non-root add/delete of entries rooted at '' checks children write permission (forward port from back-ldbm)

2026-01-01 20:49:35 -05:00 · 2001-11-14 16:09:33 +00:00 · 2001-11-14 16:09:33 +00:00 · a8437c2038
commit a8437c2038
parent 8c2ed9c809
2 changed files with 52 additions and 12 deletions
--- a/servers/slapd/back-bdb/add.c
+++ b/servers/slapd/back-bdb/add.c
@ -148,7 +148,7 @@ retry:	rc = txn_abort( ltid );
 			Debug( LDAP_DEBUG_TRACE, "bdb_add: no write access to parent\n",
 				0, 0, 0 );
 			rc = LDAP_INSUFFICIENT_ACCESS;
-			text = "no write access to parent", NULL, NULL;
+			text = "no write access to parent";
 			goto return_results;;
 		}

@ -195,11 +195,31 @@ retry:	rc = txn_abort( ltid );
 		 *  or with parent ""
 		 */
 		if ( !be_isroot( be, op->o_ndn )) {
-			Debug( LDAP_DEBUG_TRACE, "bdb_add: %s denied\n",
-				pdn == NULL ? "suffix" : "entry at root",
-				0, 0 );
-			rc = LDAP_INSUFFICIENT_ACCESS;
-			goto return_results;
+			if ( be_issuffix( be, "" ) ) {
+				static const Entry rootp = { NOID, "", "", NULL, NULL };
+
+				p = (Entry *)&rootp;
+
+				/* check parent for "children" acl */
+				rc = access_allowed( be, conn, op, p,
+					children, NULL, ACL_WRITE );
+				p = NULL;
+
+				if ( ! rc ) {
+					Debug( LDAP_DEBUG_TRACE, "bdb_add: no write access to parent\n",
+						0, 0, 0 );
+					rc = LDAP_INSUFFICIENT_ACCESS;
+					text = "no write access to parent";
+					goto return_results;;
+				}
+
+			} else {
+				Debug( LDAP_DEBUG_TRACE, "bdb_add: %s denied\n",
+					pdn == NULL ? "suffix" : "entry at root",
+					0, 0 );
+				rc = LDAP_INSUFFICIENT_ACCESS;
+				goto return_results;
+			}
 		}
 	}

--- a/servers/slapd/back-bdb/delete.c
+++ b/servers/slapd/back-bdb/delete.c
@ -162,12 +162,32 @@ retry:	/* transaction retry */
 		ch_free( pdn );

 		/* no parent, must be root to delete */
-		if( ! be_isroot( be, op->o_ndn ) && ! be_issuffix( be, "" ) ) {
-			Debug( LDAP_DEBUG_TRACE,
-				"<=- bdb_delete: no parent and not root\n",
-				0, 0, 0);
-			rc = LDAP_INSUFFICIENT_ACCESS;
-			goto return_results;
+		if( ! be_isroot( be, op->o_ndn ) ) {
+			if ( be_issuffix( be, "" ) ) {
+				static const Entry rootp = { NOID, "", "", NULL, NULL };
+
+				p = (Entry *)&rootp;
+
+				/* check parent for "children" acl */
+				rc = access_allowed( be, conn, op, p,
+					children, NULL, ACL_WRITE );
+				p = NULL;
+
+				if ( !rc  ) {
+					Debug( LDAP_DEBUG_TRACE,
+						"<=- bdb_delete: no access "
+						"to parent\n", 0, 0, 0 );
+					rc = LDAP_INSUFFICIENT_ACCESS;
+					goto return_results;
+				}
+
+			} else {
+				Debug( LDAP_DEBUG_TRACE,
+					"<=- bdb_delete: no parent "
+					"and not root\n", 0, 0, 0);
+				rc = LDAP_INSUFFICIENT_ACCESS;
+				goto return_results;
+			}
 		}
 	}