partially revert previous commit

This commit is contained in:
Pierangelo Masarati 2003-04-02 23:01:21 +00:00
parent 09b92f0aeb
commit 430077e2ed
3 changed files with 28 additions and 19 deletions


@ -124,10 +124,9 @@ INADDR_ANY.
A space separated list of URLs is expected. The URLs should be of
LDAP (ldap://) or LDAP over TLS (ldaps://) or LDAP over IPC (ldapi://)
scheme without a DN or other optional parameters, except an experimental
extension to indicate the permissions of the underlying socket, on those
OSes that honor them. Support for the
latter two schemes depends on selected configuration options. Hosts
may be specified by name or IPv4 and IPv6 address formats.
extension to indicate the permissions of the underlying listeners.
Support for the latter two schemes depends on selected configuration
options. Hosts may be specified by name or IPv4 and IPv6 address formats.
Ports, if specified, must be numeric. The default ldap:// port is 389
and the default ldaps:// port is 636.
The socket permissions for LDAP over IPC are indicated by
@ -135,14 +134,14 @@ The socket permissions for LDAP over IPC are indicated by
of the "rwx" can be "-" to suppress the related permission (note,
however, that sockets only honor the "w" permission), while any
of the "7" can be any legal octal digit, according to chmod(1).
The usage is a bit awkward: since on some systems write permission
("w") is required to be able to operate on the socket, it must always
be set to allow operations on the socket. As a consequence,
the meaning of the "r" field is to negate write access if present;
e.g., "x-mod=--wx---rw-" means "owner" can access read/write even
without binding (and subject to regular ACLs), while for "others"
bind is required, and the listener is read-only. "Group" permissions
are not considered at present.
While LDAP over IPC requires write permissions on the socket to allow
any operation, the other listeners can take advantage of the "x-mod"
extension to apply rough limitations to users, e.g. allow read operations
("r", which applies to search and compare), write operations ("w",
which applies to add, delete, modify and modrdn), and execute operations
("x", which means bind is required).
"User" permissions apply to bound users, while "other" apply
to anonymous users.
.TP
.BI \-r " directory"
Specifies a chroot "jail" directory. slapd will


@ -957,9 +957,8 @@ backend_check_restrictions(
}
#ifdef SLAP_X_LISTENER_MOD
if ( op->o_conn->c_listener && ( op->o_conn->c_listener->sl_perms & S_IRUSR ) ) {
/* "r" mode means readonly ( "w" is required
* to operate on a socket ...) */
if ( op->o_conn->c_listener && ! ( op->o_conn->c_listener->sl_perms & ( op->o_ndn.bv_len > 0 ? S_IWUSR : S_IWOTH ) ) ) {
/* no "w" mode means readonly */
rs->sr_text = "modifications not allowed on this listener";
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
return rs->sr_err;
@ -1023,13 +1022,22 @@ backend_check_restrictions(
#ifdef SLAP_X_LISTENER_MOD
if ( !starttls && op->o_dn.bv_len == 0 ) {
if ( op->o_conn->c_listener && ! ( op->o_conn->c_listener->sl_perms & S_IXUSR ) ) {
if ( op->o_conn->c_listener && ! ( op->o_conn->c_listener->sl_perms & S_IXOTH ) ) {
/* no "x" mode means bind required */
rs->sr_text = "bind required on this listener";
rs->sr_err = LDAP_STRONG_AUTH_REQUIRED;
return rs->sr_err;
}
}
if ( !starttls && !updateop ) {
if ( op->o_conn->c_listener && ! ( op->o_conn->c_listener->sl_perms & ( op->o_dn.bv_len > 0 ? S_IRUSR : S_IROTH ) ) ) {
/* no "r" mode means no read */
rs->sr_text = "read not allowed on this listener";
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
return rs->sr_err;
}
}
#endif /* SLAP_X_LISTENER_MOD */
}
@ -1102,7 +1110,7 @@ backend_group(
{
Entry *e;
Attribute *a;
int i, j, rc;
int rc;
GroupAssertion *g;
if ( op->o_abandon ) return SLAPD_ABANDON;
@ -1177,7 +1185,7 @@ backend_attribute(
{
Entry *e;
Attribute *a;
int i, j, rc;
int i, j, rc = LDAP_SUCCESS;
AccessControlState acl_state = ACL_STATE_INIT;
if ( target && dn_match( &target->e_nname, edn ) ) {
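Review bot: The write check in the first backend.c hunk chooses the user/other bit on `op->o_ndn.bv_len`, while the bind-required guard and the new read check in the second hunk test `op->o_dn.bv_len`; the same field should drive all three, otherwise one request could count as "user" for one permission and "other" for another. Either the normalized form everywhere, e.g. `( op->o_ndn.bv_len > 0 ? S_IRUSR : S_IROTH )` on the read check and `op->o_ndn.bv_len == 0` on the anonymous guard, or `op->o_dn` everywhere. The new read check fires for every operation that is neither StartTLS nor an update, whereas the manual page hunk in this commit says "r" applies to search and compare; if bind, unbind or other extended operations can reach this point (backend_check_restrictions starts and ends outside the hunk, so I cannot tell), a listener lacking "r" would refuse them with "read not allowed on this listener", which does not look intended. A comment such as `/* "r" covers every non-update request that reaches here, not just search/compare */` would at least make the actual scope visible to the next reader.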


@ -679,7 +679,7 @@ static int slap_open_listener(
if ( lud->lud_exts ) {
err = get_url_perms( lud->lud_exts, &l.sl_perms, &crit );
} else {
l.sl_perms = S_IWUSR | S_IXUSR; /* "r" means readonly ... */
l.sl_perms = S_IRWXU;
}
#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */
@ -826,6 +826,7 @@ static int slap_open_listener(
#ifdef LDAP_PF_LOCAL
case AF_LOCAL: {
char *addr = ((struct sockaddr_un *)*sal)->sun_path;
#if 0 /* don't muck with socket perms */
if ( chmod( addr, l.sl_perms ) < 0 && crit ) {
int err = sock_errno();
#ifdef NEW_LOGGING
@ -840,6 +841,7 @@ static int slap_open_listener(
slap_free_listener_addresses(psal);
return -1;
}
#endif
l.sl_name.bv_len = strlen(addr) + sizeof("PATH=") - 1;
l.sl_name.bv_val = ber_memalloc( l.sl_name.bv_len + 1 );
snprintf( l.sl_name.bv_val, l.sl_name.bv_len + 1,
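Review bot: The new default `l.sl_perms = S_IRWXU;` sets no "other" bits, and the listener checks added in backend.c by this same commit map anonymous requests to S_IXOTH, S_IROTH and S_IWOTH; so with SLAP_X_LISTENER_MOD compiled in, a listener whose URL carries no x-mod extension would answer every anonymous request with "bind required on this listener", unless a default is applied somewhere I cannot see. If an unadorned URL is meant to keep the previous behaviour and leave authorization to the ACLs, the default should include the "other" bits as well, e.g. `l.sl_perms = S_IRWXU | S_IRWXO; /* no listener-level restriction without x-mod; ACLs decide */`, and the manual page should state what the default is. Separately, with the chmod() call now under `#if 0`, the x-mod value no longer changes the filesystem mode of the ldapi:// socket, yet the manual page text in this commit still describes it as indicating the socket permissions; either the man text or the comment `/* don't muck with socket perms */` should say which applies.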