non-root add/delete of entries rooted at '' checks children write permission

This commit is contained in:
Pierangelo Masarati 2001-11-14 16:08:59 +00:00
parent 90a60edef9
commit 8c2ed9c809
2 changed files with 83 additions and 21 deletions

View File

@ -209,24 +209,57 @@ ldbm_back_add(
} }
/* no parent, must be adding entry to root */ /* no parent, must be adding entry to root */
if ( !be_isroot( be, op->o_ndn ) && !be_issuffix( be, "" ) ) { if ( !be_isroot( be, op->o_ndn ) ) {
ldap_pvt_thread_mutex_unlock(&li->li_add_mutex); if ( be_issuffix( be, "" ) ) {
static const Entry rootp = { NOID, "", "", NULL, NULL };
p = (Entry *)&rootp;
rc = access_allowed( be, conn, op, p,
children, NULL, ACL_WRITE );
p = NULL;
if ( ! rc ) {
ldap_pvt_thread_mutex_unlock(&li->li_add_mutex);
#ifdef NEW_LOGGING #ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_ERR, LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
"ldbm_back_add: %s add denied.\n", "ldbm_back_add: No write "
pdn == NULL ? "suffix" : "entry at root" )); "access to parent (\"\").\n" ));
#else #else
Debug( LDAP_DEBUG_TRACE, "%s add denied\n", Debug( LDAP_DEBUG_TRACE,
pdn == NULL ? "suffix" : "entry at root", "no write access to parent\n",
0, 0 ); 0, 0, 0 );
#endif #endif
send_ldap_result( conn, op,
LDAP_INSUFFICIENT_ACCESS,
NULL,
"no write access to parent",
NULL, NULL );
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, return -1;
NULL, NULL, NULL, NULL ); }
return -1; } else {
ldap_pvt_thread_mutex_unlock(&li->li_add_mutex);
#ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
"ldbm_back_add: %s add denied.\n",
pdn == NULL ? "suffix"
: "entry at root" ));
#else
Debug( LDAP_DEBUG_TRACE, "%s add denied\n",
pdn == NULL ? "suffix"
: "entry at root", 0, 0 );
#endif
send_ldap_result( conn, op,
LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
return -1;
}
} }
/* /*

View File

@ -153,20 +153,49 @@ ldbm_back_delete(
} else { } else {
/* no parent, must be root to delete */ /* no parent, must be root to delete */
if( ! be_isroot( be, op->o_ndn ) && ! be_issuffix( be, "" ) ) { if( ! be_isroot( be, op->o_ndn ) ) {
if ( be_issuffix( be, "" ) ) {
static const Entry rootp = { NOID, "", "", NULL, NULL };
p = (Entry *)&rootp;
rc = access_allowed( be, conn, op, p,
children, NULL, ACL_WRITE );
p = NULL;
/* check parent for "children" acl */
if ( ! rc ) {
#ifdef NEW_LOGGING #ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_ERR, LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
"ldbm_back_delete: (%s) has no parent & not a root.\n", "ldbm_back_delete: no access "
dn )); "to parent of ("")\n" ));
#else #else
Debug( LDAP_DEBUG_TRACE, Debug( LDAP_DEBUG_TRACE,
"<=- ldbm_back_delete: no parent & not root\n", "<=- ldbm_back_delete: no "
0, 0, 0); "access to parent\n", 0, 0, 0 );
#endif #endif
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, send_ldap_result( conn, op,
NULL, NULL, NULL, NULL ); LDAP_INSUFFICIENT_ACCESS,
goto return_results; NULL, NULL, NULL, NULL );
goto return_results;
}
} else {
#ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
"ldbm_back_delete: (%s) has no "
"parent & not a root.\n", dn ));
#else
Debug( LDAP_DEBUG_TRACE,
"<=- ldbm_back_delete: no parent & "
"not root\n", 0, 0, 0);
#endif
send_ldap_result( conn, op,
LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
goto return_results;
}
} }
ldap_pvt_thread_mutex_lock(&li->li_root_mutex); ldap_pvt_thread_mutex_lock(&li->li_root_mutex);