[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#3639) Inconsistent access checking in back-shell?
Here's some discussion of this change in the thread:
http://www.openldap.org/lists/openldap-devel/200210/msg00008.html
At 02:37 AM 4/8/2005, ando@sys-net.it wrote:
>> I forget why this check was added, but (as I recall) it
>> was purposely added. The reasons to why likely can be
>> found in the commit log and/or -bugs/-devel list archives.
>> I'll try to dig about later...
>
>I've found back-shell/modify.c 1.23 -> 1.24 introduced this change;
>there's no explanation, besides a comment that the same should be done for
>back-perl and other scriptiong backends. I think this is incorrect for
>two reasons:
>
>1) it is inconsistent with other backends and the difference is undocumented
>
>2) the check is done using a dummy entry, built by placing the DN into an
>empty Entry structure, which causes all access clauses that depend on the
>contents of the object to behave unexpectedly; this is undocumented as
>well.
>
>I've fixed this type of problems in back-sql recently, to restore a
>consistent behavior; the same could be done in back-shell and so, but I
>fear there might be issues related to fetching the required objects, and
>it might not be worth the effort. In any case, this point should be
>clarified in the docs, regardless of how it's fixed. I think we should
>make access checking aware of the fact that it's working on a dummy
>target; this should cause clauses that require the real data to take
>appropriate measures (e.g. fail, or just do not apply, or at least issue a
>warning that access checking might be incomplete or inappropriate for that
>backend).
>
>Maybe we need to discuss this in -devel. In any case, there seems to be a
>wide class of backends that do not honor access control as described in
>the docs; there might be very good reasons for this, but they should be
>made explicit.
>
>p.
>
>--
>Pierangelo Masarati
>mailto:pierangelo.masarati@sys-net.it
>
>
> SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497