Hello,

I am working on implementing support for the RFC4314 ACL management commands and responses in the ACL plugin included with dovecot 1.1.2. (I verified the error persists with 1.1.3 though.) While the described objective is still in the works, I have stumbled upon what I believe to be a critical issue with the handling of negative rights in the present ACL plugin - to be precise, the cache component of it handles them in the exact same way as it does positive rights, thus granting rather than retracting the individual privileges.

To fix this, go to src/plugins/acl/acl-cache.c:391. The line and the one following it should read

    p[j] |
        obj_cache->my_neg_rights[i]->mask[j];

Replace that to read

    p[j] &
        ~obj_cache->my_neg_rights[i]->mask[j];

I hope this information is useful.

Regards,
M. Soloviev
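The following C program is an added illustration of the masking error described in the message above; it is not Dovecot's code and not part of this thread. It mirrors the shape of the reported line (a rights set `p[j]` folded with an entry's `mask[j]`) with a constructed set of right bits and word count, and computes the effective rights both with the OR-style fold the report describes and with the AND NOT fold of the fix, so the granted-instead-of-revoked effect can be seen directly.

```c
#include <stddef.h>
#include <stdio.h>

/* Added illustration of the bug in the report; this is not Dovecot's own code.
 * The real acl-cache.c walks a list of negative-right entries and folds each
 * entry's mask[j] words into the cached rights p[j]. Here a rights set is a
 * small array of bitmask words so the same p[j] / mask[j] shape is visible,
 * but the right names, bit positions and word count are constructed. */

#define MASK_WORDS 2

enum {
    RIGHT_LOOKUP = 1u << 0,
    RIGHT_READ   = 1u << 1,
    RIGHT_WRITE  = 1u << 2,
    RIGHT_INSERT = 1u << 3,
    RIGHT_DELETE = 1u << 4,
    RIGHT_ADMIN  = 1u << 5
};

/* Folding as the report describes the pre-fix code: the negative mask is
 * OR-ed into p[j] exactly like a positive mask, so a denied right is granted. */
static void fold_neg_rights_buggy(unsigned int *p, const unsigned int *neg_mask)
{
    for (size_t j = 0; j < MASK_WORDS; j++)
        p[j] = p[j] | neg_mask[j];
}

/* The one-line fix: clear the denied bits with AND NOT instead of OR-ing them. */
static void fold_neg_rights_fixed(unsigned int *p, const unsigned int *neg_mask)
{
    for (size_t j = 0; j < MASK_WORDS; j++)
        p[j] = p[j] & ~neg_mask[j];
}

/* Positive rights fold the same way in both versions. */
static void fold_pos_rights(unsigned int *p, const unsigned int *pos_mask)
{
    for (size_t j = 0; j < MASK_WORDS; j++)
        p[j] = p[j] | pos_mask[j];
}

/* Compute the first rights word for a user whose cached rights start at
 * `base`, then get `pos` granted and `neg` denied. `use_fix` selects the
 * corrected negative-rights fold. Only word 0 is populated for brevity. */
unsigned int effective_rights(unsigned int base, unsigned int pos,
                              unsigned int neg, int use_fix)
{
    unsigned int p[MASK_WORDS]        = { base, 0 };
    unsigned int pos_mask[MASK_WORDS] = { pos, 0 };
    unsigned int neg_mask[MASK_WORDS] = { neg, 0 };

    fold_pos_rights(p, pos_mask);
    if (use_fix)
        fold_neg_rights_fixed(p, neg_mask);
    else
        fold_neg_rights_buggy(p, neg_mask);
    return p[0];
}

/* 1 if `right` is present in the rights word, else 0. */
int has_right(unsigned int rights, unsigned int right)
{
    return (rights & right) != 0;
}

int main(void)
{
    /* Constructed scenario: the user already has lookup+read, an ACL entry
     * grants write, and a negative entry denies read and delete. */
    unsigned int base = RIGHT_LOOKUP | RIGHT_READ;
    unsigned int pos  = RIGHT_WRITE;
    unsigned int neg  = RIGHT_READ | RIGHT_DELETE;

    unsigned int buggy = effective_rights(base, pos, neg, 0);
    unsigned int fixed = effective_rights(base, pos, neg, 1);

    printf("buggy fold: read=%d delete=%d\n",
           has_right(buggy, RIGHT_READ), has_right(buggy, RIGHT_DELETE));
    printf("fixed fold: read=%d delete=%d\n",
           has_right(fixed, RIGHT_READ), has_right(fixed, RIGHT_DELETE));
    return 0;
}
```

With the OR-style fold, the denied `delete` right appears in the result even though no entry ever granted it, and the explicitly denied `read` right survives; with the AND NOT fold both are cleared and only `lookup` and `write` remain.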
On Mon, 2008-09-08 at 15:14 +0200, Matvey Soloviev wrote:
> Hello,
>
> I am working on implementing support for the RFC4314 ACL management commands
> and responses in the ACL plugin included with dovecot 1.1.2.

Sounds great. :) Did you also notice my "Initial support for shared mailboxes" message from yesterday?

> (I verified the
> error persists with 1.1.3 though.) While the described objective is still in
> the works, I have stumbled upon what I believe to be a critical issue with
> the handling of negative rights in the present ACL plugin - to be precise,
> the cache component of it handles them in the exact same way as it does
> positive rights, thus granting rather than retracting the individual
> privileges.

I think the ACL plugin has currently been used only for some very basic configurations and it's not very well tested. I guess test cases would be nice, but the framework for easily doing that is still missing. Once you've implemented support for the IMAP ACL commands I could add test cases to imaptest (http://imapwiki.org/ImapTest).

> To fix this, go to src/plugins/acl/acl-cache.c:391. The line and the one
> following it should read
> p[j] |
> obj_cache->my_neg_rights[i]->mask[j];
> Replace that to read
> p[j] &
> ~obj_cache->my_neg_rights[i]->mask[j];

Thanks, fixed in v1.[012] code trees.
On 9/8/2008, Matvey Soloviev (blackhole89 at gmail.com) wrote:
> Hello,
>
> I am working on implementing support for the RFC4314 ACL management commands
> and responses in the ACL plugin included with dovecot 1.1.2.

Yay! Thanks Matvey! Dovecot is just getting better and better, and soon will eclipse cyrus in features and performance - while it already is *vastly* easier to install/configure.

--
Best regards,
Charles
> Did you also notice my "Initial support for shared
> mailboxes" message from yesterday?

No, unfortunately I didn't; I only joined the mailing list on the day I sent this message. It sounds like it could be relevant to the topic though; could you provide me with a breakdown of what it is about?

> not very well tested

Well, I'll be inevitably running some stress tests myself, but yes, including it in the official test chain once it is done would be a fundamentally good thing to do.

Would a facility to modify global ACLs through IMAP commands be required or of any use at all? From what I gather, nothing like that is mentioned anywhere in the RFC. As it is now, I am having the writing commands influence only the referenced mailboxes' local ACLs - however, should global ACLs be present, this is bound to result in somewhat irrational-seeming behaviour - should I go through with my current approach of storing the ACL data as present in acl_object_vfile.rights into the local dovecot-acl file, global ACLs would, on the one hand, wind up being copied into it - on the other hand, from the client's perspective, the ACLs defined by the global file would appear to be irremovable. What should I do about this?

Regards,
Matvey
"Matvey Soloviev" <blackhole89 at gmail.com> writes:
> I am working on implementing support for the RFC4314 ACL management commands
> and responses in the ACL plugin included with dovecot
[...]

Matvey finished a first version of the IMAP front end to the ACL plugin.

You can find the changes for dovecot 1.1.3 here:
http://hg.intevation.org/kolab/dovecot-1.1_acl-branch/

and as we decided to move on to 1.2, here:
http://hg.intevation.org/kolab/dovecot-1.2_acl-branch/

As of writing this the changes for 1.1.3 and 1.2 are the same (but the 1.2 version isn't really tested yet).

cheers
sascha

--
Sascha Wilde, OpenPGP key: 4BB86568
Intevation GmbH, Osnabrück, http://www.intevation.de/~wilde/
Registered at the Osnabrück district court (Amtsgericht Osnabrück), HR B 18998, http://www.intevation.de/
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner