[Dovecot] ACL changes not respected by already logged in clients

Sascha Wilde wilde at intevation.de
Thu Mar 5 19:18:59 EET 2009


Hi *,

and yet another ACL problem.  ;-)

User A allows User B to access his mailbox foobar:

  * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
  l login userA secret
  l OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT THREAD=REFERENCES MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH ACL RIGHTS=texk ANNOTATEMORE] Logged in
  s setacl "INBOX/foobar" "B at example.com" eilprwtsd
  s OK Setacl complete.
  g getacl INBOX/foobar
  * ACL "INBOX/foobar" "B at example.com" eilprwtsd "A at example.com" lrwstipekxacd

User B logs in to dovecot and sees the newly accessible mailbox:

  * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
  l login zwei 2
  l OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT THREAD=REFERENCES MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH ACL RIGHTS=texk ANNOTATEMORE] Logged in
  l list "" "*"
  * LIST (\Noselect \HasChildren) "/" "user"
  * LIST (\Noselect \HasChildren) "/" "user/A at example.com"
  * LIST (\HasChildren) "/" "INBOX"
  * LIST (\HasNoChildren) "/" "INBOX/Gesendet"
  * LIST (\HasChildren) "/" "user/A at example.com/foobar"
  l OK List completed.
  se select  "user/A at example.com/foobar"
  * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
  * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
  * 1 EXISTS
  * 1 RECENT
  * OK [UIDVALIDITY 1236104897] UIDs valid
  * OK [UIDNEXT 2] Predicted next UID
  * OK [HIGHESTMODSEQ 1]

Now User A changes his mind:

  s setacl "INBOX/foobar" "B at example.com" ""
  s OK Setacl complete.
  g getacl INBOX/foobar
  * ACL "INBOX/foobar" "A at example.com" lrwstipekxacd
  g OK Getacl completed.

but as long as User B stays logged in, he is not affected, in fact he
still can read A's mails:

  se select  "user/A at example.com/foobar"
  * OK [CLOSED]
  * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
  * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
  * 1 EXISTS
  * 0 RECENT
  * OK [UIDVALIDITY 1236104897] UIDs valid
  * OK [UIDNEXT 2] Predicted next UID
  * OK [HIGHESTMODSEQ 1]
  se OK [READ-WRITE] Select completed.
  f101 fetch 1 FAST
  * 1 FETCH (FLAGS (\Seen) INTERNALDATE "04-Mar-2009 13:11:06 +0100" RFC822.SIZE 3652)
  f101 OK Fetch completed.

I think ACL changes should take immediate effect, or at least should be
re-checked in reasonable intervals (which imo shouldn't exceed a few
seconds).

cheers
sascha
-- 
Sascha Wilde                                          OpenPGP key: 4BB86568
http://www.intevation.de/~wilde/                  http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Geschäftsführer:   Frank Koormann,  Bernhard Reiter,  Dr. Jan-Oliver Wagner
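As an added example (not code from the post or from Dovecot), a Python module that parses the ACL responses shown in the transcripts above and, against a live server, replays the scenario as a check: the owner grants, the sharer opens the mailbox, the owner revokes, and the sharer's still-open session retries SELECT and FETCH. The host, credentials, mailbox name and shared-namespace path are placeholders the caller supplies; the shared mailbox is assumed to hold at least one message, as in the post.

```python
"""Added example: does an IMAP ACL revocation reach an already-open session?

parse_acl() handles the untagged ACL responses from the post (RFC 4314),
lost_read_access() compares ACLs before and after a SETACL, and
run_revocation_check() replays the scenario against a live server.
"""
import imaplib
import shlex


def parse_acl(line: str) -> dict:
    """Parse '* ACL mailbox id rights [id rights ...]' into {id: set(rights)}.
    The '* ACL' prefix is optional because imaplib strips it from data."""
    tokens = shlex.split(line)                 # copes with quoted identifiers
    if len(tokens) >= 2 and tokens[0] == "*" and tokens[1].upper() == "ACL":
        tokens = tokens[2:]
    if not tokens or len(tokens[1:]) % 2:
        raise ValueError(f"malformed ACL response: {line!r}")
    pairs = tokens[1:]                         # mailbox name is tokens[0]
    return {pairs[i]: set(pairs[i + 1]) for i in range(0, len(pairs), 2)}


def lost_read_access(before: dict, after: dict) -> set:
    """Identifiers that held the 'r' (read) right before and no longer do."""
    return {who for who, rights in before.items()
            if "r" in rights and "r" not in after.get(who, set())}


def _q(s: str) -> str:
    """Quote an IMAP string argument (imaplib does not quote for us)."""
    return '"%s"' % s.replace("\\", "\\\\").replace('"', '\\"')


def run_revocation_check(host, owner, owner_pw, sharer, sharer_pw,
                         mailbox, shared_path) -> bool:
    """Return True if the sharer's EXISTING session can still FETCH after
    the owner revoked its rights (the behaviour reported in the post).
    All parameters are placeholders chosen by the caller."""
    a = imaplib.IMAP4(host)
    a.login(owner, owner_pw)
    a.setacl(_q(mailbox), _q(sharer), "lr")             # grant list + read
    before = parse_acl(a.getacl(_q(mailbox))[1][0].decode())
    b = imaplib.IMAP4(host)
    b.login(sharer, sharer_pw)
    b.select(_q(shared_path), readonly=True)             # sharer opens it
    a.setacl(_q(mailbox), _q(sharer), '""')              # owner revokes all
    after = parse_acl(a.getacl(_q(mailbox))[1][0].decode())
    assert sharer in lost_read_access(before, after), "revocation not stored"
    try:                                   # re-select + fetch on the OLD session
        typ, _ = b.select(_q(shared_path), readonly=True)
        if typ == "OK":
            typ, _ = b.fetch("1", "(FLAGS)")
    except imaplib.IMAP4.error:            # BAD from the server counts as denied
        typ = "NO"
    finally:
        b.logout()
        a.logout()
    return typ == "OK"
```

A True result reproduces the report (the old session keeps reading); False means the server enforced the revocation on the existing connection.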