[Dovecot] "list" ACL privilege ignored for LSUB command?
Hello, I am new to this list, so feel free to correct me if I do something wrong. I don't have a problem, just a question.
The RFC which covers IMAP ACLs [1] states that one of the standard rights is: l - lookup (mailbox is visible to LIST/LSUB commands, SUBSCRIBE mailbox)
If I have a shared or public namespace and have a mailbox for which I do not have lookup rights, Dovecot seems to do great with the LIST commands at not showing it to me.
Two things I noticed though:
- SUBSCRIBE-ing to the mailbox is still successful
- LSUB will list mailboxes which I do not have lookup rights to
I imagine the first issue is easy enough to correct since it's just another check before actually subscribing. The second issue seems a little more difficult in my mind since Dovecot seems to just dump the subscription files to the client without checking whether the mailbox is allowed or not. I imagine a similar issue popped up with the LIST command and that's why the dovecot-acl-list files exist.
Anyway, am I right in my observations, or am I completely overlooking something obvious?
Thanks!
Willie
[1] http://tools.ietf.org/html/rfc4314#section-2.1
Dovecot's wiki also indicates support for this in http://wiki1.dovecot.org/ACL#ACL_files
I'm using version 1.2.9 with the acl and imap_acl mail_plugins in case that matters.
On Mon, 2010-11-22 at 12:22 -0700, Willie Gillespie wrote:
> Hello, I am new to this list, so feel free to correct me if I do something wrong. I don't have a problem, just a question.
> The RFC which covers IMAP ACLs [1] states that one of the standard rights is: l - lookup (mailbox is visible to LIST/LSUB commands, SUBSCRIBE mailbox)
> If I have a shared or public namespace and have a mailbox for which I do not have lookup rights, Dovecot seems to do great with the LIST commands at not showing it to me.
> Two things I noticed though: SUBSCRIBE-ing to the mailbox is still successful
Hmm. I kind of disagree with the RFC there.. If you have 'r' rights to the mailbox, you can select it. You know that it exists then. Why couldn't you be able to subscribe to it? It even makes sense to me that if there are mailboxes that +r-l that user should be able to subscribe to them to make it easier to access them.
> LSUB will list mailboxes which I do not have lookup rights to
This is intentional. If you have ever subscribed to a mailbox, it's in your subscriptions list and it won't go away until UNSUBSCRIBE. It doesn't matter if the mailbox is deleted or its ACLs change.
But, yes, I should restrict the SUBSCRIBE more. Currently it's possible to subscribe as long as there are any rights to the mailbox. (But if there are no rights, it's not possible to subscribe, so I don't really consider this a security hole.) I should probably change it to "l" or "r". I'll anyway ask what other IMAP people think about this.
Timo Sirainen wrote:
> On Mon, 2010-11-22 at 12:22 -0700, Willie Gillespie wrote:
>> Two things I noticed though: SUBSCRIBE-ing to the mailbox is still successful
> Hmm. I kind of disagree with the RFC there.. If you have 'r' rights to the mailbox, you can select it. You know that it exists then. Why couldn't you be able to subscribe to it? It even makes sense to me that if there are mailboxes that +r-l that user should be able to subscribe to them to make it easier to access them.
Makes sense. And it's strange because the RFC states that SUBSCRIBE and LSUB only require rights "if the server checks for mailbox existence when performing SUBSCRIBE." (page 14 of RFC 4314)
So the fact that you can SUBSCRIBE/LSUB to mailboxes without the lookup ACL isn't too far off anyway.
>> LSUB will list mailboxes which I do not have lookup rights to
> This is intentional. If you have ever subscribed to a mailbox, it's in your subscriptions list and it won't go away until UNSUBSCRIBE. It doesn't matter if the mailbox is deleted or its ACLs change.
> But, yes, I should restrict the SUBSCRIBE more. Currently it's possible to subscribe as long as there are any rights to the mailbox. (But if there are no rights, it's not possible to subscribe, so I don't really consider this a security hole.) I should probably change it to "l" or "r". I'll anyway ask what other IMAP people think about this.
I actually ran into this originally with an unusual setup: We wanted a public namespace which handled its own subscriptions... but then we wanted to restrict the namespace to a subset of users. ACLs restricted this properly for the most part, but LSUB still listed all the mailboxes to everyone regardless of whether or not they had any rights.
So that didn't work for us. =) Not a big deal, we have other ways we can make things work for our situation. If somehow LSUB filtered out mailboxes for which it had no rights to, it would fix that unique problem though.
Is there a better way to provide a set of mailboxes to a subset of users with a shared subscription list (subscriptions = yes)?
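
The behaviours discussed in this thread, modelled as an added example (not part of either poster's messages and not Dovecot code): LIST filtered by the "l" right, LSUB returning the stored subscription list, and the "any right" versus "l or r" SUBSCRIBE checks. The mailbox names, users, the simplified ACL line format and all function names are assumptions made for the illustration.

```python
# Constructed sample data: mailbox -> lines in a simplified dovecot-acl style
# ("<identifier> <rights letters>"); only user=NAME and anyone are handled here.
ACLS = {
    "Public/staff":   ["user=alice lrwstipek"],
    "Public/finance": ["user=bob lr"],
    "Public/dropbox": ["anyone p"],          # post only: no lookup, no read
    "Public/reports": ["anyone r"],          # the +r-l case from the thread
}
# Shared subscription list for the public namespace (subscriptions = yes).
# "Public/old" stands for a mailbox that was deleted after being subscribed.
SUBSCRIPTIONS = ["Public/staff", "Public/finance", "Public/reports", "Public/old"]


def rights_for(mailbox, user):
    """Union of the rights granted to `user` on `mailbox` (empty set if none)."""
    rights = set()
    for line in ACLS.get(mailbox, []):
        ident, _, letters = line.partition(" ")
        if ident == "anyone" or ident == f"user={user}":
            rights |= set(letters.strip())
    return rights


def list_visible(user):
    """LIST as described in the thread: only mailboxes with the 'l' right."""
    return sorted(m for m in ACLS if "l" in rights_for(m, user))


def lsub_visible(user, filter_by_rights=False):
    """LSUB: the subscription list as stored; optionally hide names the user has
    no rights at all on (the filtering asked about at the end of the thread)."""
    if not filter_by_rights:
        return list(SUBSCRIPTIONS)
    return [m for m in SUBSCRIPTIONS if rights_for(m, user)]


def may_subscribe(mailbox, user, policy):
    """policy 'any': any right suffices (the behaviour described in the reply);
    policy 'l_or_r': the stricter check the reply proposes."""
    rights = rights_for(mailbox, user)
    return bool(rights) if policy == "any" else bool(rights & {"l", "r"})


def disclosed_names(user):
    """Subscribed names LSUB returns although the user lacks 'l' on them."""
    return [m for m in lsub_visible(user) if "l" not in rights_for(m, user)]
```

Running `disclosed_names` per user against a real subscription list is a quick way to see which mailbox names a shared subscription file exposes beyond what LIST would show.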
participants (2): Timo Sirainen, Willie Gillespie