mailing list archives

Anyone else think that these aren't quite right?

>       SUBSCRIBE - "l" right is required only if the server checks for
>       mailbox existence when performing SUBSCRIBE.

If user has other rights than "l" to a mailbox that makes it visible
(e.g. "r" or "i"), why should SUBSCRIBE not be allowed? It would even
make sense to me that if user has +r-l that subscribing to it would make
it easier to access via clients.

>       LSUB - "l" right is required only if the server checks for mailbox
>       existence when performing SUBSCRIBE.  However, unlike other
>       commands (e.g., SELECT) the server MUST NOT return a NO response
>       if it can't list a subscribed mailbox.

LSUB command lists whatever subscriptions user has set. If a mailbox is
deleted, its subscription isn't deleted. Why would it be different with
ACLs? Does this RFC really intend that if "l" right is removed from a
mailbox, its subscription should be hidden (and if "l" right is given
back, it would appear back)?

On Mon, 22 Nov 2010, Timo Sirainen wrote:
> Anyone else think that these aren't quite right?

I think that ACL itself is completely broken.

I actually implemented ACL in the new MA server.  It's even worse than I
thought.  I knew that ACL is unfeasible to map to filesystem protections
(if you believe otherwise, think carefully what UNIX mode 707 means), but
I was stunned to see what problems exist in an implementation where the
entire space is defined by ACL with no need to map to another space.

Even with no mapping, there are lovely ambiguities in the ACL
specification that could only be resolved by not implementating anything
that the ACL specification made optional (e.g., negative rights).  Then
there is the "k" right.

The best thing to do with ACL is to discard it in its entirety and start
over.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.