fix ITS#4522; imply "+0" when no access is given
This commit is contained in:
parent
d79fd46f33
commit
fbbb8a5d93
2 changed files with 66 additions and 11 deletions
@ -66,13 +66,57 @@ brackets <>.
|
|||
.SH THE ACCESS DIRECTIVE
|
||||
The structure of the access control directives is
|
||||
.TP
|
||||
.B access to <what> "[ by <who> <access> [ <control> ] ]+"
|
||||
.B access to <what> "[ by <who> [ <access> ] [ <control> ] ]+"
|
||||
Grant access (specified by
|
||||
.BR <access> )
|
||||
to a set of entries and/or attributes (specified by
|
||||
.BR <what> )
|
||||
by one or more requestors (specified by
|
||||
.BR <who> ).
|
||||
|
||||
.LP
|
||||
Lists of access directives are evaluated in the order they appear
|
||||
in \fIslapd.conf\fP.
|
||||
When a
|
||||
.B <what>
|
||||
clause matches the datum whose access is being evaluated, its
|
||||
.B <who>
|
||||
clause list is checked.
|
||||
When a
|
||||
.B <who>
|
||||
clause matches the accessor's properties, its
|
||||
.B <access>
|
||||
and
|
||||
.B <control>
|
||||
clauses are evaluated.
|
||||
Access control checking stops at the first match of the
|
||||
.B <what>
|
||||
and
|
||||
.B <who>
|
||||
clause, unless otherwise dictated by the
|
||||
.B <control>
|
||||
clause.
|
||||
Each
|
||||
.B <who>
|
||||
clause list is implicitly terminated by a
|
||||
.LP
|
||||
.nf
|
||||
by * none stop
|
||||
.fi
|
||||
.LP
|
||||
clause that results in stopping the access control with no access
|
||||
privileges granted.
|
||||
Each
|
||||
.B <what>
|
||||
clause list is implicitly terminated by a
|
||||
.LP
|
||||
.nf
|
||||
access to *
|
||||
by * none
|
||||
.fi
|
||||
.LP
|
||||
clause that results in granting no access privileges to an otherwise
|
||||
unspecified datum.
|
||||
.SH THE <WHAT> FIELD
|
||||
The field
|
||||
.BR <what>
|
||||
|
|
@ -657,7 +701,7 @@ and
|
|||
set the minimum required Security Strength Factor (ssf) needed
|
||||
to grant access. The value should be positive integer.
|
||||
.SH THE <ACCESS> FIELD
|
||||
The field
|
||||
The optional field
|
||||
.B <access> ::= [[real]self]{<level>|<priv>}
|
||||
determines the access level or the specific access privileges the
|
||||
.B who
|
||||
|
|
@ -750,6 +794,7 @@ for disclose.
|
|||
More than one of the above privileges can be added in one statement.
|
||||
.B 0
|
||||
indicates no privileges and is used only by itself (e.g., +0).
|
||||
.LP
|
||||
If no access is given, it defaults to
|
||||
.BR +0 .
|
||||
.SH THE <CONTROL> FIELD
|
||||
@ -1784,6 +1784,7 @@ parse_acl(
|
|||
/* out of arguments or plain stop */
|
||||
|
||||
ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
|
||||
ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
|
||||
b->a_type = ACL_STOP;
|
||||
|
||||
access_append( &a->acl_access, b );
|
||||
|
|
@ -1794,6 +1795,7 @@ parse_acl(
|
|||
/* plain continue */
|
||||
|
||||
ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
|
||||
ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
|
||||
b->a_type = ACL_CONTINUE;
|
||||
|
||||
access_append( &a->acl_access, b );
|
||||
|
|
@ -1804,6 +1806,7 @@ parse_acl(
|
|||
/* plain continue */
|
||||
|
||||
ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
|
||||
ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
|
||||
b->a_type = ACL_BREAK;
|
||||
|
||||
access_append( &a->acl_access, b );
|
||||
|
|
@ -1814,6 +1817,7 @@ parse_acl(
|
|||
/* we've gone too far */
|
||||
--i;
|
||||
ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
|
||||
ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
|
||||
b->a_type = ACL_STOP;
|
||||
|
||||
access_append( &a->acl_access, b );
|
||||
|
|
@ -1821,16 +1825,19 @@ parse_acl(
|
|||
}
|
||||
|
||||
/* get <access> */
|
||||
if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
|
||||
b->a_dn_self = 1;
|
||||
ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "self" ) ] ) );
|
||||
{
|
||||
char *lleft = left;
|
||||
|
||||
} else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
|
||||
b->a_realdn_self = 1;
|
||||
ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "realself" ) ] ) );
|
||||
if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
|
||||
b->a_dn_self = 1;
|
||||
lleft = &left[ STRLENOF( "self" ) ];
|
||||
|
||||
} else {
|
||||
ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
|
||||
} else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
|
||||
b->a_realdn_self = 1;
|
||||
lleft = &left[ STRLENOF( "realself" ) ];
|
||||
}
|
||||
|
||||
ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( lleft ) );
|
||||
}
|
||||
|
||||
if ( ACL_IS_INVALID( b->a_access_mask ) ) {
|
||||
|
|
@ -2131,7 +2138,10 @@ str2accessmask( const char *str )
|
|||
} else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
|
||||
ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
|
||||
|
||||
} else if( str[i] != '0' ) {
|
||||
} else if( str[i] == '0' ) {
|
||||
ACL_PRIV_SET(mask, ACL_PRIV_NONE);
|
||||
|
||||
} else {
|
||||
ACL_INVALIDATE(mask);
|
||||
return mask;
|
||||
}
|
||||
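Review bot: The new `str[i] == '0'` branch in str2accessmask (last hunk) accepts `0` mixed with other privilege letters, while the manpage hunk of this same commit states that `0` "is used only by itself (e.g., +0)"; a string such as `+w0` would presumably be parsed as `+w` with no diagnostic. The enclosing loop and the start of str2accessmask lie outside the hunk, so the loop's start index is not visible here, but rejecting anything after the `0` fits inside the branch, `if ( str[i+1] != '\0' ) { ACL_INVALIDATE(mask); return mask; }` placed before the `ACL_PRIV_SET`, and a matching check that `0` is the first privilege character (or that nothing has been set on the mask yet) would close the other side. Separately, the first four hunks paste the same two-line `ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE ); ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);` sequence into each control-keyword branch of parse_acl with no explanation; a comment at the first of them, `/* no <access> given: imply "+0" (ITS#4522), not level "none" */`, would record why an additive empty mask is chosen, since that distinction decides whether a privilege granted by an earlier clause survives this one.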