Add "entry" ACL checks for add/delete/rename ops

servers/slapd/back-bdb/add.c

@@ -28,6 +28,7 @@ bdb_add(
 	char textbuf[SLAP_TEXT_BUFLEN];
 	size_t textlen = sizeof textbuf;
 	AttributeDescription *children = slap_schema.si_ad_children;
+	AttributeDescription *entry = slap_schema.si_ad_entry;
 	DB_TXN		*ltid = NULL;
 	struct bdb_op_info opinfo;
 #ifdef BDB_SUBENTRIES
@@ -86,6 +87,11 @@ bdb_add(
 
 	if( 0 ) {
 retry:	/* transaction retry */
+		if( p ) {
+			/* free parent and reader lock */
+			bdb_unlocked_cache_return_entry_r( &bdb->bi_cache, p );
+			p = NULL;
+		}
 		rc = TXN_ABORT( ltid );
 		ltid = NULL;
 		op->o_private = NULL;
@@ -208,9 +214,6 @@ retry:	/* transaction retry */
 		switch( opinfo.boi_err ) {
 		case DB_LOCK_DEADLOCK:
 		case DB_LOCK_NOTGRANTED:
-			/* free parent and reader lock */
-			bdb_unlocked_cache_return_entry_r( &bdb->bi_cache, p );
-			p = NULL;
 			goto retry;
 		}
 
@@ -298,12 +301,14 @@ retry:	/* transaction retry */
 		 */
 		if ( !be_isroot( be, &op->o_ndn )) {
 			if ( be_issuffix( be, (struct berval *)&slap_empty_bv )
-				|| be_isupdate( be, &op->o_ndn ) ) {
+				|| be_isupdate( be, &op->o_ndn ) )
+			{
 				p = (Entry *)&slap_entry_root;
 
 				/* check parent for "children" acl */
 				rc = access_allowed( be, conn, op, p,
 					children, NULL, ACL_WRITE, NULL );
+
 				p = NULL;
 
 				switch( opinfo.boi_err ) {
@@ -366,6 +371,28 @@ retry:	/* transaction retry */
 #endif
 	}
 
+	rc = access_allowed( be, conn, op, e,
+		entry, NULL, ACL_WRITE, NULL );
+
+	switch( opinfo.boi_err ) {
+	case DB_LOCK_DEADLOCK:
+	case DB_LOCK_NOTGRANTED:
+		goto retry;
+	}
+
+	if ( ! rc ) {
+#ifdef NEW_LOGGING
+		LDAP_LOG ( OPERATION, DETAIL1, 
+			"bdb_add: no write access to entry\n", 0, 0, 0 );
+#else
+		Debug( LDAP_DEBUG_TRACE, "bdb_add: no write access to entry\n",
+			0, 0, 0 );
+#endif
+		rc = LDAP_INSUFFICIENT_ACCESS;
+		text = "no write access to entry";
+		goto return_results;;
+	}
+
 	/* dn2id index */
 	rc = bdb_dn2id_add( be, ltid, &pdn, e );
 	if ( rc != 0 ) {

servers/slapd/back-bdb/delete.c

@@ -31,6 +31,7 @@ bdb_delete(
 	const char *text;
 	int		manageDSAit = get_manageDSAit( op );
 	AttributeDescription *children = slap_schema.si_ad_children;
+	AttributeDescription *entry = slap_schema.si_ad_entry;
 	DB_TXN		*ltid = NULL;
 	struct bdb_op_info opinfo;
 
@@ -185,6 +186,7 @@ retry:	/* transaction retry */
 				/* check parent for "children" acl */
 				rc = access_allowed( be, conn, op, p,
 					children, NULL, ACL_WRITE, NULL );
+
 				p = NULL;
 
 				switch( opinfo.boi_err ) {
@@ -231,6 +233,15 @@ retry:	/* transaction retry */
 #endif
 	}
 
+	rc = access_allowed( be, conn, op, e,
+		entry, NULL, ACL_WRITE, NULL );
+
+	switch( opinfo.boi_err ) {
+	case DB_LOCK_DEADLOCK:
+	case DB_LOCK_NOTGRANTED:
+		goto retry;
+	}
+
 	/* get entry for read/modify/write */
 	rc = bdb_dn2entry_w( be, ltid, ndn, &e, &matched, DB_RMW, locker, &lock );
 

servers/slapd/back-bdb/modrdn.c

@@ -28,6 +28,7 @@ bdb_modrdn(
 {
 	struct bdb_info *bdb = (struct bdb_info *) be->be_private;
 	AttributeDescription *children = slap_schema.si_ad_children;
+	AttributeDescription *entry = slap_schema.si_ad_entry;
 	struct berval	p_dn, p_ndn;
 	struct berval	new_dn = {0, NULL}, new_ndn = {0, NULL};
 	int		isroot = -1;
@@ -536,7 +537,31 @@ retry:	/* transaction retry */
 
 		new_parent_dn = np_dn;
 	}
-	
+
+	/* check write on old entry */
+	rc = access_allowed( be, conn, op, e,
+		entry, NULL, ACL_WRITE, NULL );
+
+	switch( opinfo.boi_err ) {
+	case DB_LOCK_DEADLOCK:
+	case DB_LOCK_NOTGRANTED:
+		goto retry;
+	}
+
+	if ( rc ) {
+#ifdef NEW_LOGGING
+		LDAP_LOG ( OPERATION, ERR, 
+			"==>bdb_modrdn: no access to entry\n", 0, 0, 0 );
+#else
+		Debug( LDAP_DEBUG_TRACE, "no access to entry\n", 0,
+			0, 0 );
+#endif
+		send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+			NULL, NULL, NULL, NULL );
+		goto return_results;
+	}
+
+
 	/* Build target dn and make sure target entry doesn't exist already. */
 	build_new_dn( &new_dn, new_parent_dn, newrdn );