Regression ACL & namespace prefix

Michal Hlavinka mhlavink at redhat.com
Thu Mar 28 19:42:07 EET 2019


Hi,

were you able to reproduce this problem? Do you need more information to 
reproduce this?
Cheers,
Michal Hlavinka

On 3/12/19 3:29 PM, Michal Hlavinka wrote:
> Hi,
> 
> thanks for the answer. I think your environment was not set up correctly
> to reproduce this bug. I've retested with 2.3.5 and I can still
> reproduce it. I've attached a script that will configure everything for
> testing and if you have a virtual machine available, you can use it
> directly (it expects linux with systemd for dovecot restart).
> 
> relevant section from config:
> namespace {
>    hidden = no
>    list = yes
>    location = maildir:/var/mail/pub
>    prefix = pub/
>    separator = /
>    type = public
> }
> 
> this expects maildir directly in pub:
> /var/mail/pub/cur
> /var/mail/pub/new
> /var/mail/pub/tmp
> 
> as it uses '/' separator and there could be subfolders, it should look
> for .DEFAULT file in global acls directory which it does not in your
> debug output
> 
> doveadm(testuser): Info: Mailbox '' is in namespace 'pub/'
> doveadm(testuser): Info: All message flags are shared across users in mailbox
> doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found
> doveadm(testuser): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
> doveadm(testuser): Info: User testuser has no rights for mailbox
> doveadm(testuser): Error: User testuser is missing 'lookup' right
> doveadm(testuser): Info: Mailbox pub is NOT visible in LIST
> 
> in this output see that it checks this location:
> acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found
> 
> instead of
> 
> /etc/dovecot/global-acls/pub/.DEFAULT
> 
> this is caused by line in
> src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...)
> 
> vname = *name == '\0' ? "" :
>       mailbox_list_get_vname(_backend->list, name);
> 
> and because name is empty, it will not use the "pub" prefix in the path.
> If I'd test acl for "pub/subfolder" that condition would have different
> result and bug would not trigger:
> 
> doveadm(testuser): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/subfolder/.DEFAULT
> 
> 
> For testing I use this acl configuration:
> cat /etc/dovecot/global-acls/pub/.DEFAULT
> user=testuser l
> 
> but as this acl file location is not found by dovecot, content should
> not matter.
> 
> 
> Cheers,
> Michal Hlavinka
> 
> 
> On 3/7/19 7:00 PM, Aki Tuomi via dovecot wrote:
>> I tested with release 2.3.5, and
>>
>> doveadm -Dv acl debug -u testuser pub
>> doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/pub/INBOX not found
>> doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/INBOX/dbox-Mails/dovecot-acl not found
>> doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/ not found
>> doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/dovecot-acl not found
>>
>> so our advice is to upgrade to 2.3.5, as 2.2.36 is no longer in
>> development.
>>
>> Aki
>>
>>> On 7 March 2019 19:47 Aki Tuomi via dovecot <dovecot at dovecot.org>
>>> wrote:
>>>
>>>
>>> Sorry, we have not yet been able to look into this..
>>>
>>> It's now in our internal system as DOP-966
>>>
>>> Aki
>>>
>>>> On 7 March 2019 17:31 Michal Hlavinka via dovecot
>>>> <dovecot at dovecot.org> wrote:
>>>>
>>>>
>>>> Hi, any progress with this issue? Do you need more information to
>>>> debug and fix this?
>>>>
>>>> Cheers Michal Hlavinka
>>>>
>>>> On 9/18/18 4:10 PM, Michal Hlavinka wrote:
>>>>> Hi
>>>>>
>>>>> tl;dr: Seems that for Global ACL directory, namespace prefix is
>>>>> not part of the path, when looking for acl file.
>>>>>
>>>>> Long version:
>>>>>
>>>>> We're planning to update dovecot in next os update to 2.2.36
>>>>> and while going through regression testing, we found a problem
>>>>> with ACL configuration combined with namespace.
>>>>>
>>>>> Test uses "Global ACL directory" configuration.
>>>>>
>>>>> Relevant configuration part:
>>>>> mail_location = maildir:~/Maildir
>>>>>
>>>>> namespace inbox {
>>>>>   hidden = no
>>>>>   inbox = yes
>>>>>   list = yes
>>>>>   location =
>>>>>   prefix =
>>>>>   separator = /
>>>>> }
>>>>> namespace {
>>>>>   hidden = no
>>>>>   list = yes
>>>>>   location = maildir:/var/mail/pub
>>>>>   prefix = pub/
>>>>>   separator = /
>>>>>   type = public
>>>>> }
>>>>>
>>>>> mail_plugins = acl
>>>>>
>>>>> protocol imap {
>>>>>   mail_plugins = $mail_plugins acl imap_acl
>>>>> }
>>>>> plugin {
>>>>>   acl = vfile:/etc/dovecot/global-acls
>>>>> }
>>>>>
>>>>> ACL config file is stored at: /etc/dovecot/global-acls/pub/.DEFAULT
>>>>>
>>>>> when trying to examine "pub", it is denied:
>>>>> fetchmail: IMAP> A0005 EXAMINE "pub"
>>>>> fetchmail: IMAP< A0005 NO Mailbox doesn't exist: pub (0.001 + 0.000 secs).
>>>>>
>>>>> # doveadm acl debug -u d2 pub
>>>>> doveadm(d2): Info: Mailbox '' is in namespace 'pub/'
>>>>> doveadm(d2): Info: Mailbox path: /var/mail/pub
>>>>> doveadm(d2): Info: All message flags are shared across users in mailbox
>>>>> doveadm(d2): Info: User d2 has no rights for mailbox
>>>>> doveadm(d2): Error: User d2 is missing 'lookup' right
>>>>> doveadm(d2): Info: Mailbox pub is NOT visible in LIST
>>>>>
>>>>> because it did not find acl file:
>>>>> imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub
>>>>> imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt=
>>>>> imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls
>>>>> imap(d2): Debug: acl: acl username = d2
>>>>> imap(d2): Debug: acl: owner = 0
>>>>> imap(d2): Debug: acl vfile: Global ACL legacy directory: /etc/dovecot/global-acls
>>>>> imap(d2): Debug: pub: Mailbox opened because: EXAMINE
>>>>> imap(d2): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found
>>>>> imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
>>>>>
>>>>>
>>>>> see it's looking for: /etc/dovecot/global-acls//.DEFAULT instead of 
>>>>> /etc/dovecot/global-acls/pub/.DEFAULT
>>>>>
>>>>> Checking with documentation https://wiki.dovecot.org/ACL it
>>>>> seems that prefix should still be part of the path, as it was
>>>>> before: """The filenames must start with namespace prefix (if
>>>>> it has one). For example with namespace prefix=INBOX/
>>>>> containing mailbox "foo" use /etc/dovecot/acls/INBOX/foo."""
>>>>>
>>>>>
>>>>> Just for comparison, previous version (2.2.10) would work fine:
>>>>> imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub
>>>>> imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt=
>>>>> imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls
>>>>> imap(d2): Debug: acl: acl username = d2
>>>>> imap(d2): Debug: acl: owner = 0
>>>>> imap(d2): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls
>>>>> imap(d2): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/.DEFAULT
>>>>> imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
>>>>>
>>>>>
>>>>> I've localized problem to: src/plugins/acl/acl-backend-vfile.c:
>>>>> acl_backend_vfile_object_init(...) and change from:
>>>>>
>>>>> vname = mailbox_list_get_vname(_backend->list, name);
>>>>>
>>>>> to:
>>>>>
>>>>> vname = *name == '\0' ? "" : mailbox_list_get_vname(_backend->list, 
>>>>> name);
>>>>>
>>>>> that happened quite some time ago during bigger acl changes and I
>>>>> don't know why exactly this line was changed previously.
>>>>> Anyway, reverting this line alone fixes the problem and while
>>>>> testing both per-mailbox ACL vfile and Global ACL file,
>>>>> reverting this did not affect them.
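
Added example, not part of the thread or of Dovecot's code: a checker for the symptom the messages above describe, where the namespace root's global ACL file is probed at `<global dir>//.DEFAULT` instead of `<global dir>/<prefix>/.DEFAULT`. The function names and the sample log text are this example's own (the samples are constructed in the debug format quoted above), and the global ACL directory is supplied by the caller.

```python
import re

# Constructed samples: debug lines in the format quoted in the thread,
# with the e-mail line wrapping undone.
AFFECTED = """\
doveadm(testuser): Info: Mailbox '' is in namespace 'pub/'
doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found
doveadm(testuser): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
doveadm(testuser): Error: User testuser is missing 'lookup' right
"""
WORKING = """\
imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no
imap(d2): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls
imap(d2): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/.DEFAULT
imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
"""

PROBE = re.compile(r"acl vfile: (?:reading file|file) (\S+)")
NAMESPACE = re.compile(r"is in namespace '([^']*)'|Namespace : .*?prefix=([^,\s]*)")

def namespace_prefix(log):
    """Return the namespace prefix named in the log, or None."""
    m = NAMESPACE.search(log)
    return (m.group(1) or m.group(2)) if m else None

def check_root_acl_lookup(log, global_dir):
    """Classify how the namespace root's global ACL file was looked up.

    Returns (verdict, path): 'ok' when <global_dir>/<prefix>/.DEFAULT was
    probed, 'prefix-dropped' when <global_dir>//.DEFAULT was probed instead,
    'unknown' when neither appears or the log names no non-empty prefix.
    """
    base = global_dir.rstrip("/")
    prefix = (namespace_prefix(log) or "").strip("/")
    if not prefix:
        return "unknown", None
    paths = PROBE.findall(log)
    expected = f"{base}/{prefix}/.DEFAULT"
    dropped = f"{base}//.DEFAULT"
    if expected in paths:
        return "ok", expected
    if dropped in paths:
        return "prefix-dropped", dropped
    return "unknown", None

if __name__ == "__main__":
    for name, log in (("affected", AFFECTED), ("working", WORKING)):
        print(name, check_root_acl_lookup(log, "/etc/dovecot/global-acls"))
```

A `prefix-dropped` verdict means the ACL file placed under the prefix directory was never read for the namespace root, so the rights it grants are not applied there.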


