Can't SELECT mailbox as admin on frontend (Murder)

Rob Siemborski rjs3 at andrew.cmu.edu
Wed Dec 17 17:43:26 EST 2003


On Wed, 17 Dec 2003, Etienne Goyer wrote:

> Since nobody answered yet, I guess this one is a little thorny.  I'll
> resume the symptom to make the big picture clearer :
>
> SELECTing INBOX as a user on frontend: work
> SELECTing user/<user> as a user on frontend: _don't_ work
> SELECTing user/<user> as an admin on frontend: _don't_ work
> SELECTing user/<user> as an admin on backend: work !
>
> Cyrus imapd and sasl 2.1.15, altnamespace and unixhierarchysep == yes.
>
> Any idea about what could cause such a situation ?  Even if it is just
> hypothesis, I am willing to investigate.  I am also willing to read
> code, if one can point me toward the file that may contain the possible
> source of my problem.
>
> The strange thing is that I have another Murder that does not show these
> behavior.  The configuration are pretty much similar, except for the
> version (2.1.13), and altnamespace and unixhierarchysep being set to
> "no".
>
> All your insights welcome ...

You lose many of the privs of being an 'admin' when you are being proxied.
(namely, the ones that don't come directly from an ACL).

This behavior originated from the belief that proxy users shouldn't be
able to become admins.  It becomes less clear that this is actually the
desired behavior to me all the time (and, indeed, the security benefits
are marginal at best).

But this is likely the source of your problem.  If you want to do this,
you can either patch cyrus to not make the isadmin/isproxyadmin
distinction, or act like a referrals-capable client and follow the
referral (e.g. issue an 'RLIST "" ""' before you issue the SELECT).

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper





More information about the Info-cyrus mailing list