Your Cyrus imapd ACL patch
Greg Banks
gnb at fastmail.fm
Thu Aug 18 23:51:33 EDT 2011
On 19/08/11 00:24, Kristóf Katus wrote:
>
> Patch attached for this commit (cyrus-imapd-acl-patch-correction-2.patch),
> this should work fine, hope you do not get valgrind errors this time :)
Excellent, thanks :) The patch fixes the Valgrind issues and passes the
existing tests. I adjusted it to remove the C99isms (mixed declarations
and code) and pushed it to master.
> Kristóf
>
> PS Something else came up during manual testing, which is most probably beyond
> the scope of this patch and the original commit.
>
> I enabled virtual domains, relevant lines of the imapd.conf file:
>
> virtdomains: yes
> defaultdomain: net.lan
> admins: admin admin at thedomain.here
>
> Playing around with cyradm, I get the following:
>
> [root at intradevel-aiesec cyrus-imapd]# cyradm localhost --user
> admin at thedomain.here
> Password:
> intradevel-aiesec.net.lan> listmailbox
> admin (\HasNoChildren)
> intradevel-aiesec.net.lan> createmailbox user/base
> intradevel-aiesec.net.lan> listmailbox
> admin (\HasNoChildren) user/base (\HasNoChildren)
> intradevel-aiesec.net.lan> listacl user/base
> base at thedomain.here lrswipkxtecdan
> intradevel-aiesec.net.lan> setacl user/base base all
> intradevel-aiesec.net.lan> listacl user/base
> base lrswipkxtecda
> base at thedomain.here lrswipkxtecdan
> intradevel-aiesec.net.lan> setacl user/base base none
> intradevel-aiesec.net.lan> listacl user/base
> base lkxca
> base at thedomain.here lrswipkxtecdan
> intradevel-aiesec.net.lan>
> intradevel-aiesec.net.lan> setacl user/base base at thedomain.here none
> intradevel-aiesec.net.lan> listacl user/base
> base lkxca
> base at thedomain.here lkxca
>
> My question: who is this "base" user without a domain part in this case?
> Someone from the default domain? That should not happen, I guess.
Hmm. I'm kinda surprised mboxlist_setacl() allows cross-domain ACLs.
At first glance it seems that the code after the comment "canonify
identifier..." isn't taking account of config_defdomain when
config_virtdomains is enabled but neither the mboxname nor the
identifier have explicit domains. Looks like you need to do a bit more
testing.
--
Greg.
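
An added example, not part of the original message and not Cyrus code: a small Python audit that scans `listacl` output for the kind of entry seen in the session above, an identifier with no domain part (or a foreign domain) on a mailbox that lives in a virtual domain. The function name, the finding labels, the skipped special identifiers and the sample text (with `@` restored from the archive's " at ") are assumptions of this example.

```python
# Audit ACL entries of a mailbox in a virtual domain (illustrative helper,
# not part of Cyrus). Input is text in the "identifier rights" layout that
# cyradm's listacl prints in the session quoted above.

SPECIAL = {"anyone", "anonymous"}  # assumed: identifiers that carry no domain


def audit_acl(listacl_output, mailbox_domain):
    """Return (identifier, rights, finding) for each suspicious ACL entry."""
    findings = []
    for line in listacl_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank line, prompt, or anything that is not an ACL row
        ident, rights = parts
        name = ident.lstrip("-")  # negative-rights entries start with "-"
        if name in SPECIAL or name.startswith("group:"):
            continue
        _local, sep, domain = name.rpartition("@")
        if not sep:
            # No domain part: which domain it resolves to is exactly the
            # open question in the thread, so report it for review.
            findings.append((ident, rights, "unqualified"))
        elif domain.lower() != mailbox_domain.lower():
            findings.append((ident, rights, "cross-domain"))
    return findings


# Constructed sample: the last listacl result from the session, plus one
# made-up cross-domain row and one special identifier.
SAMPLE = """\
base lkxca
base@thedomain.here lkxca
carol@other.example lrs
anyone lr
"""

if __name__ == "__main__":
    for ident, rights, finding in audit_acl(SAMPLE, "thedomain.here"):
        print(f"{finding:13} {ident:25} {rights}")
```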