[Dovecot] Public namespace permissions documentation/questions
Thomas Hummel
hummel at pasteur.fr
Wed Jan 28 19:43:36 EET 2009
Hello Timo,
In my trials to set up a shared namespace with dovecot-1.1.8/LDAP passdb/userdb
(prefetch)/Maildir, I found out that:
1) ACLs are mandatory (at least if the acl plugin is enabled in dovecot.conf)
Am I correct?
I'm still not sure if we can do without ACLs at all (only with unix permissions and the system_user userdb extra field).
2) the system_user userdb extra field is supposed to be ...the logname of the user
whose secondary groups we want to check!
i.e. if user foobar belongs to secondary groups foogid, zgid, wgid and doveshared
uid=xxx(foobar) gid=yyy(foogid) groups=zzz(zgid),www(wgid),vvv(doveshared)
and we want dovecot to take them into account, we have to make the userdb return the
system_user extra field with the value foobar.
Seems obvious now and said this way, but looking at the wiki:
"system_user: If this is given, the user's groups are read from /etc/group (or wherever NSS is configured to taken them from)."
I thought 'system_user' was a flag (a boolean) which, when set, made
dovecot look for the secondary groups of the user (a user whose name is already
known).
a) am I correct?
b) why isn't system_user such a boolean? Is there a case where we'd want
system_user to be different from the user dovecot runs as at the moment the
check takes place?
3) same idea with acl_groups: since this extra field holds a list of groups
for the ACL plugin, why not rely on the native unix groups of the system the
user belongs to?
Thanks (and sorry for the 2 previous threads where I was blindly confused by the system_user thing).
--
Thomas Hummel | Institut Pasteur
<hummel at pasteur.fr> | Pôle informatique - systèmes et réseau
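An added configuration sketch of the setup the message describes (dovecot 1.1, LDAP userdb, Maildir, ACL plugin, a public namespace readable by members of the doveshared unix group); it is not the poster's configuration nor from the Dovecot project. The public Maildir path, ACL directory, mailbox name and LDAP attribute names are assumptions.

```conf
# dovecot.conf (assumed layout; public location and ACL dir are placeholders)
protocol imap {
  mail_plugins = acl
}

namespace private {
  separator = /
  prefix =
  inbox = yes
}

namespace public {
  separator = /
  prefix = Public/
  # shared Maildir; per-user index files so users need no write access to it
  location = maildir:/var/mail/public:INDEX=~/Maildir/public-index
  subscriptions = no
}

plugin {
  # global ACL directory: one file per public mailbox
  acl = vfile:/etc/dovecot/acls
}

# dovecot-ldap.conf: hand the login name back as system_user so that the
# user's secondary unix groups (e.g. doveshared) are read via NSS for the
# ACL group= checks. With a prefetch userdb the same field must instead be
# returned by pass_attrs as userdb_system_user.
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid,uid=system_user

# /etc/dovecot/acls/Public/Announce (assumed mailbox name):
# lookup + read for members of the doveshared unix group, nothing for others
# group=doveshared lr
```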