[Dovecot] ACLs are applied recursively to sub mailboxes
Sascha Wilde
wilde at intevation.de
Wed Mar 4 18:01:21 EET 2009
Hi *,
The problem is most noticeable when a user shares his INBOX[0][1] with
others:
User A sets his INBOX ACLs to "eilprwtsd"
Now User B can see _all_ sub mailboxes and sub sub [...] mailboxes and
their contents of User A:
User A:
g getacl INBOX
* ACL "INBOX" "A at example.com" akxeilprwtscd "B at example.com" eilprwtsd "A at example.com" lrwstipekxacd
g OK Getacl completed.
g getacl INBOX/foobar
* ACL "INBOX/foobar" "1 at aztec.intevation.de" lrwstipekxacd
User B:
l list "" "*"
* LIST (\Noselect \HasChildren) "/" "user"
* LIST (\Noselect \HasChildren) "/" "user/1 at aztec.intevation.de"
* LIST (\HasChildren) "/" "INBOX"
* LIST (\HasNoChildren) "/" "INBOX/Gesendet"
* LIST (\HasChildren) "/" "user/1 at aztec.intevation.de/foobar"
* LIST (\HasNoChildren) "/" "user/1 at aztec.intevation.de/foobar/barbaaz"
* LIST (\HasNoChildren) "/" "user/1 at aztec.intevation.de/INBOX"
l OK List completed.
The RFC is not too verbose on this topic of scope, but I think the
following excerpt from RFC 4314:
2. Access Control
[...]
An access control list is a set of <access identifier,rights>
pairs. An ACL applies to a mailbox name.
indicates that ACLs are only valid for individual mailboxes (name) and
not for sub mailboxes.
cheers
sascha
[0] Yes, there are really actual users wanting to do this.
[1] There is actually another bug in this context I'll report in my next
mail...
--
Sascha Wilde OpenPGP key: 4BB86568
http://www.intevation.de/~wilde/ http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
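As an added example (not part of Sascha's post or of Dovecot's own code), a small audit helper that parses GETACL and LIST responses like the ones quoted above and flags mailboxes the invited user can list without holding an explicit ACL entry of their own. The sample responses are constructed to mirror the session in the post, and the mapping from the shared namespace ("user/<owner>/...") back to the owner's mailbox names is an assumption.

```python
"""Audit helper: detect sub mailboxes exposed by an inherited INBOX ACL."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample responses, modelled on the session quoted in the post.
OWNER_ACLS = [
    '* ACL "INBOX" "A@example.com" akxeilprwtscd "B@example.com" eilprwtsd',
    '* ACL "INBOX/foobar" "A@example.com" lrwstipekxacd',
    '* ACL "INBOX/foobar/barbaaz" "A@example.com" lrwstipekxacd',
]
GUEST_LIST = [
    '* LIST (\\Noselect \\HasChildren) "/" "user"',
    '* LIST (\\Noselect \\HasChildren) "/" "user/A@example.com"',
    '* LIST (\\HasChildren) "/" "user/A@example.com/foobar"',
    '* LIST (\\HasNoChildren) "/" "user/A@example.com/foobar/barbaaz"',
    '* LIST (\\HasNoChildren) "/" "user/A@example.com/INBOX"',
]

_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')       # quoted string or atom
_LIST = re.compile(r'^\* LIST \(([^)]*)\) "([^"]*)" "([^"]*)"')

def parse_acl(line: str) -> Tuple[str, Dict[str, str]]:
    """'* ACL "mbox" "id" rights ...' -> (mbox, {identifier: rights})."""
    toks = [atom if atom else quoted for quoted, atom in _TOKEN.findall(line)]
    if toks[:2] != ["*", "ACL"]:
        raise ValueError("not an ACL response: %r" % line)
    return toks[2], dict(zip(toks[3::2], toks[4::2]))

def parse_list(line: str) -> Tuple[str, Set[str]]:
    """'* LIST (flags) "delim" "name"' -> (name, set of flags)."""
    m = _LIST.match(line)
    if not m:
        raise ValueError("not a LIST response: %r" % line)
    return m.group(3), set(m.group(1).split())

def owner_name(shared: str, prefix: str) -> str:
    """Assumption: 'user/<owner>/INBOX' is the owner's INBOX and any other
    'user/<owner>/X' is the owner's 'INBOX/X', as in the quoted listing."""
    rel = shared[len(prefix):]
    return "INBOX" if rel == "INBOX" else "INBOX/" + rel

def find_inherited_access(acl_lines: List[str], list_lines: List[str],
                          guest: str, prefix: str) -> List[str]:
    """Owner-side names of selectable mailboxes visible to `guest` although
    no ACL entry names `guest` there (rights came from a parent)."""
    acls = dict(parse_acl(l) for l in acl_lines)
    exposed = []
    for line in list_lines:
        name, flags = parse_list(line)
        if "\\Noselect" in flags or not name.startswith(prefix):
            continue
        own = owner_name(name, prefix)
        if guest not in acls.get(own, {}):
            exposed.append(own)
    return exposed
```

Run against the constructed data it reports INBOX/foobar and INBOX/foobar/barbaaz, the two mailboxes B can see without being named in their ACLs.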