[Dovecot] Users w/o acl access appear to be subscribed to public folders (1.1b8)
Adam McDougall
mcdouga9 at egr.msu.edu
Mon Nov 26 06:41:41 EET 2007
On Tue, Nov 20, 2007 at 10:20:49PM -0500, Adam McDougall wrote:
I noticed this today, I had a user outside of our department test out
dovecot. They were using squirrelmail and I noticed that dovecot thinks
this user is subscribed to ALL public folders even though a dovecot
ACL prevents all access. I'm pretty sure access is still denied.
I was able to reproduce this with a guest account I added:
l lsub "" "#shared/decs/%"
* LSUB (\Noselect) "/" "#shared/decs/linuxadmin"
* LSUB (\Noselect) "/" "#shared/decs/jbossadmin"
* LSUB () "/" "#shared/decs/support"
* LSUB () "/" "#shared/decs/receipts"
* LSUB (\Noselect) "/" "#shared/decs/pcadmin"
* LSUB () "/" "#shared/decs/network"
* LSUB (\Noselect) "/" "#shared/decs/printmaster"
* LSUB () "/" "#shared/decs/postmaster"
* LSUB (\Noselect) "/" "#shared/decs/unixadmin"
* LSUB () "/" "#shared/decs/security"
* LSUB (\Noselect) "/" "#shared/decs/webmaster"
l OK Lsub completed.
This only seems to happen when the acl plugin is enabled. Without the acl
plugin, these are not listed as subscriptions.
After deleting /egr/mail/shared/decs/dovecot-acl-list and re-enabling the
acl plugin, I get this:
l lsub "" "#shared/decs/%"
* LSUB () "/" "#shared/decs/unixadmin"
* LSUB () "/" "#shared/decs/support"
* LSUB () "/" "#shared/decs/security"
* LSUB () "/" "#shared/decs/printmaster"
* LSUB () "/" "#shared/decs/postmaster"
* LSUB () "/" "#shared/decs/pcadmin"
* LSUB () "/" "#shared/decs/network"
* LSUB () "/" "#shared/decs/linuxadmin"
* LSUB () "/" "#shared/decs/webmaster"
* LSUB () "/" "#shared/decs/jbossadmin"
l OK Lsub completed.
Is it related, or is it different just because a new dovecot-acl-list got
created by another user already (but is mode 700?)
I found a workaround, if I add "authenticated l" to the top level acl in
each namespace (currently only have one enabled) then users aren't force-subscribed
to every public folder. It does however grant them the ability to subscribe to
my empty top level fake folder which they have no permissions for anyway. This
doesn't seem to reduce the level of access by any valid users.
More information about the dovecot
mailing list