non-root add/delete of entries rooted at '' checks children write permission
This commit is contained in:
parent
90a60edef9
commit
8c2ed9c809
@ -209,24 +209,57 @@ ldbm_back_add(
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* no parent, must be adding entry to root */
|
/* no parent, must be adding entry to root */
|
||||||
if ( !be_isroot( be, op->o_ndn ) && !be_issuffix( be, "" ) ) {
|
if ( !be_isroot( be, op->o_ndn ) ) {
|
||||||
ldap_pvt_thread_mutex_unlock(&li->li_add_mutex);
|
if ( be_issuffix( be, "" ) ) {
|
||||||
|
static const Entry rootp = { NOID, "", "", NULL, NULL };
|
||||||
|
p = (Entry *)&rootp;
|
||||||
|
|
||||||
|
rc = access_allowed( be, conn, op, p,
|
||||||
|
children, NULL, ACL_WRITE );
|
||||||
|
p = NULL;
|
||||||
|
|
||||||
|
if ( ! rc ) {
|
||||||
|
ldap_pvt_thread_mutex_unlock(&li->li_add_mutex);
|
||||||
|
|
||||||
#ifdef NEW_LOGGING
|
#ifdef NEW_LOGGING
|
||||||
LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
|
LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
|
||||||
"ldbm_back_add: %s add denied.\n",
|
"ldbm_back_add: No write "
|
||||||
pdn == NULL ? "suffix" : "entry at root" ));
|
"access to parent (\"\").\n" ));
|
||||||
#else
|
#else
|
||||||
Debug( LDAP_DEBUG_TRACE, "%s add denied\n",
|
Debug( LDAP_DEBUG_TRACE,
|
||||||
pdn == NULL ? "suffix" : "entry at root",
|
"no write access to parent\n",
|
||||||
0, 0 );
|
0, 0, 0 );
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
send_ldap_result( conn, op,
|
||||||
|
LDAP_INSUFFICIENT_ACCESS,
|
||||||
|
NULL,
|
||||||
|
"no write access to parent",
|
||||||
|
NULL, NULL );
|
||||||
|
|
||||||
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
|
return -1;
|
||||||
NULL, NULL, NULL, NULL );
|
}
|
||||||
|
|
||||||
return -1;
|
} else {
|
||||||
|
ldap_pvt_thread_mutex_unlock(&li->li_add_mutex);
|
||||||
|
|
||||||
|
#ifdef NEW_LOGGING
|
||||||
|
LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
|
||||||
|
"ldbm_back_add: %s add denied.\n",
|
||||||
|
pdn == NULL ? "suffix"
|
||||||
|
: "entry at root" ));
|
||||||
|
#else
|
||||||
|
Debug( LDAP_DEBUG_TRACE, "%s add denied\n",
|
||||||
|
pdn == NULL ? "suffix"
|
||||||
|
: "entry at root", 0, 0 );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
send_ldap_result( conn, op,
|
||||||
|
LDAP_INSUFFICIENT_ACCESS,
|
||||||
|
NULL, NULL, NULL, NULL );
|
||||||
|
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
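Review bot: `p = (Entry *)&rootp;` casts away `const` from a `static const Entry` and hands it to `access_allowed( be, conn, op, p, children, NULL, ACL_WRITE );`; if anything on the ACL evaluation path writes through the entry, that is undefined behaviour on a const-defined object and, because the object is a process-wide static, a cross-thread race as well. A stack-local `Entry rootp = { NOID, "", "", NULL, NULL }; p = &rootp;` costs nothing here and removes both concerns. The positional initializer also depends on the field order of `Entry`, which is not visible in this hunk; designated initializers would make the intent explicit if the project's compiler baseline permits them. The same construct appears in the ldbm_back_delete hunk below. The body of ldbm_back_add continues on both sides of this hunk.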
@ -153,20 +153,49 @@ ldbm_back_delete(
|
|||||||
|
|
||||||
} else {
|
} else {
|
||||||
/* no parent, must be root to delete */
|
/* no parent, must be root to delete */
|
||||||
if( ! be_isroot( be, op->o_ndn ) && ! be_issuffix( be, "" ) ) {
|
if( ! be_isroot( be, op->o_ndn ) ) {
|
||||||
|
if ( be_issuffix( be, "" ) ) {
|
||||||
|
static const Entry rootp = { NOID, "", "", NULL, NULL };
|
||||||
|
p = (Entry *)&rootp;
|
||||||
|
|
||||||
|
rc = access_allowed( be, conn, op, p,
|
||||||
|
children, NULL, ACL_WRITE );
|
||||||
|
p = NULL;
|
||||||
|
|
||||||
|
/* check parent for "children" acl */
|
||||||
|
if ( ! rc ) {
|
||||||
#ifdef NEW_LOGGING
|
#ifdef NEW_LOGGING
|
||||||
LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
|
LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
|
||||||
"ldbm_back_delete: (%s) has no parent & not a root.\n",
|
"ldbm_back_delete: no access "
|
||||||
dn ));
|
"to parent of ("")\n" ));
|
||||||
#else
|
#else
|
||||||
Debug( LDAP_DEBUG_TRACE,
|
Debug( LDAP_DEBUG_TRACE,
|
||||||
"<=- ldbm_back_delete: no parent & not root\n",
|
"<=- ldbm_back_delete: no "
|
||||||
0, 0, 0);
|
"access to parent\n", 0, 0, 0 );
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
|
send_ldap_result( conn, op,
|
||||||
NULL, NULL, NULL, NULL );
|
LDAP_INSUFFICIENT_ACCESS,
|
||||||
goto return_results;
|
NULL, NULL, NULL, NULL );
|
||||||
|
goto return_results;
|
||||||
|
}
|
||||||
|
|
||||||
|
} else {
|
||||||
|
#ifdef NEW_LOGGING
|
||||||
|
LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
|
||||||
|
"ldbm_back_delete: (%s) has no "
|
||||||
|
"parent & not a root.\n", dn ));
|
||||||
|
#else
|
||||||
|
Debug( LDAP_DEBUG_TRACE,
|
||||||
|
"<=- ldbm_back_delete: no parent & "
|
||||||
|
"not root\n", 0, 0, 0);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
send_ldap_result( conn, op,
|
||||||
|
LDAP_INSUFFICIENT_ACCESS,
|
||||||
|
NULL, NULL, NULL, NULL );
|
||||||
|
goto return_results;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ldap_pvt_thread_mutex_lock(&li->li_root_mutex);
|
ldap_pvt_thread_mutex_lock(&li->li_root_mutex);
|
||||||
|
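Review bot: The new LDAP_LOG message `"to parent of ("")\n" ));` is two adjacent string literals, `"to parent of ("` and `")\n"`, so it logs `to parent of ()` rather than the intended quoted empty DN; the add hunk escapes the quotes as `"access to parent (\"\").\n"`, so this line should read `"to parent of (\"\")\n" ));`. The comment `/* check parent for "children" acl */` sits after the `access_allowed` call it describes and would read better above `rc = access_allowed( be, conn, op, p,`. For consistency with the add path, which returns `"no write access to parent"` as the result text, the denial here could carry the same text instead of `NULL`. The body of ldbm_back_delete continues on both sides of this hunk.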