[Dovecot] Public namespace permissions documentation/questions

Timo Sirainen tss at iki.fi
Fri Feb 6 21:57:11 EET 2009


On Wed, 2009-01-28 at 18:43 +0100, Thomas Hummel wrote:
> Hello Timo,
> 
> In my trials to set up a shared namespace with dovecot-1.1.8/LDAP passdb/userdb
> (prefetch)/Maildir, I found out that:
> 
> 1) ACLs are mandatory (at least if the acl plugin is triggered in dovecot.conf)
> 
>    Am I correct?
>    I'm still not sure if we can do without ACLs at all (only with unix permissions and system_user userdb extra field).

I don't really understand. ACLs are not required if UNIX permissions are
enough for you. ACLs only add extra restrictions.

> 2) the system_user userdb extra field is supposed to be ... the logname of the user whose secondary groups
>    we want to check!
..
>   Seems obvious now and said this way, but looking at the wiki:
> 
>     "system_user: If this is given, the user's groups are read from /etc/group (or wherever NSS is configured to taken them from)."
> 
>   I thought 'system_user' was a flag (a boolean) which, when triggered, made
>   dovecot look for the secondary groups of the user (user whose name is already
>   known).

Updated wiki.

> b) why isn't system_user such a boolean? Is there a case where we'd want
>    system_user to be different than the user dovecot runs as at the moment the
>    check takes place?

Maybe. But there's no way to change that now without breaking backwards
compatibility.

> 3) same idea with acl_groups: since this extra_field holds a list of groups
>    for the ACL plugin, why not rely on the native unix groups of the system the
>    user belongs to?

Do you mean the ACL plugin would use the user's current UNIX groups?
That might be useful as an extra option, but virtual users won't have
any UNIX groups, so it can't work for everyone.