[Dovecot] Plan: ACL changes

Timo Sirainen tss at iki.fi
Fri Nov 26 07:49:16 EET 2010


Global ACLs are intended to apply to a few mailboxes for all users. For example you could have a master user called "spam" that would have access to each user's "spam" mailbox, but nothing else.

Global ACLs are kind of ugly. A mailbox's ACL is found from exactly the same name as what the mailbox's virtual name is. So for example if you have

namespace {
  separator = /
  prefix = foo/
}

And you have a mailbox called foo/bar, the global ACL is looked up from the <global dir>/foo/bar. The problem there of course is what if you want to set global ACLs for "foo". You can't have both a directory and a file called "foo". So if this happens, Dovecot instead looks up the ACLs from the <global dir>/foo/.DEFAULT file. The name for this file is slightly confusing, and also of course if there really is a mailbox called ".DEFAULT" it won't really work well.

The global ACL is currently configured by giving its path to the acl setting, such as:

plugin {
  acl = vfile:/etc/dovecot/global-acls
}

So plan #1: deprecate this usage. If global-acls is a directory, keep using the old method. But the new preferred method would be for it to be a file that contains all of the global ACLs. Typically there should be very few entries, so this should also be more efficient. Also this would allow setting default ACLs for namespaces by using wildcards. For example you could have:

* masteruser +lrw
spam spamuser +lr
test/* testuser +lr
etc.

The * would match only within a single namespace, so if you had more than one, the * entry would match only the one having prefix="". The * entry would be especially helpful for master users who you intend to have access to all of a user's mailboxes. Currently there is no good way to implement this.

Plan #2: Add support for per-user default namespace ACLs. In the mail root directory, if a "dovecot-default-acl" file exists, it's used as the default ACLs. I'm not entirely sure what should happen if it conflicts with the global ACLs. Probably they both should be simply merged, since both can only be created by an admin. Probably the per-user ACL should be allowed to override the global ACLs.

Any thoughts? Since neither of these would break backwards compatibility, I could add them to v2.0.x.
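
The single-file global ACL format from plan #1, as an added sketch that is not part of the original post and not Dovecot code: it parses the three sample entries and checks that the * entry stays inside the prefix="" namespace. The "shared/" namespace, the function names, and the use of fnmatch-style matching (where * also crosses the / separator) are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample: the three entries shown in the post.
GLOBAL_ACL = """\
* masteruser +lrw
spam spamuser +lr
test/* testuser +lr
"""

# Constructed namespace prefixes: the default one plus a hypothetical "shared/".
NAMESPACES = ["", "shared/"]


def namespace_of(name, namespaces=NAMESPACES):
    """Return the longest namespace prefix that a mailbox name or pattern starts with."""
    return max((p for p in namespaces if name.startswith(p)), key=len)


def parse(text):
    """Parse 'pattern user +rights' lines into tuples, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            pattern, user, rights = line.split()
            entries.append((pattern, user, rights))
    return entries


def global_rights(entries, mailbox, user):
    """Collect the rights letters the global ACL file grants to user on mailbox."""
    granted = set()
    mailbox_ns = namespace_of(mailbox)
    for pattern, acl_user, rights in entries:
        if acl_user != user:
            continue
        # A pattern applies only inside its own namespace, so a bare "*"
        # (namespace prefix "") never reaches mailboxes under "shared/".
        if namespace_of(pattern) != mailbox_ns:
            continue
        if fnmatchcase(mailbox, pattern):
            granted |= set(rights.lstrip("+"))
    return "".join(sorted(granted))


if __name__ == "__main__":
    acl = parse(GLOBAL_ACL)
    for mbox, user in [("INBOX", "masteruser"), ("shared/team", "masteruser"),
                       ("test/a", "testuser"), ("spam", "spamuser")]:
        print(mbox, user, global_rights(acl, mbox, user) or "(none)")
```

An empty result for a master user on a mailbox outside the prefix="" namespace is the property worth testing when reviewing such a file, since a wildcard that spilled across namespaces would grant far more than intended.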

