setting acl on autocreate folders

Anatoli me at anatoli.ws
Thu May 24 23:36:18 EDT 2018


Ellie,

Thanks for your feedback. I've just created a new feature request issue 
for this: https://github.com/cyrusimap/cyrus-imapd/issues/2372. I don't 
have time now to implement it myself, though I'd definitely prefer to 
spend time on expanding Cyrus than writing custom scripts if I had the 
same need as 4 years ago.

Maybe some new Cyrus user would have time to make it happen, or maybe 
I'd find some time later. So the issue is to document the intention and 
to have defined some implementation details. Probably, it could have the 
"help wanted" tag attached.

Regards,
Anatoli

*From:* Ellie Timoney
*Sent:* Tuesday, May 15, 2018 00:46
*To:* Anatoli
*Cc:* Info-cyrus
*Subject:* Re: setting acl on autocreate folders

> Something like: autocreate_acl <folder> <user> <acl> (multiple 
> autocreate_acl entries could be specified)

That's roughly what I'd expect such a feature to look like (without 
having thought about it in much depth).  It seems like it would be very 
useful for admins who don't already have their own provisioning 
infrastructure.

> Ellie, do you think this is something of low complexity?

In my opinion, any new feature for ACLs is inherently high complexity 
-- even if it's just a two line patch -- just because of the amount of 
work involved in checking for side effects, error handling, and making 
sure the documentation is up to scratch (so that people don't 
accidentally configure it wrong and get into trouble).

That said, the code for reading config settings already exists, as does 
the code for parsing and applying ACLs.  So in theory it should be a 
"simple" matter of bolting these bits together in the right place(s). 
I'd be happy to review/advise on a pull request along these lines!

Cheers,

ellie

On Sat, May 12, 2018, at 7:40 AM, Anatoli wrote:
> > I think it's good that you have to explicitly set "anyone p", 
> > because otherwise people would be able to send plus+addressed mails to 
> > any mailbox whose name they can guess.
>
> As the default behavior, I agree.
>
> I've just made a couple of tests: remove "anyone p" then add "postman 
> p" or add postman as "admins: postman" but none of these worked for 
> plus+addressing (P+A), so the /postman/ user appears to be some 
> hardcoded way of dealing with LMTP delivery and has nothing in common 
> with the normal users and operations.
>
> If my assumptions are correct, I guess what Chen (OP) was asking would 
> be useful, i.e. to be able to define "anyone p" (either as a toggle 
> aimed at P+A or as a free-form for any user/ACL) for some auto-created 
> folders along the other auto-configuration features (autocreate_XXX, 
> x-list, etc.). The idea is to be able to set up most common settings 
> for new users without any external scripts talking to cyradm or 
> imtest. In my case the "anyone p" permission is the only thing pending.
>
> Something like: autocreate_acl <folder> <user> <acl> (multiple 
> autocreate_acl entries could be specified)
>
> Ellie, do you think this is something of low complexity?
>
> *From:* Sebastian Hagedorn
> *Sent:* Friday, May 11, 2018 04:36
> *To:* Anatoli
> *Cc:* Info-cyrus
> *Subject:* Re: setting acl on autocreate folders
>
>
>> So what I'm observing in practice is that the "-a" option is not enough
>> to deliver plus+addressed mails without the "anyone p" ACL permission in
>> the folder, which makes me think that the user for "-a" option is not
>> from the admins group, though it probably should be, right? I.e. lmtpd -a
>> should be delivering plus+addressed mails without the "anyone p" ACL
>> permission?
>
> I think it's good that you have to explicitly set "anyone p", because 
> otherwise people would be able to send plus-addressed mails to any 
> mailbox whose name they can guess.
> -- 
> Sebastian Hagedorn - Weyertal 121, Zimmer 2.02
> Regionales Rechenzentrum (RRZK)
> Universität zu Köln / Cologne University - Tel. +49-221-470-89578
>
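
Added example, not part of any message in this thread and not Cyrus code: a Python sketch of how a provisioning script could check entries written in the proposed `autocreate_acl <folder> <user> <acl>` form and turn them into cyradm `setaclmailbox` commands. The `autocreate_acl` syntax is only the proposal discussed above; the function names, the check for `anyone` grants beyond `p`, the `user/<owner>/<folder>` mailbox naming and the sample entries are assumptions.

```python
# Added example. "autocreate_acl" is the syntax proposed in this thread,
# not an existing Cyrus option; all names below are hypothetical.
RFC4314_RIGHTS = set("lrswipkxtea")  # rights letters defined by RFC 4314


def parse_autocreate_acl(lines):
    """Return (folder, user, acl) tuples; raise ValueError on a malformed entry."""
    entries = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] != "autocreate_acl":
            raise ValueError(f"line {lineno}: want 'autocreate_acl <folder> <user> <acl>'")
        _, folder, user, acl = parts
        unknown = set(acl) - RFC4314_RIGHTS
        if unknown:
            raise ValueError(f"line {lineno}: unknown rights {sorted(unknown)}")
        entries.append((folder, user, acl))
    return entries


def broad_anyone_grants(entries):
    """Entries giving 'anyone' more than 'p' (post), the right the thread asks for."""
    return [e for e in entries if e[1] == "anyone" and set(e[2]) - {"p"}]


def cyradm_commands(entries, owner, sep="/"):
    """cyradm commands for one new user; sep is the hierarchy separator (assumed '/')."""
    return [f"setaclmailbox user{sep}{owner}{sep}{folder} {user} {acl}"
            for folder, user, acl in entries]


# Constructed sample input
SAMPLE = [
    "# allow plus+addressed delivery into Lists",
    "autocreate_acl Lists anyone p",
    "autocreate_acl Shared anyone lrsp   # broader than delivery needs",
]

if __name__ == "__main__":
    parsed = parse_autocreate_acl(SAMPLE)
    for entry in broad_anyone_grants(parsed):
        print("review before applying:", entry)
    for cmd in cyradm_commands(parsed, "alice"):
        print(cmd)
```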

