Hi,

We found a bug in the cyrus-imapd-2.4.6-keep-owner-rights patch. It occurs in 
the SETACL command, when trying to remove the admin rights. Thus, the 
following command should work, but does not:
    SETACL mailbox mailboxowner -xi

And this one should not work, but actually works:
    SETACL mailbox mailboxowner -a

Attached is a patch to fix this issue.

Kind regards,

On Friday 04 February 2011 10:38:44 you wrote:
> Guilherme Maciel Ferreira wrote:
> > Hi,
> > 
> > here is the patch against the master.
> 
> Applied and pushed, with full attribution, thanks!
> 
> Kind regards,
> 
> Jeroen van Meeuwen

-- 
Guilherme Maciel Ferreira
Intra2net AG | Mömpelgarder Weg 8 | 72072 Tübingen | DE

Telefon   +49-7071-56510-0
Telefax   +49-7071-56510-50
Internet  www.intra2net.com

Vorstand | Steffen Jarosch
Aufsichtsrat | Ulrich Emmert | Vorsitzender
Handelsregister | HRB 382770 | Amtsgericht Stuttgart
Identnummern | USt-Id DE216036710 | WEEE DE72185423

From 3c926bac416a3c8fe651e92b36e9149b8a837397 Mon Sep 17 00:00:00 2001
From: Guilherme Maciel Ferreira <guilherme.maciel.ferre...@intra2net.com>
Date: Thu, 17 Mar 2011 09:54:00 +0100
Subject: [PATCH] Fixed a BUG that causes "SETACL ... -a" to fail when it should be successful.
 - the setacl command DOES accept "SETACL mailbox mb_owner -a", removing the admin rights from the folder owner, but DOES NOT accept "SETACL mailbox mb_owner -xi".
 - this BUG was introduced by my patch in the commit 4412656e218a42559964ccdce06e8daefb8197c5.

---
 imap/mboxlist.c |   10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/imap/mboxlist.c b/imap/mboxlist.c
index 9e3c11f..b9d799e 100644
--- a/imap/mboxlist.c
+++ b/imap/mboxlist.c
@@ -1298,7 +1298,7 @@ static int mboxlist_is_owner(const char *name, int domainlen,
 /*
  * Check if the admin rights are present in the 'rights'
  */
-static int mboxlist_have_admin_rights(const char* rights) {
+static int mboxlist_contains_admin_rights(const char* rights) {
     int access = cyrus_acl_strtomask(rights);
     int have_admin_access = access & ACL_ADMIN;
 
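Review bot: The doc comment above mboxlist_contains_admin_rights() does not say what form `rights` must take. The function hands the string straight to cyrus_acl_strtomask(), and in the remove case the caller in mboxlist_setacl() has already advanced past the '-' with `rights++`, so the comment should state that the argument is the bare rights string without a mode prefix, and what the return value means. The local `have_admin_access` also keeps the old have_ naming; renaming it would match the new function name.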
@@ -1471,9 +1471,13 @@ int mboxlist_setacl(const char *name, const char *identifier,
 		rights++;
 		mode = ACL_MODE_REMOVE;
 	    }
+
 	    /* do not allow to remove the admin rights from mailbox owner */
-	    if (isidentifiermbox && (mode != ACL_MODE_ADD) &&
-		!mboxlist_have_admin_rights(rights)) {
+	    if (isidentifiermbox &&
+			( (mode == ACL_MODE_SET && !mboxlist_contains_admin_rights(rights)) ||
+			  (mode == ACL_MODE_REMOVE && mboxlist_contains_admin_rights(rights))
+			)
+		   ) {
 		syslog(LOG_ERR,"Denied to change admin access rights for "
 		       "folder \"%s\" (owner: %s) by user \"%s\"", name,
 		       mailbox_owner, userid);
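Review bot: The rewritten condition in mboxlist_setacl() names only ACL_MODE_SET and ACL_MODE_REMOVE, so ACL_MODE_ADD and any other mode value now pass the owner check implicitly, where the old `mode != ACL_MODE_ADD` test made that exemption visible. Extend the comment above the `if` to say that adding rights to the owner is always allowed, that a SET must include the admin right, and that a REMOVE must not include it. Since this corrects a regression in the same check and the diffstat lists only imap/mboxlist.c, a test covering the owner cases `-xi` (allowed) and `-a` (denied) would guard against a repeat. The standalone `)` lines and the mixed tab indentation could also be folded to match the surrounding code.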
-- 
1.7.4
