Regression ACL & namespace prefix

Aki Tuomi aki.tuomi at open-xchange.com
Thu Mar 7 20:00:51 EET 2019


I tested with release 2.3.5, and

doveadm -Dv acl debug -u testuser pub
doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/pub/INBOX not found
doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/INBOX/dbox-Mails/dovecot-acl not found
doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/ not found
doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/dovecot-acl not found

so our advice is to upgrade to 2.3.5, as 2.2.36 is no longer in development.

Aki

> On 7 March 2019 19:47 Aki Tuomi via dovecot <dovecot at dovecot.org> wrote:
> 
>  
> Sorry, we have not yet been able to look into this.
> 
> It's now in our internal system as DOP-966
> 
> Aki
> 
> > On 7 March 2019 17:31 Michal Hlavinka via dovecot <dovecot at dovecot.org> wrote:
> > 
> >  
> > Hi,
> > any progress with this issue? Do you need more information to debug and 
> > fix this?
> > 
> > Cheers
> > Michal Hlavinka
> > 
> > On 9/18/18 4:10 PM, Michal Hlavinka wrote:
> > > Hi
> > > 
> > > tl;dr:
> > > It seems that for the Global ACL directory, the namespace prefix is not
> > > part of the path when looking for the ACL file.
> > > 
> > > Long version:
> > > 
> > > We're planning to update dovecot in the next OS update to 2.2.36, and
> > > while going through regression testing, we found a problem with the ACL
> > > configuration combined with a namespace.
> > > 
> > > Test uses "Global ACL directory" configuration.
> > > 
> > > Relevant configuration part:
> > > mail_location = maildir:~/Maildir
> > > 
> > > namespace inbox {
> > >    hidden = no
> > >    inbox = yes
> > >    list = yes
> > >    location =
> > >    prefix =
> > >    separator = /
> > > }
> > > namespace {
> > >    hidden = no
> > >    list = yes
> > >    location = maildir:/var/mail/pub
> > >    prefix = pub/
> > >    separator = /
> > >    type = public
> > > }
> > > 
> > > mail_plugins = acl
> > > 
> > > protocol imap {
> > >    mail_plugins = $mail_plugins acl imap_acl
> > > }
> > > plugin {
> > >    acl = vfile:/etc/dovecot/global-acls
> > > }
> > > 
> > > ACL config file is stored at:
> > > /etc/dovecot/global-acls/pub/.DEFAULT
> > > 
> > > when trying to examine "pub", it is denied:
> > > fetchmail: IMAP> A0005 EXAMINE "pub"
> > > fetchmail: IMAP< A0005 NO Mailbox doesn't exist: pub (0.001 + 0.000 secs).
> > > 
> > > # doveadm acl debug -u d2 pub
> > > doveadm(d2): Info: Mailbox '' is in namespace 'pub/'
> > > doveadm(d2): Info: Mailbox path: /var/mail/pub
> > > doveadm(d2): Info: All message flags are shared across users in mailbox
> > > doveadm(d2): Info: User d2 has no rights for mailbox
> > > doveadm(d2): Error: User d2 is missing 'lookup' right
> > > doveadm(d2): Info: Mailbox pub is NOT visible in LIST
> > > 
> > > because it did not find acl file:
> > > imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, 
> > > hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub
> > > imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, 
> > > control=, inbox=, alt=
> > > imap(d2): Debug: acl: initializing backend with data: 
> > > vfile:/etc/dovecot/global-acls
> > > imap(d2): Debug: acl: acl username = d2
> > > imap(d2): Debug: acl: owner = 0
> > > imap(d2): Debug: acl vfile: Global ACL legacy directory: 
> > > /etc/dovecot/global-acls
> > > imap(d2): Debug: pub: Mailbox opened because: EXAMINE
> > > imap(d2): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not 
> > > found
> > > imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
> > > 
> > > 
> > > see it's looking for:
> > > /etc/dovecot/global-acls//.DEFAULT
> > > instead of
> > > /etc/dovecot/global-acls/pub/.DEFAULT
> > > 
> > > Checking with documentation
> > > https://wiki.dovecot.org/ACL
> > > it seems that prefix should still be part of the path, as it was before:
> > > """The filenames must start with namespace prefix (if it has one). For 
> > > example with namespace prefix=INBOX/ containing mailbox "foo" use 
> > > /etc/dovecot/acls/INBOX/foo."""
> > > 
> > > 
> > > Just for comparison, previous version (2.2.10) would work fine:
> > > imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, 
> > > hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub
> > > imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, 
> > > control=, inbox=, alt=
> > > imap(d2): Debug: acl: initializing backend with data: 
> > > vfile:/etc/dovecot/global-acls
> > > imap(d2): Debug: acl: acl username = d2
> > > imap(d2): Debug: acl: owner = 0
> > > imap(d2): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls
> > > imap(d2): Debug: acl vfile: reading file 
> > > /etc/dovecot/global-acls/pub/.DEFAULT
> > > imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
> > > 
> > > 
> > > I've localized the problem to:
> > > src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...)
> > > and the change from:
> > > 
> > > vname = mailbox_list_get_vname(_backend->list, name);
> > > 
> > > to:
> > > 
> > > vname = *name == '\0' ? "" :
> > >      mailbox_list_get_vname(_backend->list, name);
> > > 
> > > That happened quite some time ago during bigger ACL changes, and I don't
> > > know why exactly this line was changed previously. Anyway, reverting this
> > > line alone fixes the problem, and while testing both per-mailbox ACL
> > > vfile and Global ACL file, reverting this did not affect them.
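
Added example (not part of the thread and not Dovecot code): a small checker that scans `mail_debug` output for global ACL lookups whose mailbox-name component is empty, which is the `/etc/dovecot/global-acls//.DEFAULT` symptom reported above, and prints the path each non-empty namespace prefix would have produced. The function name is hypothetical, and the sample lines are the thread's debug output with mail-wrapped lines rejoined.

```python
import re

NS_RE = re.compile(r"Debug: Namespace [^:]*: .*?\bprefix=([^,]*),")
DIR_RE = re.compile(r"acl vfile: Global ACL (?:legacy )?directory: (\S+)")
LOOKUP_RE = re.compile(r"acl vfile: (?:reading file|file) (\S+)")

# Constructed samples: debug lines quoted in the thread, unwrapped.
BROKEN_2_2_36 = """\
imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub
imap(d2): Debug: acl vfile: Global ACL legacy directory: /etc/dovecot/global-acls
imap(d2): Debug: pub: Mailbox opened because: EXAMINE
imap(d2): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found
imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
""".splitlines()

WORKING_2_2_10 = """\
imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub
imap(d2): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls
imap(d2): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/.DEFAULT
imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
""".splitlines()


def find_prefixless_global_acl_lookups(lines):
    """Return (looked_up_path, expected_candidates) for each global ACL
    lookup whose first path component under the global directory is empty."""
    prefixes, global_dir, findings = [], None, []
    for line in lines:
        if m := NS_RE.search(line):
            if m.group(1):  # ignore namespaces with an empty prefix
                prefixes.append(m.group(1))
        elif m := DIR_RE.search(line):
            global_dir = m.group(1).rstrip("/")
        elif (m := LOOKUP_RE.search(line)) and global_dir:
            path = m.group(1)
            if not path.startswith(global_dir + "/"):
                continue  # per-mailbox dovecot-acl file, not the global dir
            rel = path[len(global_dir) + 1:]
            if rel.startswith("/"):  # "<dir>//file": mailbox name was empty
                expected = [f"{global_dir}/{p}{rel.lstrip('/')}" for p in prefixes]
                findings.append((path, expected))
    return findings


if __name__ == "__main__":
    for looked_up, expected in find_prefixless_global_acl_lookups(BROKEN_2_2_36):
        print(f"lookup without namespace prefix: {looked_up}")
        print(f"  expected one of: {expected}")
```
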

