mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-01-30 13:30:57 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add SLAP_MOD_INTERNAL flag to Modifications, allow internal ops to bypass

Browse Source 
ACL checks when modifying user-modifiable attributes as non-root user.
This commit is contained in:
Howard Chu 2005-06-04 09:44:39 +00:00
parent 43ffb3f235
commit 8f58409749
14 changed files with 61 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
servers/slapd/acl.c
View File

@ -2259,6 +2259,16 @@ acl_check_modlist(
}
for ( ; mlist != NULL; mlist = mlist->sml_next ) {
/*
* Internal mods are ignored by ACL_WRITE checking
*/
if ( mlist->sml_flags & SLAP_MOD_INTERNAL ) {
Debug( LDAP_DEBUG_ACL, "acl: internal mod %s:"
" modify access granted\n",
mlist->sml_desc->ad_cname.bv_val, 0, 0 );
continue;
}
/*
* no-user-modification operational attributes are ignored
* by ACL_WRITE checking as any found here are not provided

2
servers/slapd/add.c
View File

@ -120,6 +120,7 @@ do_add( Operation *op, SlapReply *rs )
mod = (Modifications *) ch_malloc( sizeof(Modifications) );
mod->sml_op = LDAP_MOD_ADD;
mod->sml_flags = 0;
mod->sml_next = NULL;
mod->sml_desc = NULL;
mod->sml_type = tmp.sml_type;
@ -612,6 +613,7 @@ slap_entry2mods(
mod = (Modifications *) malloc( sizeof( Modifications ));
mod->sml_op = LDAP_MOD_REPLACE;
mod->sml_flags = 0;
mod->sml_type = a_new_desc->ad_cname;

8
servers/slapd/modify.c
View File

@ -104,6 +104,7 @@ do_modify(
mod = (Modifications *) ch_malloc( sizeof(Modifications) );
mod->sml_op = mop;
mod->sml_flags = 0;
mod->sml_type = tmp.sml_type;
mod->sml_values = tmp.sml_values;
mod->sml_nvalues = NULL;
@ -894,6 +895,7 @@ int slap_mods_opattrs(
mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
mod->sml_op = mop;
mod->sml_flags = SLAP_MOD_INTERNAL;
mod->sml_type.bv_val = NULL;
mod->sml_desc = slap_schema.si_ad_structuralObjectClass;
mod->sml_values =
@ -920,6 +922,7 @@ int slap_mods_opattrs(
mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
mod->sml_op = mop;
mod->sml_flags = SLAP_MOD_INTERNAL;
mod->sml_type.bv_val = NULL;
mod->sml_desc = slap_schema.si_ad_entryUUID;
mod->sml_values =
@ -942,6 +945,7 @@ int slap_mods_opattrs(
mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
mod->sml_op = mop;
mod->sml_flags = SLAP_MOD_INTERNAL;
mod->sml_type.bv_val = NULL;
mod->sml_desc = slap_schema.si_ad_creatorsName;
mod->sml_values =
@ -961,6 +965,7 @@ int slap_mods_opattrs(
mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
mod->sml_op = mop;
mod->sml_flags = SLAP_MOD_INTERNAL;
mod->sml_type.bv_val = NULL;
mod->sml_desc = slap_schema.si_ad_createTimestamp;
mod->sml_values =
@ -978,6 +983,7 @@ int slap_mods_opattrs(
if ( SLAP_LASTMOD( op->o_bd )) {
mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
mod->sml_op = mop;
mod->sml_flags = SLAP_MOD_INTERNAL;
mod->sml_type.bv_val = NULL;
mod->sml_desc = slap_schema.si_ad_entryCSN;
mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
@ -991,6 +997,7 @@ int slap_mods_opattrs(
mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
mod->sml_op = mop;
mod->sml_flags = SLAP_MOD_INTERNAL;
mod->sml_type.bv_val = NULL;
mod->sml_desc = slap_schema.si_ad_modifiersName;
mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
@ -1009,6 +1016,7 @@ int slap_mods_opattrs(
mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
mod->sml_op = mop;
mod->sml_flags = SLAP_MOD_INTERNAL;
mod->sml_type.bv_val = NULL;
mod->sml_desc = slap_schema.si_ad_modifyTimestamp;
mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );

2
servers/slapd/modrdn.c
View File

@ -480,6 +480,7 @@ slap_modrdn2mods(
mod_tmp->sml_nvalues = NULL;
}
mod_tmp->sml_op = SLAP_MOD_SOFTADD;
mod_tmp->sml_flags = SLAP_MOD_INTERNAL;
mod_tmp->sml_next = mod;
mod = mod_tmp;
}
@ -534,6 +535,7 @@ slap_modrdn2mods(
mod_tmp->sml_nvalues = NULL;
}
mod_tmp->sml_op = LDAP_MOD_DELETE;
mod_tmp->sml_flags = SLAP_MOD_INTERNAL;
mod_tmp->sml_next = mod;
mod = mod_tmp;
}

1
servers/slapd/overlays/pcache.c
View File

@ -854,6 +854,7 @@ remove_query_data (
vals[1].bv_val = NULL;
vals[1].bv_len = 0;
mod.sml_op = LDAP_MOD_DELETE;
mod.sml_flags = 0;
mod.sml_desc = ad_queryid;
mod.sml_type = ad_queryid->ad_cname;
mod.sml_values = vals;

11
servers/slapd/overlays/ppolicy.c
View File

@ -238,6 +238,7 @@ account_locked( Operation *op, Entry *e,
m = ch_calloc( sizeof(Modifications), 1 );
m->sml_op = LDAP_MOD_DELETE;
m->sml_flags = 0;
m->sml_type = ad_pwdAccountLockedTime->ad_cname;
m->sml_desc = ad_pwdAccountLockedTime;
m->sml_next = *mod;
@ -713,6 +714,7 @@ ppolicy_bind_resp( Operation *op, SlapReply *rs )
m = ch_calloc( sizeof(Modifications), 1 );
m->sml_op = LDAP_MOD_ADD;
m->sml_flags = 0;
m->sml_type = ad_pwdFailureTime->ad_cname;
m->sml_desc = ad_pwdFailureTime;
m->sml_values = ch_calloc( sizeof(struct berval), 2 );
@ -759,6 +761,7 @@ ppolicy_bind_resp( Operation *op, SlapReply *rs )
*/
m = ch_calloc( sizeof(Modifications), 1 );
m->sml_op = LDAP_MOD_REPLACE;
m->sml_flags = 0;
m->sml_type = ad_pwdAccountLockedTime->ad_cname;
m->sml_desc = ad_pwdAccountLockedTime;
m->sml_values = ch_calloc( sizeof(struct berval), 2 );
@ -774,6 +777,7 @@ ppolicy_bind_resp( Operation *op, SlapReply *rs )
if ( attr_find( e->e_attrs, ad_pwdFailureTime )) {
m = ch_calloc( sizeof(Modifications), 1 );
m->sml_op = LDAP_MOD_DELETE;
m->sml_flags = 0;
m->sml_type = ad_pwdFailureTime->ad_cname;
m->sml_desc = ad_pwdFailureTime;
m->sml_next = mod;
@ -859,6 +863,7 @@ grace:
*/
m = ch_calloc( sizeof(Modifications), 1 );
m->sml_op = LDAP_MOD_ADD;
m->sml_flags = 0;
m->sml_type = ad_pwdGraceUseTime->ad_cname;
m->sml_desc = ad_pwdGraceUseTime;
m->sml_values = ch_calloc( sizeof(struct berval), 2 );
@ -1299,6 +1304,7 @@ ppolicy_modify( Operation *op, SlapReply *rs )
if (pp.pwdSafeModify && oldpw.bv_val ) {
ml = (Modifications *) ch_malloc( sizeof( Modifications ) );
ml->sml_op = LDAP_MOD_DELETE;
ml->sml_flags = SLAP_MOD_INTERNAL;
ml->sml_desc = pp.ad;
ml->sml_type = pp.ad->ad_cname;
ml->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
@ -1467,6 +1473,7 @@ do_modify:
mods->sml_op = LDAP_MOD_DELETE;
mods->sml_values = NULL;
}
mods->sml_flags = SLAP_MOD_INTERNAL;
mods->sml_nvalues = NULL;
mods->sml_next = NULL;
modtail->sml_next = mods;
@ -1475,6 +1482,7 @@ do_modify:
if (attr_find(e->e_attrs, ad_pwdGraceUseTime )) {
mods = (Modifications *) ch_malloc( sizeof( Modifications ) );
mods->sml_op = LDAP_MOD_DELETE;
mods->sml_flags = SLAP_MOD_INTERNAL;
mods->sml_type.bv_val = NULL;
mods->sml_desc = ad_pwdGraceUseTime;
mods->sml_values = NULL;
@ -1488,6 +1496,7 @@ do_modify:
if ((zapReset) && (attr_find(e->e_attrs, ad_pwdReset ))) {
mods = (Modifications *) ch_malloc( sizeof( Modifications ) );
mods->sml_op = LDAP_MOD_DELETE;
mods->sml_flags = SLAP_MOD_INTERNAL;
mods->sml_type.bv_val = NULL;
mods->sml_desc = ad_pwdReset;
mods->sml_values = NULL;
@ -1517,6 +1526,7 @@ do_modify:
*/
mods = (Modifications *) ch_malloc( sizeof( Modifications ) );
mods->sml_op = LDAP_MOD_DELETE;
mods->sml_flags = SLAP_MOD_INTERNAL;
mods->sml_type.bv_val = NULL;
mods->sml_desc = ad_pwdHistory;
mods->sml_nvalues = NULL;
@ -1549,6 +1559,7 @@ do_modify:
if ((pa = attr_find( e->e_attrs, pp.ad )) != NULL) {
mods = (Modifications *) ch_malloc( sizeof( Modifications ) );
mods->sml_op = LDAP_MOD_ADD;
mods->sml_flags = SLAP_MOD_INTERNAL;
mods->sml_type.bv_val = NULL;
mods->sml_desc = ad_pwdHistory;
mods->sml_nvalues = NULL;

4
servers/slapd/overlays/refint.c
View File

@ -291,6 +291,7 @@ refint_delete_cb(
mp->sml_values[1].bv_val = mp->sml_nvalues[1].bv_val = NULL;
mp->sml_op = LDAP_MOD_ADD;
mp->sml_flags = 0;
ber_dupbv(&mp->sml_values[0], &dd->nothing);
ber_dupbv(&mp->sml_nvalues[0], &dd->nnothing);
mp->sml_next = ma;
@ -305,6 +306,7 @@ refint_delete_cb(
mp->sml_values[1].bv_len = mp->sml_nvalues[1].bv_len = 0;
mp->sml_values[1].bv_val = mp->sml_nvalues[1].bv_val = NULL;
mp->sml_op = LDAP_MOD_DELETE;
mp->sml_flags = 0;
ber_dupbv(&mp->sml_values[0], &dd->dn);
ber_dupbv(&mp->sml_nvalues[0], &mp->sml_values[0]);
mp->sml_next = ma;
@ -389,6 +391,7 @@ refint_modrdn_cb(
}
mp = ch_malloc(sizeof(Modifications));
mp->sml_op = LDAP_MOD_ADD;
mp->sml_flags = 0;
mp->sml_desc = ia->attr; /* XXX */
mp->sml_type = ia->attr->ad_cname;
mp->sml_values = ch_malloc(2 * sizeof(BerValue));
@ -401,6 +404,7 @@ refint_modrdn_cb(
ip->mm = mp;
mp = ch_malloc(sizeof(Modifications));
mp->sml_op = LDAP_MOD_DELETE;
mp->sml_flags = 0;
mp->sml_desc = ia->attr; /* XXX */
mp->sml_type = ia->attr->ad_cname;
mp->sml_values = ch_malloc(2 * sizeof(BerValue));

1
servers/slapd/overlays/syncprov.c
View File

@ -1151,6 +1151,7 @@ syncprov_checkpoint( Operation *op, SlapReply *rs, slap_overinst *on )
mod.sml_nvalues = NULL;
mod.sml_desc = slap_schema.si_ad_contextCSN;
mod.sml_op = LDAP_MOD_REPLACE;
mod.sml_flags = 0;
mod.sml_next = NULL;
cb.sc_response = slap_null_cb;

1
servers/slapd/passwd.c
View File

@ -213,6 +213,7 @@ int passwd_extop(
ml->sml_nvalues = NULL;
ml->sml_desc = slap_schema.si_ad_userPassword;
ml->sml_op = LDAP_MOD_REPLACE;
ml->sml_flags = 0;
ml->sml_next = qpw->rs_mods;
qpw->rs_mods = ml;

1
servers/slapd/sasl.c
View File

@ -369,6 +369,7 @@ slap_auxprop_store(
for (i=0; pr[i].name; i++) {
mod = (Modifications *)ch_malloc( sizeof(Modifications) );
mod->sml_op = LDAP_MOD_REPLACE;
mod->sml_flags = 0;
ber_str2bv( pr[i].name, 0, 0, &mod->sml_type );
mod->sml_values = (struct berval *)ch_malloc( (pr[i].nvalues + 1) *
sizeof(struct berval));

9
servers/slapd/slap.h
View File

@ -1145,7 +1145,13 @@ typedef struct slap_entry {
* A list of LDAPMods
*/
typedef struct slap_mod {
int sm_op;
short sm_op;
short sm_flags;
/* Set for internal mods, will bypass ACL checks. Only needed when
* running as non-root user, for user modifiable attributes.
*/
#define SLAP_MOD_INTERNAL 0x01
AttributeDescription *sm_desc;
struct berval sm_type;
BerVarray sm_values;
@ -1155,6 +1161,7 @@ typedef struct slap_mod {
typedef struct slap_mod_list {
Modification sml_mod;
#define sml_op sml_mod.sm_op
#define sml_flags sml_mod.sm_flags
#define sml_desc sml_mod.sm_desc
#define sml_type sml_mod.sm_type
#define sml_values sml_mod.sm_values

4
servers/slapd/slapi/slapi_ops.c
View File

@ -406,6 +406,7 @@ slapi_int_ldapmod_to_entry(
mod = (Modifications *) ch_malloc( sizeof(Modifications) );
mod->sml_op = LDAP_MOD_ADD;
mod->sml_flags = 0;
mod->sml_next = NULL;
mod->sml_desc = NULL;
mod->sml_type = tmp.sml_type;
@ -431,6 +432,7 @@ slapi_int_ldapmod_to_entry(
mod = (Modifications *) ch_malloc( sizeof(Modifications) );
mod->sml_op = LDAP_MOD_ADD;
mod->sml_flags = 0;
mod->sml_next = NULL;
mod->sml_desc = NULL;
mod->sml_type = tmp.sml_type;
@ -965,6 +967,7 @@ slapi_modify_internal(
mod = (Modifications *)ch_malloc( sizeof(Modifications) );
mod->sml_op = pMod->mod_op & LDAP_MOD_OP;
mod->sml_flags = 0;
mod->sml_next = NULL;
mod->sml_desc = NULL;
mod->sml_type = tmp.sml_type;
@ -982,6 +985,7 @@ slapi_modify_internal(
mod = (Modifications *) ch_malloc( sizeof(Modifications) );
mod->sml_op = pMod->mod_op & LDAP_MOD_OP;
mod->sml_flags = 0;
mod->sml_next = NULL;
mod->sml_desc = NULL;
mod->sml_type = tmp.sml_type;

3
servers/slapd/slapi/slapi_utils.c
View File

@ -604,6 +604,7 @@ slapi_entry_add_values( Slapi_Entry *e, const char *type, struct berval **vals )
char textbuf[SLAP_TEXT_BUFLEN];
mod.sm_op = LDAP_MOD_ADD;
mod.sm_flags = 0;
mod.sm_desc = NULL;
mod.sm_type.bv_val = (char *)type;
mod.sm_type.bv_len = strlen( type );
@ -676,6 +677,7 @@ slapi_entry_delete_values( Slapi_Entry *e, const char *type, struct berval **val
char textbuf[SLAP_TEXT_BUFLEN];
mod.sm_op = LDAP_MOD_DELETE;
mod.sm_flags = 0;
mod.sm_desc = NULL;
mod.sm_type.bv_val = (char *)type;
mod.sm_type.bv_len = strlen( type );
@ -3524,6 +3526,7 @@ Modifications *slapi_int_ldapmods2modifications (LDAPMod **mods)
mod = (Modifications *) ch_malloc( sizeof(Modifications) );
mod->sml_op = (*modp)->mod_op & (~LDAP_MOD_BVALUES);
mod->sml_flags = 0;
mod->sml_type.bv_val = (*modp)->mod_type;
mod->sml_type.bv_len = strlen( mod->sml_type.bv_val );
mod->sml_desc = NULL;

5
servers/slapd/syncrepl.c
View File

@ -1094,6 +1094,7 @@ syncrepl_message_to_entry(
mod = (Modifications *) ch_malloc( sizeof( Modifications ));
mod->sml_op = LDAP_MOD_REPLACE;
mod->sml_flags = 0;
mod->sml_next = NULL;
mod->sml_desc = NULL;
mod->sml_type = tmp.sml_type;
@ -1470,6 +1471,7 @@ retry_add:;
for ( i = 0; i < dni.attrs; i++ ) {
mod = ch_malloc( sizeof( Modifications ) );
mod->sml_op = LDAP_MOD_DELETE;
mod->sml_flags = 0;
mod->sml_desc = dni.ads[i];
mod->sml_type = mod->sml_desc->ad_cname;
mod->sml_values = NULL;
@ -1496,6 +1498,7 @@ retry_add:;
mod = (Modifications *)ch_calloc(1, sizeof(Modifications));
mod->sml_op = LDAP_MOD_REPLACE;
mod->sml_flags = 0;
mod->sml_desc = slap_schema.si_ad_entryUUID;
mod->sml_type = mod->sml_desc->ad_cname;
ber_dupbv( &uuid_bv, &syncUUID_strrep );
@ -1676,6 +1679,7 @@ syncrepl_del_nonpresent(
if ( rs_delete.sr_err == LDAP_NOT_ALLOWED_ON_NONLEAF ) {
Modifications mod1, mod2;
mod1.sml_op = LDAP_MOD_REPLACE;
mod1.sml_flags = 0;
mod1.sml_desc = slap_schema.si_ad_objectClass;
mod1.sml_type = mod1.sml_desc->ad_cname;
mod1.sml_values = &gcbva[0];
@ -1683,6 +1687,7 @@ syncrepl_del_nonpresent(
mod1.sml_next = &mod2;
mod2.sml_op = LDAP_MOD_REPLACE;
mod2.sml_flags = 0;
mod2.sml_desc = slap_schema.si_ad_structuralObjectClass;
mod2.sml_type = mod2.sml_desc->ad_cname;
mod2.sml_values = &gcbva[1];