diff options
Diffstat (limited to 'imap/docs/rfc/rfc4314.txt')
-rw-r--r-- | imap/docs/rfc/rfc4314.txt | 1515 |
1 files changed, 0 insertions, 1515 deletions
diff --git a/imap/docs/rfc/rfc4314.txt b/imap/docs/rfc/rfc4314.txt deleted file mode 100644 index e73a56f2..00000000 --- a/imap/docs/rfc/rfc4314.txt +++ /dev/null @@ -1,1515 +0,0 @@ - - - - - - -Network Working Group A. Melnikov -Request for Comments: 4314 Isode Ltd. -Obsoletes: 2086 December 2005 -Category: Standards Track - - - IMAP4 Access Control List (ACL) Extension - -Status of this Memo - - This document specifies an Internet standards track protocol for the - Internet community, and requests discussion and suggestions for - improvements. Please refer to the current edition of the "Internet - Official Protocol Standards" (STD 1) for the standardization state - and status of this protocol. Distribution of this memo is unlimited. - -Copyright Notice - - Copyright (C) The Internet Society (2005). - -Abstract - - The Access Control List (ACL) extension (RFC 2086) of the Internet - Message Access Protocol (IMAP) permits mailbox access control lists - to be retrieved and manipulated through the IMAP protocol. - - This document is a revision of RFC 2086. It defines several new - access control rights and clarifies which rights are required for - different IMAP commands. - - - - - - - - - - - - - - - - - - - - - - -Melnikov Standards Track [Page 1] - -RFC 4314 IMAP ACL December 2005 - - -Table of Contents - - 1. Introduction and Overview .......................................3 - 1.1. Conventions Used in This Document ..........................3 - 2. Access Control ..................................................3 - 2.1. Standard Rights ............................................5 - 2.1.1. Obsolete Rights .....................................5 - 2.2. Rights Defined in RFC 2086 .................................8 - 3. Access control management commands and responses ................8 - 3.1. SETACL Command .............................................8 - 3.2. DELETEACL Command ..........................................9 - 3.3. GETACL Command ............................................10 - 3.4. LISTRIGHTS Command ........................................10 - 3.5. MYRIGHTS Command ..........................................11 - 3.6. ACL Response ..............................................11 - 3.7. LISTRIGHTS Response .......................................12 - 3.8. MYRIGHTS Response .........................................12 - 4. Rights Required to Perform Different IMAP4rev1 Commands ........12 - 5. Other Considerations ...........................................17 - 5.1. Additional Requirements and Implementation Notes ..........17 - 5.1.1. Servers ............................................17 - 5.1.2. Clients ............................................18 - 5.2. Mapping of ACL Rights to READ-WRITE and READ-ONLY - Response Codes ............................................19 - 6. Security Considerations ........................................20 - 7. Formal Syntax ..................................................21 - 8. IANA Considerations ............................................22 - 9. Internationalization Considerations ............................22 - Appendix A. Changes since RFC 2086 ................................23 - Appendix B. Compatibility with RFC 2086 ...........................24 - Appendix C. Known Deficiencies ....................................24 - Appendix D. Acknowledgements ......................................25 - Normative References ..............................................25 - Informative References ............................................25 - - - - - - - - - - - - - - - - - -Melnikov Standards Track [Page 2] - -RFC 4314 IMAP ACL December 2005 - - -1. Introduction and Overview - - The ACL (Access Control List) extension of the Internet Message - Access Protocol [IMAP4] permits mailbox access control lists to be - retrieved and manipulated through the IMAP protocol. - - This document is a revision of RFC 2086 [RFC2086]. It tries to - clarify different ambiguities in RFC 2086, in particular, the use of - UTF-8 [UTF-8] in access identifiers, which rights are required for - different IMAP4 commands, and how READ-WRITE/READ-ONLY response codes - are related to ACL. - -1.1. Conventions Used in This Document - - In examples, "C:" and "S:" indicate lines sent by the client and - server respectively. - - In all examples "/" character is used as hierarchy separator. - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in RFC 2119 [KEYWORDS]. - - The phrase "ACL server" is just a shortcut for saying "IMAP server - that supports ACL extension as defined in this document". - -2. Access Control - - The ACL extension is present in any IMAP4 implementation that returns - "ACL" as one of the supported capabilities to the CAPABILITY command. - - A server implementation conformant to this document MUST also return - rights (see below) not defined in Section 2.2 in the "RIGHTS=" - capability. - - An access control list is a set of <access identifier,rights> pairs. - An ACL applies to a mailbox name. - - Access identifier (or just "identifier") is a UTF-8 [UTF-8] string. - The identifier "anyone" is reserved to refer to the universal - identity (all authentications, including anonymous). All user name - strings accepted by the LOGIN or AUTHENTICATE commands to - authenticate to the IMAP server are reserved as identifiers for the - corresponding users. Identifiers starting with a dash ("-") are - reserved for "negative rights", described below. All other - identifier strings are interpreted in an implementation-defined - manner. - - - - -Melnikov Standards Track [Page 3] - -RFC 4314 IMAP ACL December 2005 - - - Rights is a string listing a (possibly empty) set of alphanumeric - characters, each character listing a set of operations that is being - controlled. Lowercase letters are reserved for "standard" rights, - listed in Section 2.1. (Note that for compatibility with deployed - clients and servers uppercase rights are not allowed.) The set of - standard rights can only be extended by a standards-track document. - Digits are reserved for implementation- or site-defined rights. - - An implementation MAY tie rights together or MAY force rights to - always or never be granted to particular identifiers. For example, - in an implementation that uses UNIX mode bits, the rights "swite" are - tied, the "a" right is always granted to the owner of a mailbox and - is never granted to another user. If rights are tied in an - implementation, the implementation must be conservative in granting - rights in response to SETACL commands--unless all rights in a tied - set are specified, none of that set should be included in the ACL - entry for that identifier. A client can discover the set of rights - that may be granted to a given identifier in the ACL for a given - mailbox name by using the LISTRIGHTS command. - - It is possible for multiple identifiers in an access control list to - apply to a given user. For example, an ACL may include rights to be - granted to the identifier matching the user, one or more - implementation-defined identifiers matching groups that include the - user, and/or the identifier "anyone". How these rights are combined - to determine the user's access is implementation defined. An - implementation may choose, for example, to use the union of the - rights granted to the applicable identifiers. An implementation may - instead choose, for example, to use only those rights granted to the - most specific identifier present in the ACL. A client can determine - the set of rights granted to the logged-in user for a given mailbox - name by using the MYRIGHTS command. - - When an identifier in an ACL starts with a dash ("-"), that indicates - that associated rights are to be removed from the identifier prefixed - by the dash. This is referred to as a "negative right". This - differs from DELETEACL in that a negative right is added to the ACL - and is a part of the calculation of the rights. - - Let's assume that an identifier "fred" refers to a user with login - "fred". If the identifier "-fred" is granted the "w" right, that - indicates that the "w" right is to be removed from users matching the - identifier "fred", even though the user "fred" might have the "w" - right as a consequence of some other identifier in the ACL. A - DELETEACL of "fred" simply deletes the identifier "fred" from the - ACL; it does not affect any rights that the user "fred" may get from - another entry in the ACL, in particular it doesn't affect rights - granted to the identifier "-fred". - - - -Melnikov Standards Track [Page 4] - -RFC 4314 IMAP ACL December 2005 - - - Server implementations are not required to support "negative right" - identifiers. - -2.1. Standard Rights - - The currently defined standard rights are (note that the list below - doesn't list all commands that use a particular right): - - l - lookup (mailbox is visible to LIST/LSUB commands, SUBSCRIBE - mailbox) - r - read (SELECT the mailbox, perform STATUS) - s - keep seen/unseen information across sessions (set or clear - \SEEN flag via STORE, also set \SEEN during APPEND/COPY/ - FETCH BODY[...]) - w - write (set or clear flags other than \SEEN and \DELETED via - STORE, also set them during APPEND/COPY) - i - insert (perform APPEND, COPY into mailbox) - p - post (send mail to submission address for mailbox, - not enforced by IMAP4 itself) - k - create mailboxes (CREATE new sub-mailboxes in any - implementation-defined hierarchy, parent mailbox for the new - mailbox name in RENAME) - x - delete mailbox (DELETE mailbox, old mailbox name in RENAME) - t - delete messages (set or clear \DELETED flag via STORE, set - \DELETED flag during APPEND/COPY) - e - perform EXPUNGE and expunge as a part of CLOSE - a - administer (perform SETACL/DELETEACL/GETACL/LISTRIGHTS) - -2.1.1. Obsolete Rights - - Due to ambiguity in RFC 2086, some existing RFC 2086 server - implementations use the "c" right to control the DELETE command. - Others chose to use the "d" right to control the DELETE command. For - the former group, let's define the "create" right as union of the "k" - and "x" rights, and the "delete" right as union of the "e" and "t" - rights. For the latter group, let's define the "create" rights as a - synonym to the "k" right, and the "delete" right as union of the "e", - "t", and "x" rights. - - For compatibility with RFC 2086, this section defines two virtual - rights "d" and "c". - - If a client includes the "d" right in a rights list, then it MUST be - treated as if the client had included every member of the "delete" - right. (It is not an error for a client to specify both the "d" - right and one or more members of the "delete" right, but the effect - is no different than if just the "d" right or all members of the - "delete" right had been specified.) - - - -Melnikov Standards Track [Page 5] - -RFC 4314 IMAP ACL December 2005 - - - When any of the "delete" member rights is set in a list of rights, - the server MUST also include the "d" right when returning the list in - a MYRIGHTS or ACL response. This is to enable older clients - conforming to RFC 2086 to work with newer servers. (*) - - Example: C: A001 SeTacl INBOX/Drafts David lrswida - S: A001 OK Setacl complete - - The client has specified the "d" right in the SETACL command above - and it expands to "et" on the server: - - C: A002 getacl INBOX/Drafts - S: * ACL INBOX Fred rwipslxcetda David lrswideta - S: A002 OK Getacl complete - - If the identifier specified in the LISTRIGHTS command can be granted - any of the "delete" member rights on a mailbox, then the server MUST - include the "d" right in the corresponding LISTRIGHTS response. (*) - If the member rights aren't tied to non-member rights, then the "d" - right is returned by itself in the LISTRIGHTS response. If any of - the member rights needs to be tied to one (or more) non-member right, - then the "d" right and all of the member rights need to be tied to - the same non-member right(s) (**). - - If a client includes the "c" right in a rights list, then it MUST be - treated as if the client had included every member of the "create" - right. (It is not an error for a client to specify both the "c" - right and one or more members of the "create" right, but the effect - is no different than if just the "c" right or all members of the - "create" right had been specified.) - - When any of the "create" member rights is set in a list of rights, - the server MUST also include the "c" right when returning the list in - a MYRIGHTS or ACL response. This is to enable older clients - conforming to RFC 2086 to work with newer servers. (*) - - Example: C: A003 Setacl INBOX/Drafts Byron lrswikda - S: A001 OK Setacl complete - C: A002 getAcl INBOX/Drafts - S: * ACL INBOX Fred rwipslxcetda Byron lrswikcdeta - S: A002 OK Getacl complete - - The client has specified the "d" right in the SETACL command above - and it expands to "et" on the server: As the client has specified the - "k" right (which is a member of the "c" right), the server also - returns the "c" right. - - - - - -Melnikov Standards Track [Page 6] - -RFC 4314 IMAP ACL December 2005 - - - If the identifier specified in the LISTRIGHTS command can be granted - any of the "create" member rights on a mailbox, then the server MUST - include the "c" right in the corresponding LISTRIGHTS response. (*) - If the member rights aren't tied to non-member rights, then the "c" - right is returned by itself in the LISTRIGHTS response. If any of - the member rights needs to be tied to one (or more) non-member right, - then the "c" right and all of the member rights need to be tied to - the same non-member right(s) (**). - - Example: The server that ties the rights as follows: - - lr s w i p k x t - - and c=k - - will return: - - S: * LISTRIGHTS archive/imap anyone "" - lr s w i p k x t c d - - Example: The server that ties the rights as follows: - - lr s w i p k xte - - and c=k - - will return: - - S: * LISTRIGHTS archive/imap anyone "" - lr s w i p k xte c d - - Example: The server that ties the rights as follows: - - lr s w i p k x te - - and c=k - - will return: - - S: * LISTRIGHTS archive/imap anyone "" - lr s w i p k c x te d - - Example: The server that ties the rights as follows: - - lr swte i p k x - - and c=kx - - - - -Melnikov Standards Track [Page 7] - -RFC 4314 IMAP ACL December 2005 - - - will return: - - S: * LISTRIGHTS archive/imap anyone "" - lr swted i p k x c - - (*) Clients conforming to this document MUST ignore the virtual "d" - and "c" rights in MYRIGHTS, ACL, and LISTRIGHTS responses. - - (**) The IMAPEXT Working Group has debated this issue in great length - and after reviewing existing ACL implementations concluded that - this is a reasonable restriction. - -2.2. Rights Defined in RFC 2086 - - The "RIGHTS=" capability MUST NOT include any of the rights defined - in RFC 2086: "l", "r", "s", "w", "i", "p", "a", "c", "d", and the - digits ("0" .. "9"). - -3. Access control management commands and responses - - Servers, when processing a command that has an identifier as a - parameter (i.e., any of SETACL, DELETEACL, and LISTRIGHTS commands), - SHOULD first prepare the received identifier using "SASLprep" profile - [SASLprep] of the "stringprep" algorithm [Stringprep]. If the - preparation of the identifier fails or results in an empty string, - the server MUST refuse to perform the command with a BAD response. - Note that Section 6 recommends additional identifier's verification - steps. - -3.1. SETACL Command - - Arguments: mailbox name - identifier - access right modification - - Data: no specific data for this command - - Result: OK - setacl completed - NO - setacl failure: can't set acl - BAD - arguments invalid - - The SETACL command changes the access control list on the specified - mailbox so that the specified identifier is granted permissions as - specified in the third argument. - - The third argument is a string containing an optional plus ("+") or - minus ("-") prefix, followed by zero or more rights characters. If - the string starts with a plus, the following rights are added to any - - - -Melnikov Standards Track [Page 8] - -RFC 4314 IMAP ACL December 2005 - - - existing rights for the identifier. If the string starts with a - minus, the following rights are removed from any existing rights for - the identifier. If the string does not start with a plus or minus, - the rights replace any existing rights for the identifier. - - Note that an unrecognized right MUST cause the command to return the - BAD response. In particular, the server MUST NOT silently ignore - unrecognized rights. - - Example: C: A001 GETACL INBOX/Drafts - S: * ACL INBOX/Drafts Fred rwipslxetad Chris lrswi - S: A001 OK Getacl complete - C: A002 SETACL INBOX/Drafts Chris +cda - S: A002 OK Setacl complete - C: A003 GETACL INBOX/Drafts - S: * ACL INBOX/Drafts Fred rwipslxetad Chris lrswicdakxet - S: A003 OK Getacl complete - - - C: A035 SETACL INBOX/Drafts John lrQswicda - S: A035 BAD Uppercase rights are not allowed - - - C: A036 SETACL INBOX/Drafts John lrqswicda - S: A036 BAD The q right is not supported - -3.2. DELETEACL Command - - Arguments: mailbox name - identifier - - Data: no specific data for this command - - Result: OK - deleteacl completed - NO - deleteacl failure: can't delete acl - BAD - arguments invalid - - The DELETEACL command removes any <identifier,rights> pair for the - specified identifier from the access control list for the specified - mailbox. - - Example: C: B001 getacl INBOX - S: * ACL INBOX Fred rwipslxetad -Fred wetd $team w - S: B001 OK Getacl complete - C: B002 DeleteAcl INBOX Fred - S: B002 OK Deleteacl complete - - - - - -Melnikov Standards Track [Page 9] - -RFC 4314 IMAP ACL December 2005 - - - C: B003 GETACL INBOX - S: * ACL INBOX -Fred wetd $team w - S: B003 OK Getacl complete - -3.3. GETACL Command - - Arguments: mailbox name - - Data: untagged responses: ACL - - Result: OK - getacl completed - NO - getacl failure: can't get acl - BAD - arguments invalid - - The GETACL command returns the access control list for mailbox in an - untagged ACL response. - - Some implementations MAY permit multiple forms of an identifier to - reference the same IMAP account. Usually, such implementations will - have a canonical form that is stored internally. An ACL response - caused by a GETACL command MAY include a canonicalized form of the - identifier that might be different from the one used in the - corresponding SETACL command. - - Example: C: A002 GETACL INBOX - S: * ACL INBOX Fred rwipsldexta - S: A002 OK Getacl complete - -3.4. LISTRIGHTS Command - - Arguments: mailbox name - identifier - - Data: untagged responses: LISTRIGHTS - - Result: OK - listrights completed - NO - listrights failure: can't get rights list - BAD - arguments invalid - - The LISTRIGHTS command takes a mailbox name and an identifier and - returns information about what rights can be granted to the - identifier in the ACL for the mailbox. - - Some implementations MAY permit multiple forms of an identifier to - reference the same IMAP account. Usually, such implementations will - have a canonical form that is stored internally. A LISTRIGHTS - - - - - -Melnikov Standards Track [Page 10] - -RFC 4314 IMAP ACL December 2005 - - - response caused by a LISTRIGHTS command MUST always return the same - form of an identifier as specified by the client. This is to allow - the client to correlate the response with the command. - - Example: C: a001 LISTRIGHTS ~/Mail/saved smith - S: * LISTRIGHTS ~/Mail/saved smith la r swicdkxte - S: a001 OK Listrights completed - - Example: C: a005 listrights archive/imap anyone - S: * LISTRIGHTS archive.imap anyone "" - l r s w i p k x t e c d a 0 1 2 3 4 5 6 7 8 9 - S: a005 Listrights successful - -3.5. MYRIGHTS Command - - Arguments: mailbox name - - Data: untagged responses: MYRIGHTS - - Result: OK - myrights completed - NO - myrights failure: can't get rights - BAD - arguments invalid - - The MYRIGHTS command returns the set of rights that the user has to - mailbox in an untagged MYRIGHTS reply. - - Example: C: A003 MYRIGHTS INBOX - S: * MYRIGHTS INBOX rwiptsldaex - S: A003 OK Myrights complete - -3.6. ACL Response - - Data: mailbox name - zero or more identifier rights pairs - - The ACL response occurs as a result of a GETACL command. The first - string is the mailbox name for which this ACL applies. This is - followed by zero or more pairs of strings; each pair contains the - identifier for which the entry applies followed by the set of rights - that the identifier has. - - Section 2.1.1 details additional server requirements related to - handling of the virtual "d" and "c" rights. - - - - - - - - -Melnikov Standards Track [Page 11] - -RFC 4314 IMAP ACL December 2005 - - -3.7. LISTRIGHTS Response - - Data: mailbox name - identifier - required rights - list of optional rights - - The LISTRIGHTS response occurs as a result of a LISTRIGHTS command. - The first two strings are the mailbox name and identifier for which - this rights list applies. Following the identifier is a string - containing the (possibly empty) set of rights the identifier will - always be granted in the mailbox. - - Following this are zero or more strings each containing a set of - rights the identifier can be granted in the mailbox. Rights - mentioned in the same string are tied together. The server MUST - either grant all tied rights to the identifier in the mailbox or - grant none. Section 2.1.1 details additional server requirements - related to handling of the virtual "d" and "c" rights. - - The same right MUST NOT be listed more than once in the LISTRIGHTS - command. - -3.8. MYRIGHTS Response - - Data: mailbox name - rights - - The MYRIGHTS response occurs as a result of a MYRIGHTS command. The - first string is the mailbox name for which these rights apply. The - second string is the set of rights that the client has. - - Section 2.1.1 details additional server requirements related to - handling of the virtual "d" and "c" rights. - -4. Rights Required to Perform Different IMAP4rev1 Commands - - Before executing a command, an ACL-compliant server MUST check which - rights are required to perform it. This section groups command by - functions they perform and list the rights required. It also gives - the detailed description of any special processing required. - - For the purpose of this section the UID counterpart of a command is - considered to be the same command, e.g., both UID COPY and COPY - commands require the same set of rights. - - - - - - -Melnikov Standards Track [Page 12] - -RFC 4314 IMAP ACL December 2005 - - - The table below summarizes different rights or their combinations - that are required in order to perform different IMAP operations. As - it is not always possible to express complex right checking and - interactions, the description after the table should be used as the - primary reference. - - +-------------------+---+---+---+---+---+---+---+---+---+---+---+---+ - |Operations\Rights | l | r | s | w | i | k | x | t | e | a |Any|Non| - +-------------------+---+---+---+---+---+---+---+---+---+---+---+---+ - | commands in authenticated state | - +-------------------------------------------------------------------+ - | LIST | + | | | | | | | | | | | | - | SUBSCRIBE | * | | | | | | | | | | | * | - | UNSUBSCRIBE | | | | | | | | | | | | + | - | LSUB | * | | | | | | | | | | | * | - |CREATE (for parent)| | | | | | + | | | | | | | - | DELETE | | ? | | | | | + | ? | ? | | | | - | RENAME | | | | | | + | + | | | | | | - | SELECT/EXAMINE | | + | | | | | | | | | | | - | STATUS | | + | | | | | | | | | | | - | SETACL/DELETEACL | | | | | | | | | | + | | | - | GETACL/LISTRIGHTS | | | | | | | | | | + | | | - | MYRIGHTS | | | | | | | | | | | + | | - | APPEND | | | ? | ? | + | | | ? | | | | | - +-------------------------------------------------------------------+ - | commands in selected state | - +-------------------------------------------------------------------+ - | COPY | | | ? | ? | + | | | ? | | | | | - | EXPUNGE | | | | | | | | | + | | | | - | CLOSE | | | | | | | | | ? | | | | - | FETCH | | | ? | | | | | | | | | | - | STORE flags | | | ? | ? | | | | ? | | | | | - +-------------------+---+---+---+---+---+---+---+---+---+---+---+---+ - - Note: for all commands in the selected state, the "r" is implied, - because it is required to SELECT/EXAMINE a mailbox. Servers are not - required to check presence of the "r" right once a mailbox is - successfully selected. - - Legend: - + - The right is required - * - Only one of the rights marked with * is required - (see description below) - ? - The right is OPTIONAL (see description below) - "Any" - at least one of the "l", "r", "i", "k", "x", "a" rights is - required - "Non" - No rights required to perform the command - - - - -Melnikov Standards Track [Page 13] - -RFC 4314 IMAP ACL December 2005 - - - Listing and subscribing/unsubscribing mailboxes: - LIST - "l" right is required. However, unlike other commands - (e.g., SELECT) the server MUST NOT return a NO response if it - can't list a mailbox. - Note that if the user has "l" right to a mailbox "A/B", but not to - its parent mailbox "A", the LIST command should behave as if the - mailbox "A" doesn't exist, for example: - - C: A777 LIST "" * - S: * LIST (\NoInferiors) "/" "A/B" - S: * LIST () "/" "C" - S: * LIST (\NoInferiors) "/" "C/D" - S: A777 OK LIST completed - - - SUBSCRIBE - "l" right is required only if the server checks for - mailbox existence when performing SUBSCRIBE. - - UNSUBSCRIBE - no rights required to perform this operation. - - LSUB - "l" right is required only if the server checks for mailbox - existence when performing SUBSCRIBE. However, unlike other - commands (e.g., SELECT) the server MUST NOT return a NO response - if it can't list a subscribed mailbox. - - Mailbox management: - CREATE - "k" right on a nearest existing parent mailbox. When a - new mailbox is created, it SHOULD inherit the ACL from the parent - mailbox (if one exists) in the defined hierarchy. - - DELETE - "x" right on the mailbox. Note that some servers don't - allow to delete a non-empty mailbox. If this is the case, the - user would also need "r", "e", and "t" rights, in order to open - the mailbox and empty it. - - The DELETE command MUST delete the ACL associated with the deleted - mailbox. - - RENAME - Moving a mailbox from one parent to another requires the - "x" right on the mailbox itself and the "k" right for the new - parent. For example, if the user wants to rename the mailbox - named "A/B/C" to "D/E", the user must have the "x" right for the - mailbox "A/B/C" and the "k" right for the mailbox "D". - The RENAME command SHOULD NOT change the ACLs on the renamed - mailbox and submailboxes. - - - - - - -Melnikov Standards Track [Page 14] - -RFC 4314 IMAP ACL December 2005 - - - Copying or appending messages: - Before performing a COPY/APPEND command, the server MUST check if - the user has "i" right for the target mailbox. If the user - doesn't have "i" right, the operation fails. Otherwise for each - copied/appended message the server MUST check if the user has - "t" right - when the message has \Deleted flag set - "s" right - when the message has \Seen flag set - "w" right - for all other message flags. - Only when the user has a particular right are the corresponding - flags stored for the newly created message. The server MUST NOT - fail a COPY/APPEND if the user has no rights to set a particular - flag. - - Example: C: A003 MYRIGHTS TargetMailbox - S: * MYRIGHTS TargetMailbox rwis - S: A003 OK Myrights complete - - C: A004 FETCH 1:3 (FLAGS) - S: * 1 FETCH (FLAGS (\Draft \Deleted) - S: * 2 FETCH (FLAGS (\Answered) - S: * 3 FETCH (FLAGS ($Forwarded \Seen) - S: A004 OK Fetch Completed - - C: A005 COPY 1:3 TargetMailbox - S: A005 OK Copy completed - - C: A006 SELECT TargetMailbox - ... - S: A006 Select Completed - - Let's assume that the copied messages received message numbers - 77:79. - - C: A007 FETCH 77:79 (FLAGS) - S: * 77 FETCH (FLAGS (\Draft)) - S: * 78 FETCH (FLAGS (\Answered)) - S: * 79 FETCH (FLAGS ($Forwarded \Seen)) - S: A007 OK Fetch Completed - - \Deleted flag was lost on COPY, as the user has no "t" right in - the target mailbox. - If the MYRIGHTS command with the tag A003 would have returned: - - S: * MYRIGHTS TargetMailbox rsti - - the response from the FETCH with the tag A007 would have been: - - C: A007 FETCH 77:79 (FLAGS) - - - -Melnikov Standards Track [Page 15] - -RFC 4314 IMAP ACL December 2005 - - - S: * 77 FETCH (FLAGS (\Deleted)) - S: * 78 FETCH (FLAGS ()) - S: * 79 FETCH (FLAGS (\Seen)) - S: A007 OK Fetch Completed - - In the latter case, \Answered, $Forwarded, and \Draft flags were - lost on COPY, as the user has no "w" right in the target mailbox. - - Expunging the selected mailbox: - EXPUNGE - "e" right on the selected mailbox. - - CLOSE - "e" right on the selected mailbox. If the server is - unable to expunge the mailbox because the user doesn't have the - "e" right, the server MUST ignore the expunge request, close the - mailbox, and return the tagged OK response. - - Fetch information about a mailbox and its messages: - SELECT/EXAMINE/STATUS - "r" right on the mailbox. - - FETCH - A FETCH request that implies setting \Seen flag MUST NOT - set it, if the current user doesn't have "s" right. - - Changing flags: - STORE - the server MUST check if the user has - "t" right - when the user modifies \Deleted flag - "s" right - when the user modifies \Seen flag - "w" right - for all other message flags. - STORE operation SHOULD NOT fail if the user has rights to modify - at least one flag specified in the STORE, as the tagged NO - response to a STORE command is not handled very well by deployed - clients. - - Changing ACLs: - SETACL/DELETEACL - "a" right on the mailbox. - - Reading ACLs: - GETACL - "a" right on the mailbox. - - MYRIGHTS - any of the following rights is required to perform the - operation: "l", "r", "i", "k", "x", "a". - - LISTRIGHTS - "a" right on the mailbox. - - - - - - - - - -Melnikov Standards Track [Page 16] - -RFC 4314 IMAP ACL December 2005 - - -5. Other Considerations - -5.1. Additional Requirements and Implementation Notes - -5.1.1. Servers - - This document defines an additional capability that is used to - announce the list of extra rights (excluding the ones defined in RFC - 2086) supported by the server. The set of rights MUST include "t", - "e", "x", and "k". Note that the extra rights can appear in any - order. - - Example: C: 1 capability - S: * CAPABILITY IMAP4REV1 STARTTLS LITERAL+ - ACL RIGHTS=texk - S: 1 OK completed - - Any server implementing an ACL extension MUST accurately reflect the - current user's rights in FLAGS and PERMANENTFLAGS responses. - - Example: C: A142 SELECT INBOX - S: * 172 EXISTS - S: * 1 RECENT - S: * OK [UNSEEN 12] Message 12 is first unseen - S: * OK [UIDVALIDITY 3857529045] UIDs valid - S: * OK [UIDNEXT 4392] Predicted next UID - S: * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) - S: * OK [PERMANENTFLAGS (\Seen \Answered \Flagged \*)] L - S: A142 OK [READ-WRITE] SELECT completed - C: A143 MYRIGHTS INBOX - S: * MYRIGHTS INBOX lrwis - S: A143 OK completed - - Note that in order to get better performance the client MAY pipeline - SELECT and MYRIGHTS commands: - - C: A142 SELECT INBOX - C: A143 MYRIGHTS INBOX - S: * 172 EXISTS - S: * 1 RECENT - S: * OK [UNSEEN 12] Message 12 is first unseen - S: * OK [UIDVALIDITY 3857529045] UIDs valid - S: * OK [UIDNEXT 4392] Predicted next UID - S: * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) - S: * OK [PERMANENTFLAGS (\Seen \Answered \Flagged \*)] L - S: A142 OK [READ-WRITE] SELECT completed - S: * MYRIGHTS INBOX lrwis - S: A143 OK completed - - - -Melnikov Standards Track [Page 17] - -RFC 4314 IMAP ACL December 2005 - - - Servers MAY cache the rights a user has on a mailbox when the mailbox - is selected, so that if a client's rights on a mailbox are changed - with SETACL or DELETEACL, commands specific to the selected state - (e.g., STORE, EXPUNGE) might not reflect the changed rights until the - mailbox is re-selected. If the server checks the rights on each - command, then it SHOULD send FLAGS and PERMANENTFLAGS responses if - they have changed. If such server detects that the user no longer - has read access to the mailbox, it MAY send an untagged BYE response - and close connection. It MAY also refuse to execute all commands - specific to the selected state until the mailbox is closed; however, - server implementors should note that most clients don't handle NO - responses very well. - - An ACL server MAY modify one or more ACLs for one or more identifiers - as a side effect of modifying the ACL specified in a - SETACL/DELETEACL. If the server does that, it MUST send untagged ACL - response(s) to notify the client about the changes made. - - An ACL server implementation MUST treat received ACL modification - commands as a possible ambiguity with respect to subsequent commands - affected by the ACL, as described in Section 5.5 of [IMAP4]. Hence a - pipeline SETACL + MYRIGHTS is an ambiguity with respect to the - server, meaning that the server must execute the SETACL command to - completion before the MYRIGHTS. However, clients are permitted to - send such a pipeline. - -5.1.2. Clients - - The following requirement is put on clients in order to allow for - future extensibility. A client implementation that allows a user to - read and update ACLs MUST preserve unrecognized rights that it - doesn't allow the user to change. That is, if the client - - 1) can read ACLs - and - 2) can update ACLs - but - 3) doesn't allow the user to change the rights the client doesn't - recognize, then it MUST preserve unrecognized rights. - - Otherwise the client could risk unintentionally removing permissions - it doesn't understand. - - - - - - - - - -Melnikov Standards Track [Page 18] - -RFC 4314 IMAP ACL December 2005 - - -5.2. Mapping of ACL Rights to READ-WRITE and READ-ONLY Response Codes - - A particular ACL server implementation MAY allow "shared multiuser - access" to some mailboxes. "Shared multiuser access" to a mailbox - means that multiple different users are able to access the same - mailbox, if they have proper access rights. "Shared multiuser - access" to the mailbox doesn't mean that the ACL for the mailbox is - currently set to allow access by multiple users. Let's denote a - "shared multiuser write access" as a "shared multiuser access" when a - user can be granted flag modification rights (any of "w", "s", or - "t"). - - Section 4 describes which rights are required for modifying different - flags. - - If the ACL server implements some flags as shared for a mailbox - (i.e., the ACL for the mailbox MAY be set up so that changes to those - flags are visible to another user), let's call the set of rights - associated with these flags (as described in Section 4) for that - mailbox collectively as "shared flag rights". Note that the "shared - flag rights" set MAY be different for different mailboxes. - - If the server doesn't support "shared multiuser write access" to a - mailbox or doesn't implement shared flags on the mailbox, "shared - flag rights" for the mailbox is defined to be the empty set. - - Example 1: Mailbox "banan" allows "shared multiuser write access" and - implements flags \Deleted, \Answered, and $MDNSent as - shared flags. "Shared flag rights" for the mailbox "banan" - is a set containing flags "t" (because system flag - \Deleted requires "t" right) and "w" (because both - \Answered and $MDNSent require "w" right). - - Example 2: Mailbox "apple" allows "shared multiuser write access" and - implements \Seen system flag as shared flag. "Shared flag - rights" for the mailbox "apple" contains "s" right - because system flag \Seen requires "s" right. - - Example 3: Mailbox "pear" allows "shared multiuser write access" and - implements flags \Seen, \Draft as shared flags. "Shared - flag rights" for the mailbox "apple" is a set containing - flags "s" (because system flag \Seen requires "s" right) - and "w" (because system flag \Draft requires "w" right). - - The server MUST include a READ-ONLY response code in the tagged OK - response to a SELECT command if none of the following rights is - granted to the current user: - - - - -Melnikov Standards Track [Page 19] - -RFC 4314 IMAP ACL December 2005 - - - "i", "e", and "shared flag rights"(***). - - The server SHOULD include a READ-WRITE response code in the tagged OK - response if at least one of the "i", "e", or "shared flag - rights"(***) is granted to the current user. - - (***) Note that a future extension to this document can extend the - list of rights that causes the server to return the READ-WRITE - response code. - - Example 1 (continued): The user that has "lrs" rights for the mailbox - "banan". The server returns READ-ONLY - response code on SELECT, as none of "iewt" - rights is granted to the user. - - Example 2 (continued): The user that has "rit" rights for the mailbox - "apple". The server returns READ-WRITE - response code on SELECT, as the user has "i" - right. - - Example 3 (continued): The user that has "rset" rights for the - mailbox "pear". The server returns READ-WRITE - response code on SELECT, as the user has "e" - and "s" rights. - -6. Security Considerations - - An implementation MUST make sure the ACL commands themselves do not - give information about mailboxes with appropriately restricted ACLs. - For example, when a user agent executes a GETACL command on a mailbox - that the user has no permission to LIST, the server would respond to - that request with the same error that would be used if the mailbox - did not exist, thus revealing no existence information, much less the - mailbox's ACL. - - IMAP clients implementing ACL that are able to modify ACLs SHOULD - warn a user that wants to give full access (or even just the "a" - right) to the special identifier "anyone". - - This document relies on [SASLprep] to describe steps required to - perform identifier canonicalization (preparation). The preparation - algorithm in SASLprep was specifically designed such that its output - is canonical, and it is well-formed. However, due to an anomaly - [PR29] in the specification of Unicode normalization, canonical - equivalence is not guaranteed for a select few character sequences. - Identifiers prepared with SASLprep can be stored and returned by an - ACL server. The anomaly affects ACL manipulation and evaluation of - identifiers containing the selected character sequences. These - - - -Melnikov Standards Track [Page 20] - -RFC 4314 IMAP ACL December 2005 - - - sequences, however, do not appear in well-formed text. In order to - address this problem, an ACL server MAY reject identifiers containing - sequences described in [PR29] by sending the tagged BAD response. - This is in addition to the requirement to reject identifiers that - fail SASLprep preparation as described in Section 3. - - Other security considerations described in [IMAP4] are relevant to - this document. In particular, ACL information is sent in the clear - over the network unless confidentiality protection is negotiated. - - This can be accomplished either by the use of STARTTLS, negotiated - privacy protection in the AUTHENTICATE command, or some other - protection mechanism. - -7. Formal Syntax - - Formal syntax is defined using ABNF [ABNF], extending the ABNF rules - in Section 9 of [IMAP4]. Elements not defined here can be found in - [ABNF] and [IMAP4]. - - Except as noted otherwise, all alphabetic characters are case - insensitive. The use of uppercase or lowercase characters to define - token strings is for editorial clarity only. Implementations MUST - accept these strings in a case-insensitive fashion. - - LOWER-ALPHA = %x61-7A ;; a-z - - acl-data = "ACL" SP mailbox *(SP identifier SP - rights) - - capability =/ rights-capa - ;;capability is defined in [IMAP4] - - command-auth =/ setacl / deleteacl / getacl / - listrights / myrights - ;;command-auth is defined in [IMAP4] - - deleteacl = "DELETEACL" SP mailbox SP identifier - - getacl = "GETACL" SP mailbox - - identifier = astring - - listrights = "LISTRIGHTS" SP mailbox SP identifier - - listrights-data = "LISTRIGHTS" SP mailbox SP identifier - SP rights *(SP rights) - - - - -Melnikov Standards Track [Page 21] - -RFC 4314 IMAP ACL December 2005 - - - mailbox-data =/ acl-data / listrights-data / myrights-data - ;;mailbox-data is defined in [IMAP4] - - mod-rights = astring - ;; +rights to add, -rights to remove - ;; rights to replace - - myrights = "MYRIGHTS" SP mailbox - - myrights-data = "MYRIGHTS" SP mailbox SP rights - - new-rights = 1*LOWER-ALPHA - ;; MUST include "t", "e", "x", and "k". - ;; MUST NOT include standard rights listed - ;; in section 2.2 - - rights = astring - ;; only lowercase ASCII letters and digits - ;; are allowed. - - rights-capa = "RIGHTS=" new-rights - ;; RIGHTS=... capability - - setacl = "SETACL" SP mailbox SP identifier - SP mod-rights - -8. IANA Considerations - - IMAP4 capabilities are registered by publishing a standards-track or - IESG-approved experimental RFC. The registry is currently located - at: - - http://www.iana.org/assignments/imap4-capabilities - - This document defines the RIGHTS= IMAP capability. IANA has added - this capability to the registry. - -9. Internationalization Considerations - - Section 3 states requirements on servers regarding - internationalization of identifiers. - - - - - - - - - - -Melnikov Standards Track [Page 22] - -RFC 4314 IMAP ACL December 2005 - - -Appendix A. Changes since RFC 2086 - - 1. Changed the charset of "identifier" from US-ASCII to UTF-8. - 2. Specified that mailbox deletion is controlled by the "x" right - and EXPUNGE is controlled by the "e" right. - 3. Added the "t" right that controls STORE \Deleted. Redefined the - "d" right to be a macro for "e", "t", and possibly "x". - 4. Added the "k" right that controls CREATE. Redefined the "c" - right to be a macro for "k" and possibly "x". - 5. Specified that the "a" right also controls DELETEACL. - 6. Specified that the "r" right also controls STATUS. - 7. Removed the requirement to check the "r" right for CHECK, SEARCH - and FETCH, as this is required for SELECT/EXAMINE to be - successful. - 8. LISTRIGHTS requires the "a" right on the mailbox (same as - SETACL). - 9. Deleted "PARTIAL", this is a deprecated feature of RFC 1730. - 10. Specified that the "w" right controls setting flags other than - \Seen and \Deleted on APPEND. Also specified that the "s" right - controls the \Seen flag and that the "t" right controls the - \Deleted flag. - 11. Specified that SUBSCRIBE is NOT allowed with the "r" right. - 12. Specified that the "l" right controls SUBSCRIBE. - 13. GETACL is NOT allowed with the "r" right, even though there are - several implementations that allows that. If a user only has - "r" right, GETACL can disclose information about identifiers - existing on the mail system. - 14. Clarified that RENAME requires the "k" right for the new parent - and the "x" right for the old name. - 15. Added new section that describes which rights are required - and/or checked when performing various IMAP commands. - 16. Added mail client security considerations when dealing with - special identifier "anyone". - 17. Clarified that negative rights are not the same as DELETEACL. - 18. Added "Compatibility with RFC 2086" section. - 19. Added section about mapping of ACL rights to READ-WRITE and - READ-ONLY response codes. - 20. Changed BNF to ABNF. - 21. Added "Implementation Notes" section. - 22. Updated "References" section. - 23. Added more examples. - 24. Clarified when the virtual "c" and "d" rights are returned in - ACL, MYRIGHTS, and LISTRIGHTS responses. - - - - - - - - -Melnikov Standards Track [Page 23] - -RFC 4314 IMAP ACL December 2005 - - -Appendix B. Compatibility with RFC 2086 - - This non-normative section gives guidelines as to how an existing RFC - 2086 server implementation may be updated to comply with this - document. - - This document splits the "d" right into several new different rights: - "t", "e", and possibly "x" (see Section 2.1.1 for more details). The - "d" right remains for backward-compatibility, but it is a virtual - right. There are two approaches for RFC 2086 server implementors to - handle the "d" right and the new rights that have replaced it: - - a. Tie "t", "e" (and possibly "x) together - almost no changes. - b. Implement separate "x", "t" and "e". Return the "d" right in a - MYRIGHTS response or an ACL response containing ACL information - when any of the "t", "e" (and "x") is granted. - - In a similar manner this document splits the "c" right into several - new different rights: "k" and possibly "x" (see Section 2.1.1 for - more details). The "c" right remains for backwards-compatibility but - it is a virtual right. Again, RFC 2086 server implementors can - choose to tie rights or to implement separate rights, as described - above. - - Also check Sections 5.1.1 and 5.1.2, as well as Appendix A, to see - other changes required. Server implementors should check which - rights are required to invoke different IMAP4 commands as described - in Section 4. - -Appendix C. Known Deficiencies - - This specification has some known deficiencies including: - - 1. This is inadequate to provide complete read-write access to - mailboxes protected by Unix-style rights bits because there is no - equivalent to "chown" and "chgrp" commands nor is there a good - way to discover such limitations are present. - 2. Because this extension leaves the specific semantics of how - rights are combined by the server as implementation defined, the - ability to build a user-friendly interface is limited. - 3. Users, groups, and special identifiers (e.g., anyone) exist in - the same namespace. - - The work-in-progress "ACL2" extension is intended to redesign this - extension to address these deficiencies without the constraint of - backward-compatibility and may eventually supercede this facility. - - - - - -Melnikov Standards Track [Page 24] - -RFC 4314 IMAP ACL December 2005 - - - However, RFC 2086 is deployed in multiple implementations so this - intermediate step, which fixes the straightforward deficiencies in a - backward-compatible fashion, is considered worthwhile. - -Appendix D. Acknowledgements - - This document is a revision of RFC 2086 written by John G. Myers. - - Editor appreciates comments received from Mark Crispin, Chris Newman, - Cyrus Daboo, John G. Myers, Dave Cridland, Ken Murchison, Steve Hole, - Vladimir Butenko, Larry Greenfield, Robert Siemborski, Harrie - Hazewinkel, Philip Guenther, Brian Candler, Curtis King, Lyndon - Nerenberg, Lisa Dusseault, Arnt Gulbrandsen, and other participants - of the IMAPEXT working group. - -Normative References - - [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate - Requirement Levels", BCP 14, RFC 2119, March 1997. - - [ABNF] Crocker, D. and P. Overell, "Augmented BNF for Syntax - Specifications: ABNF", RFC 4234, October 2005. - - [IMAP4] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION - 4rev1", RFC 3501, March 2003. - - [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO - 10646", STD 63, RFC 3629, November 2003. - - [Stringprep] Hoffman, P. and M. Blanchet, "Preparation of - Internationalized Strings ("stringprep")", RFC 3454, - December 2002. - - [SASLprep] Zeilenga, K., "SASLprep: Stringprep Profile for User - Names and Passwords", RFC 4013, February 2005. - -Informative References - - [RFC2086] Myers, J., "IMAP4 ACL extension", RFC 2086, - January 1997. - - [PR29] "Public Review Issue #29: Normalization Issue", - February 2004, - <http://www.unicode.org/review/pr-29.html>. - - - - - - - -Melnikov Standards Track [Page 25] - -RFC 4314 IMAP ACL December 2005 - - -Author's Address - - Alexey Melnikov - Isode Ltd. - 5 Castle Business Village - 36 Station Road - Hampton, Middlesex TW12 2BX - GB - - EMail: alexey.melnikov@isode.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Melnikov Standards Track [Page 26] - -RFC 4314 IMAP ACL December 2005 - - -Full Copyright Statement - - Copyright (C) The Internet Society (2005). - - This document is subject to the rights, licenses and restrictions - contained in BCP 78, and except as set forth therein, the authors - retain all their rights. - - This document and the information contained herein are provided on an - "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS - OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET - ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, - INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE - INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED - WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -Intellectual Property - - The IETF takes no position regarding the validity or scope of any - Intellectual Property Rights or other rights that might be claimed to - pertain to the implementation or use of the technology described in - this document or the extent to which any license under such rights - might or might not be available; nor does it represent that it has - made any independent effort to identify any such rights. Information - on the procedures with respect to rights in RFC documents can be - found in BCP 78 and BCP 79. - - Copies of IPR disclosures made to the IETF Secretariat and any - assurances of licenses to be made available, or the result of an - attempt made to obtain a general license or permission for the use of - such proprietary rights by implementers or users of this - specification can be obtained from the IETF on-line IPR repository at - http://www.ietf.org/ipr. - - The IETF invites any interested party to bring to its attention any - copyrights, patents or patent applications, or other proprietary - rights that may cover technology that may be required to implement - this standard. Please address the information to the IETF at ietf- - ipr@ietf.org. - -Acknowledgement - - Funding for the RFC Editor function is currently provided by the - Internet Society. - - - - - - - -Melnikov Standards Track [Page 27] - |