From 090faaccf9a18ca04ced4fed56d6ec446e418a94 Mon Sep 17 00:00:00 2001 From: Travis McArthur Date: Mon, 1 Jun 2015 02:53:41 -0400 Subject: [PATCH] Fix raw entry logic, fix descent logic --- src/operclass.c | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/src/operclass.c b/src/operclass.c index 50c7505c4..ca2b7bd04 100644 --- a/src/operclass.c +++ b/src/operclass.c @@ -196,11 +196,17 @@ unsigned char OperClass_evaluateACLEntry(OperClassACLEntry* entry, OperClassACLP OperClass_CallbackNode *callbackNode = NULL; unsigned char eval = 0; + /* If no variables, always match */ + if (!entry->variables) + { + return 1; + } + /* Go as deep as possible */ while (path->next && node) { node = OperClass_findPathNodeForIdentifier(path->identifier,node); - /* If we can't find a node we need, no match */ + /* If we can't find a node we need, and we have vars, no match */ if (!node) { return 0; @@ -215,11 +221,6 @@ unsigned char OperClass_evaluateACLEntry(OperClassACLEntry* entry, OperClassACLP return 0; } - /* If we just have allow or deny then we match it */ - if (!node->callbacks) - { - return 1; - } /* We have a valid node, execute all callback nodes */ for (callbackNode = node->callbacks; callbackNode; callbackNode = callbackNode->next) @@ -239,16 +240,24 @@ OperPermission OperClass_evaluateACLPathEx(OperClassACL* acl, OperClassACLPath* OperClassACLEntry* entry; unsigned char allow = 0; unsigned char deny = 0; - while (path && path->next && acl->acls) + unsigned char aclNotFound = 0; + while (path && acl->acls) { tmp = OperClass_FindACL(acl->acls,path->identifier); if (!tmp) { + aclNotFound = 1; break; } path = path->next; acl = tmp; } + /** If node does not exist, but most specific one has other ACLs, deny **/ + if (acl->acls && aclNotFound) + { + return OPER_DENY; + } + /** If node exists for this but has no ACL entries, allow **/ if (!acl->entries) { 
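Review bot: For an entry that does have variables, `path` is still dereferenced unguarded by the context line `while (path->next && node)` right after the new early return, and the rewritten descent loop in the third hunk (`while (path && acl->acls)`) now advances `path` until it is NULL whenever every identifier resolves to an ACL node, so a NULL `path` can presumably reach this function through the entry loop of OperClass_evaluateACLPathEx that lies outside the hunks. The previous condition `path && path->next && acl->acls` never exhausted the list, so this is a NULL dereference inside the permission check that the commit introduces rather than one it inherits. Since a variable-constrained entry cannot match an exhausted path, I would add `if (!path) { return 0; }` directly after the new `!entry->variables` guard, or reject a NULL path at the call site. OperClass_evaluateACLEntry starts before the hunk and the initialisation of `node` is not visible, so the exact entry conditions are inferred.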
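Review bot: The `acl->acls &&` half of the new check `if (acl->acls && aclNotFound)` is always true when it matters, because `aclNotFound` is only set inside a loop body that runs while `acl->acls` is non-NULL and `acl` is not advanced before the `break`; `if (aclNotFound)` states the intent more directly. The comment above it would also read better as `/* The path names a node the ACL tree lacks: deny instead of falling back to the parent's entries */`, since "most specific one has other ACLs" leaves the referent unclear. OperClass_evaluateACLPathEx continues past the end of the hunk.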
@@ -268,7 +277,10 @@ OperPermission OperClass_evaluateACLPathEx(OperClassACL* acl, OperClassACLPath* { allow = result; } - deny = result; + else + { + deny = result; + } } /** We only permit if an allow matched AND no deny matched **/
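Review bot: `deny = result;` in the new else branch, like the existing `allow = result;` above it, overwrites the flag on every entry, so a later deny entry that does not match resets a deny that an earlier entry produced, and the final check described by the comment (an allow matched AND no deny matched) then permits access it should have refused. Assuming `result` is the per-entry outcome computed inside a loop that opens above the hunk, both flags need to be sticky: `allow |= result;` and `deny |= result;`. The enclosing loop and the function's final return lie outside the hunk.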