Access control lists

Archiveopteryx supports fine-grained access control. A mailbox, a tree of mailboxes, or the entire server can be controlled, and there are many rights, all of which can be granted or denied individually.

Access control is adjusted using the aox setacl command, or using IMAP clients such as Squirrelmail or Mulberry.

Example

In this example, we deny all users the right to see each other's mailboxes, but we allow everyone the ability to see /shared/…, and one user may also administer /shared/… access using an IMAP client.

First, we set up the basic default:

aox setacl / anyone ""

This says that anyone has no rights to any child of /. Since all mailboxes are children of that mailbox, this takes away everyone's rights.

Next, we grant different rights on /shared/…:

aox setacl /shared anyone lr

This grants the l and r rights to anyone on /shared and all subordinate mailboxes. When someone tries to open e.g. /shared/nemesis, Archiveopteryx looks for, in order:

1: That user's rights on /shared/nemesis
2: Anyone's rights on /shared/nemesis
3: That user's rights on /shared
4: Anyone's rights on /shared
5: That user's rights on /
6: Anyone's rights on /
7: Constant l

The search terminates in step 4, since we set rights explicitly at that level; the first entry found wins, and nothing further up the tree is consulted. Archiveopteryx then checks whether the resolved rights include r (read) and a few other rights. In this case r is present, so the attempt to open /shared/nemesis succeeds. Since none of the other rights are present, the access is read-only.

Finally, we want to grant user Nirmala additional rights on /shared/…:

aox setacl /shared nirmala lrakx

With the a (admin) right Nirmala can use e.g. Squirrelmail to grant additional rights via the IMAP ACL extension, and with k (create) and x (delete) she can create and delete mailboxes.

In addition to these explicit rights, each user has full rights to their own mailboxes, of course.
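The resolution order described above, as an added example (this is a model written for this page, not Archiveopteryx's own code): a small Python implementation that walks from the requested mailbox up to /, prefers the user's own entry over the anyone entry at each level, stops at the first entry found, and falls back to the constant l. The ACL table mirrors the three aox setacl commands in the example. The HOME mapping (which mailboxes a user owns) and the ALL_RIGHTS string are assumptions of the model, since the page only states that owners hold full rights on their own mailboxes without saying how ownership is named.

```python
from typing import Dict, Iterator, Optional

# Constructed ACL table mirroring the three aox setacl commands above:
# mailbox name -> {identifier: rights}. "anyone" is the IMAP ACL identifier
# that matches every authenticated user.
ACL: Dict[str, Dict[str, str]] = {
    "/": {"anyone": ""},
    "/shared": {"anyone": "lr", "nirmala": "lrakx"},
}

# Assumption: where each user's own mailboxes live. The page says owners hold
# full rights on their own mailboxes but does not say how ownership is named.
HOME: Dict[str, str] = {"nirmala": "/users/nirmala", "bob": "/users/bob"}

# Assumption: the right letters used on this page, granted in full to owners.
ALL_RIGHTS = "lrswnikxtea"


def ancestors(mailbox: str) -> Iterator[str]:
    """Yield the mailbox itself, then each parent, ending with '/'."""
    name = mailbox
    while True:
        yield name
        if name == "/":
            return
        name = name.rsplit("/", 1)[0] or "/"


def is_owner(user: str, mailbox: str) -> bool:
    """True if mailbox is the user's home or lies beneath it (model assumption)."""
    home = HOME.get(user)
    return home is not None and (mailbox == home or mailbox.startswith(home + "/"))


def rights_for(user: str, mailbox: str,
               acl: Optional[Dict[str, Dict[str, str]]] = None) -> str:
    """Resolve the effective rights of user on mailbox.

    Walks from the mailbox up to '/', at each level checking the user's own
    entry before the 'anyone' entry, and returns the first entry found. If no
    entry exists at any level, the constant 'l' applies.
    """
    if acl is None:
        acl = ACL
    if is_owner(user, mailbox):
        return ALL_RIGHTS
    for name in ancestors(mailbox):
        entries = acl.get(name, {})
        if user in entries:            # steps 1, 3, 5: the user's own entry
            return entries[user]
        if "anyone" in entries:        # steps 2, 4, 6: the anyone entry
            return entries["anyone"]
    return "l"                         # step 7: constant l


def access(user: str, mailbox: str) -> str:
    """Summarise the resolved rights: hidden, listed, read-only or read-write."""
    rights = rights_for(user, mailbox)
    if "r" in rights:
        # Only l and r present means the mailbox can be opened but not changed.
        return "read-only" if set(rights) <= {"l", "r"} else "read-write"
    return "listed" if "l" in rights else "hidden"


if __name__ == "__main__":
    for user, box in [("bob", "/shared/nemesis"), ("nirmala", "/shared/nemesis"),
                      ("bob", "/users/nirmala/INBOX"), ("nirmala", "/users/nirmala/INBOX")]:
        print(f"{user:8} {box:24} {rights_for(user, box)!r:14} {access(user, box)}")
```

Passing a different table as `acl` lets you check a proposed policy before applying it with aox setacl; note that rights_for returns the first entry found and does not merge entries from different levels, which is why "/" with anyone "" hides everything that no lower entry explicitly exposes.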

The documentation for aox setacl contains more examples, showing other syntax.

Typical usage

To hide something completely: "" (the empty string).

To show that a mailbox exists, yet grant no access: l.

To grant read-only access: lr.

As above, plus the ability to change flags: lrswn.

As above, plus the ability to copy mail to the mailbox: lrswni.

As above, plus the ability to delete: lrswnte or lrswnite.

Rights

The full list of rights is:

By default everyone has the l (lookup) right, and the mailbox owner also has all other rights.

Weaknesses

We only know about one attack against this system, and it's rather weak:

The l (lookup) right is subject to timing attacks. If an attacker wants to know which of the mailboxes /x/1, /x/2, /x/3 and /x/4 exist, it is possible to issue many LIST commands and analyse the response timings statistically. This attack only works for logged-in IMAP users, and it cannot be used to ask "which mailboxes exist?", only "which of the mailboxes in this list exist?".

In case of questions, please write to info@aox.org.

About this page

Last modified: 2010-11-19
Location: aox.org/acl/