[Dovecot] acl flag to limit imap_acl based acl changes
Amon Ott
ao at m-privacy.de
Tue Jan 26 09:56:59 EET 2010
On Monday 25 January 2010 wrote Timo Sirainen:
> On Mon, 2010-01-25 at 11:57 +0100, Amon Ott wrote:
> > http://wiki.dovecot.org/ACL says that "a" or "admin" covers
> > "Administration rights to the mailbox". However, removing "a" from owner
> > acl (using "lr") does not help, the user can still change all acl flags
> > for all users with imap. Write accesses to mails are forbidden as they
> > should.
> >
> > Is this intended or a bug?
>
> Looks like it was intended, to avoid users from accidentally removing
> admin privileges from their own mailboxes. But there's already other
> code in SETACL handling that tries to prevent the same thing, so that
> should be enough.
Yes, that should be. If users edit acl files by hand, they can always change
them again.
> v2.0 now allows removing admin right manually from dovecot-acl file:
> http://hg.dovecot.org/dovecot-2.0/rev/667fea930ec3
Thank you for that patch, it also applies cleanly against 1.2.10. Will test
that. :)
> I probably don't want to do the same change to v1.2, since it might
> break someone's setup.. Maybe you could use global ACLs to remove the
> admin right? If it's always the same mailbox name for every user.
It is the inbox among others for some archiving accounts, so a global acl does
not work. Could you maybe make it an option in 1.2? Otherwise I will maintain
a separate patch in our .deb package here.
Amon Ott
--
Dr. Amon Ott - m-privacy GmbH
Am Köllnischen Park 1, 10179 Berlin
Tel: +49 30 24342334
Fax: +49 30 24342336
Web: http://www.m-privacy.de
Handelsregister:
Amtsgericht Charlottenburg HRB 84946
Geschäftsführer:
Dipl.-Kfm. Holger Maczkowsky,
Roman Maczkowsky
GnuPG-Key-ID: EA898571
More information about the dovecot
mailing list