Timo Sirainen <tss@iki.fi> writes:
On Thu, 2009-02-12 at 13:10 +0100, Sascha Wilde wrote:
- cyrus imapd actually tries[1] to implement a variant of this possibility in that it does not allow to remove the 'a' right from the owner:
I implemented this to Dovecot now too.
Good. :)
I just gave it a try. I was a little worried when I saw that I was able to remove all admin rights from an folder by giving "a" to another user and let this user first remove "a" from the owner and then from him self -- fortunately the owner was still able to edit the acls (despite the missing administrator flag.), so everything is fine:
OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready. lo login bar secret lo OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT THREAD=REFERENCES MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH ACL RIGHTS=texk ANNOTATEMORE] Logged in li list "" "*"
LIST (\Noselect \HasChildren) "/" "user"
LIST (\Noselect \HasChildren) "/" "user/foo@example.com"
LIST (\HasChildren) "/" "INBOX"
LIST (\HasNoChildren) "/" "user/foo@example.com/test-share" li OK List completed. g getacl "user/foo@example.com/test-share"
ACL "user/foo@example.com/test-share" "foo@example.com" akxeilprwtscd "bar@example.com" akxeilprwtscd g OK Getacl completed. s setacl "user/foo@example.com/test-share" "foo@example.com" -a s OK Setacl complete. g getacl "user/foo@example.com/test-share"
ACL "user/foo@example.com/test-share" "foo@example.com" kxeilprwtscd "bar@example.com" akxeilprwtscd g OK Getacl completed. s setacl "user/foo@example.com/test-share" "bar@example.com" kxeilprwtscd s OK Setacl complete. getacl "user/foo@example.com/test-share" getacl BAD Error in IMAP command "USER/foo@EXAMPLE.COM/TEST-SHARE": Unknown command. lo logout
BYE Logging out lo OK Logout completed.
OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready. loginb foo secret loginb BAD Error in IMAP command received by server. lo login elf 11 lo OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT THREAD=REFERENCES MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH ACL RIGHTS=texk ANNOTATEMORE] Logged in li list "" "*"
LIST (\HasChildren) "/" "INBOX"
LIST (\HasNoChildren) "/" "INBOX/test-share" li OK List completed. g getacl "INBOX/test-share"
ACL "INBOX/test-share" "foo@example.com" kxeilprwtscd "bar@example.com" kxeilprwtscd g OK Getacl completed. s setacl "INBOX/test-share" "foo@example.com" +a s OK Setacl complete. g getacl "INBOX/test-share"
ACL "INBOX/test-share" "foo@example.com" akxeilprwtscd "bar@example.com" kxeilprwtscd g OK Getacl completed.
I'm not sure if every detail here is intended, but I think its an good solution.
I think the owner ACLs are usually in global ACL files, so it's probably not possible to remove or change it, only add a new user=x.
I think that it would be best to always map the owners user name to the keyword "owner" and vice versa between the IMAP front end and the acl back end. This way user=x where x is the owners user name should never appear in an dovecot-acl file.
I did consider this too, but then I thought that it could cause wrong results in some special situations. For example if another user's mailbox is symlinked to your private namespace and you change your own rights, it really should change them and not the owner's.
I haven't thought of that. I agree that in such cases the mapping would fail. However I think there are many setups where such symlink hacks are not used (and I guess with the new shared user namespaces and IMAP ACL front end there will be even fewer cases in which such tricks are useful) -- so maybe this could be configure able?
So it boils down to the question if the individual acl-files should take precedence over the global one -- without having checked I assume this decision already has been made.
IIRC in v1.1 mailbox ACL files take precedence, but in v1.2 globals take precedence. I changed it because users shouldn't be able to override admin's decisions.
I guess it's mainly a question if you see these global ACLs as mere defaults (in which case it should be possible to overwrite them) or as an administrative instrument. I don't really have any opinion which is more useful... :)
Once again many thanks for putting all this into 1.2!
cheers sascha
Sascha Wilde OpenPGP key: 4BB86568 http://www.intevation.de/~wilde/ http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner