mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2024-12-21 03:10:25 +08:00
Code Issues Packages Projects Releases Wiki Activity

non-root add/delete of entries rooted at '' checks children write permission

Browse Source
This commit is contained in:
Pierangelo Masarati 2001-11-14 16:08:59 +00:00
parent 90a60edef9
commit 8c2ed9c809
2 changed files with 83 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
servers/slapd/back-ldbm/add.c
View File

@ -209,25 +209,58 @@ ldbm_back_add(
} }
/* no parent, must be adding entry to root */ /* no parent, must be adding entry to root */
if ( !be_isroot( be, op->o_ndn ) && !be_issuffix( be, "" ) ) { if ( !be_isroot( be, op->o_ndn ) ) {
if ( be_issuffix( be, "" ) ) {
static const Entry rootp = { NOID, "", "", NULL, NULL };
p = (Entry *)&rootp;
rc = access_allowed( be, conn, op, p,
children, NULL, ACL_WRITE );
p = NULL;
if ( ! rc ) {
ldap_pvt_thread_mutex_unlock(&li->li_add_mutex);
#ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
"ldbm_back_add: No write "
"access to parent (\"\").\n" ));
#else
Debug( LDAP_DEBUG_TRACE,
"no write access to parent\n",
0, 0, 0 );
#endif
send_ldap_result( conn, op,
LDAP_INSUFFICIENT_ACCESS,
NULL,
"no write access to parent",
NULL, NULL );
return -1;
}
} else {
ldap_pvt_thread_mutex_unlock(&li->li_add_mutex); ldap_pvt_thread_mutex_unlock(&li->li_add_mutex);
#ifdef NEW_LOGGING #ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_ERR, LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
"ldbm_back_add: %s add denied.\n", "ldbm_back_add: %s add denied.\n",
pdn == NULL ? "suffix" : "entry at root" )); pdn == NULL ? "suffix"
: "entry at root" ));
#else #else
Debug( LDAP_DEBUG_TRACE, "%s add denied\n", Debug( LDAP_DEBUG_TRACE, "%s add denied\n",
pdn == NULL ? "suffix" : "entry at root", pdn == NULL ? "suffix"
0, 0 ); : "entry at root", 0, 0 );
#endif #endif
send_ldap_result( conn, op,
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL ); NULL, NULL, NULL, NULL );
return -1; return -1;
} }
}
/* /*
* no parent, acquire the root write lock * no parent, acquire the root write lock

41
servers/slapd/back-ldbm/delete.c
View File

@ -153,22 +153,51 @@ ldbm_back_delete(
} else { } else {
/* no parent, must be root to delete */ /* no parent, must be root to delete */
if( ! be_isroot( be, op->o_ndn ) && ! be_issuffix( be, "" ) ) { if( ! be_isroot( be, op->o_ndn ) ) {
if ( be_issuffix( be, "" ) ) {
static const Entry rootp = { NOID, "", "", NULL, NULL };
p = (Entry *)&rootp;
rc = access_allowed( be, conn, op, p,
children, NULL, ACL_WRITE );
p = NULL;
/* check parent for "children" acl */
if ( ! rc ) {
#ifdef NEW_LOGGING #ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_ERR, LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
"ldbm_back_delete: (%s) has no parent & not a root.\n", "ldbm_back_delete: no access "
dn )); "to parent of ("")\n" ));
#else #else
Debug( LDAP_DEBUG_TRACE, Debug( LDAP_DEBUG_TRACE,
"<=- ldbm_back_delete: no parent & not root\n", "<=- ldbm_back_delete: no "
0, 0, 0); "access to parent\n", 0, 0, 0 );
#endif #endif
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, send_ldap_result( conn, op,
LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL ); NULL, NULL, NULL, NULL );
goto return_results; goto return_results;
} }
} else {
#ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
"ldbm_back_delete: (%s) has no "
"parent & not a root.\n", dn ));
#else
Debug( LDAP_DEBUG_TRACE,
"<=- ldbm_back_delete: no parent & "
"not root\n", 0, 0, 0);
#endif
send_ldap_result( conn, op,
LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
goto return_results;
}
}
ldap_pvt_thread_mutex_lock(&li->li_root_mutex); ldap_pvt_thread_mutex_lock(&li->li_root_mutex);
rootlock = 1; rootlock = 1;
} }