[Dovecot] ACLs are applied recursively to sub mailboxes

Bernhard Herzog bh at intevation.de
Mon Mar 16 21:33:09 EET 2009 

On 13.03.2009, Bernhard Herzog wrote:
> On 10.03.2009, Timo Sirainen wrote:
> > I've been a bit busy (or lazy) recently and I'm not focusing on trying
> > to get the new dbox code working. I'll look at the ACL bugs at some
> > point, but you can probably get them fixed sooner if you do it yourself.
>
> I'm going to look into this.

OK.  So far I've concentrated on the problem that ACLs set on the INBOX are 
applied to all children of INBOX.  E.g. if you have users frodo and bilbo, 
and frodo does
  x SETACL "INBOX" "bilbo" lsr
then bilbo will not only see frodo's INBOX as intended, but also all 
subfolders.  More precisely the ACL of the INBOX is used for all folders that 
do not have their own ACL settings for bilbo.

Here's what I've found out so far:

The reason for the behavior is an aclobj with name "" which takes its actual 
rights from the dovecot-acl file in the other user's INBOX.  That aclobj is 
used for the default ACLs used for mailboxes with ACL entry for the user and 
for non-owners should normally be no rights at all and not taken from the ACL 
of the INBOX.

That pathological aclobj is created in acl_backend_init:
  backend->default_aclobj = acl_object_init_from_name(backend, NULL, "").  
acl_object_init_from_name calls acl_backend_vfile_object_init, which sets the 
aclobj's local_path.  In this particular case -- name == "" and storage == 
NULL -- local_path will become the concatenation of the directory name 
returned by 
    mailbox_list_get_path(_backend->list, NULL,
                          MAILBOX_LIST_PATH_TYPE_DIR)
and "/dovecot-acl", which at least in the case of maildir is in the owner's 
INBOX directory.  Later, when the user lists mailboxes, this file is actually 
read to determine the rights. 

That explains the observed behavior.  I'm not sure yet how to fix it.  I'll 
look into that next.

  Bernhard

-- 
Bernhard Herzog  |  ++49-541-335 08 30  |  http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://dovecot.org/pipermail/dovecot/attachments/20090316/10b8b264/attachment.bin

More information about the dovecot mailing list