[Dovecot] ACLs are applied recursively to sub mailboxes
Timo Sirainen
tss at iki.fi
Mon Mar 16 22:12:40 EET 2009
On Mon, 2009-03-16 at 20:33 +0100, Bernhard Herzog wrote:
> That pathological aclobj is created in acl_backend_init:
> backend->default_aclobj = acl_object_init_from_name(backend, NULL, "").
> acl_object_init_from_name calls acl_backend_vfile_object_init, which sets the
> aclobj's local_path. In this particular case -- name == "" and storage ==
> NULL -- local_path will become the concatenation of the directory name
> returned by
> mailbox_list_get_path(_backend->list, NULL,
> MAILBOX_LIST_PATH_TYPE_DIR)
> and "/dovecot-acl", which at least in the case of maildir is in the owner's
> INBOX directory. Later, when the user lists mailboxes, this file is actually
> read to determine the rights.
>
> That explains the observed behavior. I'm not sure yet how to fix it. I'll
> look into that next.

Hmm. I'm not sure if there's a reason for the existence of the default
ACLs being looked up from the dovecot-acl file. I think the initial fix
could be to simply not do that. If someone really wants to have
different default ACLs they could perhaps be stored in a file with
a different name.
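
The path collision described in the quoted analysis, and the effect of the fix proposed in the reply, shown as an added example that is not part of the original thread and is not Dovecot's code. It is a simplified in-memory model: the paths, the rights string "lr", the fallback rule and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ROOT "/home/alice/Maildir"   /* constructed sample path */

/* Constructed sample: the only ACL file is the one for alice's INBOX, granting "lr". */
struct acl_file { const char *path, *rights; };
static const struct acl_file files[] = { { ROOT "/dovecot-acl", "lr" } };

/* Maildir++ layout: INBOX and the empty name are the root; others are "<root>/.<name>". */
static void mailbox_dir(const char *root, const char *name, char *out, size_t n)
{
    if (name[0] == '\0' || strcmp(name, "INBOX") == 0)
        snprintf(out, n, "%s", root);
    else
        snprintf(out, n, "%s/.%s", root, name);
}

/* Look up "<dir>/<fname>" in the in-memory table; NULL if no such file. */
static const char *read_acl(const char *dir, const char *fname)
{
    char path[512];
    snprintf(path, sizeof(path), "%s/%s", dir, fname);
    for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++)
        if (strcmp(files[i].path, path) == 0)
            return files[i].rights;
    return NULL;
}

/* Assumed model: a mailbox's own ACL file wins, otherwise the default ACL object
   (name == "") applies. default_fname == NULL: defaults are not read from a file. */
const char *effective_rights(const char *root, const char *name, const char *default_fname)
{
    char dir[256];
    const char *r;
    mailbox_dir(root, name, dir, sizeof(dir));
    if ((r = read_acl(dir, "dovecot-acl")) != NULL)
        return r;
    if (default_fname == NULL)
        return "";
    mailbox_dir(root, "", dir, sizeof(dir));   /* resolves to INBOX's directory */
    r = read_acl(dir, default_fname);
    return r != NULL ? r : "";
}

int main(void)
{
    printf("default from dovecot-acl: \"%s\"\n", effective_rights(ROOT, "Private", "dovecot-acl"));
    printf("no file-based default:    \"%s\"\n", effective_rights(ROOT, "Private", NULL));
    return 0;
}
```

With the default read from "dovecot-acl", the rights granted on INBOX also apply to the sub mailbox "Private"; with no file-based default, or with a differently named default file, they do not.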