RFC patch: Deny removal of folder owner ACLs

Guilherme Maciel Ferreira guilherme.maciel.ferreira at intra2net.com
Thu Dec 30 04:45:18 EST 2010


Hi,

We were having problems with some users who deleted  all ACL rights
from a folder, rendering the mailbox inaccessible.

There's already a feature in cyrus that the folder owner can't
delete his own administration rights (implicit acls).

This left one hole in the protection which is still cumbersome to the users: 
If user A has admin rights over user B's mailbox, user A can remove the admin 
rights from user B, either by DELETEACL B, or by SETACL B with more 
restrictive access rights.

So we changed the imap server to avoid such kind of behavior. The patch was 
developed for version 2.3.16. It is possible to roll back to the default 
behavior through the imapd.conf variable "owneralwaysadmin=no".

Sincerely,
Guilherme Maciel Ferreira
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cyrus-imapd-2.3.16-keep-owner-rights.patch
Type: text/x-patch
Size: 4948 bytes
Desc: not available
Url : http://lists.andrew.cmu.edu/pipermail/cyrus-devel/attachments/20101230/42d06c24/attachment.bin 


More information about the Cyrus-devel mailing list