>> Josh Whitver on Tuesday, June 21, 2005 at 3:13 PM -0600 wrote:
>>>Hello all,
>>>
>>>I'm setting up group-based ACLs
>> [for shared mailboxes]
>>>on my Tiger server box, and at one point I made an oopsie.  So I'm trying to
>>>delete those ACLs but it's
>> [cyrus]
>>>not letting me.  A sample cyradm transcript is as follows:
>>>
>>>localhost> lam UHS/News
>>>cyrusadmin lrswipcda
>>>group:uhs lrsp
>>>anyone p
>>>localhost> dam UHS/News group:uhs
>>>deleteaclmailbox: group:uhs: Invalid identifier
>>
>> Sorry to be a bother, but does anyone have some ideas on what's going on
>> here?
>
> The group uhs doesn't exist. Looks like a bug to me that you can't remove
> an ACL if the identifier doesn't exist. Does someone know more about this?

I tried to fix it with the attached patch, but it doesn't work at all - which
is what I expected, bash is the only thing I really understand. From what
I can think of, with every ACL operation except remove, it's okay to check
whether an identifier really exists. But for remove, it should be possible
to remove an ACL even if the identifier has been removed before.

Anyone out there to help?

Simon

>
>> Thanks!
>> --
>> Josh Whitver
>> [EMAIL PROTECTED] / [EMAIL PROTECTED]
>> The best way to make a fire with two sticks is to make sure one of them is a
>> match.
>>
>> ---
>> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
>> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
>> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>>
>>
>
>
diff -Naur cyrus-imapd-2.2.12.orig/lib/acl_afs.c cyrus-imapd-2.2.12/lib/acl_afs.c
--- cyrus-imapd-2.2.12.orig/lib/acl_afs.c	2004-03-05 20:19:21.000000000 +0100
+++ cyrus-imapd-2.2.12/lib/acl_afs.c	2005-06-24 11:26:58.000000000 +0200
@@ -105,6 +105,9 @@
  * Modify the ACL pointed to by 'acl' to make the rights granted to
  * 'identifier' the set specified in the mask 'access'.  The pointer
  * pointed to by 'acl' must have been obtained from malloc().
+ * We allow removing of the ACL even if auth_canonifyid() failed,
+ * otherwise the ACL for an already removed identifier can not be
+ * removed anymore.
  */
 int cyrus_acl_set(acl, identifier, mode, access, canonproc, canonrock)
 char **acl;
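Review bot: the comment added above cyrus_acl_set() does not say which string is matched against the ACL once auth_canonifyid() has failed. State that in ACL_MODE_REMOVE the identifier is then used exactly as supplied, uncanonified, and that every other mode still returns -1. "can not be removed anymore" would also read better as "can no longer be removed".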
@@ -115,16 +118,25 @@
 void *canonrock;
 {
     char *newidentifier = 0;
+    char *oldidentifier = 0;
     char *newacl;
     char *thisid, *nextid;
     int oldaccess = 0;
     char *rights;
 
     /* Convert 'identifier' into canonical form */
+    if (mode == ACL_MODE_REMOVE) {
+	oldidentifier = xmalloc(strlen(identifier)+1);
+	strcpy(oldidentifier, identifier);
+    }
     if (*identifier == '-') {
 	char *canonid = auth_canonifyid(identifier+1, 0);
 	if (!canonid) {
-	    return -1;
+	    if (mode == ACL_MODE_REMOVE) {
+		strcpy(canonid, oldidentifier+1);
+	    } else {
+		return -1;
+	    }
 	}
 	newidentifier = xmalloc(strlen(canonid)+2);
 	newidentifier[0] = '-';
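Review bot: in the '-' branch, strcpy(canonid, oldidentifier+1) is reached only when canonid is NULL, so it writes through a null pointer and the remove path crashes instead of falling back. Assign the pointer rather than copying into it, for example "canonid = identifier+1;", which is still valid here because identifier has not been overwritten in this branch. With that change the xmalloc()/strcpy() copy into oldidentifier is not needed for this path at all.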
@@ -137,7 +149,11 @@
     else {
 	identifier = auth_canonifyid(identifier, 0);
 	if (!identifier) {
-	    return -1;
+	    if (mode == ACL_MODE_REMOVE) {
+		strcpy(identifier, oldidentifier);
+	    } else {
+		return -1;
+	    }
 	}
 	if (canonproc) {
 	    access = canonproc(canonrock, identifier, access);
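Review bot: in the else branch, identifier has just been overwritten with the NULL result of auth_canonifyid(), so strcpy(identifier, oldidentifier) copies into a null pointer. Use "identifier = oldidentifier;" here instead. Note also that canonproc() on the following lines then receives the uncanonified name, which the function comment should mention.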
@@ -204,6 +220,7 @@
     }
 
     if (newidentifier) free(newidentifier);
+    if (oldidentifier) free(oldidentifier);
     return 0;
 }
 
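Review bot: this free() covers only the final "return 0". oldidentifier is allocated whenever mode is ACL_MODE_REMOVE, so any return between the canonification block and this point that the patch does not show would leak it in remove mode; please check those paths. If the fallback ends up pointing identifier at oldidentifier, this free() also has to stay after the last use of identifier.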
