(ITS#5637) dynacl broken when an access mask has been already applied by previous ACL rule

Full_Name: Kostantinos Koukopoulos
Version: 2.4.11
OS: Solaris
URL: ftp://ftp.openldap.org/incoming/kostantinos-koukopoulos-080801.diff
Submission from: (NULL) (

There is a bug in the function 'slap_acl_mask' in servers/slapd/acl.c that
affects the processing of dynacls. In particular, the code attempts to apply
ACL_ACCESS2PRIV to a variable already containing a slap_mask_t value. By chance
this does not make a difference except when the dynacl rule is applied after a
'break' in a previous rule that has altered the default mask. It appears that
the intention was to check whether the requested access level applies to the
dynacl rule access mask. Instead, the check is made against the currently applied
mask. The referenced patch fixes this issue by passing the requested access
level as an extra parameter to the function and using it for the check.