ACL to deny move mailbox/folder
Ken Murchison
murch at andrew.cmu.edu
Wed Oct 8 06:33:22 EDT 2008
tarjei wrote:
> Ken Murchison wrote:
>> tarjei wrote:
>>> Hi,
>>>
>>> I got a shared folder where I want users to be able to create
>>> subfolders, but where I want to restrict the users so they do not move
>>> or delete the shared folder. The folder is a top level shared folder.
>>>
>>> I read through the cyradm documentation, but it wasn't very clear on how
>>> to do this. Is it possible?
>> What version of Cyrus? If you're using 2.3.x, removing the 'x' right
>> from your users will prevent them from deleting the mailbox. I'd have
>> to check the ACL RFC, but I believe it will also prevent renaming (I
>> think RENAME needs delete on the source and create on the destination).
>> 2.3.7.
>
> Interestingly enough, it seems that removing the 'x' right isn't possible:
>
> localhost.localdomain> lam Fag
> anyone lrswipkxtecda
> localhost.localdomain> sam Fag anyone lrswipktecda
> localhost.localdomain> lam Fag
> anyone lrswipkxtecda
> localhost.localdomain> sam Fag anyone write
> localhost.localdomain> lam Fag
> anyone lrswipkxtecd
> localhost.localdomain> sam Fag anyone lrswipktecda
> localhost.localdomain> lam Fag
> anyone lrswipkxtecda
> localhost.localdomain>
>
> After some fooling around, I found out that the problem is that if you
> give the user the a right, then you also grant the e and t rights.

This would only be the case if you have 'deleteright' set to 'a'.

> Also, cyradm doesn't document what the c and d rights are.

They are legacy rights macros that are now macros. If the 'deleteright'
option in imapd.conf is set to the default of 'c', then c='kx' and
d='et'. By explicitly granting 'd' above, you're implicitly granting 'x'.
--
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
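
The macro expansion described in the reply above, as an added example that is not part of the original thread and is not Cyrus code. It assumes 'deleteright' is at its default of 'c', so that c='kx' and d='et' as stated in the reply; the function names are hypothetical, and the input string is the one typed into cyradm in the quoted session.

```python
# Added example (not Cyrus code). Assumption taken from the reply above:
# with 'deleteright' at its default of 'c', the legacy letters expand as
# c = 'kx' and d = 'et'.

# New-style rights, in the order "lam" printed them in the quoted session.
CANONICAL = "lrswipkxtea"
LEGACY_MACROS = {"c": "kx", "d": "et"}


def effective_rights(requested):
    """Expand legacy macro letters and return the rights in canonical order."""
    granted = set()
    for letter in requested:
        granted.update(LEGACY_MACROS.get(letter, letter))
    unknown = granted - set(CANONICAL)
    if unknown:
        raise ValueError("unrecognised rights: " + "".join(sorted(unknown)))
    return "".join(r for r in CANONICAL if r in granted)


def sources_of(right, requested):
    """Letters in `requested` that grant `right`, directly or through a macro."""
    return [
        letter for letter in requested
        if letter == right or right in LEGACY_MACROS.get(letter, "")
    ]


def without_right(requested, right):
    """Same effective rights minus `right`, written without macro letters."""
    return effective_rights(requested).replace(right, "")


if __name__ == "__main__":
    attempted = "lrswipktecda"  # string passed to "sam" in the quoted session
    print("effective rights:", effective_rights(attempted))
    print("'x' comes from:  ", sources_of("x", attempted))
    print("macro-free string without 'x':", without_right(attempted, "x"))
```
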