mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
non-root add/delete of entries rooted at '' checks children write permission
This commit is contained in:
parent
90a60edef9
commit
8c2ed9c809
@ -209,25 +209,58 @@ ldbm_back_add(
|
||||
}
|
||||
|
||||
/* no parent, must be adding entry to root */
|
||||
if ( !be_isroot( be, op->o_ndn ) && !be_issuffix( be, "" ) ) {
|
||||
if ( !be_isroot( be, op->o_ndn ) ) {
|
||||
if ( be_issuffix( be, "" ) ) {
|
||||
static const Entry rootp = { NOID, "", "", NULL, NULL };
|
||||
p = (Entry *)&rootp;
|
||||
|
||||
rc = access_allowed( be, conn, op, p,
|
||||
children, NULL, ACL_WRITE );
|
||||
p = NULL;
|
||||
|
||||
if ( ! rc ) {
|
||||
ldap_pvt_thread_mutex_unlock(&li->li_add_mutex);
|
||||
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
|
||||
"ldbm_back_add: No write "
|
||||
"access to parent (\"\").\n" ));
|
||||
#else
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"no write access to parent\n",
|
||||
0, 0, 0 );
|
||||
#endif
|
||||
|
||||
send_ldap_result( conn, op,
|
||||
LDAP_INSUFFICIENT_ACCESS,
|
||||
NULL,
|
||||
"no write access to parent",
|
||||
NULL, NULL );
|
||||
|
||||
return -1;
|
||||
}
|
||||
|
||||
} else {
|
||||
ldap_pvt_thread_mutex_unlock(&li->li_add_mutex);
|
||||
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
|
||||
"ldbm_back_add: %s add denied.\n",
|
||||
pdn == NULL ? "suffix" : "entry at root" ));
|
||||
pdn == NULL ? "suffix"
|
||||
: "entry at root" ));
|
||||
#else
|
||||
Debug( LDAP_DEBUG_TRACE, "%s add denied\n",
|
||||
pdn == NULL ? "suffix" : "entry at root",
|
||||
0, 0 );
|
||||
pdn == NULL ? "suffix"
|
||||
: "entry at root", 0, 0 );
|
||||
#endif
|
||||
|
||||
|
||||
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
|
||||
send_ldap_result( conn, op,
|
||||
LDAP_INSUFFICIENT_ACCESS,
|
||||
NULL, NULL, NULL, NULL );
|
||||
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* no parent, acquire the root write lock
|
||||
|
@ -153,22 +153,51 @@ ldbm_back_delete(
|
||||
|
||||
} else {
|
||||
/* no parent, must be root to delete */
|
||||
if( ! be_isroot( be, op->o_ndn ) && ! be_issuffix( be, "" ) ) {
|
||||
if( ! be_isroot( be, op->o_ndn ) ) {
|
||||
if ( be_issuffix( be, "" ) ) {
|
||||
static const Entry rootp = { NOID, "", "", NULL, NULL };
|
||||
p = (Entry *)&rootp;
|
||||
|
||||
rc = access_allowed( be, conn, op, p,
|
||||
children, NULL, ACL_WRITE );
|
||||
p = NULL;
|
||||
|
||||
/* check parent for "children" acl */
|
||||
if ( ! rc ) {
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
|
||||
"ldbm_back_delete: (%s) has no parent & not a root.\n",
|
||||
dn ));
|
||||
"ldbm_back_delete: no access "
|
||||
"to parent of ("")\n" ));
|
||||
#else
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"<=- ldbm_back_delete: no parent & not root\n",
|
||||
0, 0, 0);
|
||||
"<=- ldbm_back_delete: no "
|
||||
"access to parent\n", 0, 0, 0 );
|
||||
#endif
|
||||
|
||||
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
|
||||
send_ldap_result( conn, op,
|
||||
LDAP_INSUFFICIENT_ACCESS,
|
||||
NULL, NULL, NULL, NULL );
|
||||
goto return_results;
|
||||
}
|
||||
|
||||
} else {
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
|
||||
"ldbm_back_delete: (%s) has no "
|
||||
"parent & not a root.\n", dn ));
|
||||
#else
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"<=- ldbm_back_delete: no parent & "
|
||||
"not root\n", 0, 0, 0);
|
||||
#endif
|
||||
|
||||
send_ldap_result( conn, op,
|
||||
LDAP_INSUFFICIENT_ACCESS,
|
||||
NULL, NULL, NULL, NULL );
|
||||
goto return_results;
|
||||
}
|
||||
}
|
||||
|
||||
ldap_pvt_thread_mutex_lock(&li->li_root_mutex);
|
||||
rootlock = 1;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user