + mods->sml_flags = SLAP_MOD_INTERNAL; mods->sml_type.bv_val = NULL; mods->sml_desc = ad_pwdHistory; mods->sml_nvalues = NULL; diff --git a/servers/slapd/overlays/refint.c b/servers/slapd/overlays/refint.c index 991b82b28f..a233fec070 100644 --- a/servers/slapd/overlays/refint.c +++ b/servers/slapd/overlays/refint.c @@ -291,6 +291,7 @@ refint_delete_cb( mp->sml_values[1].bv_val = mp->sml_nvalues[1].bv_val = NULL; mp->sml_op = LDAP_MOD_ADD; + mp->sml_flags = 0; ber_dupbv(&mp->sml_values[0], &dd->nothing); ber_dupbv(&mp->sml_nvalues[0], &dd->nnothing); mp->sml_next = ma; @@ -305,6 +306,7 @@ refint_delete_cb( mp->sml_values[1].bv_len = mp->sml_nvalues[1].bv_len = 0; mp->sml_values[1].bv_val = mp->sml_nvalues[1].bv_val = NULL; mp->sml_op = LDAP_MOD_DELETE; + mp->sml_flags = 0; ber_dupbv(&mp->sml_values[0], &dd->dn); ber_dupbv(&mp->sml_nvalues[0], &mp->sml_values[0]); mp->sml_next = ma; 
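Review bot: refint's fix-up mods are flagged 0 here and in the two refint_modrdn_cb hunks on the next line, while the comparable overlay-generated bookkeeping mods in ppolicy_modify are flagged SLAP_MOD_INTERNAL. If the referential-integrity modify runs under a non-root identity these mods will now be ACL-checked, which may well be intended given the commit message limits the bypass to internal ops, but the asymmetry is not explained anywhere; a one-line comment at the first site recording the decision, e.g. `/* deliberately not SLAP_MOD_INTERNAL: refint mods are subject to the ACL of the identity it runs as */`, would save the next reader the same question. refint_delete_cb begins before and ends after these hunks.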
@@ -389,6 +391,7 @@ refint_modrdn_cb( } mp = ch_malloc(sizeof(Modifications)); mp->sml_op = LDAP_MOD_ADD; + mp->sml_flags = 0; mp->sml_desc = ia->attr; /* XXX */ mp->sml_type = ia->attr->ad_cname; mp->sml_values = ch_malloc(2 * sizeof(BerValue)); @@ -401,6 +404,7 @@ refint_modrdn_cb( ip->mm = mp; mp = ch_malloc(sizeof(Modifications)); mp->sml_op = LDAP_MOD_DELETE; + mp->sml_flags = 0; mp->sml_desc = ia->attr; /* XXX */ mp->sml_type = ia->attr->ad_cname; mp->sml_values = ch_malloc(2 * sizeof(BerValue)); diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c index 5c51f03c2d..74d428c4bc 100644 --- a/servers/slapd/overlays/syncprov.c +++ b/servers/slapd/overlays/syncprov.c @@ -1151,6 +1151,7 @@ syncprov_checkpoint( Operation *op, SlapReply *rs, slap_overinst *on ) mod.sml_nvalues = NULL; mod.sml_desc = slap_schema.si_ad_contextCSN; mod.sml_op = LDAP_MOD_REPLACE; + mod.sml_flags = 0; mod.sml_next = NULL; cb.sc_response = slap_null_cb; diff --git a/servers/slapd/passwd.c b/servers/slapd/passwd.c index 270b1148b2..0917bd2273 100644 --- a/servers/slapd/passwd.c +++ b/servers/slapd/passwd.c @@ -213,6 +213,7 @@ int passwd_extop( ml->sml_nvalues = NULL; ml->sml_desc = slap_schema.si_ad_userPassword; ml->sml_op = LDAP_MOD_REPLACE; + ml->sml_flags = 0; ml->sml_next = qpw->rs_mods; qpw->rs_mods = ml; diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index 87fce497a5..10b17ca62f 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -369,6 +369,7 @@ slap_auxprop_store( for (i=0; pr[i].name; i++) { mod = (Modifications *)ch_malloc( sizeof(Modifications) ); mod->sml_op = LDAP_MOD_REPLACE; + mod->sml_flags = 0; ber_str2bv( pr[i].name, 0, 0, &mod->sml_type ); mod->sml_values = (struct berval *)ch_malloc( (pr[i].nvalues + 1) * sizeof(struct berval)); diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index b4e7e187a3..4b761747ec 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h 
@@ -1145,7 +1145,13 @@ typedef struct slap_entry { * A list of LDAPMods */ typedef struct slap_mod { - int sm_op; + short sm_op; + short sm_flags; +/* Set for internal mods, will bypass ACL checks. Only needed when + * running as non-root user, for user modifiable attributes. + */ +#define SLAP_MOD_INTERNAL 0x01 + AttributeDescription *sm_desc; struct berval sm_type; BerVarray sm_values; @@ -1155,6 +1161,7 @@ typedef struct slap_mod { typedef struct slap_mod_list { Modification sml_mod; #define sml_op sml_mod.sm_op +#define sml_flags sml_mod.sm_flags #define sml_desc sml_mod.sm_desc #define sml_type sml_mod.sm_type #define sml_values sml_mod.sm_values diff --git a/servers/slapd/slapi/slapi_ops.c b/servers/slapd/slapi/slapi_ops.c index 5a95c62fc3..5e85fe80b8 100644 --- a/servers/slapd/slapi/slapi_ops.c +++ b/servers/slapd/slapi/slapi_ops.c @@ -406,6 +406,7 @@ slapi_int_ldapmod_to_entry( mod = (Modifications *) ch_malloc( sizeof(Modifications) ); mod->sml_op = LDAP_MOD_ADD; + mod->sml_flags = 0; mod->sml_next = NULL; mod->sml_desc = NULL; mod->sml_type = tmp.sml_type; @@ -431,6 +432,7 @@ slapi_int_ldapmod_to_entry( mod = (Modifications *) ch_malloc( sizeof(Modifications) ); mod->sml_op = LDAP_MOD_ADD; + mod->sml_flags = 0; mod->sml_next = NULL; mod->sml_desc = NULL; mod->sml_type = tmp.sml_type; @@ -965,6 +967,7 @@ slapi_modify_internal( mod = (Modifications *)ch_malloc( sizeof(Modifications) ); mod->sml_op = pMod->mod_op & LDAP_MOD_OP; + mod->sml_flags = 0; mod->sml_next = NULL; mod->sml_desc = NULL; mod->sml_type = tmp.sml_type; @@ -982,6 +985,7 @@ slapi_modify_internal( mod = (Modifications *) ch_malloc( sizeof(Modifications) ); mod->sml_op = pMod->mod_op & LDAP_MOD_OP; + mod->sml_flags = 0; mod->sml_next = NULL; mod->sml_desc = NULL; mod->sml_type = tmp.sml_type; diff --git a/servers/slapd/slapi/slapi_utils.c b/servers/slapd/slapi/slapi_utils.c index 1adeb85086..ca7e8c45da 100644 --- a/servers/slapd/slapi/slapi_utils.c +++ b/servers/slapd/slapi/slapi_utils.c 
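Review bot: The comment on SLAP_MOD_INTERNAL says the flag is "only needed when running as non-root user", but acl_check_modlist skips the ACL_WRITE check for every flagged mod regardless of the bound identity, so the comment understates what the bit does; suggest `/* Set on server-generated mods: acl_check_modlist() skips ACL_WRITE checks for them. Must never be set on mods built from client or plugin input, and must be initialized at every allocation site since ch_malloc() does not zero it. */`. Narrowing sm_op from int to short looks safe for the LDAP_MOD_* and SLAP_MOD_SOFTADD values assigned elsewhere in this diff, but any code storing a wider value would now be silently truncated, so a grep over the remaining assignments is worth doing. The struct and its typedef are cut by the hunk boundaries.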
@@ -604,6 +604,7 @@ slapi_entry_add_values( Slapi_Entry *e, const char *type, struct berval **vals ) char textbuf[SLAP_TEXT_BUFLEN]; mod.sm_op = LDAP_MOD_ADD; + mod.sm_flags = 0; mod.sm_desc = NULL; mod.sm_type.bv_val = (char *)type; mod.sm_type.bv_len = strlen( type ); @@ -676,6 +677,7 @@ slapi_entry_delete_values( Slapi_Entry *e, const char *type, struct berval **val char textbuf[SLAP_TEXT_BUFLEN]; mod.sm_op = LDAP_MOD_DELETE; + mod.sm_flags = 0; mod.sm_desc = NULL; mod.sm_type.bv_val = (char *)type; mod.sm_type.bv_len = strlen( type ); @@ -3524,6 +3526,7 @@ Modifications *slapi_int_ldapmods2modifications (LDAPMod **mods) mod = (Modifications *) ch_malloc( sizeof(Modifications) ); mod->sml_op = (*modp)->mod_op & (~LDAP_MOD_BVALUES); + mod->sml_flags = 0; mod->sml_type.bv_val = (*modp)->mod_type; mod->sml_type.bv_len = strlen( mod->sml_type.bv_val ); mod->sml_desc = NULL; diff --git a/servers/slapd/syncrepl.c b/servers/slapd/syncrepl.c index ff49fc7df9..118e7771b5 100644 --- a/servers/slapd/syncrepl.c +++ b/servers/slapd/syncrepl.c @@ -1094,6 +1094,7 @@ syncrepl_message_to_entry( mod = (Modifications *) ch_malloc( sizeof( Modifications )); mod->sml_op = LDAP_MOD_REPLACE; + mod->sml_flags = 0; mod->sml_next = NULL; mod->sml_desc = NULL; mod->sml_type = tmp.sml_type; @@ -1470,6 +1471,7 @@ retry_add:; for ( i = 0; i < dni.attrs; i++ ) { mod = ch_malloc( sizeof( Modifications ) ); mod->sml_op = LDAP_MOD_DELETE; + mod->sml_flags = 0; mod->sml_desc = dni.ads[i]; mod->sml_type = mod->sml_desc->ad_cname; mod->sml_values = NULL; @@ -1496,6 +1498,7 @@ retry_add:; mod = (Modifications *)ch_calloc(1, sizeof(Modifications)); mod->sml_op = LDAP_MOD_REPLACE; + mod->sml_flags = 0; mod->sml_desc = slap_schema.si_ad_entryUUID; mod->sml_type = mod->sml_desc->ad_cname; ber_dupbv( &uuid_bv, &syncUUID_strrep ); 
@@ -1676,6 +1679,7 @@ syncrepl_del_nonpresent( if ( rs_delete.sr_err == LDAP_NOT_ALLOWED_ON_NONLEAF ) { Modifications mod1, mod2; mod1.sml_op = LDAP_MOD_REPLACE; + mod1.sml_flags = 0; mod1.sml_desc = slap_schema.si_ad_objectClass; mod1.sml_type = mod1.sml_desc->ad_cname; mod1.sml_values = &gcbva[0]; @@ -1683,6 +1687,7 @@ syncrepl_del_nonpresent( mod1.sml_next = &mod2; mod2.sml_op = LDAP_MOD_REPLACE; + mod2.sml_flags = 0; mod2.sml_desc = slap_schema.si_ad_structuralObjectClass; mod2.sml_type = mod2.sml_desc->ad_cname; mod2.sml_values = &gcbva[1];