[Dovecot] "list" ACL privilege ignored for LSUB command?

Timo Sirainen tss at iki.fi
Mon Nov 22 21:39:21 EET 2010


On Mon, 2010-11-22 at 12:22 -0700, Willie Gillespie wrote:
> Hello, I am new to this list, so feel free to correct me if I do 
> something wrong.  I don't have a problem, just a question.
> 
> The RFC which covers IMAP ACLs [1] states that one of the standard 
> rights is:
>   l - lookup (mailbox is visible to LIST/LSUB commands, SUBSCRIBE
>         mailbox)
> 
> If I have a shared or public namespace and have a mailbox for which I do 
> not have lookup rights, Dovecot seems to do great with the LIST commands 
> at not showing it to me.
> 
> Two things I noticed though:
> SUBSCRIBE-ing to the mailbox is still successful

Hmm. I kind of disagree with the RFC there.. If you have 'r' rights to
the mailbox, you can select it. You know that it exists then. Why
couldn't you be able to subscribe to it? It even makes sense to me that
if there are mailboxes that are +r-l, the user should be able to subscribe
to them to make it easier to access them.

> LSUB will list mailboxes which I do not have lookup rights to

This is intentional. If you have ever subscribed to a mailbox, it's in
your subscriptions list and it won't go away until UNSUBSCRIBE. It
doesn't matter if the mailbox is deleted or its ACLs change.

But, yes, I should restrict the SUBSCRIBE more. Currently it's possible
to subscribe as long as there are any rights to the mailbox. (But if
there are no rights, it's not possible to subscribe, so I don't really
consider this a security hole.) I should probably change it to "l" or
"r". I'll anyway ask what other IMAP people think about this.
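As an added illustration (not code from this thread or from Dovecot itself), the script below parses constructed LIST/LSUB responses to find subscriptions that LSUB still reports for mailboxes LIST no longer shows, which is exactly the stale-subscription behaviour described above, and models the three SUBSCRIBE policies discussed: the current any-right behaviour, the proposed "l" or "r" (assumed here to mean either right suffices), and the RFC's "l". The sample responses, mailbox names and policy labels are constructed.

```python
import re

# RFC 4314 standard rights; the thread concerns "l" (lookup) and "r" (read).
STANDARD_RIGHTS = set("lrswipkxtea")

# RFC 3501 untagged LIST/LSUB response, e.g.
#   * LIST (\HasNoChildren) "." "Shared/alice/Public"
# Delimiter may be quoted or NIL; the name may be quoted or a bare atom.
LIST_RE = re.compile(
    r'^\* (LIST|LSUB) \(([^)]*)\) (?:"([^"]*)"|NIL) (?:"([^"]*)"|(\S+))$')


def parse_list_responses(lines):
    """Return {"LIST": set(names), "LSUB": set(names)} from raw response lines."""
    seen = {"LIST": set(), "LSUB": set()}
    for line in lines:
        m = LIST_RE.match(line.strip())
        if not m:
            continue  # tagged OK lines and anything else are ignored
        cmd, _flags, _delim, quoted, bare = m.groups()
        seen[cmd].add(quoted if quoted is not None else bare)
    return seen


def stale_subscriptions(lines):
    """Mailboxes LSUB reports but LIST does not: subscriptions that outlived
    an ACL change or a delete, since only UNSUBSCRIBE removes them."""
    seen = parse_list_responses(lines)
    return sorted(seen["LSUB"] - seen["LIST"])


def can_subscribe(rights, policy):
    """Model the SUBSCRIBE policies from the thread (policy names are assumed).
    'any'    : any right at all is enough
    'l-or-r' : lookup or read right required
    'rfc'    : RFC 4314, lookup right required"""
    r = set(rights) & STANDARD_RIGHTS
    if policy == "any":
        return bool(r)
    if policy == "l-or-r":
        return bool(r & {"l", "r"})
    if policy == "rfc":
        return "l" in r
    raise ValueError("unknown policy: %s" % policy)


# Constructed sample session output, not captured from a real server.
SAMPLE = [
    '* LIST (\\HasNoChildren) "." "INBOX"',
    '* LIST (\\HasNoChildren) "." "Shared/alice/Public"',
    'a001 OK List completed.',
    '* LSUB () "." "INBOX"',
    '* LSUB () "." "Shared/alice/Public"',
    '* LSUB () "." "Shared/alice/Private"',
    'a002 OK Lsub completed.',
]
```

Running `stale_subscriptions(SAMPLE)` yields `['Shared/alice/Private']`, the name a user keeps seeing via LSUB after losing the lookup right.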