cyrus authorization identifier trick

Andrew Morgan morgan at orst.edu
Fri Apr 20 16:12:40 EDT 2007


On Thu, 19 Apr 2007, Nestor A. Diaz wrote:

> Andrew Morgan wrote:
>> Easy.  When you want to look at another user's mail, just modify the 
>> permissions on their mailbox.  You can do this with cyradm like so:
>>
>>   sam user.foo adminuser all
>> 
>> We use a perl script that does this recursively for each folder that 
>> belongs to a specific user, and a second script that recursively removes the 
>> permission when we are finished.
>> 
>> After granting these permissions, you'll see the user's mailbox in your 
>> IMAP namespace as "Other Users.foo".
> Ok, that's clear to me, but since I am going to have a huge mailstore I 
> don't like the idea of the person having to subscribe to each user mailbox, 
> or modifying the user mailbox ACL each time the person wants to access data, 
> so as an easy way I was thinking of using SASL as a helper. If that's not 
> possible, what I am thinking of creating at first is that when the admin 
> (which is really a supervisor with just read privileges) wants to see other 
> users' mailboxes, he just opens a web application that asks for their password; 
> if validation went ok, it then asks for the mailbox he wants to see and 
> recursively changes permissions. This way the supervisor can see what other 
> users have in their mailboxes without using the cyradm command line.

You don't want to have these permissions set for all users, continuously. 
It is also a bad idea to have any of your Cyrus admin users (ones defined 
in imapd.conf as admins) have mailboxes.

Your idea of using a web page to temporarily grant access sounds like a 
reasonable idea to me.

 	Andy
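
Added example, not part of this message or of the Perl scripts it mentions: a sketch of the temporary grant discussed above, which sets read-only rights (`lrs` rather than `all`) on each folder and always removes them again, even if the review session fails or the grant only partly succeeds. `temporary_access`, `FakeConn` and the `supervisor` identifier are hypothetical names; `conn` is assumed to be an `imaplib.IMAP4`-style connection authenticated as a Cyrus admin, and the supervisor is assumed to have no standing ACL entry on the folders.

```python
from contextlib import contextmanager

READ_ONLY = "lrs"  # lookup, read, seen-state: view mail without changing it

class FakeConn:
    """Constructed in-memory stand-in exposing imaplib.IMAP4's ACL calls."""
    def __init__(self, acls):
        self.acls = acls  # {mailbox: {identifier: rights}}
    def setacl(self, mailbox, who, what):
        if mailbox not in self.acls:
            return "NO", [b"Mailbox does not exist"]
        self.acls[mailbox][who] = what
        return "OK", [b"Completed"]
    def deleteacl(self, mailbox, who):
        self.acls[mailbox].pop(who, None)
        return "OK", [b"Completed"]

@contextmanager
def temporary_access(conn, folders, supervisor, rights=READ_ONLY):
    """Grant `rights` on every folder, and always revoke them on exit."""
    granted = []
    try:
        for mbox in folders:
            typ, data = conn.setacl(mbox, supervisor, rights)
            if typ != "OK":  # imaplib returns NO as a status, it does not raise
                raise RuntimeError(f"SETACL failed on {mbox}: {data!r}")
            granted.append(mbox)
        yield granted
    finally:
        # Runs on normal exit, on an error in the session, and on a partial grant.
        stuck = [m for m in granted if conn.deleteacl(m, supervisor)[0] != "OK"]
        if stuck:
            raise RuntimeError(f"ACL still set on: {stuck}")

def demo():
    """Constructed store: user foo with two folders; the session aborts midway."""
    acls = {"user.foo": {"foo": "lrswipcda"}, "user.foo.Sent": {"foo": "lrswipcda"}}
    conn, during = FakeConn(acls), None
    try:
        with temporary_access(conn, list(acls), "supervisor"):
            during = {m: a.get("supervisor") for m, a in acls.items()}
            raise ConnectionError("simulated dropped review session")
    except ConnectionError:
        pass
    after = {m: a.get("supervisor") for m, a in acls.items()}
    return during, after

if __name__ == "__main__":
    print(demo())
```

Against a real server the folder list would come from the admin connection's own listing of `user.foo` and its subfolders, and a web front end would wrap the supervisor's review in the `with` block.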

