Access Control Lists Rights Reference¶
Additional documentation on Access Control is available in the following documents:
Individual Rights Reference¶
Stands for lookup.
The ACI subject can lookup this folder, and see that the folder exists, meaning the folder will appear in the response to a
LIST "" "*"command issued by a client.
Folders to which the ACI subject has no lookup rights may still be subscribed to. The lookup right is only required if Cyrus IMAP has been configured with the
This setting defaults to
0. In a Cyrus IMAP Murder, this setting is typically set to
RFC 4314, states the following example in section 4:
Note that if the user has l right to a mailbox
A/B, but not to its parent mailbox
LISTcommand should behave as if the mailbox
Adoesn’t exist, for example:C: A777 LIST "" * S: * LIST (\NoInferiors) "/" "A/B" S: * LIST () "/" "C" S: * LIST (\NoInferiors) "/" "C/D" S: A777 OK LIST completed
Stands for read.
The ACI subject can read the contents of this folder, meaning that the ACI subject is allowed to
EXAMINEthe folder, query its
SEARCHthe contents, and
COPYcontents from the folder.
Stands for seen.
The ACI subject is permitted to maintain the ACI subject’s seen state for this folder, or the shared seen state in case the
/vendor/cmu/cyrus-imapd/sharedseenhas been set to
\Recentflags are preserved for the ACI subject.
Stands for write.
The ACI subject is permitted to write to the folder, actually meaning the ACI subject is permitted to maintain flags and keywords other then
\Deleted, which are controlled using the s and t rights respectively.
IMAP clients may expect to be able to set flags other than
\Deletedand attempt to set those flags immediately along with a “Mark as read” action, but without the ACI subject actually being permitted to set some of those flags through the w right.
RFC 4314, section 4., page 15, states that the server SHOULD NOT fail, as the tagged NO response is not handled very well by deployed clients.
In order to comply, we have Bug #1375, as Cyrus IMAP currently does seem to issue a tagged
Stands for insert.
The ACI subject is permitted to insert content into a folder, meaning the ACI subject may
COPYmessages with this folder as the target folder, and may
APPENDmessages to this folder.
Stands for post.
The post right currently is exclusive to Cyrus IMAP, and allows the ACI subject to send email to the submission address for the mailbox.
This right differs from the i right in that the delivery system inserts trace information into submitted messages.
Example implementations using the p right include shared folders to which specific recipient addresses are delivered through LMTP pre-authorized as the
postuser, which must then also have the p right on the target folder.
Stands for create.
The create right is a right introduced with RFC 2086, indicating the ACI subject’s right to create new sub-folders in the parent folder on which this right has been assigned, but also to delete the same folder.
The c right should no longer be used. It will be deprecated completely in version 3.0.
While Cyrus IMAP is backwards compatible when it comes to the c right, which it implements as implying as the k right, implementations should not count on the c right backwards compability to be around forever, and fully implement the successor rights k and x.
The ACI subject has the right to
CREATEa new folder if the k right exists on the parent folder of the folder to be created.
The rights required for a
RENAMEto be successful could be illustrated by describing a
CREATEof the new folder, not exactly followed by a
COPYon the old folder’s contents, but more like a move like on a filesystem, and finally a
DELETEon the old folder.
Stands for administer.
The ACI subject is allowed to administer the folder, meaning the ACI subject is allowed to perform administrative operations on the folder.
The a right is needed to successfully execute
SETACL "") and to execute
IMAP clients may issue a
GETACLin order to obtain the ACI subject’s rights on the folder, where they should be using
LISTRIGHTSreturn the full Access Control List, including other ACI subject’s identifiers.
However unless the ACI subject has the a right on a folder, issuing a
LISTRIGHTSwill cause Cyrus IMAP to send a tagged
NO: Permission deniedresponse if the ACI subject has the l right on the folder, and a
NO: No Such Mailboxresponse otherwise, as per section 8 of RFC 2086 and section 6 of RFC 4314 – both conveniently called Security Considerations – which state that the IMAP server must not inadvertently admit the mailbox exists.
The ACI subject is allowed to delete messages from this folder, meaning that the ACI subject is allowed to flag messages as
In IMAP, messages are only actually deleted (i.e. in a way that makes them invisble to users of the folder) after the folder’s contents have been expunged.
For the corresponding
EXPUNGEcommand however, the e right is required.
The ACI subject is allowed to annotate individual messages in this folder, in compliance with RFC 5257.
Stands for expunge.
The ACI subject is allowed to expunge messages in this folder, meaning the ACI subject has the right to remove all messages that have been flagged as
\Deletedfrom all visibility.
In IMAP, expunging messages only applies to messages flagged as
\Deleted. For the ACI subject to be able to flag messages as
\Deletedhowever, the t right is required.
We say “remove from all visibility”, because the implementation of expunging messages in Cyrus IMAP is subject to the
expunge_modesetting in imapd.conf(5), which when set to
delayedonly causes the reference to the expunged messages to be deleted from the folder index database – effectively removing the expunged message(s) from all visibility, while the individual message files remain in place on the Cyrus IMAP server filesystem.
IMAP clients may expect to be able to
EXPUNGEa folder regardless of the availability of the e right to the current user.
Stands for delete.
This is the legacy RFC 2086 access control right for the
In versions of Cyrus IMAP implementing only this right (prior to 2.3.7), ACI subjects were allowed to flag messages as
deleterightsetting in imapd.conf(5) controls the RFC 2086 right which controls whether or not the ACI subject may delete a folder. However, this setting (as the original specification for the delete right was considered ambiguous) is ignored, and if it is set to c, is automatically converted to the x right.
Even though Cyrus IMAP is backwards compatible when it comes to the d right, which it implements as implying as the e and t rights, implementations should not count on the d right backwards compability to be around forever, and instead fully implement the successor rights e, t and x rights.