[Dovecot] IMAP ACLs and global ACLs in v1.2

Timo Sirainen tss at iki.fi
Sun Nov 16 05:09:25 EET 2008


I just committed code for IMAP ACL support based on the code from Kolab
people. I did quite large changes though.

I also changed how global ACLs are handled. Previously local ACLs could
override global ACLs, but now that users are able to modify the ACLs I
think it should be the other way around. From what I've heard global
ACLs are typically added for things like 1) disallowing user from doing
something in specific mailboxes such as expunge messages, 2) giving a
specific master user access to some mailboxes ONLY, such as voicemail.

For 1) case a user really shouldn't be able to grant himself privileges
back but still should be able to share the mailbox to others (so the
global ACL should have 'a' privilege). For 2) case a user shouldn't be
able to remove privileges from the voicemail.

So now the user can freely update the local ACLs in whatever way he
wants. But in the end if there are any global ACLs, all the local ACLs
for those identifiers are ignored. Also local negative identifiers are
ignored, so that e.g. global "user=foo lr" can't be disabled by a local
"-user=foo lr" ACL.

I guess I should update the Wiki ACL page about how exactly the ACLs are
applied now that they're well in my memory. :)

One thing I'm not really sure about is the "owner" handling. IMAP ACL
specifications have no such concept. I think many/most other servers
simply add a default ACL for the user name directly. It's a useful
concept though, especially with the global ACLs. So currently Dovecot
replies:

x getacl inbox
* ACL "inbox" "owner" lrwstiekxacd
x OK Getacl completed.

But should it just internally convert "owner" to "username" when
replying? But then again if there's a separate rule directly for the
"username" it breaks.

Do any of the existing ACL-capable IMAP clients want to see the username
in the ACL reply or can they handle "owner" just fine?

Also what about global ACLs? The current code just lists them twice with
local ACLs, which is definitely wrong:

x getacl foo
* ACL "foo" "xx" w "xx" lr "owner" lrwstiekxacd
x OK Getacl completed.

Perhaps the global ACLs could have a prefix character? Maybe '#'? Which
reminds me, the current dovecot-acl file is mapped to IMAP ACLs like
this:

dovecot-acl : IMAP ACL
 - anyone : anyone
 - authenticated : authenticated
 - owner : owner
 - user=name : name
 - group=name : $name
 - group-override=name : !$name

So all global ACLs would get the # prefix, like #anyone, #name, #!$name.

Any thoughts?

BTW. Listing shared mailboxes still doesn't work. I guess we'll see
tomorrow if I still have energy to get that done.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20081116/a4c88f29/attachment.bin 


More information about the dovecot mailing list