Disallow addition of system schema via config files.

2025-12-24 00:29:35 -05:00 · 2002-05-30 05:23:37 +00:00 · 2002-05-30 05:23:37 +00:00 · bdad40c696
commit bdad40c696
parent aecf4033f6
6 changed files with 65 additions and 43 deletions
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@ -1651,7 +1651,6 @@ read_config( const char *fname )
 				       "%s: line %d: old objectclass format not supported.\n",
 				       fname, lineno, 0 );
 #endif
-
 			}

 		/* specify an attribute type */
--- a/servers/slapd/oc.c
+++ b/servers/slapd/oc.c
@ -163,6 +163,7 @@ static int
 oc_create_required(
    ObjectClass		*soc,
    char		**attrs,
+	int			*op,
    const char		**err )
 {
 	char		**attrs1;
@ -178,6 +179,9 @@ oc_create_required(
 				*err = *attrs1;
 				return SLAP_SCHERR_ATTR_NOT_FOUND;
 			}
+
+			if( is_at_operational( sat )) (*op)++;
+
 			if ( at_find_in_list(sat, soc->soc_required) < 0) {
 				if ( at_append_to_list(sat, &soc->soc_required) ) {
 					*err = *attrs1;
@ -201,6 +205,7 @@ static int
 oc_create_allowed(
    ObjectClass		*soc,
    char		**attrs,
+	int			*op,
    const char		**err )
 {
 	char		**attrs1;
@ -214,6 +219,9 @@ oc_create_allowed(
 				*err = *attrs1;
 				return SLAP_SCHERR_ATTR_NOT_FOUND;
 			}
+
+			if( is_at_operational( sat )) (*op)++;
+
 			if ( at_find_in_list(sat, soc->soc_required) < 0 &&
 			     at_find_in_list(sat, soc->soc_allowed) < 0 ) {
 				if ( at_append_to_list(sat, &soc->soc_allowed) ) {
@ -231,6 +239,7 @@ static int
 oc_add_sups(
    ObjectClass		*soc,
    char			**sups,
+	int			*op,
    const char		**err )
 {
 	int		code;
@ -274,16 +283,19 @@ oc_add_sups(
 				return SLAP_SCHERR_CLASS_BAD_USAGE;
 			}

-			if ( add_sups )
+			if( soc->soc_flags & SLAP_OC_OPERATIONAL ) (*op)++;
+
+			if ( add_sups ) {
 				soc->soc_sups[nsups] = soc1;
+			}

-			code = oc_add_sups( soc, soc1->soc_sup_oids, err );
+			code = oc_add_sups( soc, soc1->soc_sup_oids, op, err );
 			if ( code ) return code;

-			code = oc_create_required( soc, soc1->soc_at_oids_must, err );
+			code = oc_create_required( soc, soc1->soc_at_oids_must, op, err );
 			if ( code ) return code;

-			code = oc_create_allowed( soc, soc1->soc_at_oids_may, err );
+			code = oc_create_allowed( soc, soc1->soc_at_oids_may, op, err );
 			if ( code ) return code;

 			nsups++;
@ -382,11 +394,13 @@ oc_insert(
 int
 oc_add(
    LDAPObjectClass	*oc,
+	int user,
    const char		**err
 )
 {
 	ObjectClass	*soc;
 	int		code;
+	int		op = 0;

 	if ( oc->oc_names != NULL ) {
 		int i;
@ -419,19 +433,21 @@ oc_add(
 	{
 		/* structural object classes implicitly inherit from 'top' */
 		static char *top_oids[] = { SLAPD_TOP_OID, NULL };
-		code = oc_add_sups( soc, top_oids, err );
+		code = oc_add_sups( soc, top_oids, &op, err );
 	} else {
-		code = oc_add_sups( soc, soc->soc_sup_oids, err );
+		code = oc_add_sups( soc, soc->soc_sup_oids, &op, err );
 	}

 	if ( code != 0 ) return code;

-	code = oc_create_required( soc, soc->soc_at_oids_must, err );
+	code = oc_create_required( soc, soc->soc_at_oids_must, &op, err );
 	if ( code != 0 ) return code;

-	code = oc_create_allowed( soc, soc->soc_at_oids_may, err );
+	code = oc_create_allowed( soc, soc->soc_at_oids_may, &op, err );
 	if ( code != 0 ) return code;

+	if( user && op ) return SLAP_SCHERR_CLASS_OPERATIONAL;
+
 	code = oc_insert(soc,err);
 	return code;
 }
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@ -626,6 +626,7 @@ LDAP_SLAPD_F (void) mra_free LDAP_P((
 /* oc.c */
 LDAP_SLAPD_F (int) oc_add LDAP_P((
 	LDAPObjectClass *oc,
+	int user,
 	const char **err));
 LDAP_SLAPD_F (void) oc_destroy LDAP_P(( void ));

--- a/servers/slapd/schema_prep.c
+++ b/servers/slapd/schema_prep.c
@ -162,28 +162,29 @@ static struct slap_schema_oc_map {
 			"NAME 'extensibleObject' "
 			"DESC 'RFC2252: extensible object' "
 			"SUP top AUXILIARY )",
-		0, 0, offsetof(struct slap_internal_schema, si_oc_extensibleObject) },
+		0, SLAP_OC_OPERATIONAL,
+		offsetof(struct slap_internal_schema, si_oc_extensibleObject) },
 	{ "alias", "( 2.5.6.1 NAME 'alias' "
 			"DESC 'RFC2256: an alias' "
 			"SUP top STRUCTURAL "
 			"MUST aliasedObjectName )",
-		aliasObjectClass, SLAP_OC_ALIAS,
+		aliasObjectClass, SLAP_OC_ALIAS|SLAP_OC_OPERATIONAL,
 		offsetof(struct slap_internal_schema, si_oc_alias) },
 	{ "referral", "( 2.16.840.1.113730.3.2.6 NAME 'referral' "
 			"DESC 'namedref: named subordinate referral' "
 			"SUP top STRUCTURAL MUST ref )",
-		referralObjectClass, SLAP_OC_REFERRAL,
+		referralObjectClass, SLAP_OC_REFERRAL|SLAP_OC_OPERATIONAL,
 		offsetof(struct slap_internal_schema, si_oc_referral) },
 	{ "LDAProotDSE", "( 1.3.6.1.4.1.4203.1.4.1 "
 			"NAME ( 'OpenLDAProotDSE' 'LDAProotDSE' ) "
 			"DESC 'OpenLDAP Root DSE object' "
 			"SUP top STRUCTURAL MAY cn )",
-		rootDseObjectClass, 0,
+		rootDseObjectClass, SLAP_OC_OPERATIONAL,
 		offsetof(struct slap_internal_schema, si_oc_rootdse) },
 	{ "subentry", "( 2.5.20.0 NAME 'subentry' "
 			"SUP top STRUCTURAL "
 			"MUST ( cn $ subtreeSpecification ) )",
-		subentryObjectClass, SLAP_OC_SUBENTRY,
+		subentryObjectClass, SLAP_OC_SUBENTRY|SLAP_OC_OPERATIONAL,
 		offsetof(struct slap_internal_schema, si_oc_subentry) },
 	{ "subschema", "( 2.5.20.1 NAME 'subschema' "
 		"DESC 'RFC2252: controlling subschema (sub)entry' "
@ -191,17 +192,19 @@ static struct slap_schema_oc_map {
 		"MAY ( dITStructureRules $ nameForms $ ditContentRules $ "
 			"objectClasses $ attributeTypes $ matchingRules $ "
 			"matchingRuleUse ) )",
-		subentryObjectClass, 0,
+		subentryObjectClass, SLAP_OC_OPERATIONAL,
 		offsetof(struct slap_internal_schema, si_oc_subschema) },
 	{ "monitor", "( 1.3.6.1.4.1.4203.666.3.2 NAME 'monitor' "
 		"DESC 'OpenLDAP system monitoring' "
 		"STRUCTURAL "
 		"MUST cn )",
-		0, 0, offsetof(struct slap_internal_schema, si_oc_monitor) },
+		0, SLAP_OC_OPERATIONAL,
+		offsetof(struct slap_internal_schema, si_oc_monitor) },
 	{ "collectiveAttributeSubentry", "( 2.5.20.2 "
 			"NAME 'collectiveAttributeSubentry' "
 			"AUXILIARY )",
-		subentryObjectClass, SLAP_OC_COLLECTIVEATTRIBUTESUBENTRY|SLAP_OC_HIDE,
+		subentryObjectClass,
+		SLAP_OC_COLLECTIVEATTRIBUTESUBENTRY|SLAP_OC_OPERATIONAL|SLAP_OC_HIDE,
 		offsetof(struct slap_internal_schema, si_oc_collectiveAttributeSubentry) },
 	{ "dynamicObject", "( 1.3.6.1.4.1.1466.101.119.2 "
 			"NAME 'dynamicObject' "
@ -307,14 +310,14 @@ static struct slap_schema_ad_map {
 			"EQUALITY octetStringMatch "
 			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{64} "
 			"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
-		NULL, 0, NULL, NULL, NULL,
+		NULL, SLAP_AT_HIDE, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_entryUUID) },
 	{ "entryCSN", "( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' "
 			"DESC 'LCUP/LDUP: change sequence number' "
 			"EQUALITY octetStringMatch "
 			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{64} "
 			"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
-		NULL, 0, NULL, NULL, NULL,
+		NULL, SLAP_AT_HIDE, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_entryCSN) },

 	/* root DSE attributes */
@ -715,7 +718,7 @@ slap_schema_load( void )
 				return LDAP_OTHER;
 			}

-			code = oc_add(oc,&err);
+			code = oc_add(oc,0,&err);
 			if ( code ) {
 				fprintf( stderr, "slap_schema_load: "
 					"%s: %s: \"%s\"\n",
--- a/servers/slapd/schemaparse.c
+++ b/servers/slapd/schemaparse.c
@ -26,6 +26,7 @@ static char *const err2text[SLAP_SCHERR_LAST+1] = {
 	"Out of memory",
 	"ObjectClass not found",
 	"ObjectClass inappropriate SUPerior",
+	"ObjectClass operational",
 	"AttributeType not found",
 	"AttributeType inappropriate USAGE",
 	"Duplicate objectClass",
@ -118,7 +119,7 @@ parse_oc(
 		return 1;
 	}

-	code = oc_add(oc,&err);
+	code = oc_add(oc,1,&err);
 	if ( code ) {
 		fprintf( stderr, "%s: line %d: %s: \"%s\"\n",
 			 fname, lineno, scherr2str(code), err);
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@ -221,20 +221,21 @@ typedef struct slap_ssf_set {
 #define SLAP_SCHERR_OUTOFMEM		1
 #define SLAP_SCHERR_CLASS_NOT_FOUND	2
 #define SLAP_SCHERR_CLASS_BAD_USAGE	3
-#define SLAP_SCHERR_ATTR_NOT_FOUND	4
-#define SLAP_SCHERR_ATTR_BAD_USAGE	5
-#define SLAP_SCHERR_DUP_CLASS		6
-#define SLAP_SCHERR_DUP_ATTR		7
-#define SLAP_SCHERR_DUP_SYNTAX		8
-#define SLAP_SCHERR_DUP_RULE		9
-#define SLAP_SCHERR_NO_NAME		10
-#define SLAP_SCHERR_ATTR_INCOMPLETE	11
-#define SLAP_SCHERR_MR_NOT_FOUND	12
-#define SLAP_SCHERR_SYN_NOT_FOUND	13
-#define SLAP_SCHERR_MR_INCOMPLETE	14
-#define SLAP_SCHERR_NOT_SUPPORTED	15
-#define SLAP_SCHERR_BAD_DESCR		16
-#define SLAP_SCHERR_OIDM			17
+#define SLAP_SCHERR_CLASS_OPERATIONAL 4
+#define SLAP_SCHERR_ATTR_NOT_FOUND	5
+#define SLAP_SCHERR_ATTR_BAD_USAGE	6
+#define SLAP_SCHERR_DUP_CLASS		7
+#define SLAP_SCHERR_DUP_ATTR		8
+#define SLAP_SCHERR_DUP_SYNTAX		9
+#define SLAP_SCHERR_DUP_RULE		10
+#define SLAP_SCHERR_NO_NAME			11
+#define SLAP_SCHERR_ATTR_INCOMPLETE	12
+#define SLAP_SCHERR_MR_NOT_FOUND	13
+#define SLAP_SCHERR_SYN_NOT_FOUND	14
+#define SLAP_SCHERR_MR_INCOMPLETE	15
+#define SLAP_SCHERR_NOT_SUPPORTED	16
+#define SLAP_SCHERR_BAD_DESCR		17
+#define SLAP_SCHERR_OIDM			18
 #define SLAP_SCHERR_LAST			SLAP_SCHERR_OIDM

 typedef union slap_sockaddr {
@ -492,14 +493,15 @@ typedef struct slap_object_class {
 	struct slap_object_class	*soc_next;
 } ObjectClass;

-#define	SLAP_OC_ALIAS		0x01
-#define	SLAP_OC_REFERRAL	0x02
-#define	SLAP_OC_SUBENTRY	0x04
-#define	SLAP_OC_DYNAMICOBJECT	0x08
-#define	SLAP_OC_COLLECTIVEATTRIBUTESUBENTRY	0x10
-#define	SLAP_OC__MASK		0x1F
-#define	SLAP_OC__END		0x20
-#define SLAP_OC_HIDE		0x80
+#define	SLAP_OC_ALIAS		0x0001
+#define	SLAP_OC_REFERRAL	0x0002
+#define	SLAP_OC_SUBENTRY	0x0004
+#define	SLAP_OC_DYNAMICOBJECT	0x0008
+#define	SLAP_OC_COLLECTIVEATTRIBUTESUBENTRY	0x0010
+#define	SLAP_OC__MASK		0x001F
+#define	SLAP_OC__END		0x0020
+#define SLAP_OC_OPERATIONAL	0x4000
+#define SLAP_OC_HIDE		0x8000

 #ifdef LDAP_EXTENDED_SCHEMA
 /*