Your Cyrus imapd ACL patch

Greg Banks gnb at fastmail.fm
Thu Aug 18 23:51:33 EDT 2011


On 19/08/11 00:24, Kristóf Katus wrote:
>
> Patch attached for this commit (cyrus-imapd-acl-patch-correction-2.patch),
> this should work fine, hope you do not get valgrind errors this time :)

Excellent, thanks :) The patch fixes the Valgrind issues and passes the 
existing tests.  I adjusted it to remove the C99isms (mixed declarations 
and code) and pushed it to master.

> Kristóf
>
> PS Something else came up during manual testing, which is most probably beyond
> the scope of this patch and the original commit.
>
> I enabled virtual domains, relevant lines of the imapd.conf file:
>
> virtdomains: yes
> defaultdomain: net.lan
> admins: admin admin at thedomain.here
>
> Playing around with cyradm, I get the following:
>
> [root at intradevel-aiesec cyrus-imapd]# cyradm localhost --user
> admin at thedomain.here
> Password:
> intradevel-aiesec.net.lan>  listmailbox
> admin (\HasNoChildren)
> intradevel-aiesec.net.lan>  createmailbox user/base
> intradevel-aiesec.net.lan>  listmailbox
> admin (\HasNoChildren)      user/base (\HasNoChildren)
> intradevel-aiesec.net.lan>  listacl user/base
> base at thedomain.here lrswipkxtecdan
> intradevel-aiesec.net.lan>  setacl user/base base all
> intradevel-aiesec.net.lan>  listacl user/base
> base lrswipkxtecda
> base at thedomain.here lrswipkxtecdan
> intradevel-aiesec.net.lan>  setacl user/base base none
> intradevel-aiesec.net.lan>  listacl user/base
> base lkxca
> base at thedomain.here lrswipkxtecdan
> intradevel-aiesec.net.lan>
> intradevel-aiesec.net.lan>  setacl user/base base at thedomain.here none
> intradevel-aiesec.net.lan>  listacl user/base
> base lkxca
> base at thedomain.here lkxca
>
> My question: who is this "base" user without a domain part in this case?
> Someone from the default domain? That should not happen, I guess.

Hmm.  I'm kinda surprised mboxlist_setacl() allows cross-domain ACLs.  
At first glance it seems that the code after the comment "canonify 
identifier..." isn't taking account of config_defdomain when 
config_virtdomains is enabled but neither the mboxname nor the 
identifier have explicit domains.  Looks like you need to do a bit more 
testing.

-- 
Greg.
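
An added example, not part of the original message and not Cyrus code: an audit of `listacl` output for the situation discussed above, flagging ACL entries whose identifier resolves to a domain other than the mailbox's. It assumes an unqualified identifier falls into `defaultdomain` (the poster's guess, not confirmed here); the function names and the sample text are constructed for illustration.

```python
"""Flag ACL entries whose identifier domain differs from the mailbox's domain."""

SPECIAL = {"anyone", "anonymous"}  # Cyrus identifiers that carry no domain

# Constructed sample, modelled on the listacl output quoted in the post.
SAMPLE_LISTACL = """\
base lkxca
base@thedomain.here lrswipkxtecdan
anyone l
"""

def parse_listacl(text):
    """Return (identifier, rights) pairs from `listacl` output lines."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().rsplit(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        ident, rights = parts
        # Mail archives obfuscate '@' as ' at '; undo that before comparing.
        entries.append((ident.replace(" at ", "@"), rights))
    return entries

def effective_domain(ident, default_domain):
    """Domain an identifier resolves to. ASSUMPTION: an unqualified
    identifier belongs to the default domain."""
    _local, sep, domain = ident.rpartition("@")
    return domain.lower() if sep else default_domain.lower()

def cross_domain_entries(text, mailbox_domain, default_domain):
    """List (identifier, resolved domain, rights) for principals outside mailbox_domain."""
    findings = []
    for ident, rights in parse_listacl(text):
        if ident in SPECIAL:
            continue
        dom = effective_domain(ident, default_domain)
        if dom != mailbox_domain.lower():
            findings.append((ident, dom, rights))
    return findings

if __name__ == "__main__":
    hits = cross_domain_entries(SAMPLE_LISTACL, "thedomain.here", "net.lan")
    for ident, dom, rights in hits:
        print(f"cross-domain ACL: {ident!r} resolves to {dom!r}, rights {rights}")
```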


