From ef7421b87ddcc9566410f6fa166d104cdb330081 Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Thu, 18 Aug 2005 02:25:10 +0000 Subject: [PATCH] more on manage access level --- servers/slapd/acl.c | 61 +++++++++++++++++++++++-------- servers/slapd/add.c | 2 + servers/slapd/backend.c | 3 ++ servers/slapd/modify.c | 81 ++++++++++++++++++++--------------------- 4 files changed, 89 insertions(+), 58 deletions(-) diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index d6bc21d311..cb6c91ba80 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -192,8 +192,12 @@ slap_access_allowed( * no-user-modification operational attributes are ignored * by ACL_WRITE checking as any found here are not provided * by the user + * + * NOTE: but they are not ignored for ACL_MANAGE, because + * if we get here it means a non-root user is trying to + * manage data, so we need to check its privileges. */ - if ( access_level >= ACL_WRITE && is_at_no_user_mod( desc->ad_type ) + if ( access_level == ACL_WRITE && is_at_no_user_mod( desc->ad_type ) && desc != slap_schema.si_ad_entry && desc != slap_schema.si_ad_children ) { @@ -384,10 +388,17 @@ access_allowed_mask( assert( attr != NULL ); - if ( op && op->o_is_auth_check && - ( access_level == ACL_SEARCH || access_level == ACL_READ ) ) - { - access = ACL_AUTH; + if ( op ) { + if ( op->o_is_auth_check && + ( access_level == ACL_SEARCH || access_level == ACL_READ ) ) + { + access = ACL_AUTH; + + } else if ( get_manageDIT( op ) && access_level == ACL_WRITE && + desc == slap_schema.si_ad_entry ) + { + access = ACL_MANAGE; + } } if ( state ) { @@ -528,10 +539,17 @@ access_allowed_mask( assert( attr != NULL ); - if ( op && op->o_is_auth_check && - ( access_level == ACL_SEARCH || access_level == ACL_READ ) ) - { - access = ACL_AUTH; + if ( op ) { + if ( op->o_is_auth_check && + ( access_level == ACL_SEARCH || access_level == ACL_READ ) ) + { + access = ACL_AUTH; + + } else if ( get_manageDIT( op ) && access_level == ACL_WRITE && + desc == slap_schema.si_ad_entry ) + { + access = ACL_MANAGE; + } } if ( state ) { @@ -595,8 +613,12 @@ access_allowed_mask( * no-user-modification operational attributes are ignored * by ACL_WRITE checking as any found here are not provided * by the user + * + * NOTE: but they are not ignored for ACL_MANAGE, because + * if we get here it means a non-root user is trying to + * manage data, so we need to check its privileges. */ - if ( access_level >= ACL_WRITE && is_at_no_user_mod( desc->ad_type ) + if ( access_level == ACL_WRITE && is_at_no_user_mod( desc->ad_type ) && desc != slap_schema.si_ad_entry && desc != slap_schema.si_ad_children ) { @@ -2237,8 +2259,7 @@ int acl_check_modlist( Operation *op, Entry *e, - Modifications *mlist -) + Modifications *mlist ) { struct berval *bv; AccessControlState state = ACL_STATE_INIT; @@ -2307,7 +2328,9 @@ acl_check_modlist( * This prevents abuse from selfwriters. */ if ( ! access_allowed( op, e, - mlist->sml_desc, NULL, ACL_WDEL, &state ) ) + mlist->sml_desc, NULL, + mlist->sml_managing ? ACL_MANAGE : ACL_WDEL, + &state ) ) { ret = 0; goto done; @@ -2325,7 +2348,9 @@ acl_check_modlist( bv->bv_val != NULL; bv++ ) { if ( ! access_allowed( op, e, - mlist->sml_desc, bv, ACL_WADD, &state ) ) + mlist->sml_desc, bv, + mlist->sml_managing ? ACL_MANAGE : ACL_WADD, + &state ) ) { ret = 0; goto done; @@ -2336,7 +2361,9 @@ acl_check_modlist( case LDAP_MOD_DELETE: if ( mlist->sml_values == NULL ) { if ( ! access_allowed( op, e, - mlist->sml_desc, NULL, ACL_WDEL, NULL ) ) + mlist->sml_desc, NULL, + mlist->sml_managing ? ACL_MANAGE : ACL_WDEL, + NULL ) ) { ret = 0; goto done; @@ -2348,7 +2375,9 @@ acl_check_modlist( bv->bv_val != NULL; bv++ ) { if ( ! access_allowed( op, e, - mlist->sml_desc, bv, ACL_WDEL, &state ) ) + mlist->sml_desc, bv, + mlist->sml_managing ? ACL_MANAGE : ACL_WDEL, + &state ) ) { ret = 0; goto done; diff --git a/servers/slapd/add.c b/servers/slapd/add.c index 7df87348aa..e446eaf248 100644 --- a/servers/slapd/add.c +++ b/servers/slapd/add.c @@ -110,6 +110,7 @@ do_add( Operation *op, SlapReply *rs ) } mod = (Modifications *) ch_malloc( sizeof(Modifications) ); + mod->sml_managing = 0; mod->sml_op = LDAP_MOD_ADD; mod->sml_flags = 0; mod->sml_next = NULL; @@ -577,6 +578,7 @@ slap_entry2mods( while ( a_new != NULL ) { a_new_desc = a_new->a_desc; mod = (Modifications *) malloc( sizeof( Modifications )); + mod->sml_managing = 0; mod->sml_op = LDAP_MOD_REPLACE; mod->sml_flags = 0; diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index 63a3d00a98..7577bac1a0 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c @@ -835,11 +835,14 @@ backend_check_controls( } } + /* temporarily removed */ +#if 0 /* check should be generalized */ if( get_manageDIT(op) && !be_isroot(op)) { rs->sr_text = "requires manager authorization"; rs->sr_err = LDAP_UNWILLING_TO_PERFORM; } +#endif done:; return rs->sr_err; diff --git a/servers/slapd/modify.c b/servers/slapd/modify.c index 9dd1061f7f..e25b40b81f 100644 --- a/servers/slapd/modify.c +++ b/servers/slapd/modify.c @@ -106,6 +106,7 @@ do_modify( mod->sml_values = tmp.sml_values; mod->sml_nvalues = NULL; mod->sml_desc = NULL; + mod->sml_managing = 0; mod->sml_next = NULL; *modtail = mod; @@ -140,7 +141,7 @@ do_modify( goto cleanup; } - if( mod->sml_values[1].bv_val ) { + if ( !BER_BVISNULL( &mod->sml_values[ 1 ] ) ) { Debug( LDAP_DEBUG_ANY, "do_modify: modify/increment " "operation (%ld) requires single value\n", (long) mop, 0, 0 ); @@ -251,10 +252,10 @@ fe_op_modify( Operation *op, SlapReply *rs ) if ( tmp->sml_values == NULL ) { Debug( LDAP_DEBUG_ARGS, "%s\n", "\t\tno values", NULL, NULL ); - } else if ( tmp->sml_values[0].bv_val == NULL ) { + } else if ( BER_BVISNULL( &tmp->sml_values[ 0 ] ) ) { Debug( LDAP_DEBUG_ARGS, "%s\n", "\t\tzero values", NULL, NULL ); - } else if ( tmp->sml_values[1].bv_val == NULL ) { + } else if ( BER_BVISNULL( &tmp->sml_values[ 1 ] ) ) { Debug( LDAP_DEBUG_ARGS, "%s, length %ld\n", "\t\tone value", (long) tmp->sml_values[0].bv_len, NULL ); } else { @@ -883,22 +884,21 @@ int slap_mods_opattrs( if( rc != LDAP_SUCCESS ) return rc; mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); + mod->sml_managing = 0; mod->sml_op = mop; mod->sml_flags = SLAP_MOD_INTERNAL; - mod->sml_type.bv_val = NULL; + BER_BVZERO( &mod->sml_type ); mod->sml_desc = slap_schema.si_ad_structuralObjectClass; mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) ); ber_dupbv( &mod->sml_values[0], &tmpval ); - mod->sml_values[1].bv_len = 0; - mod->sml_values[1].bv_val = NULL; - assert( mod->sml_values[0].bv_val != NULL ); + BER_BVZERO( &mod->sml_values[1] ); + assert( !BER_BVISNULL( &mod->sml_values[0] ) ); mod->sml_nvalues = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) ); ber_dupbv( &mod->sml_nvalues[0], &tmpval ); - mod->sml_nvalues[1].bv_len = 0; - mod->sml_nvalues[1].bv_val = NULL; - assert( mod->sml_nvalues[0].bv_val != NULL ); + BER_BVZERO( &mod->sml_nvalues[1] ); + assert( !BER_BVISNULL( &mod->sml_nvalues[0] ) ); *modtail = mod; modtail = &mod->sml_next; } @@ -920,16 +920,16 @@ int slap_mods_opattrs( tmpval.bv_val = uuidbuf; mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); + mod->sml_managing = 0; mod->sml_op = mop; mod->sml_flags = SLAP_MOD_INTERNAL; - mod->sml_type.bv_val = NULL; + BER_BVZERO( &mod->sml_type ); mod->sml_desc = slap_schema.si_ad_entryUUID; mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) ); ber_dupbv( &mod->sml_values[0], &tmpval ); - mod->sml_values[1].bv_len = 0; - mod->sml_values[1].bv_val = NULL; - assert( mod->sml_values[0].bv_val != NULL ); + BER_BVZERO( &mod->sml_values[1] ); + assert( !BER_BVISNULL( &mod->sml_values[0] ) ); mod->sml_nvalues = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) ); (*mod->sml_desc->ad_type->sat_equality->smr_normalize)( @@ -937,8 +937,7 @@ int slap_mods_opattrs( mod->sml_desc->ad_type->sat_syntax, mod->sml_desc->ad_type->sat_equality, mod->sml_values, mod->sml_nvalues, NULL ); - mod->sml_nvalues[1].bv_len = 0; - mod->sml_nvalues[1].bv_val = NULL; + BER_BVZERO( &mod->sml_nvalues[1] ); *modtail = mod; modtail = &mod->sml_next; } @@ -954,22 +953,21 @@ int slap_mods_opattrs( if ( mod == *modtail ) { mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); + mod->sml_managing = 0; mod->sml_op = mop; mod->sml_flags = SLAP_MOD_INTERNAL; - mod->sml_type.bv_val = NULL; + BER_BVZERO( &mod->sml_type ); mod->sml_desc = slap_schema.si_ad_creatorsName; mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) ); ber_dupbv( &mod->sml_values[0], &name ); - mod->sml_values[1].bv_len = 0; - mod->sml_values[1].bv_val = NULL; - assert( mod->sml_values[0].bv_val != NULL ); + BER_BVZERO( &mod->sml_values[1] ); + assert( !BER_BVISNULL( &mod->sml_values[0] ) ); mod->sml_nvalues = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) ); ber_dupbv( &mod->sml_nvalues[0], &nname ); - mod->sml_nvalues[1].bv_len = 0; - mod->sml_nvalues[1].bv_val = NULL; - assert( mod->sml_nvalues[0].bv_val != NULL ); + BER_BVZERO( &mod->sml_nvalues[1] ); + assert( !BER_BVISNULL( &mod->sml_nvalues[0] ) ); *modtail = mod; modtail = &mod->sml_next; } @@ -985,16 +983,16 @@ int slap_mods_opattrs( if ( mod == *modtail ) { mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); + mod->sml_managing = 0; mod->sml_op = mop; mod->sml_flags = SLAP_MOD_INTERNAL; - mod->sml_type.bv_val = NULL; + BER_BVZERO( &mod->sml_type ); mod->sml_desc = slap_schema.si_ad_createTimestamp; mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) ); ber_dupbv( &mod->sml_values[0], ×tamp ); - mod->sml_values[1].bv_len = 0; - mod->sml_values[1].bv_val = NULL; - assert( mod->sml_values[0].bv_val != NULL ); + BER_BVZERO( &mod->sml_values[1] ); + assert( !BER_BVISNULL( &mod->sml_values[0] ) ); mod->sml_nvalues = NULL; *modtail = mod; modtail = &mod->sml_next; @@ -1004,15 +1002,15 @@ int slap_mods_opattrs( if ( SLAP_LASTMOD( op->o_bd ) ) { mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); + mod->sml_managing = 0; mod->sml_op = mop; mod->sml_flags = SLAP_MOD_INTERNAL; - mod->sml_type.bv_val = NULL; + BER_BVZERO( &mod->sml_type ); mod->sml_desc = slap_schema.si_ad_entryCSN; mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) ); ber_dupbv( &mod->sml_values[0], &csn ); - mod->sml_values[1].bv_len = 0; - mod->sml_values[1].bv_val = NULL; - assert( mod->sml_values[0].bv_val != NULL ); + BER_BVZERO( &mod->sml_values[1] ); + assert( !BER_BVISNULL( &mod->sml_values[0] ) ); mod->sml_nvalues = NULL; *modtail = mod; modtail = &mod->sml_next; @@ -1028,21 +1026,20 @@ int slap_mods_opattrs( if ( mod == *modtail ) { mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); + mod->sml_managing = 0; mod->sml_op = mop; mod->sml_flags = SLAP_MOD_INTERNAL; - mod->sml_type.bv_val = NULL; + BER_BVZERO( &mod->sml_type ); mod->sml_desc = slap_schema.si_ad_modifiersName; mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) ); ber_dupbv( &mod->sml_values[0], &name ); - mod->sml_values[1].bv_len = 0; - mod->sml_values[1].bv_val = NULL; - assert( mod->sml_values[0].bv_val != NULL ); + BER_BVZERO( &mod->sml_values[1] ); + assert( !BER_BVISNULL( &mod->sml_values[0] ) ); mod->sml_nvalues = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) ); ber_dupbv( &mod->sml_nvalues[0], &nname ); - mod->sml_nvalues[1].bv_len = 0; - mod->sml_nvalues[1].bv_val = NULL; - assert( mod->sml_nvalues[0].bv_val != NULL ); + BER_BVZERO( &mod->sml_nvalues[1] ); + assert( !BER_BVISNULL( &mod->sml_nvalues[0] ) ); *modtail = mod; modtail = &mod->sml_next; } @@ -1058,15 +1055,15 @@ int slap_mods_opattrs( if ( mod == *modtail ) { mod = (Modifications *) ch_malloc( sizeof( Modifications ) ); + mod->sml_managing = 0; mod->sml_op = mop; mod->sml_flags = SLAP_MOD_INTERNAL; - mod->sml_type.bv_val = NULL; + BER_BVZERO( &mod->sml_type ); mod->sml_desc = slap_schema.si_ad_modifyTimestamp; mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) ); ber_dupbv( &mod->sml_values[0], ×tamp ); - mod->sml_values[1].bv_len = 0; - mod->sml_values[1].bv_val = NULL; - assert( mod->sml_values[0].bv_val != NULL ); + BER_BVZERO( &mod->sml_values[1] ); + assert( !BER_BVISNULL( &mod->sml_values[0] ) ); mod->sml_nvalues = NULL; *modtail = mod; modtail = &mod->sml_next; -- 2.39.5