Lars Uhlmann
2013-Sep-04 14:20 UTC
[Dovecot] permission problem when using public namespace and "subscription = yes"
I have configured a public namespace "Test" for a group of users:
| namespace public {
| separator = .
| prefix = Test.
| location = maildir:/mailroot/public/Test
| hidden = no
| list = yes
| subscriptions = yes
| }
Using each user's own subscription file for a public mailbox doesn't
make sense when the mailbox is heavily used. Every directory operation
(create/rename) needs to be synced between all subscribers
automatically and immediately. So I set "subscriptions = yes".
My ACLs look like this:
| user=mark lrwstiekx
| user=tim lrwstiekx
| user=max lr
| user=jenny lrwstiekx
| user=louis lr
Nevertheless _all_ my mail users still have access to the namespace's
directory tree.
It is my understanding that when a user doesn't have 'lookup' access,
he should not be able to subscribe to this mailbox.
In my opinion this is a security problem. ACLs must be processed
_before_ a shared subscription file is parsed.
regards
Lars
Timo Sirainen
2013-Sep-22 00:46 UTC
[Dovecot] permission problem when using public namespace and "subscription = yes"
On 4.9.2013, at 17.20, Lars Uhlmann <dovecot at lars-uhlmann.de> wrote:
> I have configured a public namespace "Test" for a group of users:
>
> | namespace public {
> | separator = .
> | prefix = Test.
> | location = maildir:/mailroot/public/Test
> | hidden = no
> | list = yes
> | subscriptions = yes
> | }
>
> Using each user's own subscription file for a public mailbox doesn't
> make sense when the mailbox is heavily used. Every directory operation
> (create/rename) needs to be synced between all subscribers
> automatically and immediately. So I set "subscriptions = yes".
>
> My ACLs look like this:
>
> | user=mark lrwstiekx
> | user=tim lrwstiekx
> | user=max lr
> | user=jenny lrwstiekx
> | user=louis lr
>
>
> Nevertheless _all_ my mail users still have access to the namespace's
> directory tree.
> It is my understanding that when a user doesn't have 'lookup' access, he
> should not be able to subscribe to this mailbox.
> In my opinion this is a security problem. ACLs must be processed
> _before_ a shared subscription file is parsed.

Well, it shouldn't happen in all situations. It's comparable to deleting a subscribed mailbox, which also doesn't remove the subscription automatically. But yeah, I guess the behavior can be changed for your use case: http://hg.dovecot.org/dovecot-2.2/rev/1cf67db75455

I think a better solution would be to still have a per-user subscriptions file, but automatically subscribe to newly seen shared folders that are marked with autosubscribe-flag. Of course, there's currently no way to do that.
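
The following added example (not from the thread and not Dovecot's code) models the ordering discussed above: a shared subscription list is passed through each account's ACL before it is shown, and accounts that would see entries without the lookup right are reported. It assumes a simplified ACL model in which only `user=` lines are evaluated; the mailbox names and the account `anna` are constructed.

```python
# Added example: simplified ACL model, not Dovecot's implementation.
LOOKUP = "l"  # 'l' is the lookup right in the ACL letter notation

# ACL lines as posted in the thread (leading "| " is the post's quoting).
PAGE_ACL = """\
| user=mark lrwstiekx
| user=tim lrwstiekx
| user=max lr
| user=jenny lrwstiekx
| user=louis lr
"""

def parse_acl(text):
    """Return {user: set(rights)} from 'user=<name> <rights>' lines.
    Assumption: other identifier types are ignored in this model."""
    acl = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("|").strip()
        if not line or line.startswith("#"):
            continue
        ident, _, rights = line.partition(" ")
        if ident.startswith("user="):
            # Drop any ':'-separated tail; keep the single-letter rights.
            acl[ident[5:]] = set(rights.split(":")[0].strip())
    return acl

def visible_subscriptions(user, shared_subs, acls):
    """Filter a shared subscription list through the ACL first:
    keep only mailboxes where `user` holds the lookup right."""
    return [m for m in shared_subs
            if LOOKUP in acls.get(m, {}).get(user, set())]

def exposed_without_filter(accounts, shared_subs, acls):
    """Accounts that would see subscribed mailboxes they cannot look up
    if the shared list were handed out unfiltered."""
    report = {}
    for user in accounts:
        allowed = set(visible_subscriptions(user, shared_subs, acls))
        hidden = [m for m in shared_subs if m not in allowed]
        if hidden:
            report[user] = hidden
    return report

# Constructed sample data: mailbox names and the account "anna".
SHARED_SUBS = ["Test.Projects", "Test.Minutes"]
ACLS = {m: parse_acl(PAGE_ACL) for m in SHARED_SUBS}
ACCOUNTS = ["mark", "tim", "max", "jenny", "louis", "anna"]

if __name__ == "__main__":
    print(exposed_without_filter(ACCOUNTS, SHARED_SUBS, ACLS))
```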