From 5d9026cf3f93f95dd6f80ad209013e30bbb0d8e6 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Tue, 18 Oct 2011 17:08:05 +0200
Subject: ITS#7066 reworked default deny ACL for cn=config

Dynamically adding ACL for cn=config didn't work correctly, when no ACLs where present for that database upon startup. Delete the last ACL from the DB could also lead to unexpected results.

diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 309668e..7097d72 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -84,6 +84,7 @@ static char *logfileName;
 #ifdef SLAP_AUTH_REWRITE
 static BerVarray authz_rewrites;
 #endif
+static AccessControl *defacl_parsed = NULL;
 static struct berval cfdir;
@@ -1297,6 +1298,12 @@ config_generic(ConfigArgs *c) {
 *prev = a->acl_next;
 acl_free( a );
 }
+ if ( SLAP_CONFIG( c->be ) && !c->be->be_acl ) {
+ Debug( LDAP_DEBUG_CONFIG, "config_generic (CFG_ACL): "
+ "Last explicit ACL for back-config removed. "
+ "Using hardcoded default\n", 0, 0, 0 );
+ c->be->be_acl = defacl_parsed;
+ }
 break;
 case CFG_OC: {
@@ -1792,6 +1799,9 @@ sortval_reject:
 break;
 case CFG_ACL:
+ if ( SLAP_CONFIG( c->be ) && c->be->be_acl == defacl_parsed) {
+ c->be->be_acl = NULL;
+ }
 /* Don't append to the global ACL if we're on a specific DB */
 i = c->valx;
 if ( c->valx == -1 ) {
@@ -1801,6 +1811,9 @@ sortval_reject:
 i++;
 }
 if ( parse_acl(c->be, c->fname, c->lineno, c->argc, c->argv, i ) ) {
+ if ( SLAP_CONFIG( c->be ) && !c->be->be_acl) {
+ c->be->be_acl = defacl_parsed;
+ }
 return 1;
 }
 break;
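Review bot: Reinstalling `defacl_parsed` after the deletion loop in `@@ -1297` assumes the entry `a` that was just released was never the default itself; if the hardcoded default is the only entry in `c->be->be_acl` and the olcAccess delete path can reach it, `acl_free( a )` directly above frees `defacl_parsed` and the new assignment hands back-config a dangling ACL pointer. Whether the default value is deletable through this path depends on the loop head, which begins outside the hunk, so this is worth confirming rather than assuming. A cheap guard is to skip the free for the default entry, `if ( a != defacl_parsed ) acl_free( a );`, or to refuse the delete up front when `c->be->be_acl == defacl_parsed`. config_generic continues outside the hunk.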
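Review bot: The two new conditions in `@@ -1792` and `@@ -1801` close their parentheses without the inner space the rest of bconfig.c uses — `c->be->be_acl == defacl_parsed)` and `!c->be->be_acl)` — while the same commit writes `!c->be->be_acl )` in the delete path; `c->be->be_acl == defacl_parsed ) {` and `!c->be->be_acl ) {` keep the file's style. The first condition also deserves a one-line comment explaining why the list is emptied before appending, e.g. `/* the hardcoded default is not an explicit ACL: drop it before adding the first real one */`, since the restore in `@@ -1801` only makes sense together with it. Both hunks sit inside config_generic's CFG_ACL case, whose switch begins and ends outside the hunk.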
@@ -6637,14 +6650,23 @@ config_back_db_open( BackendDB *be, ConfigReply *cr )
 slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
 SlapReply rs = {REP_RESULT};
 void *thrctx = NULL;
+ AccessControl *save_access;
 Debug( LDAP_DEBUG_TRACE, "config_back_db_open\n", 0, 0, 0);
 /* If we have no explicitly configured ACLs, don't just use * the global ACLs. Explicitly deny access to everything. */
- if ( !be->bd_self->be_acl ) {
- parse_acl(be->bd_self, "config_back_db_open", 0, 6, (char **)defacl, 0 );
+ save_access = be->bd_self->be_acl;
+ be->bd_self->be_acl = NULL;
+ parse_acl(be->bd_self, "config_back_db_open", 0, 6, (char **)defacl, 0 );
+ defacl_parsed = be->bd_self->be_acl;
+ if ( save_access ) {
+ be->bd_self->be_acl = save_access;
+ } else {
+ Debug( LDAP_DEBUG_CONFIG, "config_back_db_open: "
+ "No explicit ACL for back-config configured. "
+ "Using hardcoded default\n", 0, 0, 0 );
 }
 thrctx = ldap_pvt_thread_pool_context();
@@ -6889,6 +6911,11 @@ config_back_db_close( BackendDB *be, ConfigReply *cr )
 backend_shutdown( &cfb->cb_db );
 }
+ if ( defacl_parsed && be->be_acl != defacl_parsed ) {
+ acl_free( defacl_parsed );
+ defacl_parsed = NULL;
+ }
+
 return 0;
 }
-- 
1.7.6.4
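Review bot: The result of `parse_acl()` on the hardcoded default in `@@ -6637` is still ignored, so if it fails both `defacl_parsed` and `be->bd_self->be_acl` stay NULL while the else branch logs "Using hardcoded default"; cn=config would then be governed by the global ACLs, exactly the case the comment above says must not happen. Checking the result, restoring the saved list and failing the open keeps the deny-by-default guarantee: `if ( parse_acl( be->bd_self, "config_back_db_open", 0, 6, (char **)defacl, 0 ) || !be->bd_self->be_acl ) { be->bd_self->be_acl = save_access; return 1; }`. The comment above now describes only the else branch, so rewording it to say the default is always parsed and kept in `defacl_parsed` for later reinstatement would match the code. If config_back_db_open can run more than once per process (not visible here), the unconditional assignment also overwrites the previous `defacl_parsed` without freeing it. The function continues outside the hunk.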
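Review bot: The ownership test in `@@ -6889` reads `be->be_acl`, while config_back_db_open installs and saves the default through `be->bd_self->be_acl`; should `be` and `be->bd_self` ever differ for back-config, the comparison misses the installed default, `acl_free( defacl_parsed )` releases the list that `bd_self->be_acl` still points to, and the backend's own ACL teardown would free it a second time. Using the same handle on both sides removes the question: `if ( defacl_parsed && be->bd_self->be_acl != defacl_parsed ) {`. When the default is still installed, `defacl_parsed` is deliberately left non-NULL and is then owned by whoever releases `be_acl`, which a comment on the condition should record, e.g. `/* if the default is still installed as be_acl it is freed with the backend's ACL list */`. config_back_db_close ends inside the hunk.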