From 8c2ed9c8090f01c61e30189370582ffcd3eba4de Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Wed, 14 Nov 2001 16:08:59 +0000 Subject: [PATCH] non-root add/delete of entries rooted at '' checks children write permission --- servers/slapd/back-ldbm/add.c | 55 +++++++++++++++++++++++++------- servers/slapd/back-ldbm/delete.c | 49 ++++++++++++++++++++++------ 2 files changed, 83 insertions(+), 21 deletions(-) diff --git a/servers/slapd/back-ldbm/add.c b/servers/slapd/back-ldbm/add.c index 71fb24b185..c09502b16b 100644 --- a/servers/slapd/back-ldbm/add.c +++ b/servers/slapd/back-ldbm/add.c @@ -209,24 +209,57 @@ ldbm_back_add( } /* no parent, must be adding entry to root */ - if ( !be_isroot( be, op->o_ndn ) && !be_issuffix( be, "" ) ) { - ldap_pvt_thread_mutex_unlock(&li->li_add_mutex); + if ( !be_isroot( be, op->o_ndn ) ) { + if ( be_issuffix( be, "" ) ) { + static const Entry rootp = { NOID, "", "", NULL, NULL }; + p = (Entry *)&rootp; + + rc = access_allowed( be, conn, op, p, + children, NULL, ACL_WRITE ); + p = NULL; + + if ( ! rc ) { + ldap_pvt_thread_mutex_unlock(&li->li_add_mutex); #ifdef NEW_LOGGING - LDAP_LOG(( "backend", LDAP_LEVEL_ERR, - "ldbm_back_add: %s add denied.\n", - pdn == NULL ? "suffix" : "entry at root" )); + LDAP_LOG(( "backend", LDAP_LEVEL_ERR, + "ldbm_back_add: No write " + "access to parent (\"\").\n" )); #else - Debug( LDAP_DEBUG_TRACE, "%s add denied\n", - pdn == NULL ? "suffix" : "entry at root", - 0, 0 ); + Debug( LDAP_DEBUG_TRACE, + "no write access to parent\n", + 0, 0, 0 ); #endif + send_ldap_result( conn, op, + LDAP_INSUFFICIENT_ACCESS, + NULL, + "no write access to parent", + NULL, NULL ); - send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, - NULL, NULL, NULL, NULL ); + return -1; + } - return -1; + } else { + ldap_pvt_thread_mutex_unlock(&li->li_add_mutex); + +#ifdef NEW_LOGGING + LDAP_LOG(( "backend", LDAP_LEVEL_ERR, + "ldbm_back_add: %s add denied.\n", + pdn == NULL ? "suffix" + : "entry at root" )); +#else + Debug( LDAP_DEBUG_TRACE, "%s add denied\n", + pdn == NULL ? "suffix" + : "entry at root", 0, 0 ); +#endif + + send_ldap_result( conn, op, + LDAP_INSUFFICIENT_ACCESS, + NULL, NULL, NULL, NULL ); + + return -1; + } } /* diff --git a/servers/slapd/back-ldbm/delete.c b/servers/slapd/back-ldbm/delete.c index 3c64c1f932..c2f4e3f378 100644 --- a/servers/slapd/back-ldbm/delete.c +++ b/servers/slapd/back-ldbm/delete.c @@ -153,20 +153,49 @@ ldbm_back_delete( } else { /* no parent, must be root to delete */ - if( ! be_isroot( be, op->o_ndn ) && ! be_issuffix( be, "" ) ) { + if( ! be_isroot( be, op->o_ndn ) ) { + if ( be_issuffix( be, "" ) ) { + static const Entry rootp = { NOID, "", "", NULL, NULL }; + p = (Entry *)&rootp; + + rc = access_allowed( be, conn, op, p, + children, NULL, ACL_WRITE ); + p = NULL; + + /* check parent for "children" acl */ + if ( ! rc ) { #ifdef NEW_LOGGING - LDAP_LOG(( "backend", LDAP_LEVEL_ERR, - "ldbm_back_delete: (%s) has no parent & not a root.\n", - dn )); + LDAP_LOG(( "backend", LDAP_LEVEL_ERR, + "ldbm_back_delete: no access " + "to parent of ("")\n" )); #else - Debug( LDAP_DEBUG_TRACE, - "<=- ldbm_back_delete: no parent & not root\n", - 0, 0, 0); + Debug( LDAP_DEBUG_TRACE, + "<=- ldbm_back_delete: no " + "access to parent\n", 0, 0, 0 ); #endif - send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, - NULL, NULL, NULL, NULL ); - goto return_results; + send_ldap_result( conn, op, + LDAP_INSUFFICIENT_ACCESS, + NULL, NULL, NULL, NULL ); + goto return_results; + } + + } else { +#ifdef NEW_LOGGING + LDAP_LOG(( "backend", LDAP_LEVEL_ERR, + "ldbm_back_delete: (%s) has no " + "parent & not a root.\n", dn )); +#else + Debug( LDAP_DEBUG_TRACE, + "<=- ldbm_back_delete: no parent & " + "not root\n", 0, 0, 0); +#endif + + send_ldap_result( conn, op, + LDAP_INSUFFICIENT_ACCESS, + NULL, NULL, NULL, NULL ); + goto return_results; + } } ldap_pvt_thread_mutex_lock(&li->li_root_mutex); -- 2.39.5