From 4f2ff1c10861e634b211694add54075a7cd68583 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Mon, 28 Jan 2002 20:26:55 +0000
Subject: [PATCH] uses URL extensions to set socket permissions other than default URL Syntax: ldapi://[[/????[!]x-mod=]] where is the URL-encoded path of the socket (i.e. use %2F instead of '/' for UNIX filenames!) and is 3*[w|-] (all we need is write permission to the socket, read/execute permissions are ignored; however, they're set when opening the listener). The critical flag (the optional '!' if not used ignores the result of the chmod() operation.
---
 servers/slapd/daemon.c | 176 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 174 insertions(+), 2 deletions(-)
diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c
index 098f7bc87f..6180e391b5 100644
--- a/servers/slapd/daemon.c
+++ b/servers/slapd/daemon.c
@@ -30,6 +30,8 @@ int deny_severity = LOG_NOTICE;
 #ifdef LDAP_PF_LOCAL
 #include
+/* this should go in as soon as it is accepted */
+#define LDAPI_MOD_URLEXT "x-mod"
 #endif /* LDAP_PF_LOCAL */
 /* globals */
@@ -303,6 +305,171 @@ static void slap_free_listener_addresses(struct sockaddr **sal)
 ch_free(sal);
 }
+#ifdef LDAP_PF_LOCAL
+static int get_url_perms(
+ char **exts,
+ mode_t *perms,
+ int *crit )
+{
+ int i;
+
+ assert( exts );
+ assert( perms );
+ assert( crit );
+
+ *crit = 0;
+ for ( i = 0; exts[ i ]; i++ ) {
+ char *type = exts[ i ];
+ int c = 0;
+
+ if ( type[ 0 ] == '!' ) {
+ c = 1;
+ type++;
+ }
+
+ if ( strncasecmp( type, LDAPI_MOD_URLEXT "=", sizeof(LDAPI_MOD_URLEXT "=") - 1 ) == 0 ) {
+ char *value = type + sizeof(LDAPI_MOD_URLEXT "=") - 1;
+ mode_t p = 0;
+
+#if 0
+ if ( strlen( value ) != 9 ) {
+ return LDAP_OTHER;
+ }
+
+ switch ( value[ 0 ] ) {
+ case 'r':
+ p |= S_IRUSR;
+ break;
+ case '-':
+ break;
+ default:
+ return LDAP_OTHER;
+ }
+
+ switch ( value[ 1 ] ) {
+ case 'w':
+ p |= S_IWUSR;
+ break;
+ case '-':
+ break;
+ default:
+ return LDAP_OTHER;
+ }
+
+ switch ( value[ 2 ] ) {
+ case 'x':
+ p |= S_IXUSR;
+ break;
+ case '-':
+ break;
+ default:
+ return LDAP_OTHER;
+ }
+
+ switch ( value[ 3 ] ) {
+ case 'r':
+ p |= S_IRGRP;
+ break;
+ case '-':
+ break;
+ default:
+ return LDAP_OTHER;
+ }
+
+ switch ( value[ 4 ] ) {
+ case 'w':
+ p |= S_IWGRP;
+ break;
+ case '-':
+ break;
+ default:
+ return LDAP_OTHER;
+ }
+
+ switch ( value[ 5 ] ) {
+ case 'x':
+ p |= S_IXGRP;
+ break;
+ case '-':
+ break;
+ default:
+ return LDAP_OTHER;
+ }
+
+ switch ( value[ 6 ] ) {
+ case 'r':
+ p |= S_IROTH;
+ break;
+ case '-':
+ break;
+ default:
+ return LDAP_OTHER;
+ }
+
+ switch ( value[ 7 ] ) {
+ case 'w':
+ p |= S_IWOTH;
+ break;
+ case '-':
+ break;
+ default:
+ return LDAP_OTHER;
+ }
+
+ switch ( value[ 8 ] ) {
+ case 'x':
+ p |= S_IXOTH;
+ break;
+ case '-':
+ break;
+ default:
+ return LDAP_OTHER;
+ }
+#else
+ if ( strlen(value) != 3 ) {
+ return LDAP_OTHER;
+ }
+
+ switch ( value[ 0 ] ) {
+ case 'w':
+ p |= S_IRWXU;
+ break;
+ case '-':
+ break;
+ default:
+ return LDAP_OTHER;
+ }
+
+ switch ( value[ 1 ] ) {
+ case 'w':
+ p |= S_IRWXG;
+ break;
+ case '-':
+ break;
+ default:
+ return LDAP_OTHER;
+ }
+
+ switch ( value[ 2 ] ) {
+ case 'w':
+ p |= S_IRWXO;
+ break;
+ case '-':
+ break;
+ default:
+ return LDAP_OTHER;
+ }
+#endif
+
+ *crit = c;
+ *perms = p;
+
+ return LDAP_SUCCESS;
+ }
+ }
+}
+#endif /* LDAP_PF_LOCAL */
+
 /* port = 0 indicates AF_LOCAL */
 static int slap_get_listener_addresses(
 const char *host,
@@ -487,7 +654,8 @@ static Listener * slap_open_listener(
 struct sockaddr **sal, **psal;
 int socktype = SOCK_STREAM; /* default to COTS */
 #ifdef LDAP_PF_LOCAL
- mode_t perms = S_IRWXU;
+ mode_t perms = S_IRWXU;
+ int crit = 1;
 #endif
 rc = ldap_url_parse( url, &lud );
@@ -542,6 +710,10 @@ static Listener * slap_open_listener(
 } else {
 err = slap_get_listener_addresses(lud->lud_host, 0, &sal);
 }
+
+ if ( lud->lud_exts ) {
+ err = get_url_perms( lud->lud_exts, &perms, &crit );
+ }
 #else
 #ifdef NEW_LOGGING
@@ -696,7 +868,7 @@ static Listener * slap_open_listener(
 #ifdef LDAP_PF_LOCAL
 case AF_LOCAL: {
 char *addr = ((struct sockaddr_un *)*sal)->sun_path;
- if ( chmod( addr, perms ) < 0 ) {
+ if ( chmod( addr, perms ) < 0 && crit ) {
 int err = sock_errno();
 #ifdef NEW_LOGGING
 LDAP_LOG(( "connection", LDAP_LEVEL_INFO,
-- 
2.39.5
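Review bot: get_url_perms falls off the end of a non-void function when lud_exts holds no x-mod extension (for example only some other extension), so the caller's `err` is read from an indeterminate value; add `return LDAP_SUCCESS;` after the `for` loop so perms and crit keep their defaults in that case. In the same loop an extension prefixed with '!' that is not x-mod is skipped silently, whereas an unrecognised critical extension in an LDAP URL is supposed to make the URL unusable, so `if ( c ) return LDAP_OTHER;` at the bottom of the loop body would be the conservative choice. The nine-character `#if 0` parser is dead code and is better dropped than carried in the tree. It is also worth documenting next to the option that a value of `www` yields S_IRWXO, i.e. a socket every local account can connect to.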
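Review bot: The assignment `err = get_url_perms( lud->lud_exts, &perms, &crit );` overwrites the result of the slap_get_listener_addresses call immediately above it, so a failed address lookup followed by a successful extension parse is reported as success if `err` is what the code after the hunk checks. Guarding the call with the previous result, `if ( err == LDAP_SUCCESS && lud->lud_exts ) {`, keeps the first failure, assuming slap_get_listener_addresses uses the same zero-on-success convention, which is not visible here. The enclosing slap_open_listener body continues outside the hunk.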
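Review bot: With `if ( chmod( addr, perms ) < 0 && crit )` a non-critical chmod failure skips the whole error branch, including the LDAP_LOG call that follows, so the listener silently keeps whatever mode the socket was created with and an operator has no trace that the requested permissions were not applied. Keeping the outer `if ( chmod( addr, perms ) < 0 )` as it was, logging unconditionally inside it, and moving only the failure exit under `if ( crit )` preserves the diagnostic while still honouring the non-critical flag. The rest of the AF_LOCAL case and the failure path lie outside the hunk, so the exact lines to move are not visible here.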