
Re: More granular privileges in ACLs (now ITS#3631)



Kurt D. Zeilenga wrote:

In your patch, it appears that modify/replace only requires
add. However, as modify/replace deletes existing values,
it should require delete as well.



I'm missing the point where this happens. As far as I can see, access for ldap_modify is checked in acl_check_modlist(). In fact I see a problem, but different from the one you mention: in case of replace (case LDAP_MOD_REPLACE), first ACL_WRITE (which implies both ADD and DELETE) is checked; then the control falls through to LDAP_MOD_ADD, which checks again for ACL_WADD. It would be more appropriate to check for ACL_WDEL the first time. One thing I forgot, which I've placed in a follow-on to that patch, is access control to modifications occurring because of a modrdn. I've applied the above patch to all backends and to all occurrences of ACL_WRITE.


Also, I think the syntax is cumbersome, because to have an access corresponding to the "read" level plus "a" or "z" capability requires extra configuration and run-time overhead. So I added a configuration directive, and a level-like form of "add" and "delete" which in terms of level corresponds to "write" (i.e. all levels below are implied) but only adds, respectively, the "add" and the "delete" capability at write level. I'll post the patch ASAP.

p.


SysNet - via Dossi, 8 27100 Pavia Tel: +390382573859 Fax: +390382476497
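As an added illustration, not code from this thread or from OpenLDAP, here is a constructed C model of the two points above: a replace must hold both the delete and the add capability (checking ACL_WDEL first and then falling through to the add check, instead of checking ACL_WRITE and then ACL_WADD redundantly), and the level-like "add"/"delete" grants that sit at the write level but confer only one write capability. The bit values, privs_for_level, acl_check_mod and the modlist walker are assumptions that merely mirror the names mentioned in the message.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of the privilege bits named in the thread (ACL_WRITE,
 * ACL_WADD, ACL_WDEL); values and helpers are hypothetical, not slapd's. */
#define ACL_READ   0x01u
#define ACL_WADD   0x02u                    /* may add values */
#define ACL_WDEL   0x04u                    /* may delete values */
#define ACL_WRITE  (ACL_WADD | ACL_WDEL)    /* implies both */

enum mod_op { MOD_ADD, MOD_DELETE, MOD_REPLACE };

/* Level-like grant: "add"/"delete" sit at the write level (everything
 * below is implied) but confer only one of the two write capabilities. */
static unsigned privs_for_level(const char *level)
{
    if (strcmp(level, "write") == 0)  return ACL_READ | ACL_WRITE;
    if (strcmp(level, "add") == 0)    return ACL_READ | ACL_WADD;
    if (strcmp(level, "delete") == 0) return ACL_READ | ACL_WDEL;
    if (strcmp(level, "read") == 0)   return ACL_READ;
    return 0;                         /* "none" or unknown level */
}

/* Per-modification check in the shape described: the replace case denies
 * unless the first privilege is held, then falls through to the add case.
 * Checking ACL_WDEL first (rather than ACL_WRITE) makes the fall-through
 * meaningful: replace = delete the old values + add the new ones. */
static bool acl_check_mod(unsigned granted, enum mod_op op)
{
    switch (op) {
    case MOD_REPLACE:
        if (!(granted & ACL_WDEL)) return false;
        /* falls through */
    case MOD_ADD:
        return (granted & ACL_WADD) != 0;
    case MOD_DELETE:
        return (granted & ACL_WDEL) != 0;
    }
    return false;
}

/* Walk a whole modlist (as acl_check_modlist would) and deny on first failure. */
static bool acl_check_modlist(unsigned granted, const enum mod_op *mods, int n)
{
    for (int i = 0; i < n; i++)
        if (!acl_check_mod(granted, mods[i])) return false;
    return true;
}
```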