Re: More granular privileges in ACLs (now ITS#3631)
Kurt D. Zeilenga wrote:
In your patch, it appears that modify/replace only requires
add. However, as modify/replace deletes existing values,
it should require delete as well.
I'm missing the point where this happens. As far as I can see, access
for ldap_modify is checked in acl_check_modlist(). In fact I see a
problem, but different from the one you mention: in case of replace
(case LDAP_MOD_REPLACE), first ACL_WRITE (which implies both ADD and
DELETE) is checked; then the control falls thru LDAP_MOD_ADD which
checks again for ACL_WADD. It would be more appropriate to check for
ACL_WDEL the first time. One thing I forgot, which I've placed in a
follow-on to that patch, is access control to modifications occurring
because of a modrdn. I've applied the above patch to all backends and
to all occurrences of ACL_WRITE.
Also, I think the syntax is cumbersome, because to have an access
corresponding to the "read" level plus "a" or "z" capability requires
extra configuration and run-time overhead. So I added a configuration
directive, and a level-like form of "add" and "delete" which in terms of
level corresponds to "write" (i.e. all levels below are implied) but
only adds respectively the "add" and the "delete" capability at write
level. I'll post the patch ASAP.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
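The two rules discussed in this message, that a replace must require the delete capability as well as add, and that level-like "add" and "delete" keywords imply everything below write plus only one capability, as an added C model. This is not slapd's acl_check_modlist(); the bit masks, keyword names and mod_op values are assumed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Illustrative model, not slapd's ACL code: access is a cumulative level
 * mask; "write" carries both add and delete, while the level-like "add"
 * and "delete" forms carry everything below write plus one of the two. */
enum {
    ACL_AUTH = 1 << 0, ACL_COMPARE = 1 << 1, ACL_SEARCH = 1 << 2,
    ACL_READ = 1 << 3, ACL_WADD = 1 << 4, ACL_WDEL = 1 << 5,
    ACL_WRITE = ACL_WADD | ACL_WDEL,
    ACL_READ_LEVEL = ACL_AUTH | ACL_COMPARE | ACL_SEARCH | ACL_READ,
};
/* Same numeric values as LDAP_MOD_ADD / LDAP_MOD_DELETE / LDAP_MOD_REPLACE. */
enum mod_op { MOD_ADD = 0, MOD_DELETE = 1, MOD_REPLACE = 2 };

/* Parse a slapd.conf-style level keyword into the privileges it implies. */
unsigned acl_level(const char *name)
{
    if (!strcmp(name, "none"))    return 0;
    if (!strcmp(name, "auth"))    return ACL_AUTH;
    if (!strcmp(name, "compare")) return ACL_AUTH | ACL_COMPARE;
    if (!strcmp(name, "search"))  return ACL_AUTH | ACL_COMPARE | ACL_SEARCH;
    if (!strcmp(name, "read"))    return ACL_READ_LEVEL;
    if (!strcmp(name, "add"))     return ACL_READ_LEVEL | ACL_WADD;
    if (!strcmp(name, "delete"))  return ACL_READ_LEVEL | ACL_WDEL;
    if (!strcmp(name, "write"))   return ACL_READ_LEVEL | ACL_WRITE;
    return 0; /* unknown keyword grants nothing */
}

/* Privilege a modification needs.  Replace removes the existing values
 * before adding the new ones, so it needs both add and delete. */
unsigned mod_required(enum mod_op op)
{
    switch (op) {
    case MOD_ADD:     return ACL_WADD;
    case MOD_DELETE:  return ACL_WDEL;
    case MOD_REPLACE: return ACL_WADD | ACL_WDEL;
    }
    return ACL_WRITE; /* unknown op: require the full write level */
}
/* Every modification in the list must be covered by the granted mask. */
bool acl_check_modlist(unsigned granted, const enum mod_op *ops, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if ((granted & mod_required(ops[i])) != mod_required(ops[i]))
            return false;
    return true;
}
```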