Different behavior of ACLs in MUA and doveadm

Thomas Leuxner tlx at leuxner.net
Wed Dec 31 21:10:45 UTC 2014


I have noticed a difference in the behavior of ACLs. When used in a MUA the following global ACL works fine and has the desired effect - new mailboxes can be created by a user who is part of the 'PublicMailboxAdmins' group:

[ global-acl: ]
INBOX owner lrwstiekxap
Public/* group=PublicMailboxAdmins lrwsipk
Public/* anyone lr
Public/* authenticated lrws

Creating the same mailbox via doveadm however fails with a permission problem:

doveadm(tlx at leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx at leuxner.net): Debug: Namespace : type=public, prefix=Public/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=no location=mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public
doveadm(tlx at leuxner.net): Debug: fs: root=/var/vmail/public, index=, indexpvt=/var/vmail/domains/leuxner.net/tlx/mdbox/public, control=, inbox=, alt=
doveadm(tlx at leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
doveadm(tlx at leuxner.net): Debug: acl: acl username = tlx at leuxner.net
doveadm(tlx at leuxner.net): Debug: acl: owner = 0
doveadm(tlx at leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx at leuxner.net): Debug: Namespace : type=private, prefix=Virtual/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=virtual:~/mdbox/virtual
doveadm(tlx at leuxner.net): Debug: fs: root=/var/vmail/domains/leuxner.net/tlx/mdbox/virtual, index=, indexpvt=, control=, inbox=, alt=
doveadm(tlx at leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
doveadm(tlx at leuxner.net): Debug: acl: acl username = tlx at leuxner.net
doveadm(tlx at leuxner.net): Debug: acl: owner = 1
doveadm(tlx at leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx at leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/dovecot-acl not found
doveadm(tlx at leuxner.net): Error: Can't create mailbox Public/Archive/Newsletters/heise-security/2014: Permission denied

Interestingly, doveadm succeeds when dovecot-acl is present in the namespace root - which of course is not desirable in the light of the global ACL:

[ dovecot-acl: ]
group=PublicMailboxAdmins lrwsipk

doveadm(tlx at leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx at leuxner.net): Debug: Namespace : type=public, prefix=Public/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=no location=mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public
doveadm(tlx at leuxner.net): Debug: fs: root=/var/vmail/public, index=, indexpvt=/var/vmail/domains/leuxner.net/tlx/mdbox/public, control=, inbox=, alt=
doveadm(tlx at leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
doveadm(tlx at leuxner.net): Debug: acl: acl username = tlx at leuxner.net
doveadm(tlx at leuxner.net): Debug: acl: owner = 0
doveadm(tlx at leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx at leuxner.net): Debug: Namespace : type=private, prefix=Virtual/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=virtual:~/mdbox/virtual
doveadm(tlx at leuxner.net): Debug: fs: root=/var/vmail/domains/leuxner.net/tlx/mdbox/virtual, index=, indexpvt=, control=, inbox=, alt=
doveadm(tlx at leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
doveadm(tlx at leuxner.net): Debug: acl: acl username = tlx at leuxner.net
doveadm(tlx at leuxner.net): Debug: acl: owner = 1
doveadm(tlx at leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx at leuxner.net): Debug: acl vfile: reading file /var/vmail/public/mailboxes/dovecot-acl
doveadm(tlx at leuxner.net): Debug: Namespace Public/: /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014 doesn't exist yet, using default permissions
doveadm(tlx at leuxner.net): Debug: Namespace Public/: Using permissions from /var/vmail/public: mode=0700 gid=default
doveadm(tlx at leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/dbox-Mails/dovecot-acl not found
doveadm(tlx at leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014/dbox-Mails/dovecot-acl not found
doveadm(tlx at leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014/dbox-Mails/dovecot-acl not found
doveadm(tlx at leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014/dbox-Mails/dovecot-acl not found

# 2.2.15 (6078354e6238): /etc/dovecot/dovecot.conf

I know there have been some changes in Mercurial as to how global ACLs are interpreted. Is doveadm perhaps behind on them?

Regards
Thomas
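Added example, not code from the post or from Dovecot itself: a small evaluator for a global-acl file in the format shown above, useful for checking on paper which rights a user should end up with before trusting either the MUA or doveadm. It assumes a simplified model of Dovecot's identifier matching (every evaluated user is authenticated, `group=` and `group-override=` are treated alike) and that creating a mailbox is governed by the `k` right on the parent mailbox.

```python
import re

# Constructed copy of the global-acl from the post: "<mailbox pattern> <identifier> <rights>"
GLOBAL_ACL = """\
INBOX owner lrwstiekxap
Public/* group=PublicMailboxAdmins lrwsipk
Public/* anyone lr
Public/* authenticated lrws
"""

def parse_acl(text):
    """Return (pattern, identifier, rights) triples; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, ident, rights = line.split(None, 2)
            entries.append((pattern, ident, rights.replace(" ", "")))
    return entries

def pattern_matches(pattern, mailbox, sep="/"):
    """IMAP LIST wildcards: '*' crosses hierarchy levels, '%' stays within one."""
    regex = "".join(".*" if c == "*" else "[^%s]*" % re.escape(sep) if c == "%"
                    else re.escape(c) for c in pattern)
    return re.fullmatch(regex, mailbox) is not None

def ident_applies(ident, user, groups, is_owner):
    """Simplified model (assumption): every user we evaluate is authenticated."""
    if ident in ("anyone", "authenticated"):
        return True
    if ident == "owner":
        return is_owner
    kind, _, name = ident.partition("=")
    if kind == "user":
        return name == user
    return kind in ("group", "group-override") and name in groups

def effective_rights(entries, mailbox, user, groups=(), is_owner=False):
    """Union of rights from every matching entry; a leading '-' removes rights instead."""
    rights = set()
    for pattern, ident, spec in entries:
        if pattern_matches(pattern, mailbox) and ident_applies(ident, user, groups, is_owner):
            letters = set(spec.lstrip("-"))
            rights = rights - letters if spec.startswith("-") else rights | letters
    return "".join(sorted(rights))

def can_create(entries, mailbox, user, groups=(), sep="/"):
    """Assumption: creating a mailbox needs the 'k' right on its parent mailbox."""
    parent = mailbox.rpartition(sep)[0]
    return "k" in effective_rights(entries, parent, user, groups)

def overbroad_entries(entries, allowed="lr"):
    """Audit helper: entries that hand 'anyone' more than lookup/read."""
    return [e for e in entries if e[1] == "anyone" and set(e[2].lstrip("-")) - set(allowed)]
```

Running `effective_rights` for a PublicMailboxAdmins member on the mailbox from the log shows the `k` right is granted by the global file alone, which is the expectation the doveadm run above does not meet.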
