Lrswipkxtecda in Cyrus


What exactly is lrswipkxtecda in Cyrus? I've gathered from here that it has something to do with ACLs for the mailboxes in Cyrus but can someone shed some more light on it? Do the individual letters stand for something?

I found this the first time I took the dump of mailboxes.db and then subsequently when I tried to do some operation which wasn't permitted (for example, it'd show up in the verbose output while trying to delete a mailbox without applying delete permission to the cyrus user).

PS: I don't know if such a small question is going to be answered but googling didn't yield anything specific, so I thought it'd be better to ask.

Best Answer

IMAP4 allows the use of shared mailboxes. Therefore it makes sense to have some control over the rights a user has on a mailbox. Those rights are defined with access control lists (ACL). Cyrus IMAPd uses ACLs to control access to any type of mailbox, be it private, shared or public.

Every mailbox contains an ACL, which is a list of access control entries. Those entries consist of a userid and the rights the user has on the particular mailbox.

The rights are (RFC4314):

l - lookup (mailbox is visible to LIST/LSUB commands, SUBSCRIBE
    mailbox)
r - read (SELECT the mailbox, perform STATUS)
s - keep seen/unseen information across sessions (set or clear
    \SEEN flag via STORE, also set \SEEN during APPEND/COPY/
    FETCH BODY[...])
w - write (set or clear flags other than \SEEN and \DELETED via
    STORE, also set them during APPEND/COPY)
i - insert (perform APPEND, COPY into mailbox)
p - post (send mail to submission address for mailbox,
    not enforced by IMAP4 itself)
k - create mailboxes (CREATE new sub-mailboxes in any
    implementation-defined hierarchy, parent mailbox for the new
    mailbox name in RENAME)
x - delete mailbox (DELETE mailbox, old mailbox name in RENAME)
t - delete messages (set or clear \DELETED flag via STORE, set
    \DELETED flag during APPEND/COPY)
e - perform EXPUNGE and expunge as a part of CLOSE
a - administer (perform SETACL/DELETEACL/GETACL/LISTRIGHTS)

"c" and "d" are obsolete as of RFC4314 (section 2.1.1.).

To administer ACLs in cyrus, you can use cyradm:

setaclmailbox shared.questions jenny lrs
listaclmailbox shared.questions
deleteaclmailbox shared.questions jenny

Some optimizations:

  • Use shorter command names: sam, lam, dam
  • Use wildcards for mailboxes: sam shared.* jenny lrs
  • Use anyone to set rights for all users: sam shared.* anyone lrswipkxtecda
  • Use all to allow everything: sam shared.* anyone all
  • Prefixing the user name with a dash can be used to "remove" rights to a mailbox: sam shared.secret -edgar all
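
As an added example (not part of the original answer, and not Cyrus code), the sketch below decodes rights strings such as lrswipkxtecda, computes a user's effective rights from positive and dash-prefixed entries, and flags ACL entries worth reviewing. It assumes that "all" means every right in the list above, that only the user's own entries and `anyone` apply (groups are ignored), and that the `SENSITIVE` set is a hypothetical audit policy; the sample ACL is constructed.

```python
# Added example: decode RFC 4314 rights strings and audit mailbox ACL entries.
RIGHTS = {
    "l": "lookup", "r": "read", "s": "seen", "w": "write", "i": "insert",
    "p": "post", "k": "create mailboxes", "x": "delete mailbox",
    "t": "delete messages", "e": "expunge", "a": "administer",
}
OBSOLETE = {"c", "d"}      # obsolete as of RFC 4314, section 2.1.1
SENSITIVE = set("xtea")    # hypothetical policy: destructive and admin rights


def parse_rights(spec):
    """Return (current rights, obsolete letters); reject unknown letters."""
    if spec == "all":      # assumption: "all" is every right in RIGHTS
        return set(RIGHTS), set()
    current, obsolete = set(), set()
    for ch in spec:
        if ch in RIGHTS:
            current.add(ch)
        elif ch in OBSOLETE:
            obsolete.add(ch)
        else:
            raise ValueError(f"unknown right {ch!r} in {spec!r}")
    return current, obsolete


def effective_rights(acl, user):
    """Rights granted to user or 'anyone', minus rights in '-id' entries."""
    granted, denied = set(), set()
    for ident, spec in acl:
        rights, _ = parse_rights(spec)
        negative = ident.startswith("-")
        name = ident[1:] if negative else ident
        if name in (user, "anyone"):
            (denied if negative else granted).update(rights)
    return "".join(r for r in RIGHTS if r in granted - denied)


def audit(acl):
    """Flag 'anyone' entries with sensitive rights and obsolete letters."""
    findings = []
    for ident, spec in acl:
        rights, obsolete = parse_rights(spec)
        if ident == "anyone" and rights & SENSITIVE:
            risky = "".join(r for r in RIGHTS if r in rights & SENSITIVE)
            findings.append(f"anyone holds sensitive rights: {risky}")
        if obsolete:
            old = "".join(sorted(obsolete))
            findings.append(f"{ident} uses obsolete rights: {old}")
    return findings


# Constructed sample ACL for one mailbox: (identifier, rights) pairs.
SAMPLE_ACL = [("jenny", "lrs"), ("anyone", "lrswipkxtecda"), ("-edgar", "all")]
```
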