Unable to delete ACLs with invalid identifiers - security issue
Simon Matter
simon.matter at ch.sauter-bc.com
Mon Jul 18 12:09:56 EDT 2005
Sometime ago there was a discussion about ACLs which can not be removed
anymore because the identifier doesn't exist anymore.
Some people suggested workarounds like editing mailboxes db by hand. From
my point of view, it is clearly a bug. You can, as normal user, create an
ACL referencing an identifier which you can't control - like an LDAP
group. Someone, like an administrator, can then remove the identifier and
you are lost with an ACL which you can't remove anymore. It's easy to
understand why this is a security issue.
Christos Soulios from University of Athens was so kind to write a working
patch which is attached to the related bug #2544
https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2544
Would be nice to get some feedback from the cyrus-imapd developers.
Simon
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus
mailing list