
Redundant and pointless use of ACL peername (ITS#1515)
Full_Name: Mark Blackman
Version: 2.0.19
OS: FreeBSD 4.4
URL: http://www.users.dircon.co.uk/~canyon/patches/peername.patch-2.0.19
Submission from: (NULL) (195.157.3.43)
Both the peername and sockname <who> clauses use exactly the same format and
thus one is redundant. (See servers/slapd/slap.h and servers/slapd/daemon.c
for the construction of peername and sl_name.)

Additionally, as both peername and sockname include the port number of
the client socket, it's (nearly) impossible to actually predict what it
will look like, and thus exact matching (as opposed to regex matching)
in ACLs is (nearly) impossible.

I propose that sockname retain its current behaviour but that peername
actually be a simple ASCII form of the IP address (IP4 or IP6) and
continue the current behaviour for the case of UNIX domain sockets
(i.e. peername = "PATH=/tmp/.unixdomainsocket"). Thus peername will
look like one of

PATH=/tmp/.unixdomainsocket
ffff:ffff:ffff:ffff:ffff:ffff
255.255.255.255

I've included the simple patches to servers/slapd/slap.h
and servers/slapd/daemon.c (RELEASE 2.0.19).
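The following Python is an added illustration of the matching argument made in this report; it is not part of the submitted patch or of slapd. It assumes, for illustration only, that the current 2.0.19 peername string looks like "IP=<addr>:<port>" (the report itself only says the port is included), uses "PATH=<path>" for UNIX domain sockets as the report does, and models the proposed form as the bare address. It shows why an exact <who> written for one connection fails on the next (the ephemeral port changes), why a carelessly written regex admits other hosts (unescaped dots, no anchors), how to write a precise one, and how the proposed bare-address form makes both exact matching and CIDR checks straightforward.

```python
import re
import ipaddress

# Constructed formats for illustration; not copied from slapd sources.
# "IP=<addr>:<port>" stands in for the current form that carries the client
# port; "PATH=<path>" is the UNIX domain socket form the report keeps; the
# bare address is the form the report proposes for peername.

def current_peername(addr: str, port: int) -> str:
    """Current form (assumed layout): address plus ephemeral client port."""
    return f"IP={addr}:{port}"

def proposed_peername(addr: str) -> str:
    """Proposed form: plain ASCII address (IPv4 or IPv6), no port."""
    return str(ipaddress.ip_address(addr))

def unix_peername(path: str) -> str:
    """UNIX domain socket form, unchanged by the proposal."""
    return f"PATH={path}"

def match_exact(who: str, peername: str) -> bool:
    """Exact <who> clause: succeeds only on a byte-identical string."""
    return who == peername

def match_regex(pattern: str, peername: str) -> bool:
    """Regex <who> clause: an unanchored search, as a regex engine does."""
    return re.search(pattern, peername) is not None

def anchored_host_pattern(addr: str) -> str:
    """Precise regex for the current form: escape the dots, anchor both
    ends, and accept any port so every connection from that host matches."""
    return r"^IP=" + re.escape(addr) + r":[0-9]+$"

def in_network(peername: str, cidr: str) -> bool:
    """CIDR check, trivial once peername is a bare address."""
    return ipaddress.ip_address(peername) in ipaddress.ip_network(cidr)

def exact_match_survives_reconnect() -> bool:
    """Does an exact <who> copied from one connection match the next?"""
    first = current_peername("192.0.2.10", 40001)
    second = current_peername("192.0.2.10", 40002)   # new ephemeral port
    return match_exact(first, second)

def naive_regex_overmatches() -> bool:
    """A pattern written as the bare address, with unescaped dots and no
    anchors, matches the intended host but also a different host."""
    naive = "192.0.2.1"
    return (match_regex(naive, current_peername("192.0.2.1", 5000)) and
            match_regex(naive, current_peername("192.0.2.10", 5000)))

def anchored_regex_is_precise() -> bool:
    """The escaped, anchored pattern matches the host on any port and
    rejects the host whose address merely starts with the same digits."""
    pat = anchored_host_pattern("192.0.2.1")
    return (match_regex(pat, current_peername("192.0.2.1", 40001)) and
            match_regex(pat, current_peername("192.0.2.1", 40002)) and
            not match_regex(pat, current_peername("192.0.2.10", 40001)))

def proposed_form_allows_exact_and_cidr() -> bool:
    """With the proposed form, exact matching works for IPv4, IPv6 and the
    UNIX socket path, and CIDR checks need no string surgery."""
    p4 = proposed_peername("192.0.2.1")
    p6 = proposed_peername("2001:db8::1")
    return (match_exact("192.0.2.1", p4) and
            match_exact("2001:db8::1", p6) and
            in_network(p4, "192.0.2.0/24") and
            in_network(p6, "2001:db8::/32") and
            match_exact("PATH=/tmp/.unixdomainsocket",
                        unix_peername("/tmp/.unixdomainsocket")))

if __name__ == "__main__":
    print("exact match survives reconnect:", exact_match_survives_reconnect())
    print("naive regex overmatches:", naive_regex_overmatches())
    print("anchored regex is precise:", anchored_regex_is_precise())
    print("proposed form: exact + CIDR:", proposed_form_allows_exact_and_cidr())
```

The overmatch case is the one worth remembering when reviewing an ACL: a regex <who> that is not anchored and does not escape its dots grants access to more hosts than the author intended, and the presence of the port in the string is what pushes administrators toward regexes in the first place.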