From a8437c203858e579c4d6c96d4feedb4647d8aca2 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati <ando@openldap.org>
Date: Wed, 14 Nov 2001 16:09:33 +0000
Subject: [PATCH] non-root add/delete of entries rooted at '' checks children
 write permission (forward port from back-ldbm)

---
 servers/slapd/back-bdb/add.c    | 32 ++++++++++++++++++++++++++------
 servers/slapd/back-bdb/delete.c | 32 ++++++++++++++++++++++++++------
 2 files changed, 52 insertions(+), 12 deletions(-)

diff --git a/servers/slapd/back-bdb/add.c b/servers/slapd/back-bdb/add.c
index a2e55d0180..c0469f78a8 100644
--- a/servers/slapd/back-bdb/add.c
+++ b/servers/slapd/back-bdb/add.c
@@ -148,7 +148,7 @@ retry:	rc = txn_abort( ltid );
 			Debug( LDAP_DEBUG_TRACE, "bdb_add: no write access to parent\n",
 				0, 0, 0 );
 			rc = LDAP_INSUFFICIENT_ACCESS;
-			text = "no write access to parent", NULL, NULL;
+			text = "no write access to parent";
 			goto return_results;;
 		}
 
@@ -195,11 +195,31 @@ retry:	rc = txn_abort( ltid );
 		 *  or with parent ""
 		 */
 		if ( !be_isroot( be, op->o_ndn )) {
-			Debug( LDAP_DEBUG_TRACE, "bdb_add: %s denied\n",
-				pdn == NULL ? "suffix" : "entry at root",
-				0, 0 );
-			rc = LDAP_INSUFFICIENT_ACCESS;
-			goto return_results;
+			if ( be_issuffix( be, "" ) ) {
+				static const Entry rootp = { NOID, "", "", NULL, NULL };
+
+				p = (Entry *)&rootp;
+
+				/* check parent for "children" acl */
+				rc = access_allowed( be, conn, op, p,
+					children, NULL, ACL_WRITE );
+				p = NULL;
+
+				if ( ! rc ) {
+					Debug( LDAP_DEBUG_TRACE, "bdb_add: no write access to parent\n",
+						0, 0, 0 );
+					rc = LDAP_INSUFFICIENT_ACCESS;
+					text = "no write access to parent";
+					goto return_results;;
+				}
+
+			} else {
+				Debug( LDAP_DEBUG_TRACE, "bdb_add: %s denied\n",
+					pdn == NULL ? "suffix" : "entry at root",
+					0, 0 );
+				rc = LDAP_INSUFFICIENT_ACCESS;
+				goto return_results;
+			}
 		}
 	}
 
diff --git a/servers/slapd/back-bdb/delete.c b/servers/slapd/back-bdb/delete.c
index 1aa089e66c..4dff6517e7 100644
--- a/servers/slapd/back-bdb/delete.c
+++ b/servers/slapd/back-bdb/delete.c
@@ -162,12 +162,32 @@ retry:	/* transaction retry */
 		ch_free( pdn );
 
 		/* no parent, must be root to delete */
-		if( ! be_isroot( be, op->o_ndn ) && ! be_issuffix( be, "" ) ) {
-			Debug( LDAP_DEBUG_TRACE,
-				"<=- bdb_delete: no parent and not root\n",
-				0, 0, 0);
-			rc = LDAP_INSUFFICIENT_ACCESS;
-			goto return_results;
+		if( ! be_isroot( be, op->o_ndn ) ) {
+			if ( be_issuffix( be, "" ) ) {
+				static const Entry rootp = { NOID, "", "", NULL, NULL };
+
+				p = (Entry *)&rootp;
+
+				/* check parent for "children" acl */
+				rc = access_allowed( be, conn, op, p,
+					children, NULL, ACL_WRITE );
+				p = NULL;
+
+				if ( !rc  ) {
+					Debug( LDAP_DEBUG_TRACE,
+						"<=- bdb_delete: no access "
+						"to parent\n", 0, 0, 0 );
+					rc = LDAP_INSUFFICIENT_ACCESS;
+					goto return_results;
+				}
+
+			} else {
+				Debug( LDAP_DEBUG_TRACE,
+					"<=- bdb_delete: no parent "
+					"and not root\n", 0, 0, 0);
+				rc = LDAP_INSUFFICIENT_ACCESS;
+				goto return_results;
+			}
 		}
 	}
 
-- 
2.39.5