[Dovecot] ACL changes not respected by already logged in clients
Hi *,
and yet another ACL problem. ;-)
User A allows User B to access his mailbox foobar:
- OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
l login userA secret
l OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT THREAD=REFERENCES MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH ACL RIGHTS=texk ANNOTATEMORE] Logged in
s setacl "INBOX/foobar" "B@example.com" eilprwtsd
s OK Setacl complete.
g getacl INBOX/foobar
- ACL "INBOX/foobar" "B@example.com" eilprwtsd "A@example.com" lrwstipekxacd
User B logs in to dovecot and sees the newly accessible mailbox:
- OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
l login zwei 2
l OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT THREAD=REFERENCES MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH ACL RIGHTS=texk ANNOTATEMORE] Logged in
l list "" "*"
- LIST (\Noselect \HasChildren) "/" "user"
- LIST (\Noselect \HasChildren) "/" "user/A@example.com"
- LIST (\HasChildren) "/" "INBOX"
- LIST (\HasNoChildren) "/" "INBOX/Gesendet"
- LIST (\HasChildren) "/" "user/A@example.com/foobar"
l OK List completed.
se select "user/A@example.com/foobar"
- FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
- OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
- 1 EXISTS
- 1 RECENT
- OK [UIDVALIDITY 1236104897] UIDs valid
- OK [UIDNEXT 2] Predicted next UID
- OK [HIGHESTMODSEQ 1]
Now User A changes his mind:
s setacl "INBOX/foobar" "B@example.com" ""
s OK Setacl complete.
g getacl INBOX/foobar
- ACL "INBOX/foobar" "A@example.com" lrwstipekxacd
g OK Getacl completed.
but as long as User B stays logged in, he is not affected, in fact he still can read A's mails:
se select "user/A@example.com/foobar"
- OK [CLOSED]
- FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
- OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
- 1 EXISTS
- 0 RECENT
- OK [UIDVALIDITY 1236104897] UIDs valid
- OK [UIDNEXT 2] Predicted next UID
- OK [HIGHESTMODSEQ 1]
se OK [READ-WRITE] Select completed.
f101 fetch 1 FAST
- 1 FETCH (FLAGS (\Seen) INTERNALDATE "04-Mar-2009 13:11:06 +0100" RFC822.SIZE 3652)
f101 OK Fetch completed.
I think ACL changes should take immediate effect, or at least should be re-checked in reasonable intervals (which imo shouldn't exceed a few seconds).
cheers sascha
Sascha Wilde OpenPGP key: 4BB86568 http://www.intevation.de/~wilde/ http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
On Thu, 5 Mar 2009, Sascha Wilde wrote:
> I think ACL changes should take immediate effect, or at least should be re-checked in reasonable intervals (which imo shouldn't exceed a few seconds).
Although I see the problem in your scenario, it is rather uncommon to recalculate ACLs for already running processes, esp. not in intervals of seconds. Did you try it in Windows or Unix?
Maybe, some "ACL push" plugin would help, that pushes ACL changes to processes that are logged in currently.
Bye,
Steffen Kaiser
Steffen Kaiser <skdovecot@smail.inf.fh-brs.de> writes:
> On Thu, 5 Mar 2009, Sascha Wilde wrote:
>> I think ACL changes should take immediate effect, or at least should be re-checked in reasonable intervals (which imo shouldn't exceed a few seconds).
> Although I see the problem in your scenario, it is rather uncommon to recalculate ACLs for already running processes, esp. not in intervals of seconds.
When you say "uncommon", which references are you referring to?
There are not too many other imap server implementations implementing these features (imap acl and shared user mailboxes). I only tested the (widely used) cyrus imapd, which promotes ACL changes immediately.
> Did you try it in Windows or Unix?
Afaik dovecot doesn't even run on Windows systems.
> Maybe, some "ACL push" plugin would help, that pushes ACL changes to processes that are logged in currently.
This might be a good way to implement things efficiently but before doing so I would prefer to evaluate if simply rechecking the relevant ACLs on each IMAP command has such a big performance impact that this kind of optimization is really needed.
cheers sascha
On Thu, 2009-03-05 at 18:18 +0100, Sascha Wilde wrote:
> I think ACL changes should take immediate effect, or at least should be re-checked in reasonable intervals (which imo shouldn't exceed a few seconds).
I think this should work:
acl = vfile:/etc/dovecot/acls:cache_secs=1
The default is 5 minutes. I suppose it could be lower. 30 seconds maybe?
On 4/2/2009 6:24 PM, Timo Sirainen wrote:
>> I think ACL changes should take immediate effect, or at least should be re-checked in reasonable intervals (which imo shouldn't exceed a few seconds).
> I think this should work:
> acl = vfile:/etc/dovecot/acls:cache_secs=1
> The default is 5 minutes. I suppose it could be lower. 30 seconds maybe?
I guess the answer to that depends on the extra load it puts on the system... I'm guessing you were caching it for a reason?
--
Best regards,
Charles
On Fri, 2009-04-03 at 06:12 -0400, Charles Marcus wrote:
> On 4/2/2009 6:24 PM, Timo Sirainen wrote:
>>> I think ACL changes should take immediate effect, or at least should be re-checked in reasonable intervals (which imo shouldn't exceed a few seconds).
>> I think this should work:
>> acl = vfile:/etc/dovecot/acls:cache_secs=1
>> The default is 5 minutes. I suppose it could be lower. 30 seconds maybe?
> I guess the answer to that depends on the extra load it puts on the system... I'm guessing you were caching it for a reason?
Yeah, but the 5 minutes was just a guess. stating files is pretty cheap.
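
An added example, not part of the thread and not Dovecot's code: a small model of a logged-in session that caches ACLs and only re-checks the ACL source once cache_secs have elapsed, used to measure how long user B keeps read access after user A's revoking setacl. The class and function names are hypothetical, and the store's version counter stands in for the ACL file's mtime as seen by stat().

```python
# Simplified model of the behaviour discussed in the thread (assumption:
# a session re-stats its ACL source only after cache_secs have passed).

class AclStore:
    """Stands in for the on-disk ACL file; 'version' plays the role of mtime."""
    def __init__(self):
        self.rights = {}
        self.version = 0

    def setacl(self, user, rights):
        # An empty rights string removes the entry, as in the setacl above.
        if rights:
            self.rights[user] = set(rights)
        else:
            self.rights.pop(user, None)
        self.version += 1

    def stat(self):
        return self.version


class Session:
    """One logged-in IMAP session holding a cached copy of its rights."""
    def __init__(self, store, user, cache_secs):
        self.store, self.user, self.cache_secs = store, user, cache_secs
        self.checked_at = None
        self.seen_version = None
        self.cached = set()

    def can(self, right, now):
        # Revalidate only when the cached entry is at least cache_secs old.
        if self.checked_at is None or now - self.checked_at >= self.cache_secs:
            version = self.store.stat()
            if version != self.seen_version:  # source changed: reload
                self.cached = set(self.store.rights.get(self.user, ()))
                self.seen_version = version
            self.checked_at = now
        return right in self.cached


def revocation_window(cache_secs, horizon=600):
    """Seconds after revocation until B's session first loses the 'r' right."""
    store = AclStore()
    store.setacl("B@example.com", "eilprwtsd")
    b = Session(store, "B@example.com", cache_secs)
    assert b.can("r", now=0)            # B selects the shared mailbox at t=0
    store.setacl("B@example.com", "")   # A revokes immediately afterwards
    for t in range(1, horizon + 1):     # B issues one command per second
        if not b.can("r", now=t):
            return t
    return None                         # still readable at the horizon
```

With the values from the thread, the stale-grant window equals cache_secs: 300 seconds at the stated default, 30 at the proposed one, 1 with cache_secs=1.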