[Dovecot] Plan: ACL changes

Robert Schetterer robert at schetterer.org
Tue Nov 30 09:33:34 EET 2010


Am 30.11.2010 01:03, schrieb Timo Sirainen:
> On 28.11.2010, at 17.01, Charles Marcus wrote:
> 
>> It 'kind of' sounds like you're referring ("Probably they should be
>> merged...") to something that has been discussed previously, namely, ACL
>> 'inheritance'. Any chance that true ACL inheritance (change the parent,
>> ACLs propogate to all sub-folders that have the 'inherit' flag set)
>> could be added to this list? Or would that constitute more invasive changes?
> 
> ACL inheritance would require much more thinking about how exactly it should work. Otherwise it's just going to cause unexpected results.

a wided spreaded unexpected result might be
users forget to set "list" acl on a top folder, so they cant see
subfolder whatever acl permission is set there for them

> 
>> For large/complex environments, it would also be *really* nice if there
>> was a tool available to get a resulting tree 'view' of the ACLs and
>> where each got set, to make sure that what you set is what you wanted -
>> something like Microsoft's GPResult tool for checking the results of
>> Group Policies in a Windows Domain environment. The tool could give a
>> broad overview of an entire mail system, or on a more granular level,
>> who has access to any given users folders, or, show all access rights to
>> all folders that any given user has access to, etc... maybe even check
>> ACLs against file-system permissions to make sure there are no conflicts
>> there... anyway, just thinking out loud...
> 
> 
> I have no idea about GPResult, but yeah, I've been thinking about some day adding "doveadm acl" command for manipulating ACLs and also giving a human-readable output of what ACLs exist for mailbox and asking what rights to what mailboxes different specific users would have.


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


More information about the dovecot mailing list