Archiveopteryx supports fine-grained access control. A mailbox, a tree of mailboxes, or the entire server can be controlled, and there are many rights, all of which can be granted or denied individually.
In this example, we deny all users the right to see each other's mailboxes, but we allow everyone the ability to see /shared/…, and one user may also administer /shared/… access using an IMAP client.
First, we set up the basic default:
aox setacl / anyone ""
This says that anyone has no rights to any child of /. Since all mailboxes are children of that mailbox, this takes away everyone's rights.
Next, we grant different rights on /shared/…:
aox setacl /shared anyone lr
This grants the l and r rights to anyone on /shared and all subordinate mailboxes. When someone tries to open e.g. /shared/nemesis, Archiveopteryx looks, in order, for:
1: That user's rights on /shared/nemesis
2: Anyone's rights on /shared/nemesis
3: That user's rights on /shared
4: Anyone's rights on /shared
5: That user's rights on /
6: Anyone's rights on /
7: The constant l
The search terminates in step 4, since we explicitly set a right for that. Next, Archiveopteryx checks whether the set rights include r (read) and a few other rights. In this case r is there, so the attempt to open /shared/nemesis succeeds. Since none of the other rights are present, the access is read-only.
Finally, we want to grant user Nirmala additional rights on /shared/…:
aox setacl /shared nirmala lrakx
In addition to these explicit rights, each user has full rights to his/her own mailboxes, of course.
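The lookup order above, worked through in Python as an added illustration (this is not Archiveopteryx's own code). The in-memory table mirrors the three aox setacl commands in this example; the function names and the assumption that an empty string is an explicit "no rights" entry are mine.

```python
# Added illustration of the ACL lookup order described above; not Archiveopteryx code.
# The table mirrors the three "aox setacl" commands in this example.
# Assumption: "" is an explicit entry granting no rights, so it ends the search
# just like any other entry (that is what makes "/ anyone """ an effective deny).
ACL = {
    ("/", "anyone"): "",              # aox setacl / anyone ""
    ("/shared", "anyone"): "lr",      # aox setacl /shared anyone lr
    ("/shared", "nirmala"): "lrakx",  # aox setacl /shared nirmala lrakx
}

DEFAULT_RIGHTS = "l"  # step 7: the constant l used when nothing at all is set


def ancestors(mailbox):
    """Yield the mailbox itself, then each parent up to the root "/"."""
    path = mailbox.rstrip("/") or "/"
    while True:
        yield path
        if path == "/":
            return
        path = path.rsplit("/", 1)[0] or "/"


def effective_rights(acl, user, mailbox):
    """Resolve rights following steps 1-7: at each level the user's own entry
    is consulted before the "anyone" entry, and the first entry found (even
    an empty one) terminates the search."""
    for path in ancestors(mailbox):
        for identifier in (user, "anyone"):
            rights = acl.get((path, identifier))
            if rights is not None:
                return rights
    return DEFAULT_RIGHTS


def can_open(acl, user, mailbox):
    """Opening a mailbox needs the r right. The page says a few other rights
    are checked as well; this simplified check (an assumption) looks only at r."""
    return "r" in effective_rights(acl, user, mailbox)
```

With the table above, a user other than nirmala resolves to lr on /shared/nemesis (read-only), while any mailbox outside /shared resolves to the explicit empty entry on / and cannot even be listed.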
The documentation for aox setacl contains more examples, showing other syntax.
To hide something completely: "" (the empty string).
To show that a mailbox exists, yet grant no access: l.
To grant read-only access: lr.
As above, plus the ability to change flags: lrswn.
As above, plus the ability to copy mail to the mailbox: lrswni.
As above, plus the ability to delete: lrswnte or lrswnite.
The full list of rights is:
By default everyone has the l (lookup) right, and the mailbox owner also has all other rights.
We only know about one attack against this system, and it's rather weak:
The l (lookup) right is subject to timing attacks. If an attacker wants to know which of the mailboxes /x/1, /x/2, /x/3 and /x/4 exist, it is possible to issue many LIST commands and analyse the response timings statistically. This attack only works for logged-in IMAP users, and it cannot be used to ask "which mailboxes exist?", only "which mailboxes in this list exist?".
In case of questions, please write to email@example.com.
Last modified: 2010-11-19