ACL to deny move mailbox/folder

Ken Murchison murch at andrew.cmu.edu
Wed Oct 8 06:33:22 EDT 2008


tarjei wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Ken Murchison wrote:
>> tarjei wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Hi,
>>>
>>> I got a shared folder where I want users to be able to create
>>> subfolders, but where I want to restrict the users so they do not move
>>> or delete the shared folder. The folder is a top level shared folder.
>>>
>>> I read through the cyradm documentation, but it wasn't very clear on how
>>> to do this. Is it possible?
>> What version of Cyrus?  If you're using 2.3.x, removing the 'x' right
>> from your users will prevent them from deleting the mailbox.  I'd have
>> to check the ACL RFC, but I believe it will also prevent renaming (I
>> think RENAME needs delete on the source and create on the destination).
>> 2.3.7.
> 
> Interestingly enough, it seems that removing the 'x' right isn't possible:
> 
> localhost.localdomain> lam Fag
> anyone lrswipkxtecda
> localhost.localdomain> sam Fag anyone lrswipktecda
> localhost.localdomain> lam Fag
> anyone lrswipkxtecda
> localhost.localdomain> sam Fag anyone write
> localhost.localdomain> lam Fag
> anyone lrswipkxtecd
> localhost.localdomain> sam Fag anyone lrswipktecda
> localhost.localdomain> lam Fag
> anyone lrswipkxtecda
> localhost.localdomain>
> 
> After some fooling around, I found out that the problem is that if you
> give the user the a right, then you also grant the e and t rights.

This would only be the case if you have 'deleteright' set to 'a'.


> Also, cyradm doesn't document what the c and d rights are.

They are legacy rights macros that are now macros.  If the 'deleteright'
option in imapd.conf is set to the default of 'c', then c='kx' and
d='et'.  By explicitly granting 'd' above, you're implicitly granting 'x'.

-- 
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University

