Re: ACL to deny move mailbox/folder

2008-10-08 Thread Ken Murchison
tarjei wrote:
> Ken Murchison wrote:
>> tarjei wrote:
>>> Hi,
>>>
>>> I got a shared folder where I want users to be able to create
>>> subfolders, but where I want to restrict the users so they do not move
>>> or delete the shared folder. The folder is a top level shared folder.
>>>
>>> I read through the cyradm documentation, but it wasn't very clear on how
>>> to do this. Is it possible?
>> What version of Cyrus?  If you're using 2.3.x, removing the 'x' right
>> from your users will prevent them from deleting the mailbox.  I'd have
>> to check the ACL RFC, but I believe it will also prevent renaming (I
>> think RENAME needs delete on the source and create on the destination).
>
> 2.3.7.
> 
> Interestingly enough, it seems that removing the 'x' right isn't possible:
>
> localhost.localdomain> lam Fag
> anyone lrswipkxtecda
> localhost.localdomain> sam Fag anyone lrswipktecda
> localhost.localdomain> lam Fag
> anyone lrswipkxtecda
> localhost.localdomain> sam Fag anyone write
> localhost.localdomain> lam Fag
> anyone lrswipkxtecd
> localhost.localdomain> sam Fag anyone lrswipktecda
> localhost.localdomain> lam Fag
> anyone lrswipkxtecda
> localhost.localdomain>
> 
> After some fooling around, I found out that the problem is that if you
> give the user the a right, then you also grant the e and t rights.

This would only be the case if you have 'deleteright' set to 'a'.


> Also, cyradm doesn't document what the c and d rights are.

They are legacy rights macros that are now macros.  If the 'deleteright'
option in imapd.conf is set to the default of 'c', then c='kx' and
d='et'.  By explicitly granting 'd' above, you're implicitly granting 'x'.

-- 
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
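
A model of the legacy-right expansion described in the reply above, added here as an example (not Cyrus code and not written by either poster). The function names are hypothetical, and the model assumes that whichever right `deleteright` names also grants 'x'; it shows why the rights string from the cyradm session still ends up with 'x' and which string avoids it.

```python
# Model of the legacy-macro expansion described in the reply above.
# Not Cyrus source code; function names are hypothetical.

LEGACY = {"c": "k", "d": "et"}  # old RFC 2086 rights -> the newer rights they stand for
ORDER = "lrswipkxtea"           # output order used by this example only


def _ordered(rights):
    """Join a set of rights in a stable order, unknown rights last."""
    return "".join(sorted(
        rights, key=lambda r: (ORDER.index(r) if r in ORDER else len(ORDER), r)))


def expand(rights, deleteright="c"):
    """Effective rights after a 'sam' with the given rights string.

    Assumption: the right named by the imapd.conf 'deleteright' option
    (default 'c') implicitly grants 'x' (delete mailbox).
    """
    effective = set()
    for r in rights:
        effective.update(LEGACY.get(r, r))
        if r == deleteright:
            effective.add("x")
    return _ordered(effective)


def without_mailbox_delete(rights, deleteright="c"):
    """Rights string that keeps everything except the ability to delete the mailbox."""
    safe = set()
    for r in rights:
        if r == "x":
            continue                   # drop the explicit delete-mailbox right
        if r in LEGACY:
            safe.update(LEGACY[r])     # spell the macro out, so no implied 'x'
        elif r != deleteright:
            safe.add(r)                # a non-macro deleteright (e.g. 'a') must go too
    return _ordered(safe)


if __name__ == "__main__":
    attempted = "lrswipktecda"         # the string from the cyradm session, 'x' left out
    print(attempted, "->", expand(attempted))
    fixed = without_mailbox_delete("lrswipkxtecda")
    print(fixed, "->", expand(fixed))
```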


Re: ACL to deny move mailbox/folder

2008-10-08 Thread tarjei
Ken Murchison wrote:
> tarjei wrote:
>> Hi,
>>
>> I got a shared folder where I want users to be able to create
>> subfolders, but where I want to restrict the users so they do not move
>> or delete the shared folder. The folder is a top level shared folder.
>>
>> I read through the cyradm documentation, but it wasn't very clear on how
>> to do this. Is it possible?
> 
> What version of Cyrus?  If you're using 2.3.x, removing the 'x' right
> from your users will prevent them from deleting the mailbox.  I'd have
> to check the ACL RFC, but I believe it will also prevent renaming (I
> think RENAME needs delete on the source and create on the destination).

2.3.7.

Interestingly enough, it seems that removing the 'x' right isn't possible:

localhost.localdomain> lam Fag
anyone lrswipkxtecda
localhost.localdomain> sam Fag anyone lrswipktecda
localhost.localdomain> lam Fag
anyone lrswipkxtecda
localhost.localdomain> sam Fag anyone write
localhost.localdomain> lam Fag
anyone lrswipkxtecd
localhost.localdomain> sam Fag anyone lrswipktecda
localhost.localdomain> lam Fag
anyone lrswipkxtecda
localhost.localdomain>

After some fooling around, I found out that the problem is that if you
give the user the a right, then you also grant the e and t rights.

Also, cyradm doesn't document what the c and d rights are.

A small documentation update would be nice here.

Anyhow, thanks for the tip - it solves my problem I think.

Kind regards,
Tarjei


Re: ACL to deny move mailbox/folder

2008-10-07 Thread Ken Murchison
tarjei wrote:
> Hi,
> 
> I got a shared folder where I want users to be able to create
> subfolders, but where I want to restrict the users so they do not move
> or delete the shared folder. The folder is a top level shared folder.
> 
> I read through the cyradm documentation, but it wasn't very clear on how
> to do this. Is it possible?

What version of Cyrus?  If you're using 2.3.x, removing the 'x' right 
from your users will prevent them from deleting the mailbox.  I'd have 
to check the ACL RFC, but I believe it will also prevent renaming (I 
think RENAME needs delete on the source and create on the destination).

-- 
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University



ACL to deny move mailbox/folder

2008-10-06 Thread tarjei
Hi,

I got a shared folder where I want users to be able to create
subfolders, but where I want to restrict the users so they do not move
or delete the shared folder. The folder is a top level shared folder.

I read through the cyradm documentation, but it wasn't very clear on how
to do this. Is it possible?

Should I consider other ways to do this - for example change the file
permissions of the mailbox directory directly?

All tips are welcome.

Kind regards,
Tarjei