[Dovecot] Plan: ACL changes

Robert Schetterer robert at schetterer.org
Tue Nov 30 09:33:34 EET 2010

On 30.11.2010 01:03, Timo Sirainen wrote:
> On 28.11.2010, at 17.01, Charles Marcus wrote:
>> It 'kind of' sounds like you're referring ("Probably they should be
>> merged...") to something that has been discussed previously, namely, ACL
>> 'inheritance'. Any chance that true ACL inheritance (change the parent,
>> ACLs propagate to all sub-folders that have the 'inherit' flag set)
>> could be added to this list? Or would that constitute more invasive changes?
> ACL inheritance would require much more thinking about how exactly it should work. Otherwise it's just going to cause unexpected results.

A widespread unexpected result might be that
users forget to set the "list" ACL on a top folder, so they can't see
the subfolder, whatever ACL permission is set there for them.

>> For large/complex environments, it would also be *really* nice if there
>> was a tool available to get a resulting tree 'view' of the ACLs and
>> where each got set, to make sure that what you set is what you wanted -
>> something like Microsoft's GPResult tool for checking the results of
>> Group Policies in a Windows Domain environment. The tool could give a
>> broad overview of an entire mail system, or on a more granular level,
>> who has access to any given user's folders, or, show all access rights to
>> all folders that any given user has access to, etc... maybe even check
>> ACLs against file-system permissions to make sure there are no conflicts
>> there... anyway, just thinking out loud...
> I have no idea about GPResult, but yeah, I've been thinking about some day adding a "doveadm acl" command for manipulating ACLs and also giving a human-readable output of what ACLs exist for a mailbox and asking what rights to what mailboxes different specific users would have.

Best Regards

Kind regards, Robert Schetterer
