[Dovecot] ACL plugin

Timo Sirainen tss at iki.fi
Thu Sep 11 20:46:21 EEST 2008


On Thu, 2008-09-11 at 18:18 +0200, Matvey Soloviev wrote:
> > Did you also notice my "Initial support for shared
> > mailboxes" message from yesterday?
> No, unfortunately I didn't; I only joined the mailing list on the day I sent
> this message. It sounds like it could be relevant to the topic though; could
> you provide me with a breakdown of what it is about?

http://dovecot.org/list/dovecot/2008-September/033464.html - basically
the ability to access other users' mailboxes.

> Would a facility to modify global ACLs through IMAP commands be required or
> of any use at all?

I'd say it wouldn't be of any use.

> From what I gather, nothing like that is mentioned
> anywhere in the RFC. As it is now, I am having the writing commands
> influence only the referenced mailboxes' local ACLs - however, should global
> ACLs be present, this is bound to result in somewhat irrational-seeming
> behaviour - should I go through with my current approach of storing the ACL
> data as present in acl_object_vfile.rights into the local dovecot-acl file,
> global ACLs would, on the one hand, wind up being copied into it - on the
> other hand, from the client's perspective, the ACLs defined by the global
> file would appear to be irremovable. What should I do about this?

Hmm. Let's think about the use cases for global ACLs:

1) ACLs that actually restrict what the user can do, for example force the
mailbox to be read-only. These would also remove the admin-right from
the user and this wouldn't be an issue.

2) ACLs that allow a special account to access the mailbox (e.g. backup,
voicemail, ..). A user must not be able to remove these rights.

3) Default ACLs for some mailbox that tries to prevent user from doing
something accidentally, but allows a user to override the behavior by
overriding the ACL.

I don't know if anyone uses 3) for anything. I'm not really even sure
what it could be used for really. For 1) and 2) I'd actually argue that
the user shouldn't even see the global ACLs (and certainly not override
them), only how they affect the user's rights. 2) might actually need to
be some kind of a "global for all mailboxes" ACL, at least for backup.

So I'm thinking that if possible don't let the user see or override the
global ACLs. If that's too much work just ignore the problem for now and
assume the user won't have admin-right to such mailboxes anyway.
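
The policy suggested in this message (global ACLs are neither shown to the user nor overridable, only their effect on rights is visible), sketched as an added example that is not part of the original message and is not Dovecot code. The `Mailbox` class, the account names, and the rule that a global entry replaces the local entry for the same identifier are assumptions made for the illustration.

```python
# Constructed model of the policy discussed above; not Dovecot code.
# Rights are RFC 4314 letters: l=lookup r=read w=write i=insert a=administer.

class Mailbox:
    def __init__(self, global_acl, local_acl):
        self.global_acl = {k: set(v) for k, v in global_acl.items()}
        self.local_acl = {k: set(v) for k, v in local_acl.items()}

    def effective(self, ident):
        # Assumption: a global entry for an identifier replaces the local one.
        if ident in self.global_acl:
            return set(self.global_acl[ident])
        return set(self.local_acl.get(ident, ()))

    def myrights(self, ident):
        return "".join(sorted(self.effective(ident)))

    def _require_admin(self, actor):
        if "a" not in self.effective(actor):
            raise PermissionError(f"{actor} lacks the admin right")

    def getacl(self, actor):
        """List local entries only; global entries are never shown."""
        self._require_admin(actor)
        return {k: "".join(sorted(v)) for k, v in self.local_acl.items()}

    def setacl(self, actor, ident, rights):
        """Change the local ACL only; an empty string deletes the entry."""
        self._require_admin(actor)
        if rights:
            self.local_acl[ident] = set(rights)
        else:
            self.local_acl.pop(ident, None)

def backup_case():
    # Use case 2: a global grant for a backup account (names constructed).
    box = Mailbox({"user=backup": "lr"}, {"user=alice": "lrwia"})
    listed = box.getacl("user=alice")
    box.setacl("user=alice", "user=backup", "")  # attempted removal
    return listed, box.myrights("user=backup")

def readonly_case():
    # Use case 1: a global entry forces the owner's mailbox read-only.
    box = Mailbox({"user=alice": "lr"}, {"user=alice": "lrwia"})
    try:
        box.setacl("user=alice", "user=bob", "lr")
    except PermissionError:
        return box.myrights("user=alice"), "refused"
    return box.myrights("user=alice"), "allowed"
```

In the backup case the owner's listing omits `user=backup` and the attempted removal leaves its rights intact; in the read-only case the owner loses the admin right, so the write command is refused.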