[Dovecot] ACLs are applied recursively to sub mailboxes
Sascha Wilde
wilde at intevation.de
Wed Mar 4 18:29:34 EET 2009
Timo Sirainen <tss at iki.fi> writes:
> On Wed, 2009-03-04 at 17:01 +0100, Sascha Wilde wrote:
>> Hi *,
>>
>> The problem is most noticeable when a user shares his INBOX[0][1] with
>> others:
>>
>> User A sets his INBOX acls to "eilprwtsd"
>>
>> Now User B can see _all_ sub mailboxes and sub sub [...] mailboxes and
>> their contents of User A:
>
> That shouldn't happen. There's no code for doing recursive ACLs. Sounds
> more like a bug somewhere. I'll check it later.
Thanks.
>> * ACL "INBOX" "A at example.com" akxeilprwtscd "B at example.com" eilprwtsd "A at example.com" lrwstipekxacd
>
> A at example.com is there twice?..
Oh, I hadn't noticed that, but yes, it's actually there twice. The
dovecot-acl file contains:

user=A at example.com akxeilprwts
user=B at example.com eilprwts

>> * LIST (\HasChildren) "/" "user/1 at aztec.intevation.de/foobar"
>
> How does user B see this mailbox's ACLs? Is the mailbox also selectable?
Well, good question -- unfortunately I can't tell: both getacl and
myrights on "user/1 at aztec.intevation.de/foobar" make the imap process
die on SIGV... :-(

cheers
sascha
--
Sascha Wilde OpenPGP key: 4BB86568
http://www.intevation.de/~wilde/ http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner