From a67b41eb69423577b75a5432fe9cd3f2000b1e2c Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Wed, 2 Apr 2003 20:27:58 +0000
Subject: [PATCH] fix listener mod handling
---
 doc/man/man8/slapd.8 | 10 +++++++++-
 servers/slapd/backend.c | 14 +++-----------
 servers/slapd/daemon.c | 2 +-
 3 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
index 63b457e496..072e7072c9 100644
--- a/doc/man/man8/slapd.8
+++ b/doc/man/man8/slapd.8
@@ -128,13 +128,21 @@ extension to indicate the permissions of the underlying socket, on those
 OSes that honor them.
 Support for the latter two schemes depends on selected configuration options.
 Hosts may be specified by name or IPv4 and IPv6 address formats.
-Ports, if specfied, must be numeric. The default ldap:// port is 389
+Ports, if specified, must be numeric. The default ldap:// port is 389
 and the default ldaps:// port is 636. The socket permissions for LDAP over IPC are indicated by "x-mod=-rwxrwxrwx", "x-mod=0777" or "x-mod=777", where any of the "rwx" can be "-" to suppress the related permission (note, however, that sockets only honor the "w" permission), while any of the "7" can be any legal octal digit, according to chmod(1).
+The usage is a bit awkward: since on some systems write permission
+("w") is required to be able to operate on the socket, it must always
+be set to allow operations on the socket. As a consequence,
+the meaning of the "r" field is to negate write access if present;
+e.g., "x-mod=--wx---rw-" means "owner" can access read/write even
+without binding (and subject to regular ACLs), while for "others"
+bind is required, and the listener is read-only. "Group" permissions
+are not considered at present.
 .TP
 .BI \-r " directory"
 Specifies a chroot "jail" directory. slapd will
diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index 7634429d03..a6370cbf71 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -957,8 +957,9 @@ backend_check_restrictions(
 }
 #ifdef SLAP_X_LISTENER_MOD
- if ( op->o_conn->c_listener && ! ( op->o_conn->c_listener->sl_perms & S_IWUSR ) ) {
- /* no "w" mode means readonly */
+ if ( op->o_conn->c_listener && ( op->o_conn->c_listener->sl_perms & S_IRUSR ) ) {
+ /* "r" mode means readonly ( "w" is required
+ * to operate on a socket ...) */
 rs->sr_text = "modifications not allowed on this listener";
 rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
 return rs->sr_err;
@@ -1029,15 +1030,6 @@ backend_check_restrictions(
 return rs->sr_err;
 }
 }
-
- if ( !starttls && !updateop ) {
- if ( op->o_conn->c_listener && ! ( op->o_conn->c_listener->sl_perms & S_IRUSR ) ) {
- /* no "r" mode means no read */
- rs->sr_text = "read not allowed on this listener";
- rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
- return rs->sr_err;
- }
- }
 #endif /* SLAP_X_LISTENER_MOD */
 }
diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c
index e61feceb12..a12a166819 100644
--- a/servers/slapd/daemon.c
+++ b/servers/slapd/daemon.c
@@ -679,7 +679,7 @@ static int slap_open_listener(
 if ( lud->lud_exts ) {
 err = get_url_perms( lud->lud_exts, &l.sl_perms, &crit );
 } else {
- l.sl_perms = S_IRWXU;
+ l.sl_perms = S_IWUSR | S_IXUSR; /* "r" means readonly ... */
 }
 #endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */
--
2.39.5
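Review bot: The new condition at the top of the first backend.c hunk gives a set S_IRUSR the opposite of its usual meaning — read permission present now makes the listener read-only — and the two-line comment only hints at why, while the test consults the owner bit alone even though the man page in this patch describes separate behaviour for "others". Whether group/other bits are checked elsewhere (at bind time, say) is not visible here; if they are not, the comment should say the owner bits are the only ones consulted. I would replace the added comment with `/* Deliberately inverted: "w" must be set for the socket to be usable at all, so a set "r" bit is the only way to express "read-only listener"; only the owner bits are consulted here. */`, and add that the documented example `x-mod=0777` therefore produces a read-only listener, which an operator copying the example will not expect. backend_check_restrictions() begins and ends outside both hunks; the second hunk drops the matching read restriction, so after this change listener mode never refuses a read.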
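Review bot: The new default `S_IWUSR | S_IXUSR` on the added daemon.c line keeps the default listener writable under the inverted "r" semantics, but the trailing comment `/* "r" means readonly ... */` does not say so, and a reader who sees read permission dropped from the socket mode will take it for a mistake. Suggest `/* default: writable listener; under SLAP_X_LISTENER_MOD a set "r" bit means read-only, so it is intentionally left clear */`. The `err` returned by get_url_perms() two lines above is not examined inside the hunk; if it is not checked immediately after, an unparsable x-mod extension could leave l.sl_perms at whatever it held before rather than at this default. slap_open_listener() starts and ends outside the hunk.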