[Dovecot] ACLs are applied recursively to sub mailboxes

Bernhard Herzog bh at intevation.de
Tue Mar 17 16:07:38 EET 2009


On 16.03.2009, Timo Sirainen wrote:
> On Mon, 2009-03-16 at 20:33 +0100, Bernhard Herzog wrote:
> > That pathological aclobj is created in acl_backend_init:
> >   backend->default_aclobj = acl_object_init_from_name(backend, NULL, "").
> > acl_object_init_from_name calls acl_backend_vfile_object_init, which sets
> > the aclobj's local_path.  In this particular case -- name == "" and
> > storage == NULL -- local_path will become the concatenation of the
> > directory name returned by
> >     mailbox_list_get_path(_backend->list, NULL,
> >                           MAILBOX_LIST_PATH_TYPE_DIR)
> > and "/dovecot-acl", which at least in the case of maildir is in the
> > owner's INBOX directory.  Later, when the user lists mailboxes, this file
> > is actually read to determine the rights.
[...]
> Hmm. I'm not sure if there's a reason for the existence of the default
> ACLs being looked up from dovecot-acl file. I think the initial fix
> could be to simply not do that. If someone really wants to have
> different default ACLs they could perhaps be stored in a file with
> different name.

As an attempt to fix the problem, I modified acl_backend_vfile_object_init so 
that local_path will be set to NULL in the default aclobj (see patch below).  
My tests so far show that it works as expected.  The ACL of the INBOX is no
longer the default ACL.

Regards,

   Bernhard


diff -r 5284f45c249a src/plugins/acl/acl-backend-vfile.c
--- a/src/plugins/acl/acl-backend-vfile.c	Sun Mar 15 20:06:45 2009 -0400
+++ b/src/plugins/acl/acl-backend-vfile.c	Tue Mar 17 14:42:58 2009 +0100
@@ -152,8 +152,7 @@ acl_backend_vfile_object_init(struct acl
 
 	if (storage == NULL) {
 		/* the default ACL for mailbox list */
-		dir = mailbox_list_get_path(_backend->list, NULL,
-					    MAILBOX_LIST_PATH_TYPE_DIR);
+		dir = NULL;
 	} else {
 		dir = acl_backend_vfile_get_local_dir(storage, name);
 	}
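Review bot: With `dir = NULL;` in the `storage == NULL` branch, whatever follows this if/else has to cope with a NULL `dir`, and that code is outside the hunk. The message says the intent is for `local_path` to end up NULL for the default aclobj, so please confirm that the path construction after this block skips appending "/dovecot-acl" when `dir` is NULL, and that every later reader of `local_path` accepts NULL instead of trying to open or stat it. The comment "the default ACL for mailbox list" would also benefit from a few words saying that the default aclobj deliberately has no backing file, so the lookup in the owner's INBOX directory is not reintroduced later.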


-- 
Bernhard Herzog  |  ++49-541-335 08 30  |  http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner