add restrictions related to listeners in form of file permissions

(see in slapd(8) the description on how to enforce file permissions
on sockets in ldapi schema); at present, only user permissions are
used as follows: the url extension x-mod=-rwxrwxrwx is used; only
the user permisisons are considered, e.g. the first set of rwx;
	"r" means read is allowed from that listener
	"w" means write is allowed on that listener
	"x" means bind is not required on that listener
these restrictions ADD to those already present, and are actually
checked AFTER the other restrictions, but BEFORE ACLs, so they can
be used to apply gross restrictions but should not be viewed as
a replacement of ACLs. To compile this, #define SLAP_X_LISTENER_MOD
This commit is contained in:
Pierangelo Masarati 2002-10-25 16:43:44 +00:00
parent 6d199506bb
commit 97e526cb2d
3 changed files with 43 additions and 10 deletions

View File

@ -914,6 +914,14 @@ backend_check_restrictions(
*text = "modifications require authentication";
return LDAP_STRONG_AUTH_REQUIRED;
}
#ifdef SLAP_X_LISTENER_MOD
if ( ! ( conn->c_listener->sl_perms & S_IWUSR ) ) {
/* no "w" mode means readonly */
*text = "modifications not allowed on this listener";
return LDAP_UNWILLING_TO_PERFORM;
}
#endif /* SLAP_X_LISTENER_MOD */
}
}
@ -964,6 +972,25 @@ backend_check_restrictions(
return LDAP_OPERATIONS_ERROR;
}
}
#ifdef SLAP_X_LISTENER_MOD
if ( !starttls && op->o_dn.bv_len == 0 ) {
if ( ! ( conn->c_listener->sl_perms & S_IXUSR ) ) {
/* no "x" mode means bind required */
*text = "bind required on this listener";
return LDAP_CONFIDENTIALITY_REQUIRED;
}
}
if ( !starttls && !updateop ) {
if ( ! ( conn->c_listener->sl_perms & S_IRUSR ) ) {
/* no "r" mode means no read */
*text = "read not allowed on this listener";
return LDAP_UNWILLING_TO_PERFORM;
}
}
#endif /* SLAP_X_LISTENER_MOD */
}
if( restrictops & opflag ) {

View File

@ -311,7 +311,7 @@ static void slap_free_listener_addresses(struct sockaddr **sal)
ch_free(sal);
}
#ifdef LDAP_PF_LOCAL
#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD)
static int get_url_perms(
char **exts,
mode_t *perms,
@ -392,7 +392,7 @@ static int get_url_perms(
return LDAP_OTHER;
}
#endif /* LDAP_PF_LOCAL */
#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */
/* port = 0 indicates AF_LOCAL */
static int slap_get_listener_addresses(
@ -587,13 +587,12 @@ static int slap_open_listener(
struct sockaddr **sal, **psal;
int socktype = SOCK_STREAM; /* default to COTS */
#ifdef LDAP_PF_LOCAL
#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD)
/*
* use safe defaults
*/
mode_t perms = S_IRWXU;
int crit = 1;
#endif
#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */
rc = ldap_url_parse( url, &lud );
@ -648,10 +647,6 @@ static int slap_open_listener(
} else {
err = slap_get_listener_addresses(lud->lud_host, 0, &sal);
}
if ( lud->lud_exts ) {
err = get_url_perms( lud->lud_exts, &perms, &crit );
}
#else
#ifdef NEW_LOGGING
@ -677,6 +672,14 @@ static int slap_open_listener(
}
}
#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD)
if ( lud->lud_exts ) {
err = get_url_perms( lud->lud_exts, &l.sl_perms, &crit );
} else {
l.sl_perms = S_IRWXU;
}
#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */
ldap_free_urldesc( lud );
if ( err ) {
return -1;
@ -820,7 +823,7 @@ static int slap_open_listener(
#ifdef LDAP_PF_LOCAL
case AF_LOCAL: {
char *addr = ((struct sockaddr_un *)*sal)->sun_path;
if ( chmod( addr, perms ) < 0 && crit ) {
if ( chmod( addr, l.sl_perms ) < 0 && crit ) {
int err = sock_errno();
#ifdef NEW_LOGGING
LDAP_LOG( CONNECTION, INFO,

View File

@ -1731,6 +1731,9 @@ typedef struct slap_conn {
struct slap_listener {
struct berval sl_url;
struct berval sl_name;
#ifdef SLAP_X_LISTENER_MOD
mode_t sl_perms;
#endif /* SLAP_X_LISTENER_MOD */
#ifdef HAVE_TLS
int sl_is_tls;
#endif