diff options
Diffstat (limited to 'doc/rfc/rfc4314.txt')
-rw-r--r-- | doc/rfc/rfc4314.txt | 1515 |
1 files changed, 1515 insertions, 0 deletions
diff --git a/doc/rfc/rfc4314.txt b/doc/rfc/rfc4314.txt new file mode 100644 index 0000000..e73a56f --- /dev/null +++ b/doc/rfc/rfc4314.txt @@ -0,0 +1,1515 @@ + + + + + + +Network Working Group A. Melnikov +Request for Comments: 4314 Isode Ltd. +Obsoletes: 2086 December 2005 +Category: Standards Track + + + IMAP4 Access Control List (ACL) Extension + +Status of this Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2005). + +Abstract + + The Access Control List (ACL) extension (RFC 2086) of the Internet + Message Access Protocol (IMAP) permits mailbox access control lists + to be retrieved and manipulated through the IMAP protocol. + + This document is a revision of RFC 2086. It defines several new + access control rights and clarifies which rights are required for + different IMAP commands. + + + + + + + + + + + + + + + + + + + + + + +Melnikov Standards Track [Page 1] + +RFC 4314 IMAP ACL December 2005 + + +Table of Contents + + 1. Introduction and Overview .......................................3 + 1.1. Conventions Used in This Document ..........................3 + 2. Access Control ..................................................3 + 2.1. Standard Rights ............................................5 + 2.1.1. Obsolete Rights .....................................5 + 2.2. Rights Defined in RFC 2086 .................................8 + 3. Access control management commands and responses ................8 + 3.1. SETACL Command .............................................8 + 3.2. DELETEACL Command ..........................................9 + 3.3. GETACL Command ............................................10 + 3.4. LISTRIGHTS Command ........................................10 + 3.5. MYRIGHTS Command ..........................................11 + 3.6. ACL Response ..............................................11 + 3.7. LISTRIGHTS Response .......................................12 + 3.8. MYRIGHTS Response .........................................12 + 4. Rights Required to Perform Different IMAP4rev1 Commands ........12 + 5. Other Considerations ...........................................17 + 5.1. Additional Requirements and Implementation Notes ..........17 + 5.1.1. Servers ............................................17 + 5.1.2. Clients ............................................18 + 5.2. Mapping of ACL Rights to READ-WRITE and READ-ONLY + Response Codes ............................................19 + 6. Security Considerations ........................................20 + 7. Formal Syntax ..................................................21 + 8. IANA Considerations ............................................22 + 9. Internationalization Considerations ............................22 + Appendix A. Changes since RFC 2086 ................................23 + Appendix B. Compatibility with RFC 2086 ...........................24 + Appendix C. Known Deficiencies ....................................24 + Appendix D. Acknowledgements ......................................25 + Normative References ..............................................25 + Informative References ............................................25 + + + + + + + + + + + + + + + + + +Melnikov Standards Track [Page 2] + +RFC 4314 IMAP ACL December 2005 + + +1. Introduction and Overview + + The ACL (Access Control List) extension of the Internet Message + Access Protocol [IMAP4] permits mailbox access control lists to be + retrieved and manipulated through the IMAP protocol. + + This document is a revision of RFC 2086 [RFC2086]. It tries to + clarify different ambiguities in RFC 2086, in particular, the use of + UTF-8 [UTF-8] in access identifiers, which rights are required for + different IMAP4 commands, and how READ-WRITE/READ-ONLY response codes + are related to ACL. + +1.1. Conventions Used in This Document + + In examples, "C:" and "S:" indicate lines sent by the client and + server respectively. + + In all examples "/" character is used as hierarchy separator. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [KEYWORDS]. + + The phrase "ACL server" is just a shortcut for saying "IMAP server + that supports ACL extension as defined in this document". + +2. Access Control + + The ACL extension is present in any IMAP4 implementation that returns + "ACL" as one of the supported capabilities to the CAPABILITY command. + + A server implementation conformant to this document MUST also return + rights (see below) not defined in Section 2.2 in the "RIGHTS=" + capability. + + An access control list is a set of <access identifier,rights> pairs. + An ACL applies to a mailbox name. + + Access identifier (or just "identifier") is a UTF-8 [UTF-8] string. + The identifier "anyone" is reserved to refer to the universal + identity (all authentications, including anonymous). All user name + strings accepted by the LOGIN or AUTHENTICATE commands to + authenticate to the IMAP server are reserved as identifiers for the + corresponding users. Identifiers starting with a dash ("-") are + reserved for "negative rights", described below. All other + identifier strings are interpreted in an implementation-defined + manner. + + + + +Melnikov Standards Track [Page 3] + +RFC 4314 IMAP ACL December 2005 + + + Rights is a string listing a (possibly empty) set of alphanumeric + characters, each character listing a set of operations that is being + controlled. Lowercase letters are reserved for "standard" rights, + listed in Section 2.1. (Note that for compatibility with deployed + clients and servers uppercase rights are not allowed.) The set of + standard rights can only be extended by a standards-track document. + Digits are reserved for implementation- or site-defined rights. + + An implementation MAY tie rights together or MAY force rights to + always or never be granted to particular identifiers. For example, + in an implementation that uses UNIX mode bits, the rights "swite" are + tied, the "a" right is always granted to the owner of a mailbox and + is never granted to another user. If rights are tied in an + implementation, the implementation must be conservative in granting + rights in response to SETACL commands--unless all rights in a tied + set are specified, none of that set should be included in the ACL + entry for that identifier. A client can discover the set of rights + that may be granted to a given identifier in the ACL for a given + mailbox name by using the LISTRIGHTS command. + + It is possible for multiple identifiers in an access control list to + apply to a given user. For example, an ACL may include rights to be + granted to the identifier matching the user, one or more + implementation-defined identifiers matching groups that include the + user, and/or the identifier "anyone". How these rights are combined + to determine the user's access is implementation defined. An + implementation may choose, for example, to use the union of the + rights granted to the applicable identifiers. An implementation may + instead choose, for example, to use only those rights granted to the + most specific identifier present in the ACL. A client can determine + the set of rights granted to the logged-in user for a given mailbox + name by using the MYRIGHTS command. + + When an identifier in an ACL starts with a dash ("-"), that indicates + that associated rights are to be removed from the identifier prefixed + by the dash. This is referred to as a "negative right". This + differs from DELETEACL in that a negative right is added to the ACL + and is a part of the calculation of the rights. + + Let's assume that an identifier "fred" refers to a user with login + "fred". If the identifier "-fred" is granted the "w" right, that + indicates that the "w" right is to be removed from users matching the + identifier "fred", even though the user "fred" might have the "w" + right as a consequence of some other identifier in the ACL. A + DELETEACL of "fred" simply deletes the identifier "fred" from the + ACL; it does not affect any rights that the user "fred" may get from + another entry in the ACL, in particular it doesn't affect rights + granted to the identifier "-fred". + + + +Melnikov Standards Track [Page 4] + +RFC 4314 IMAP ACL December 2005 + + + Server implementations are not required to support "negative right" + identifiers. + +2.1. Standard Rights + + The currently defined standard rights are (note that the list below + doesn't list all commands that use a particular right): + + l - lookup (mailbox is visible to LIST/LSUB commands, SUBSCRIBE + mailbox) + r - read (SELECT the mailbox, perform STATUS) + s - keep seen/unseen information across sessions (set or clear + \SEEN flag via STORE, also set \SEEN during APPEND/COPY/ + FETCH BODY[...]) + w - write (set or clear flags other than \SEEN and \DELETED via + STORE, also set them during APPEND/COPY) + i - insert (perform APPEND, COPY into mailbox) + p - post (send mail to submission address for mailbox, + not enforced by IMAP4 itself) + k - create mailboxes (CREATE new sub-mailboxes in any + implementation-defined hierarchy, parent mailbox for the new + mailbox name in RENAME) + x - delete mailbox (DELETE mailbox, old mailbox name in RENAME) + t - delete messages (set or clear \DELETED flag via STORE, set + \DELETED flag during APPEND/COPY) + e - perform EXPUNGE and expunge as a part of CLOSE + a - administer (perform SETACL/DELETEACL/GETACL/LISTRIGHTS) + +2.1.1. Obsolete Rights + + Due to ambiguity in RFC 2086, some existing RFC 2086 server + implementations use the "c" right to control the DELETE command. + Others chose to use the "d" right to control the DELETE command. For + the former group, let's define the "create" right as union of the "k" + and "x" rights, and the "delete" right as union of the "e" and "t" + rights. For the latter group, let's define the "create" rights as a + synonym to the "k" right, and the "delete" right as union of the "e", + "t", and "x" rights. + + For compatibility with RFC 2086, this section defines two virtual + rights "d" and "c". + + If a client includes the "d" right in a rights list, then it MUST be + treated as if the client had included every member of the "delete" + right. (It is not an error for a client to specify both the "d" + right and one or more members of the "delete" right, but the effect + is no different than if just the "d" right or all members of the + "delete" right had been specified.) + + + +Melnikov Standards Track [Page 5] + +RFC 4314 IMAP ACL December 2005 + + + When any of the "delete" member rights is set in a list of rights, + the server MUST also include the "d" right when returning the list in + a MYRIGHTS or ACL response. This is to enable older clients + conforming to RFC 2086 to work with newer servers. (*) + + Example: C: A001 SeTacl INBOX/Drafts David lrswida + S: A001 OK Setacl complete + + The client has specified the "d" right in the SETACL command above + and it expands to "et" on the server: + + C: A002 getacl INBOX/Drafts + S: * ACL INBOX Fred rwipslxcetda David lrswideta + S: A002 OK Getacl complete + + If the identifier specified in the LISTRIGHTS command can be granted + any of the "delete" member rights on a mailbox, then the server MUST + include the "d" right in the corresponding LISTRIGHTS response. (*) + If the member rights aren't tied to non-member rights, then the "d" + right is returned by itself in the LISTRIGHTS response. If any of + the member rights needs to be tied to one (or more) non-member right, + then the "d" right and all of the member rights need to be tied to + the same non-member right(s) (**). + + If a client includes the "c" right in a rights list, then it MUST be + treated as if the client had included every member of the "create" + right. (It is not an error for a client to specify both the "c" + right and one or more members of the "create" right, but the effect + is no different than if just the "c" right or all members of the + "create" right had been specified.) + + When any of the "create" member rights is set in a list of rights, + the server MUST also include the "c" right when returning the list in + a MYRIGHTS or ACL response. This is to enable older clients + conforming to RFC 2086 to work with newer servers. (*) + + Example: C: A003 Setacl INBOX/Drafts Byron lrswikda + S: A001 OK Setacl complete + C: A002 getAcl INBOX/Drafts + S: * ACL INBOX Fred rwipslxcetda Byron lrswikcdeta + S: A002 OK Getacl complete + + The client has specified the "d" right in the SETACL command above + and it expands to "et" on the server: As the client has specified the + "k" right (which is a member of the "c" right), the server also + returns the "c" right. + + + + + +Melnikov Standards Track [Page 6] + +RFC 4314 IMAP ACL December 2005 + + + If the identifier specified in the LISTRIGHTS command can be granted + any of the "create" member rights on a mailbox, then the server MUST + include the "c" right in the corresponding LISTRIGHTS response. (*) + If the member rights aren't tied to non-member rights, then the "c" + right is returned by itself in the LISTRIGHTS response. If any of + the member rights needs to be tied to one (or more) non-member right, + then the "c" right and all of the member rights need to be tied to + the same non-member right(s) (**). + + Example: The server that ties the rights as follows: + + lr s w i p k x t + + and c=k + + will return: + + S: * LISTRIGHTS archive/imap anyone "" + lr s w i p k x t c d + + Example: The server that ties the rights as follows: + + lr s w i p k xte + + and c=k + + will return: + + S: * LISTRIGHTS archive/imap anyone "" + lr s w i p k xte c d + + Example: The server that ties the rights as follows: + + lr s w i p k x te + + and c=k + + will return: + + S: * LISTRIGHTS archive/imap anyone "" + lr s w i p k c x te d + + Example: The server that ties the rights as follows: + + lr swte i p k x + + and c=kx + + + + +Melnikov Standards Track [Page 7] + +RFC 4314 IMAP ACL December 2005 + + + will return: + + S: * LISTRIGHTS archive/imap anyone "" + lr swted i p k x c + + (*) Clients conforming to this document MUST ignore the virtual "d" + and "c" rights in MYRIGHTS, ACL, and LISTRIGHTS responses. + + (**) The IMAPEXT Working Group has debated this issue in great length + and after reviewing existing ACL implementations concluded that + this is a reasonable restriction. + +2.2. Rights Defined in RFC 2086 + + The "RIGHTS=" capability MUST NOT include any of the rights defined + in RFC 2086: "l", "r", "s", "w", "i", "p", "a", "c", "d", and the + digits ("0" .. "9"). + +3. Access control management commands and responses + + Servers, when processing a command that has an identifier as a + parameter (i.e., any of SETACL, DELETEACL, and LISTRIGHTS commands), + SHOULD first prepare the received identifier using "SASLprep" profile + [SASLprep] of the "stringprep" algorithm [Stringprep]. If the + preparation of the identifier fails or results in an empty string, + the server MUST refuse to perform the command with a BAD response. + Note that Section 6 recommends additional identifier's verification + steps. + +3.1. SETACL Command + + Arguments: mailbox name + identifier + access right modification + + Data: no specific data for this command + + Result: OK - setacl completed + NO - setacl failure: can't set acl + BAD - arguments invalid + + The SETACL command changes the access control list on the specified + mailbox so that the specified identifier is granted permissions as + specified in the third argument. + + The third argument is a string containing an optional plus ("+") or + minus ("-") prefix, followed by zero or more rights characters. If + the string starts with a plus, the following rights are added to any + + + +Melnikov Standards Track [Page 8] + +RFC 4314 IMAP ACL December 2005 + + + existing rights for the identifier. If the string starts with a + minus, the following rights are removed from any existing rights for + the identifier. If the string does not start with a plus or minus, + the rights replace any existing rights for the identifier. + + Note that an unrecognized right MUST cause the command to return the + BAD response. In particular, the server MUST NOT silently ignore + unrecognized rights. + + Example: C: A001 GETACL INBOX/Drafts + S: * ACL INBOX/Drafts Fred rwipslxetad Chris lrswi + S: A001 OK Getacl complete + C: A002 SETACL INBOX/Drafts Chris +cda + S: A002 OK Setacl complete + C: A003 GETACL INBOX/Drafts + S: * ACL INBOX/Drafts Fred rwipslxetad Chris lrswicdakxet + S: A003 OK Getacl complete + + + C: A035 SETACL INBOX/Drafts John lrQswicda + S: A035 BAD Uppercase rights are not allowed + + + C: A036 SETACL INBOX/Drafts John lrqswicda + S: A036 BAD The q right is not supported + +3.2. DELETEACL Command + + Arguments: mailbox name + identifier + + Data: no specific data for this command + + Result: OK - deleteacl completed + NO - deleteacl failure: can't delete acl + BAD - arguments invalid + + The DELETEACL command removes any <identifier,rights> pair for the + specified identifier from the access control list for the specified + mailbox. + + Example: C: B001 getacl INBOX + S: * ACL INBOX Fred rwipslxetad -Fred wetd $team w + S: B001 OK Getacl complete + C: B002 DeleteAcl INBOX Fred + S: B002 OK Deleteacl complete + + + + + +Melnikov Standards Track [Page 9] + +RFC 4314 IMAP ACL December 2005 + + + C: B003 GETACL INBOX + S: * ACL INBOX -Fred wetd $team w + S: B003 OK Getacl complete + +3.3. GETACL Command + + Arguments: mailbox name + + Data: untagged responses: ACL + + Result: OK - getacl completed + NO - getacl failure: can't get acl + BAD - arguments invalid + + The GETACL command returns the access control list for mailbox in an + untagged ACL response. + + Some implementations MAY permit multiple forms of an identifier to + reference the same IMAP account. Usually, such implementations will + have a canonical form that is stored internally. An ACL response + caused by a GETACL command MAY include a canonicalized form of the + identifier that might be different from the one used in the + corresponding SETACL command. + + Example: C: A002 GETACL INBOX + S: * ACL INBOX Fred rwipsldexta + S: A002 OK Getacl complete + +3.4. LISTRIGHTS Command + + Arguments: mailbox name + identifier + + Data: untagged responses: LISTRIGHTS + + Result: OK - listrights completed + NO - listrights failure: can't get rights list + BAD - arguments invalid + + The LISTRIGHTS command takes a mailbox name and an identifier and + returns information about what rights can be granted to the + identifier in the ACL for the mailbox. + + Some implementations MAY permit multiple forms of an identifier to + reference the same IMAP account. Usually, such implementations will + have a canonical form that is stored internally. A LISTRIGHTS + + + + + +Melnikov Standards Track [Page 10] + +RFC 4314 IMAP ACL December 2005 + + + response caused by a LISTRIGHTS command MUST always return the same + form of an identifier as specified by the client. This is to allow + the client to correlate the response with the command. + + Example: C: a001 LISTRIGHTS ~/Mail/saved smith + S: * LISTRIGHTS ~/Mail/saved smith la r swicdkxte + S: a001 OK Listrights completed + + Example: C: a005 listrights archive/imap anyone + S: * LISTRIGHTS archive.imap anyone "" + l r s w i p k x t e c d a 0 1 2 3 4 5 6 7 8 9 + S: a005 Listrights successful + +3.5. MYRIGHTS Command + + Arguments: mailbox name + + Data: untagged responses: MYRIGHTS + + Result: OK - myrights completed + NO - myrights failure: can't get rights + BAD - arguments invalid + + The MYRIGHTS command returns the set of rights that the user has to + mailbox in an untagged MYRIGHTS reply. + + Example: C: A003 MYRIGHTS INBOX + S: * MYRIGHTS INBOX rwiptsldaex + S: A003 OK Myrights complete + +3.6. ACL Response + + Data: mailbox name + zero or more identifier rights pairs + + The ACL response occurs as a result of a GETACL command. The first + string is the mailbox name for which this ACL applies. This is + followed by zero or more pairs of strings; each pair contains the + identifier for which the entry applies followed by the set of rights + that the identifier has. + + Section 2.1.1 details additional server requirements related to + handling of the virtual "d" and "c" rights. + + + + + + + + +Melnikov Standards Track [Page 11] + +RFC 4314 IMAP ACL December 2005 + + +3.7. LISTRIGHTS Response + + Data: mailbox name + identifier + required rights + list of optional rights + + The LISTRIGHTS response occurs as a result of a LISTRIGHTS command. + The first two strings are the mailbox name and identifier for which + this rights list applies. Following the identifier is a string + containing the (possibly empty) set of rights the identifier will + always be granted in the mailbox. + + Following this are zero or more strings each containing a set of + rights the identifier can be granted in the mailbox. Rights + mentioned in the same string are tied together. The server MUST + either grant all tied rights to the identifier in the mailbox or + grant none. Section 2.1.1 details additional server requirements + related to handling of the virtual "d" and "c" rights. + + The same right MUST NOT be listed more than once in the LISTRIGHTS + command. + +3.8. MYRIGHTS Response + + Data: mailbox name + rights + + The MYRIGHTS response occurs as a result of a MYRIGHTS command. The + first string is the mailbox name for which these rights apply. The + second string is the set of rights that the client has. + + Section 2.1.1 details additional server requirements related to + handling of the virtual "d" and "c" rights. + +4. Rights Required to Perform Different IMAP4rev1 Commands + + Before executing a command, an ACL-compliant server MUST check which + rights are required to perform it. This section groups command by + functions they perform and list the rights required. It also gives + the detailed description of any special processing required. + + For the purpose of this section the UID counterpart of a command is + considered to be the same command, e.g., both UID COPY and COPY + commands require the same set of rights. + + + + + + +Melnikov Standards Track [Page 12] + +RFC 4314 IMAP ACL December 2005 + + + The table below summarizes different rights or their combinations + that are required in order to perform different IMAP operations. As + it is not always possible to express complex right checking and + interactions, the description after the table should be used as the + primary reference. + + +-------------------+---+---+---+---+---+---+---+---+---+---+---+---+ + |Operations\Rights | l | r | s | w | i | k | x | t | e | a |Any|Non| + +-------------------+---+---+---+---+---+---+---+---+---+---+---+---+ + | commands in authenticated state | + +-------------------------------------------------------------------+ + | LIST | + | | | | | | | | | | | | + | SUBSCRIBE | * | | | | | | | | | | | * | + | UNSUBSCRIBE | | | | | | | | | | | | + | + | LSUB | * | | | | | | | | | | | * | + |CREATE (for parent)| | | | | | + | | | | | | | + | DELETE | | ? | | | | | + | ? | ? | | | | + | RENAME | | | | | | + | + | | | | | | + | SELECT/EXAMINE | | + | | | | | | | | | | | + | STATUS | | + | | | | | | | | | | | + | SETACL/DELETEACL | | | | | | | | | | + | | | + | GETACL/LISTRIGHTS | | | | | | | | | | + | | | + | MYRIGHTS | | | | | | | | | | | + | | + | APPEND | | | ? | ? | + | | | ? | | | | | + +-------------------------------------------------------------------+ + | commands in selected state | + +-------------------------------------------------------------------+ + | COPY | | | ? | ? | + | | | ? | | | | | + | EXPUNGE | | | | | | | | | + | | | | + | CLOSE | | | | | | | | | ? | | | | + | FETCH | | | ? | | | | | | | | | | + | STORE flags | | | ? | ? | | | | ? | | | | | + +-------------------+---+---+---+---+---+---+---+---+---+---+---+---+ + + Note: for all commands in the selected state, the "r" is implied, + because it is required to SELECT/EXAMINE a mailbox. Servers are not + required to check presence of the "r" right once a mailbox is + successfully selected. + + Legend: + + - The right is required + * - Only one of the rights marked with * is required + (see description below) + ? - The right is OPTIONAL (see description below) + "Any" - at least one of the "l", "r", "i", "k", "x", "a" rights is + required + "Non" - No rights required to perform the command + + + + +Melnikov Standards Track [Page 13] + +RFC 4314 IMAP ACL December 2005 + + + Listing and subscribing/unsubscribing mailboxes: + LIST - "l" right is required. However, unlike other commands + (e.g., SELECT) the server MUST NOT return a NO response if it + can't list a mailbox. + Note that if the user has "l" right to a mailbox "A/B", but not to + its parent mailbox "A", the LIST command should behave as if the + mailbox "A" doesn't exist, for example: + + C: A777 LIST "" * + S: * LIST (\NoInferiors) "/" "A/B" + S: * LIST () "/" "C" + S: * LIST (\NoInferiors) "/" "C/D" + S: A777 OK LIST completed + + + SUBSCRIBE - "l" right is required only if the server checks for + mailbox existence when performing SUBSCRIBE. + + UNSUBSCRIBE - no rights required to perform this operation. + + LSUB - "l" right is required only if the server checks for mailbox + existence when performing SUBSCRIBE. However, unlike other + commands (e.g., SELECT) the server MUST NOT return a NO response + if it can't list a subscribed mailbox. + + Mailbox management: + CREATE - "k" right on a nearest existing parent mailbox. When a + new mailbox is created, it SHOULD inherit the ACL from the parent + mailbox (if one exists) in the defined hierarchy. + + DELETE - "x" right on the mailbox. Note that some servers don't + allow to delete a non-empty mailbox. If this is the case, the + user would also need "r", "e", and "t" rights, in order to open + the mailbox and empty it. + + The DELETE command MUST delete the ACL associated with the deleted + mailbox. + + RENAME - Moving a mailbox from one parent to another requires the + "x" right on the mailbox itself and the "k" right for the new + parent. For example, if the user wants to rename the mailbox + named "A/B/C" to "D/E", the user must have the "x" right for the + mailbox "A/B/C" and the "k" right for the mailbox "D". + The RENAME command SHOULD NOT change the ACLs on the renamed + mailbox and submailboxes. + + + + + + +Melnikov Standards Track [Page 14] + +RFC 4314 IMAP ACL December 2005 + + + Copying or appending messages: + Before performing a COPY/APPEND command, the server MUST check if + the user has "i" right for the target mailbox. If the user + doesn't have "i" right, the operation fails. Otherwise for each + copied/appended message the server MUST check if the user has + "t" right - when the message has \Deleted flag set + "s" right - when the message has \Seen flag set + "w" right - for all other message flags. + Only when the user has a particular right are the corresponding + flags stored for the newly created message. The server MUST NOT + fail a COPY/APPEND if the user has no rights to set a particular + flag. + + Example: C: A003 MYRIGHTS TargetMailbox + S: * MYRIGHTS TargetMailbox rwis + S: A003 OK Myrights complete + + C: A004 FETCH 1:3 (FLAGS) + S: * 1 FETCH (FLAGS (\Draft \Deleted) + S: * 2 FETCH (FLAGS (\Answered) + S: * 3 FETCH (FLAGS ($Forwarded \Seen) + S: A004 OK Fetch Completed + + C: A005 COPY 1:3 TargetMailbox + S: A005 OK Copy completed + + C: A006 SELECT TargetMailbox + ... + S: A006 Select Completed + + Let's assume that the copied messages received message numbers + 77:79. + + C: A007 FETCH 77:79 (FLAGS) + S: * 77 FETCH (FLAGS (\Draft)) + S: * 78 FETCH (FLAGS (\Answered)) + S: * 79 FETCH (FLAGS ($Forwarded \Seen)) + S: A007 OK Fetch Completed + + \Deleted flag was lost on COPY, as the user has no "t" right in + the target mailbox. + If the MYRIGHTS command with the tag A003 would have returned: + + S: * MYRIGHTS TargetMailbox rsti + + the response from the FETCH with the tag A007 would have been: + + C: A007 FETCH 77:79 (FLAGS) + + + +Melnikov Standards Track [Page 15] + +RFC 4314 IMAP ACL December 2005 + + + S: * 77 FETCH (FLAGS (\Deleted)) + S: * 78 FETCH (FLAGS ()) + S: * 79 FETCH (FLAGS (\Seen)) + S: A007 OK Fetch Completed + + In the latter case, \Answered, $Forwarded, and \Draft flags were + lost on COPY, as the user has no "w" right in the target mailbox. + + Expunging the selected mailbox: + EXPUNGE - "e" right on the selected mailbox. + + CLOSE - "e" right on the selected mailbox. If the server is + unable to expunge the mailbox because the user doesn't have the + "e" right, the server MUST ignore the expunge request, close the + mailbox, and return the tagged OK response. + + Fetch information about a mailbox and its messages: + SELECT/EXAMINE/STATUS - "r" right on the mailbox. + + FETCH - A FETCH request that implies setting \Seen flag MUST NOT + set it, if the current user doesn't have "s" right. + + Changing flags: + STORE - the server MUST check if the user has + "t" right - when the user modifies \Deleted flag + "s" right - when the user modifies \Seen flag + "w" right - for all other message flags. + STORE operation SHOULD NOT fail if the user has rights to modify + at least one flag specified in the STORE, as the tagged NO + response to a STORE command is not handled very well by deployed + clients. + + Changing ACLs: + SETACL/DELETEACL - "a" right on the mailbox. + + Reading ACLs: + GETACL - "a" right on the mailbox. + + MYRIGHTS - any of the following rights is required to perform the + operation: "l", "r", "i", "k", "x", "a". + + LISTRIGHTS - "a" right on the mailbox. + + + + + + + + + +Melnikov Standards Track [Page 16] + +RFC 4314 IMAP ACL December 2005 + + +5. Other Considerations + +5.1. Additional Requirements and Implementation Notes + +5.1.1. Servers + + This document defines an additional capability that is used to + announce the list of extra rights (excluding the ones defined in RFC + 2086) supported by the server. The set of rights MUST include "t", + "e", "x", and "k". Note that the extra rights can appear in any + order. + + Example: C: 1 capability + S: * CAPABILITY IMAP4REV1 STARTTLS LITERAL+ + ACL RIGHTS=texk + S: 1 OK completed + + Any server implementing an ACL extension MUST accurately reflect the + current user's rights in FLAGS and PERMANENTFLAGS responses. + + Example: C: A142 SELECT INBOX + S: * 172 EXISTS + S: * 1 RECENT + S: * OK [UNSEEN 12] Message 12 is first unseen + S: * OK [UIDVALIDITY 3857529045] UIDs valid + S: * OK [UIDNEXT 4392] Predicted next UID + S: * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) + S: * OK [PERMANENTFLAGS (\Seen \Answered \Flagged \*)] L + S: A142 OK [READ-WRITE] SELECT completed + C: A143 MYRIGHTS INBOX + S: * MYRIGHTS INBOX lrwis + S: A143 OK completed + + Note that in order to get better performance the client MAY pipeline + SELECT and MYRIGHTS commands: + + C: A142 SELECT INBOX + C: A143 MYRIGHTS INBOX + S: * 172 EXISTS + S: * 1 RECENT + S: * OK [UNSEEN 12] Message 12 is first unseen + S: * OK [UIDVALIDITY 3857529045] UIDs valid + S: * OK [UIDNEXT 4392] Predicted next UID + S: * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) + S: * OK [PERMANENTFLAGS (\Seen \Answered \Flagged \*)] L + S: A142 OK [READ-WRITE] SELECT completed + S: * MYRIGHTS INBOX lrwis + S: A143 OK completed + + + +Melnikov Standards Track [Page 17] + +RFC 4314 IMAP ACL December 2005 + + + Servers MAY cache the rights a user has on a mailbox when the mailbox + is selected, so that if a client's rights on a mailbox are changed + with SETACL or DELETEACL, commands specific to the selected state + (e.g., STORE, EXPUNGE) might not reflect the changed rights until the + mailbox is re-selected. If the server checks the rights on each + command, then it SHOULD send FLAGS and PERMANENTFLAGS responses if + they have changed. If such server detects that the user no longer + has read access to the mailbox, it MAY send an untagged BYE response + and close connection. It MAY also refuse to execute all commands + specific to the selected state until the mailbox is closed; however, + server implementors should note that most clients don't handle NO + responses very well. + + An ACL server MAY modify one or more ACLs for one or more identifiers + as a side effect of modifying the ACL specified in a + SETACL/DELETEACL. If the server does that, it MUST send untagged ACL + response(s) to notify the client about the changes made. + + An ACL server implementation MUST treat received ACL modification + commands as a possible ambiguity with respect to subsequent commands + affected by the ACL, as described in Section 5.5 of [IMAP4]. Hence a + pipeline SETACL + MYRIGHTS is an ambiguity with respect to the + server, meaning that the server must execute the SETACL command to + completion before the MYRIGHTS. However, clients are permitted to + send such a pipeline. + +5.1.2. Clients + + The following requirement is put on clients in order to allow for + future extensibility. A client implementation that allows a user to + read and update ACLs MUST preserve unrecognized rights that it + doesn't allow the user to change. That is, if the client + + 1) can read ACLs + and + 2) can update ACLs + but + 3) doesn't allow the user to change the rights the client doesn't + recognize, then it MUST preserve unrecognized rights. + + Otherwise the client could risk unintentionally removing permissions + it doesn't understand. + + + + + + + + + +Melnikov Standards Track [Page 18] + +RFC 4314 IMAP ACL December 2005 + + +5.2. Mapping of ACL Rights to READ-WRITE and READ-ONLY Response Codes + + A particular ACL server implementation MAY allow "shared multiuser + access" to some mailboxes. "Shared multiuser access" to a mailbox + means that multiple different users are able to access the same + mailbox, if they have proper access rights. "Shared multiuser + access" to the mailbox doesn't mean that the ACL for the mailbox is + currently set to allow access by multiple users. Let's denote a + "shared multiuser write access" as a "shared multiuser access" when a + user can be granted flag modification rights (any of "w", "s", or + "t"). + + Section 4 describes which rights are required for modifying different + flags. + + If the ACL server implements some flags as shared for a mailbox + (i.e., the ACL for the mailbox MAY be set up so that changes to those + flags are visible to another user), let's call the set of rights + associated with these flags (as described in Section 4) for that + mailbox collectively as "shared flag rights". Note that the "shared + flag rights" set MAY be different for different mailboxes. + + If the server doesn't support "shared multiuser write access" to a + mailbox or doesn't implement shared flags on the mailbox, "shared + flag rights" for the mailbox is defined to be the empty set. + + Example 1: Mailbox "banan" allows "shared multiuser write access" and + implements flags \Deleted, \Answered, and $MDNSent as + shared flags. "Shared flag rights" for the mailbox "banan" + is a set containing flags "t" (because system flag + \Deleted requires "t" right) and "w" (because both + \Answered and $MDNSent require "w" right). + + Example 2: Mailbox "apple" allows "shared multiuser write access" and + implements \Seen system flag as shared flag. "Shared flag + rights" for the mailbox "apple" contains "s" right + because system flag \Seen requires "s" right. + + Example 3: Mailbox "pear" allows "shared multiuser write access" and + implements flags \Seen, \Draft as shared flags. "Shared + flag rights" for the mailbox "apple" is a set containing + flags "s" (because system flag \Seen requires "s" right) + and "w" (because system flag \Draft requires "w" right). + + The server MUST include a READ-ONLY response code in the tagged OK + response to a SELECT command if none of the following rights is + granted to the current user: + + + + +Melnikov Standards Track [Page 19] + +RFC 4314 IMAP ACL December 2005 + + + "i", "e", and "shared flag rights"(***). + + The server SHOULD include a READ-WRITE response code in the tagged OK + response if at least one of the "i", "e", or "shared flag + rights"(***) is granted to the current user. + + (***) Note that a future extension to this document can extend the + list of rights that causes the server to return the READ-WRITE + response code. + + Example 1 (continued): The user that has "lrs" rights for the mailbox + "banan". The server returns READ-ONLY + response code on SELECT, as none of "iewt" + rights is granted to the user. + + Example 2 (continued): The user that has "rit" rights for the mailbox + "apple". The server returns READ-WRITE + response code on SELECT, as the user has "i" + right. + + Example 3 (continued): The user that has "rset" rights for the + mailbox "pear". The server returns READ-WRITE + response code on SELECT, as the user has "e" + and "s" rights. + +6. Security Considerations + + An implementation MUST make sure the ACL commands themselves do not + give information about mailboxes with appropriately restricted ACLs. + For example, when a user agent executes a GETACL command on a mailbox + that the user has no permission to LIST, the server would respond to + that request with the same error that would be used if the mailbox + did not exist, thus revealing no existence information, much less the + mailbox's ACL. + + IMAP clients implementing ACL that are able to modify ACLs SHOULD + warn a user that wants to give full access (or even just the "a" + right) to the special identifier "anyone". + + This document relies on [SASLprep] to describe steps required to + perform identifier canonicalization (preparation). The preparation + algorithm in SASLprep was specifically designed such that its output + is canonical, and it is well-formed. However, due to an anomaly + [PR29] in the specification of Unicode normalization, canonical + equivalence is not guaranteed for a select few character sequences. + Identifiers prepared with SASLprep can be stored and returned by an + ACL server. The anomaly affects ACL manipulation and evaluation of + identifiers containing the selected character sequences. These + + + +Melnikov Standards Track [Page 20] + +RFC 4314 IMAP ACL December 2005 + + + sequences, however, do not appear in well-formed text. In order to + address this problem, an ACL server MAY reject identifiers containing + sequences described in [PR29] by sending the tagged BAD response. + This is in addition to the requirement to reject identifiers that + fail SASLprep preparation as described in Section 3. + + Other security considerations described in [IMAP4] are relevant to + this document. In particular, ACL information is sent in the clear + over the network unless confidentiality protection is negotiated. + + This can be accomplished either by the use of STARTTLS, negotiated + privacy protection in the AUTHENTICATE command, or some other + protection mechanism. + +7. Formal Syntax + + Formal syntax is defined using ABNF [ABNF], extending the ABNF rules + in Section 9 of [IMAP4]. Elements not defined here can be found in + [ABNF] and [IMAP4]. + + Except as noted otherwise, all alphabetic characters are case + insensitive. The use of uppercase or lowercase characters to define + token strings is for editorial clarity only. Implementations MUST + accept these strings in a case-insensitive fashion. + + LOWER-ALPHA = %x61-7A ;; a-z + + acl-data = "ACL" SP mailbox *(SP identifier SP + rights) + + capability =/ rights-capa + ;;capability is defined in [IMAP4] + + command-auth =/ setacl / deleteacl / getacl / + listrights / myrights + ;;command-auth is defined in [IMAP4] + + deleteacl = "DELETEACL" SP mailbox SP identifier + + getacl = "GETACL" SP mailbox + + identifier = astring + + listrights = "LISTRIGHTS" SP mailbox SP identifier + + listrights-data = "LISTRIGHTS" SP mailbox SP identifier + SP rights *(SP rights) + + + + +Melnikov Standards Track [Page 21] + +RFC 4314 IMAP ACL December 2005 + + + mailbox-data =/ acl-data / listrights-data / myrights-data + ;;mailbox-data is defined in [IMAP4] + + mod-rights = astring + ;; +rights to add, -rights to remove + ;; rights to replace + + myrights = "MYRIGHTS" SP mailbox + + myrights-data = "MYRIGHTS" SP mailbox SP rights + + new-rights = 1*LOWER-ALPHA + ;; MUST include "t", "e", "x", and "k". + ;; MUST NOT include standard rights listed + ;; in section 2.2 + + rights = astring + ;; only lowercase ASCII letters and digits + ;; are allowed. + + rights-capa = "RIGHTS=" new-rights + ;; RIGHTS=... capability + + setacl = "SETACL" SP mailbox SP identifier + SP mod-rights + +8. IANA Considerations + + IMAP4 capabilities are registered by publishing a standards-track or + IESG-approved experimental RFC. The registry is currently located + at: + + http://www.iana.org/assignments/imap4-capabilities + + This document defines the RIGHTS= IMAP capability. IANA has added + this capability to the registry. + +9. Internationalization Considerations + + Section 3 states requirements on servers regarding + internationalization of identifiers. + + + + + + + + + + +Melnikov Standards Track [Page 22] + +RFC 4314 IMAP ACL December 2005 + + +Appendix A. Changes since RFC 2086 + + 1. Changed the charset of "identifier" from US-ASCII to UTF-8. + 2. Specified that mailbox deletion is controlled by the "x" right + and EXPUNGE is controlled by the "e" right. + 3. Added the "t" right that controls STORE \Deleted. Redefined the + "d" right to be a macro for "e", "t", and possibly "x". + 4. Added the "k" right that controls CREATE. Redefined the "c" + right to be a macro for "k" and possibly "x". + 5. Specified that the "a" right also controls DELETEACL. + 6. Specified that the "r" right also controls STATUS. + 7. Removed the requirement to check the "r" right for CHECK, SEARCH + and FETCH, as this is required for SELECT/EXAMINE to be + successful. + 8. LISTRIGHTS requires the "a" right on the mailbox (same as + SETACL). + 9. Deleted "PARTIAL", this is a deprecated feature of RFC 1730. + 10. Specified that the "w" right controls setting flags other than + \Seen and \Deleted on APPEND. Also specified that the "s" right + controls the \Seen flag and that the "t" right controls the + \Deleted flag. + 11. Specified that SUBSCRIBE is NOT allowed with the "r" right. + 12. Specified that the "l" right controls SUBSCRIBE. + 13. GETACL is NOT allowed with the "r" right, even though there are + several implementations that allows that. If a user only has + "r" right, GETACL can disclose information about identifiers + existing on the mail system. + 14. Clarified that RENAME requires the "k" right for the new parent + and the "x" right for the old name. + 15. Added new section that describes which rights are required + and/or checked when performing various IMAP commands. + 16. Added mail client security considerations when dealing with + special identifier "anyone". + 17. Clarified that negative rights are not the same as DELETEACL. + 18. Added "Compatibility with RFC 2086" section. + 19. Added section about mapping of ACL rights to READ-WRITE and + READ-ONLY response codes. + 20. Changed BNF to ABNF. + 21. Added "Implementation Notes" section. + 22. Updated "References" section. + 23. Added more examples. + 24. Clarified when the virtual "c" and "d" rights are returned in + ACL, MYRIGHTS, and LISTRIGHTS responses. + + + + + + + + +Melnikov Standards Track [Page 23] + +RFC 4314 IMAP ACL December 2005 + + +Appendix B. Compatibility with RFC 2086 + + This non-normative section gives guidelines as to how an existing RFC + 2086 server implementation may be updated to comply with this + document. + + This document splits the "d" right into several new different rights: + "t", "e", and possibly "x" (see Section 2.1.1 for more details). The + "d" right remains for backward-compatibility, but it is a virtual + right. There are two approaches for RFC 2086 server implementors to + handle the "d" right and the new rights that have replaced it: + + a. Tie "t", "e" (and possibly "x) together - almost no changes. + b. Implement separate "x", "t" and "e". Return the "d" right in a + MYRIGHTS response or an ACL response containing ACL information + when any of the "t", "e" (and "x") is granted. + + In a similar manner this document splits the "c" right into several + new different rights: "k" and possibly "x" (see Section 2.1.1 for + more details). The "c" right remains for backwards-compatibility but + it is a virtual right. Again, RFC 2086 server implementors can + choose to tie rights or to implement separate rights, as described + above. + + Also check Sections 5.1.1 and 5.1.2, as well as Appendix A, to see + other changes required. Server implementors should check which + rights are required to invoke different IMAP4 commands as described + in Section 4. + +Appendix C. Known Deficiencies + + This specification has some known deficiencies including: + + 1. This is inadequate to provide complete read-write access to + mailboxes protected by Unix-style rights bits because there is no + equivalent to "chown" and "chgrp" commands nor is there a good + way to discover such limitations are present. + 2. Because this extension leaves the specific semantics of how + rights are combined by the server as implementation defined, the + ability to build a user-friendly interface is limited. + 3. Users, groups, and special identifiers (e.g., anyone) exist in + the same namespace. + + The work-in-progress "ACL2" extension is intended to redesign this + extension to address these deficiencies without the constraint of + backward-compatibility and may eventually supercede this facility. + + + + + +Melnikov Standards Track [Page 24] + +RFC 4314 IMAP ACL December 2005 + + + However, RFC 2086 is deployed in multiple implementations so this + intermediate step, which fixes the straightforward deficiencies in a + backward-compatible fashion, is considered worthwhile. + +Appendix D. Acknowledgements + + This document is a revision of RFC 2086 written by John G. Myers. + + Editor appreciates comments received from Mark Crispin, Chris Newman, + Cyrus Daboo, John G. Myers, Dave Cridland, Ken Murchison, Steve Hole, + Vladimir Butenko, Larry Greenfield, Robert Siemborski, Harrie + Hazewinkel, Philip Guenther, Brian Candler, Curtis King, Lyndon + Nerenberg, Lisa Dusseault, Arnt Gulbrandsen, and other participants + of the IMAPEXT working group. + +Normative References + + [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [ABNF] Crocker, D. and P. Overell, "Augmented BNF for Syntax + Specifications: ABNF", RFC 4234, October 2005. + + [IMAP4] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION + 4rev1", RFC 3501, March 2003. + + [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO + 10646", STD 63, RFC 3629, November 2003. + + [Stringprep] Hoffman, P. and M. Blanchet, "Preparation of + Internationalized Strings ("stringprep")", RFC 3454, + December 2002. + + [SASLprep] Zeilenga, K., "SASLprep: Stringprep Profile for User + Names and Passwords", RFC 4013, February 2005. + +Informative References + + [RFC2086] Myers, J., "IMAP4 ACL extension", RFC 2086, + January 1997. + + [PR29] "Public Review Issue #29: Normalization Issue", + February 2004, + <http://www.unicode.org/review/pr-29.html>. + + + + + + + +Melnikov Standards Track [Page 25] + +RFC 4314 IMAP ACL December 2005 + + +Author's Address + + Alexey Melnikov + Isode Ltd. + 5 Castle Business Village + 36 Station Road + Hampton, Middlesex TW12 2BX + GB + + EMail: alexey.melnikov@isode.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Melnikov Standards Track [Page 26] + +RFC 4314 IMAP ACL December 2005 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2005). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at ietf- + ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + +Melnikov Standards Track [Page 27] + |