[Dovecot] acl flag to limit imap_acl based acl changes
Timo Sirainen
tss at iki.fi
Mon Jan 25 20:43:53 EET 2010
On Mon, 2010-01-25 at 11:57 +0100, Amon Ott wrote:
> http://wiki.dovecot.org/ACL says that "a" or "admin" covers "Administration
> rights to the mailbox". However, removing "a" from owner acl (using "lr")
> does not help, the user can still change all acl flags for all users with
> imap. Write accesses to mails are forbidden as they should.
>
> Is this intended or a bug?
Looks like it was intended, to avoid users from accidentally removing
admin privileges from their own mailboxes. But there's already other
code in SETACL handling that tries to prevent the same thing, so that
should be enough.
v2.0 now allows removing admin right manually from dovecot-acl file:
http://hg.dovecot.org/dovecot-2.0/rev/667fea930ec3
I probably don't want to do the same change to v1.2, since it might
break someone's setup.. Maybe you could use global ACLs to remove the
admin right? If it's always the same mailbox name for every user.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20100125/5e15b439/attachment.bin
More information about the dovecot
mailing list