Access Control Lists Rights Reference¶
Access rights in Cyrus IMAP are fully compatible with RFC 4314, IMAP4 Access Control List (ACL) Extension, which has obsoleted RFC 2086.
Additional documentation on Access Control is available in the following documents:
Individual Rights Reference¶
l
¶
Stands for lookup.
The ACI subject can lookup this folder, and see that the folder exists, meaning the folder will appear in the response to a
LIST "" "*"
command issued by a client.Folders to which the ACI subject has no lookup rights may still be subscribed to. The lookup right is only required if Cyrus IMAP has been configured with the
allowallsubscribe
setting to0
.This setting defaults to
0
. In a Cyrus IMAP Murder, this setting is typically set to1
.The l right can be assigned to a folder, without the l right having been given out for the parent folder. Cyrus IMAP will pretend the parent folder does not exist;
RFC 4314, states the following example in section 4:
Note that if the user has l right to a mailbox
A/B
, but not to its parent mailboxA
, theLIST
command should behave as if the mailboxA
doesn’t exist, for example:C: A777 LIST "" * S: * LIST (\NoInferiors) "/" "A/B" S: * LIST () "/" "C" S: * LIST (\NoInferiors) "/" "C/D" S: A777 OK LIST completed
r
¶
Stands for read.
The ACI subject can read the contents of this folder, meaning that the ACI subject is allowed to
SELECT
orEXAMINE
the folder, query itsSTATUS
,FETCH
data,SEARCH
the contents, andCOPY
contents from the folder.The r right also allows the user to
GETMETADATA
when used in conjunction with the l right, as defined in RFC 5464.
s
¶
Stands for seen.
The ACI subject is permitted to maintain the ACI subject’s seen state for this folder, or the shared seen state in case the
/vendor/cmu/cyrus-imapd/sharedseen
has been set to1
(see imap-admin-systemcommands-cyradm).Additionally, the
\Recent
flags are preserved for the ACI subject.
w
¶
Stands for write.
The ACI subject is permitted to write to the folder, actually meaning the ACI subject is permitted to maintain flags and keywords other then
\Seen
and\Deleted
, which are controlled using the s and t rights respectively.The w right also allows the user to
SETMETADATA
when used in conjunction with the l and r rights, as defined in RFC 5464.Note
IMAP clients may expect to be able to set flags other than
\Seen
and\Deleted
and attempt to set those flags immediately along with a “Mark as read” action, but without the ACI subject actually being permitted to set some of those flags through the w right.RFC 4314, section 4., page 15, states that the server SHOULD NOT fail, as the tagged NO response is not handled very well by deployed clients.
In order to comply, we have Bug #3488, as Cyrus IMAP currently does seem to issue a tagged
NO
response.
i
¶
Stands for insert.
The ACI subject is permitted to insert content into a folder, meaning the ACI subject may
COPY
messages with this folder as the target folder, and mayAPPEND
messages to this folder.
p
¶
Stands for post.
The post right currently is exclusive to Cyrus IMAP, and allows the ACI subject to send email to the submission address for the mailbox.
This right differs from the i right in that the delivery system inserts trace information into submitted messages.
Example implementations using the p right include shared folders to which specific recipient addresses are delivered through LMTP pre-authorized as the
postuser
, which must then also have the p right on the target folder.
c
¶
Stands for create.
The create right is a right introduced with RFC 2086, indicating the ACI subject’s right to create new sub-folders in the parent folder on which this right has been assigned, but also to delete the same folder.
Since RFC 4314, the c right has been replaced with the k right to allow the ACI subject to
CREATE
folders, and the x right to allow the ACI subject toDELETE
folders.Important
The c right should no longer be used. It will be deprecated completely in version 3.0.
While Cyrus IMAP is backwards compatible when it comes to the c right, which it implements as implying as the k right, implementations should not count on the c right backwards compability to be around forever, and fully implement the successor rights k and x.
k
¶
The ACI subject has the right to
CREATE
a new folder if the k right exists on the parent folder of the folder to be created.The rights required for a
RENAME
to be successful could be illustrated by describing aRENAME
as aCREATE
of the new folder, not exactly followed by aCOPY
on the old folder’s contents, but more like a move like on a filesystem, and finally aDELETE
on the old folder.As such, the k is the right required on the parent folder of the target folder, and the x right on the source folder.
To further illustrate, suppose the ACI subject has the k right on folder
C/
, and the x right on folderA/B
. The execution of the commandRENAME A/B C/B
would succeed.
a
¶
Stands for administer.
The ACI subject is allowed to administer the folder, meaning the ACI subject is allowed to perform administrative operations on the folder.
The a right is needed to successfully execute
SETACL
,DELETEACL
(short forSETACL ""
) and to executeGETACL
orLISTRIGHTS
.Note
IMAP clients may issue a
GETACL
in order to obtain the ACI subject’s rights on the folder, where they should be usingMYRIGHTS
, asGETACL
orLISTRIGHTS
return the full Access Control List, including other ACI subject’s identifiers.However unless the ACI subject has the a right on a folder, issuing a
GETACL
orLISTRIGHTS
will cause Cyrus IMAP to send a taggedNO: Permission denied
response if the ACI subject has the l right on the folder, and aNO: No Such Mailbox
response otherwise, as per section 8 of RFC 2086 and section 6 of RFC 4314 – both conveniently called Security Considerations – which state that the IMAP server must not inadvertently admit the mailbox exists.
x
¶
t
¶
The ACI subject is allowed to delete messages from this folder, meaning that the ACI subject is allowed to flag messages as
\Deleted
.In IMAP, messages are only actually deleted (i.e. in a way that makes them invisble to users of the folder) after the folder’s contents have been expunged.
For the corresponding
EXPUNGE
command however, the e right is required.
n
¶
The ACI subject is allowed to annotate individual messages in this folder, in compliance with RFC 5257.
e
¶
Stands for expunge.
The ACI subject is allowed to expunge messages in this folder, meaning the ACI subject has the right to remove all messages that have been flagged as
\Deleted
from all visibility.In IMAP, expunging messages only applies to messages flagged as
\Deleted
. For the ACI subject to be able to flag messages as\Deleted
however, the t right is required.We say “remove from all visibility”, because the implementation of expunging messages in Cyrus IMAP is subject to the
expunge_mode
setting in imapd.conf(5), which when set todelayed
only causes the reference to the expunged messages to be deleted from the folder index database – effectively removing the expunged message(s) from all visibility, while the individual message files remain in place on the Cyrus IMAP server filesystem.Note
IMAP clients may expect to be able to
EXPUNGE
a folder regardless of the availability of the e right to the current user.
d
¶
Stands for delete.
This is the legacy RFC 2086 access control right for the
DELETE
command.In versions of Cyrus IMAP implementing only this right (prior to 2.3.7), ACI subjects were allowed to flag messages as
\Deleted
, andEXPUNGE
andDELETE
folders.The delete right has been split in to three separate rights, t (flag messages as
\Deleted
), e (EXPUNGE
folder) and x (DELETE
folder).Note
The
deleteright
setting in imapd.conf(5) controls the RFC 2086 right which controls whether or not the ACI subject may delete a folder. However, this setting (as the original specification for the delete right was considered ambiguous) is ignored, and if it is set to c, is automatically converted to the x right.Important
Even though Cyrus IMAP is backwards compatible when it comes to the d right, which it implements as implying as the e and t rights, implementations should not count on the d right backwards compability to be around forever, and instead fully implement the successor rights e, t and x rights.