From df6c69ffd64e9ae7668f1167c64e829f6bbce3be Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Mon, 7 Oct 2002 21:56:43 +0000
Subject: [PATCH] More entry level access control for back-shell (should be applied to back-perl and other programmable backends)

---
 servers/slapd/back-shell/bind.c | 19 +++++++++++++++++++
 servers/slapd/back-shell/compare.c | 19 +++++++++++++++++++
 servers/slapd/back-shell/modify.c | 19 +++++++++++++++++++
 3 files changed, 57 insertions(+)

diff --git a/servers/slapd/back-shell/bind.c b/servers/slapd/back-shell/bind.c
index 6c4ec9ab48..ad1b9c80c1 100644
--- a/servers/slapd/back-shell/bind.c
+++ b/servers/slapd/back-shell/bind.c
@@ -28,6 +28,8 @@ shell_back_bind(
 )
 {
 	struct shellinfo *si = (struct shellinfo *) be->be_private;
+	AttributeDescription *entry = slap_schema.si_ad_entry;
+	Entry e;
 	FILE *rfp, *wfp;
 	int rc;
 
@@ -37,6 +39,23 @@ shell_back_bind(
 		return( -1 );
 	}
 
+	e.e_id = NOID;
+	e.e_name = *dn;
+	e.e_nname = *ndn;
+	e.e_attrs = NULL;
+	e.e_ocflags = 0;
+	e.e_bv.bv_len = 0;
+	e.e_bv.bv_val = NULL;
+	e.e_private = NULL;
+
+	if ( ! access_allowed( be, conn, op, &e,
+		entry, NULL, ACL_AUTH, NULL ) )
+	{
+		send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+			NULL, NULL, NULL, NULL );
+		return -1;
+	}
+
 	if ( (op->o_private = (void *) forkandexec( si->si_bind, &rfp, &wfp ))
 	    == (void *) -1 ) {
 		send_ldap_result( conn, op, LDAP_OTHER, NULL,
diff --git a/servers/slapd/back-shell/compare.c b/servers/slapd/back-shell/compare.c
index 19a3498c96..c70edd530d 100644
--- a/servers/slapd/back-shell/compare.c
+++ b/servers/slapd/back-shell/compare.c
@@ -26,6 +26,8 @@ shell_back_compare(
 )
 {
 	struct shellinfo *si = (struct shellinfo *) be->be_private;
+	AttributeDescription *entry = slap_schema.si_ad_entry;
+	Entry e;
 	FILE *rfp, *wfp;
 
 	if ( IS_NULLCMD( si->si_compare ) ) {
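Review bot: The Entry handed to access_allowed() is a DN-only stand-in (`e.e_attrs = NULL`), so any ACL clause that inspects the target entry's attributes — `by dnattr=`, for instance, or a content filter where the ACL syntax supports one — is evaluated against an empty entry and can never match, whatever the shell script would actually return. That is inherent to a backend that never sees the entry itself, but it should be stated where the stand-in is built; a comment such as `/* DN-only stand-in: attribute-based ACL clauses see no attributes here */` above `e.e_id = NOID;` would do. The same eight-line construction is repeated verbatim in compare.c and modify.c, and since the commit intends this pattern for other programmable backends too, a small shared helper that fills an Entry from dn/ndn would keep the copies from drifting apart. Note also that with ACL_AUTH denied a bind now answers LDAP_INSUFFICIENT_ACCESS, which an anonymous client can tell apart from a failed credential check; I cannot see from the hunk whether the frontend normalizes bind failures, so it may be worth confirming that distinction is intended. shell_back_bind's body continues past the end of the hunk.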
@@ -34,6 +36,23 @@ shell_back_compare(
 		return( -1 );
 	}
 
+	e.e_id = NOID;
+	e.e_name = *dn;
+	e.e_nname = *ndn;
+	e.e_attrs = NULL;
+	e.e_ocflags = 0;
+	e.e_bv.bv_len = 0;
+	e.e_bv.bv_val = NULL;
+	e.e_private = NULL;
+
+	if ( ! access_allowed( be, conn, op, &e,
+		entry, NULL, ACL_READ, NULL ) )
+	{
+		send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+			NULL, NULL, NULL, NULL );
+		return -1;
+	}
+
 	if ( (op->o_private = (void *) forkandexec( si->si_compare, &rfp, &wfp ))
 	    == (void *) -1 ) {
 		send_ldap_result( conn, op, LDAP_OTHER, NULL,
diff --git a/servers/slapd/back-shell/modify.c b/servers/slapd/back-shell/modify.c
index 69ad41d740..9b82f70be4 100644
--- a/servers/slapd/back-shell/modify.c
+++ b/servers/slapd/back-shell/modify.c
@@ -27,6 +27,8 @@ shell_back_modify(
 {
 	Modification *mod;
 	struct shellinfo *si = (struct shellinfo *) be->be_private;
+	AttributeDescription *entry = slap_schema.si_ad_entry;
+	Entry e;
 	FILE *rfp, *wfp;
 	int i;
 
@@ -36,6 +38,23 @@ shell_back_modify(
 		return( -1 );
 	}
 
+	e.e_id = NOID;
+	e.e_name = *dn;
+	e.e_nname = *ndn;
+	e.e_attrs = NULL;
+	e.e_ocflags = 0;
+	e.e_bv.bv_len = 0;
+	e.e_bv.bv_val = NULL;
+	e.e_private = NULL;
+
+	if ( ! access_allowed( be, conn, op, &e,
+		entry, NULL, ACL_WRITE, NULL ) )
+	{
+		send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+			NULL, NULL, NULL, NULL );
+		return -1;
+	}
+
 	if ( (op->o_private = (void *) forkandexec( si->si_modify, &rfp, &wfp ))
 	    == (void *) -1 ) {
 		send_ldap_result( conn, op, LDAP_OTHER, NULL,
-- 
2.39.5
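Review bot: The new check decides on the `entry` pseudo-attribute with ACL_READ only; a compare is ordinarily subject to compare access on the specific attribute being tested, and nothing here evaluates that, so an ACL that permits reading the entry but withholds the compared attribute is not enforced by this backend. Because the shell script rather than slapd holds the entry, the attribute-level check cannot be completed at this point either, and that limitation deserves a comment on the `if ( ! access_allowed(` line, e.g. `/* entry-level check only; per-attribute compare access is not evaluated for this backend */`. A minor style point shared by all three files: the added `return -1;` sits a few lines below `return( -1 );` in the same function (bind.c and modify.c have the same pair), and settling on one form would read better. shell_back_compare's body continues outside the hunk.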
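Review bot: ACL_WRITE is checked against the `entry` pseudo-attribute alone, so write access on the individual attributes named in the modification list (the `Modification *mod` declared in the first hunk) is never evaluated here — an ACL that grants write to the entry but not to a sensitive attribute is not enforced by this backend. Unlike the entry's contents, the attribute descriptions are present in the modification list without reading the entry, so walking that list before forkandexec() and calling access_allowed() with each modification's attribute description and ACL_WRITE would close the gap; how the list reaches shell_back_modify is outside this hunk, so the exact loop depends on the signature. If that is deferred, a comment at the check saying that only entry-level write access is verified would at least make the limitation explicit to the next maintainer. shell_back_modify's body continues outside the hunk.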