[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#3963) [development] ACIs design seems incompatible with "disclose" access privilege

To: openldap-its@OpenLDAP.org
Subject: (ITS#3963) [development] ACIs design seems incompatible with "disclose" access privilege
From: ando@sys-net.it
Date: Tue, 23 Aug 2005 13:26:10 GMT

Full_Name: Pierangelo Masarati
Version: HEAD
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (131.175.154.56)
Submitted by: ando


ACIs currently don't have any notion of the "disclose" privilege.  In HEAD code,
the character 'd' has been recently allowed in ACI privileges.  However, ACI's
design does not allow to collect the real access a target is granted, so,
although checking for "disclose" access could be possible by means of a direct
request, e.g. calling access_allowed(ACL_DISCLOSE), current code calls
access_allowed_mask(<access>, &mask) to check if <access> is allowed and
simultaneously get the actual permissions in mask, where the access to
ACL_DISCLOSE is checked by the caller.  ACIs (and possibl the dynacl API) need
be reworked to comply with this usage.

NOTE: in the original draft ACIs are loosely inspired on, 'd' was used for
"delete" permissions; I used 'd' for "dislose" for consistency with the rest of
slapd's access control, since there's no reason to stick with tha expired
document.

p.

Prev by Date: Re: (ITS#3960) slaptest changes ownership of ldap-data files
Next by Date: (ITS#3964) test041 with ldbm - ldapsearch failed (32)!
Index(es):
- Chronological
- Thread