[Dovecot] ACL changes not respected by already loged in clients

5 Mar 2009

      Hi *,
and yet another ACL problem.  ;-)
User A allows User B to access his mailbox foobar:

OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
l login userA secret
l OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT THREAD=REFERENCES MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH ACL RIGHTS=texk ANNOTATEMORE] Logged in
s setacl "INBOX/foobar" "B@example.com" eilprwtsd
s OK Setacl complete.
g getacl INBOX/foobar
ACL "INBOX/foobar" "B@example.com" eilprwtsd "A@example.com" lrwstipekxacd

User B logs in to dovecot and sees the newly accessible mailbox:

OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
l login zwei 2
l OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT THREAD=REFERENCES MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH ACL RIGHTS=texk ANNOTATEMORE] Logged in
l list "" "*"
LIST (\Noselect \HasChildren) "/" "user"
LIST (\Noselect \HasChildren) "/" "user/A@example.com"
LIST (\HasChildren) "/" "INBOX"
LIST (\HasNoChildren) "/" "INBOX/Gesendet"
LIST (\HasChildren) "/" "user/A@example.com/foobar"
l OK List completed.
se select  "user/A@example.com/foobar"
FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
1 EXISTS
1 RECENT
OK [UIDVALIDITY 1236104897] UIDs valid
OK [UIDNEXT 2] Predicted next UID
OK [HIGHESTMODSEQ 1]

Now User A changes his mind:
s setacl "INBOX/foobar" "B@example.com" ""
s OK Setacl complete.
g getacl INBOX/foobar

ACL "INBOX/foobar" "A@example.com" lrwstipekxacd
g OK Getacl completed.

but as long as User B stays loged in, he is not affected, in fact he
still can read A's mails:
se select  "user/A@example.com/foobar"

OK [CLOSED]
FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
1 EXISTS
0 RECENT
OK [UIDVALIDITY 1236104897] UIDs valid
OK [UIDNEXT 2] Predicted next UID
OK [HIGHESTMODSEQ 1]
se OK [READ-WRITE] Select completed.
f101 fetch 1 FAST
1 FETCH (FLAGS (\Seen) INTERNALDATE "04-Mar-2009 13:11:06 +0100" RFC822.SIZE 3652)
f101 OK Fetch completed.

I think ACL changes should take immediate effect, or at least should be
re-checked in reasonable intervals (which imo shouldn't exceed a few
seconds).
cheers
sascha
Sascha Wilde                                          OpenPGP key: 4BB86568
http://www.intevation.de/~wilde/                  http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Geschäftsführer:   Frank Koormann,  Bernhard Reiter,  Dr. Jan-Oliver Wagner

Sascha Wilde

cheers sascha

Steffen Kaiser

Sascha Wilde

cheers sascha

Timo Sirainen

Charles Marcus

Timo Sirainen

tags

participants (4)