add restrictions related to listeners in form of file permissions
(see in slapd(8) the description on how to enforce file permissions on sockets in the ldapi schema); at present, only user permissions are used, as follows: the url extension x-mod=-rwxrwxrwx is used; only the user permissions are considered, i.e. the first set of rwx; "r" means read is allowed from that listener; "w" means write is allowed on that listener; "x" means bind is not required on that listener. These restrictions ADD to those already present, and are actually checked AFTER the other restrictions, but BEFORE ACLs, so they can be used to apply gross restrictions but should not be viewed as a replacement of ACLs. To compile this, #define SLAP_X_LISTENER_MOD
This commit is contained in:
parent
6d199506bb
commit
97e526cb2d
@ -914,6 +914,14 @@ backend_check_restrictions(
|
||||
*text = "modifications require authentication";
|
||||
return LDAP_STRONG_AUTH_REQUIRED;
|
||||
}
|
||||
|
||||
#ifdef SLAP_X_LISTENER_MOD
|
||||
if ( ! ( conn->c_listener->sl_perms & S_IWUSR ) ) {
|
||||
/* no "w" mode means readonly */
|
||||
*text = "modifications not allowed on this listener";
|
||||
return LDAP_UNWILLING_TO_PERFORM;
|
||||
}
|
||||
#endif /* SLAP_X_LISTENER_MOD */
|
||||
}
|
||||
}
|
||||
|
||||
@ -964,6 +972,25 @@ backend_check_restrictions(
|
||||
return LDAP_OPERATIONS_ERROR;
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef SLAP_X_LISTENER_MOD
|
||||
if ( !starttls && op->o_dn.bv_len == 0 ) {
|
||||
if ( ! ( conn->c_listener->sl_perms & S_IXUSR ) ) {
|
||||
/* no "x" mode means bind required */
|
||||
*text = "bind required on this listener";
|
||||
return LDAP_CONFIDENTIALITY_REQUIRED;
|
||||
}
|
||||
}
|
||||
|
||||
if ( !starttls && !updateop ) {
|
||||
if ( ! ( conn->c_listener->sl_perms & S_IRUSR ) ) {
|
||||
/* no "r" mode means no read */
|
||||
*text = "read not allowed on this listener";
|
||||
return LDAP_UNWILLING_TO_PERFORM;
|
||||
}
|
||||
}
|
||||
#endif /* SLAP_X_LISTENER_MOD */
|
||||
|
||||
}
|
||||
|
||||
if( restrictops & opflag ) {
|
||||
|
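Review bot: The "x" check at `if ( !starttls && op->o_dn.bv_len == 0 )` will also see the bind request itself, whose o_dn is still empty at that point, unless backend_check_restrictions has already excluded LDAP_REQ_BIND above this hunk (the function starts and ends outside it); if it has not, a listener without "x" can never be bound to, which defeats the "bind required" intent and needs an exclusion such as `if ( !starttls && op->o_tag != LDAP_REQ_BIND && op->o_dn.bv_len == 0 )`. The result code is also inconsistent with the existing authentication check in the first hunk, which returns LDAP_STRONG_AUTH_REQUIRED for "modifications require authentication"; LDAP_CONFIDENTIALITY_REQUIRED here tells the client to use a protected transport rather than to bind. Both hunks dereference `conn->c_listener` unconditionally; if internal or fake connections can carry a NULL listener, these checks should be skipped when `conn->c_listener == NULL` rather than crash.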
@ -311,7 +311,7 @@ static void slap_free_listener_addresses(struct sockaddr **sal)
|
||||
ch_free(sal);
|
||||
}
|
||||
|
||||
#ifdef LDAP_PF_LOCAL
|
||||
#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD)
|
||||
static int get_url_perms(
|
||||
char **exts,
|
||||
mode_t *perms,
|
||||
@ -392,7 +392,7 @@ static int get_url_perms(
|
||||
|
||||
return LDAP_OTHER;
|
||||
}
|
||||
#endif /* LDAP_PF_LOCAL */
|
||||
#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */
|
||||
|
||||
/* port = 0 indicates AF_LOCAL */
|
||||
static int slap_get_listener_addresses(
|
||||
@ -587,13 +587,12 @@ static int slap_open_listener(
|
||||
struct sockaddr **sal, **psal;
|
||||
int socktype = SOCK_STREAM; /* default to COTS */
|
||||
|
||||
#ifdef LDAP_PF_LOCAL
|
||||
#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD)
|
||||
/*
|
||||
* use safe defaults
|
||||
*/
|
||||
mode_t perms = S_IRWXU;
|
||||
int crit = 1;
|
||||
#endif
|
||||
#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */
|
||||
|
||||
rc = ldap_url_parse( url, &lud );
|
||||
|
||||
@ -648,10 +647,6 @@ static int slap_open_listener(
|
||||
} else {
|
||||
err = slap_get_listener_addresses(lud->lud_host, 0, &sal);
|
||||
}
|
||||
|
||||
if ( lud->lud_exts ) {
|
||||
err = get_url_perms( lud->lud_exts, &perms, &crit );
|
||||
}
|
||||
#else
|
||||
|
||||
#ifdef NEW_LOGGING
|
||||
@ -677,6 +672,14 @@ static int slap_open_listener(
|
||||
}
|
||||
}
|
||||
|
||||
#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD)
|
||||
if ( lud->lud_exts ) {
|
||||
err = get_url_perms( lud->lud_exts, &l.sl_perms, &crit );
|
||||
} else {
|
||||
l.sl_perms = S_IRWXU;
|
||||
}
|
||||
#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */
|
||||
|
||||
ldap_free_urldesc( lud );
|
||||
if ( err ) {
|
||||
return -1;
|
||||
@ -820,7 +823,7 @@ static int slap_open_listener(
|
||||
#ifdef LDAP_PF_LOCAL
|
||||
case AF_LOCAL: {
|
||||
char *addr = ((struct sockaddr_un *)*sal)->sun_path;
|
||||
if ( chmod( addr, perms ) < 0 && crit ) {
|
||||
if ( chmod( addr, l.sl_perms ) < 0 && crit ) {
|
||||
int err = sock_errno();
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( CONNECTION, INFO,
|
||||
|
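Review bot: `l.sl_perms` is assigned here under `#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD)` and passed to chmod under `#ifdef LDAP_PF_LOCAL` in the last hunk, but the slap.h hunk declares `sl_perms` only under `#ifdef SLAP_X_LISTENER_MOD`, so a build with LDAP_PF_LOCAL and without SLAP_X_LISTENER_MOD no longer compiles now that the local `perms` variable has been removed. The guard on the struct member should match its use sites: `#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD)` … `#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */`. Since the member now drives both the socket mode and the per-listener restrictions, a comment on it would help: `/* mode bits from x-mod=; chmod'd onto AF_LOCAL sockets and, under SLAP_X_LISTENER_MOD, checked as r/w/x listener restrictions in backend_check_restrictions() */`. slap_open_listener starts and ends outside these hunks.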
@ -1731,6 +1731,9 @@ typedef struct slap_conn {
|
||||
struct slap_listener {
|
||||
struct berval sl_url;
|
||||
struct berval sl_name;
|
||||
#ifdef SLAP_X_LISTENER_MOD
|
||||
mode_t sl_perms;
|
||||
#endif /* SLAP_X_LISTENER_MOD */
|
||||
#ifdef HAVE_TLS
|
||||
int sl_is_tls;
|
||||
#endif
|
||||
|