From 97e526cb2dcf5e485f0e130636afefeaf5b57447 Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Fri, 25 Oct 2002 16:43:44 +0000 Subject: [PATCH] add restrictions related to listeners in form of file permissions (see in slapd(8) the description on how to enforce file permissions on sockets in ldapi schema); at present, only user permissions are used as follows: the url extension x-mod=-rwxrwxrwx is used; only the user permisisons are considered, e.g. the first set of rwx; "r" means read is allowed from that listener "w" means write is allowed on that listener "x" means bind is not required on that listener these restrictions ADD to those already present, and are actually checked AFTER the other restrictions, but BEFORE ACLs, so they can be used to apply gross restrictions but should not be viewed as a replacement of ACLs. To compile this, #define SLAP_X_LISTENER_MOD --- servers/slapd/backend.c | 27 +++++++++++++++++++++++++++ servers/slapd/daemon.c | 23 +++++++++++++---------- servers/slapd/slap.h | 3 +++ 3 files changed, 43 insertions(+), 10 deletions(-) diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index 04fac3ccec..c71e1df78c 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c @@ -914,6 +914,14 @@ backend_check_restrictions( *text = "modifications require authentication"; return LDAP_STRONG_AUTH_REQUIRED; } + +#ifdef SLAP_X_LISTENER_MOD + if ( ! ( conn->c_listener->sl_perms & S_IWUSR ) ) { + /* no "w" mode means readonly */ + *text = "modifications not allowed on this listener"; + return LDAP_UNWILLING_TO_PERFORM; + } +#endif /* SLAP_X_LISTENER_MOD */ } } 
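Review bot: The new `S_IWUSR` check dereferences `conn->c_listener` with no NULL guard, and so do the two checks added in the `@@ -964,6 +972,25 @@` hunk; whether every caller of backend_check_restrictions hands in a connection that was accepted on a listener cannot be confirmed from this hunk, and a connection created internally without one would crash here. Decide explicitly whether such a connection is exempt from or refused by the listener restriction, and encode that as an explicit guard, e.g. `if ( conn->c_listener != NULL && !( conn->c_listener->sl_perms & S_IWUSR ) )` with a one-line comment stating the chosen policy, rather than leaving the dereference implicit. A comment at the top of the `#ifdef` block such as `/* listener "mode" bits: coarse per-listener restriction, evaluated before ACLs and not a substitute for them */` would carry the intent from the commit message into the code. backend_check_restrictions starts before this hunk.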
@@ -964,6 +972,25 @@ backend_check_restrictions( return LDAP_OPERATIONS_ERROR; } } + +#ifdef SLAP_X_LISTENER_MOD + if ( !starttls && op->o_dn.bv_len == 0 ) { + if ( ! ( conn->c_listener->sl_perms & S_IXUSR ) ) { + /* no "x" mode means bind required */ + *text = "bind required on this listener"; + return LDAP_CONFIDENTIALITY_REQUIRED; + } + } + + if ( !starttls && !updateop ) { + if ( ! ( conn->c_listener->sl_perms & S_IRUSR ) ) { + /* no "r" mode means no read */ + *text = "read not allowed on this listener"; + return LDAP_UNWILLING_TO_PERFORM; + } + } +#endif /* SLAP_X_LISTENER_MOD */ + } if( restrictops & opflag ) { diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c index fd1d84f8a9..128fe16119 100644 --- a/servers/slapd/daemon.c +++ b/servers/slapd/daemon.c @@ -311,7 +311,7 @@ static void slap_free_listener_addresses(struct sockaddr **sal) ch_free(sal); } -#ifdef LDAP_PF_LOCAL +#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD) static int get_url_perms( char **exts, mode_t *perms, @@ -392,7 +392,7 @@ static int get_url_perms( return LDAP_OTHER; } -#endif /* LDAP_PF_LOCAL */ +#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */ /* port = 0 indicates AF_LOCAL */ static int slap_get_listener_addresses( @@ -587,13 +587,12 @@ static int slap_open_listener( struct sockaddr **sal, **psal; int socktype = SOCK_STREAM; /* default to COTS */ -#ifdef LDAP_PF_LOCAL +#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD) /* * use safe defaults */ - mode_t perms = S_IRWXU; int crit = 1; -#endif +#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */ rc = ldap_url_parse( url, &lud ); @@ -648,10 +647,6 @@ static int slap_open_listener( } else { err = slap_get_listener_addresses(lud->lud_host, 0, &sal); } - - if ( lud->lud_exts ) { - err = get_url_perms( lud->lud_exts, &perms, &crit ); - } #else #ifdef NEW_LOGGING 
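Review bot: The anonymous-connection check in the new `S_IXUSR` block returns `LDAP_CONFIDENTIALITY_REQUIRED` with the text "bind required on this listener", which tells the client to negotiate TLS rather than to authenticate; the existing authentication check in this function (the "modifications require authentication" path in the previous hunk) returns `LDAP_STRONG_AUTH_REQUIRED`, and the new check should use the same, `return LDAP_STRONG_AUTH_REQUIRED;`. Whether this function is also reached for the bind operation itself cannot be seen here; if it is, the `op->o_dn.bv_len == 0` test would reject the very bind that would satisfy the listener, so confirm that bind is exempted (via `opflag` or by the caller) before relying on the "x" bit. Note also that the block is inserted before the `restrictops & opflag` test that follows it, so these listener checks run before rather than after the per-backend restrict checks the commit message describes; this only changes which refusal the client sees first, but the message and the code should agree. backend_check_restrictions begins outside this hunk.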
@@ -677,6 +672,14 @@ static int slap_open_listener( } } +#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD) + if ( lud->lud_exts ) { + err = get_url_perms( lud->lud_exts, &l.sl_perms, &crit ); + } else { + l.sl_perms = S_IRWXU; + } +#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */ + ldap_free_urldesc( lud ); if ( err ) { return -1; @@ -820,7 +823,7 @@ static int slap_open_listener( #ifdef LDAP_PF_LOCAL case AF_LOCAL: { char *addr = ((struct sockaddr_un *)*sal)->sun_path; - if ( chmod( addr, perms ) < 0 && crit ) { + if ( chmod( addr, l.sl_perms ) < 0 && crit ) { int err = sock_errno(); #ifdef NEW_LOGGING LDAP_LOG( CONNECTION, INFO, diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index da5530b06c..0a27ab8706 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -1731,6 +1731,9 @@ typedef struct slap_conn { struct slap_listener { struct berval sl_url; struct berval sl_name; +#ifdef SLAP_X_LISTENER_MOD + mode_t sl_perms; +#endif /* SLAP_X_LISTENER_MOD */ #ifdef HAVE_TLS int sl_is_tls; #endif
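Review bot: `l.sl_perms` is assigned here under `#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD)`, but the member is declared in slap.h only under `#ifdef SLAP_X_LISTENER_MOD`, so a build with LDAP_PF_LOCAL and without SLAP_X_LISTENER_MOD no longer compiles; the `chmod( addr, l.sl_perms )` line in the `@@ -820,7 +823,7 @@` hunk, which sits under `#ifdef LDAP_PF_LOCAL` alone, has the same problem. The guard on the struct member in the slap.h hunk should match the widest user, `#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD)`. Separately, the removed `mode_t perms = S_IRWXU;` default was in effect before get_url_perms ran, whereas now S_IRWXU is set only when `lud_exts` is NULL; if get_url_perms leaves `*perms` untouched for URLs whose extensions do not include x-mod (its body is outside this diff), `l.sl_perms` is whatever the uninitialized `l` held, so set `l.sl_perms = S_IRWXU;` unconditionally before the `if ( lud->lud_exts )` and let get_url_perms override it. slap_open_listener starts and ends outside this hunk.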
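Review bot: `sl_perms` is added as a bare `mode_t` with no comment saying which bits backend_check_restrictions reads, that only the owner triplet is consulted, or that the "x" bit has the opposite sense of "r" and "w" (set means a bind is not required). A comment on the member along the lines of `/* listener restrictions from the x-mod= URL extension; owner bits only: S_IRUSR read allowed, S_IWUSR write allowed, S_IXUSR bind not required; also the mode chmod()ed onto a ldapi socket */` would keep the two users in daemon.c and backend.c in agreement. The struct slap_listener definition continues past this hunk.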