acl_ignore_namespace & dovecot-acl-list files

Markus Valentin markus.valentin at open-xchange.com
Tue Jun 29 17:16:41 EEST 2021


> On 29/06/2021 12:09 Vincent Brillault <vincent.brillault at cern.ch> wrote:
> 
>  
> Hi!
> 
> After updating to 2.3.15, I was hoping to be able to get rid of some of
> the work-arounds I had in place when configuring shared folders in
> cluster mode in 2.3.14. Unfortunately it seems that I still need one.
> 
> Running on CentOS7 with both a 'virtual' and 'shared' namespace,
> whenever I update the global vfile, I'm getting the following warning:
> ```
> Error: open(/etc/dovecot/virtual/.temp.....8536.f1a78823779ee98d)
> failed: Read-only file system
> Error: dovecot-acl-list creation failed:
> safe_mkstemp(/etc/dovecot/virtual/.temp.....8536.) failed: Read-only
> file system
> Error: unlink(/etc/dovecot/virtual/dovecot-acl-list) failed: Read-only
> file system (in acl-backend-vfile-acllist.c:339)
> ```
> 
> I found it weird, as I'm using acl_ignore_namespace to ignore the
> virtual filesystem, but still dovecot seems to be trying to create a
> dovecot-acl-list file there. After digging into it and generating a
> backtrace where that error message is triggered, I believe I've traced it
> down to `acl_lookup_dict_rebuild`, which doesn't filter out "ignored"
> namespaces. The attached patch seems to solve the problem for me, but I
> must admit I didn't test it in depth so I'm not sure if I'm breaking
> something else...
> 
> Let me know if I'm missing something,

Hi Vincent,

Thank you very much for your mail and the patch. Sad to hear that 2.3.15 wasn't able to get rid of your work-arounds. I think your fix is valid and needed. It seems that checking ignore_acls was simply forgotten to be added there.

Markus

> Thanks,
> Vincent
> 
> PS: Some details:
> - Relevant configuration (let me know if I'm missing something):
> ```
> mail_plugins = acl zlib virtual fts fts_solr
> 
> namespace Virtual {
>   prefix = Virtual/
>   separator = /
>   hidden = yes
>   list = no
>   subscriptions = no
>   location = virtual:/etc/dovecot/virtual:INDEX=~/virtual
> }
> 
> namespace shared {
>   type = shared
>   prefix = shared/%%u/
>   list = children
>   subscriptions = no
>   location = imapc:~/shared/%%u
> }
> 
> plugin {
>   # ACLs
>   acl = vfile:/etc/dovecot/dovecot-acl
>   acl_ignore_namespace = Virtual/
>   acl_ignore_namespace2 = shared/*
>   acl_shared_dict = proxy::acl
> 
> }
> ```
> - Backtrace generated manually (adding `backtrace_get(&backtrace)` &
> printing the result under the `dovecot-acl-list creation failed` error):
> ```
> Raw backtrace:
>   /usr/lib64/dovecot/libdovecot.so.0(backtrace_append+0x42) [0x7ff99d364862]
>  -> /usr/lib64/dovecot/libdovecot.so.0(backtrace_get+0x1e) [0x7ff99d36496e]
>  -> /usr/lib64/dovecot/lib01_acl_plugin.so(+0xb071) [0x7ff99ca9f071]
>  ->
> /usr/lib64/dovecot/lib01_acl_plugin.so(acl_backend_vfile_acllist_rebuild+0x1d)
> [0x7ff99ca9f3ed]
>  ->
> /usr/lib64/dovecot/lib01_acl_plugin.so(acl_backend_vfile_acllist_refresh+0x250)
> [0x7ff99ca9f6b0]
>  ->
> /usr/lib64/dovecot/lib01_acl_plugin.so(acl_backend_vfile_nonowner_iter_init+0x9)
> [0x7ff99ca9f849]
>  ->
> /usr/lib64/dovecot/lib01_acl_plugin.so(acl_lookup_dict_rebuild+0x13e)
> [0x7ff99caa179e]
>  -> /usr/lib64/dovecot/lib01_acl_plugin.so(+0xb245) [0x7ff99ca9f245]
>  ->
> /usr/lib64/dovecot/lib01_acl_plugin.so(acl_backend_vfile_acllist_rebuild+0x1d)
> [0x7ff99ca9f3ed]
>  -> /usr/lib64/dovecot/lib01_acl_plugin.so(+0xa9ad) [0x7ff99ca9e9ad]
>  -> /usr/lib64/dovecot/lib01_acl_plugin.so(+0x6e4c) [0x7ff99ca9ae4c]
>  ->
> /usr/lib64/dovecot/lib01_acl_plugin.so(acl_object_get_my_rights+0x75)
> [0x7ff99ca9af35]
>  -> /usr/lib64/dovecot/lib01_acl_plugin.so(+0xe44e) [0x7ff99caa244e]
>  -> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_exists+0x6e)
> [0x7ff99d6845fe]
>  ->
> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_list_mailbox+0x226)
> [0x7ff99d694ff6]
>  ->
> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_list_iter_init_namespaces+0x282)
> [0x7ff99d6eecf2]
>  -> dovecot/imap [vbrillau XXXXX LIST](cmd_list_full+0x55b) [0x563f9bb004bb]
>  -> dovecot/imap [vbrillau XXXXX LIST](command_exec+0x64) [0x563f9bb0ab04]
>  -> dovecot/imap [vbrillau XXXXX LIST](+0x1d9e2) [0x563f9bb089e2]
>  -> dovecot/imap [vbrillau XXXXX LIST](+0x1da71) [0x563f9bb08a71]
>  -> dovecot/imap [vbrillau XXXXX LIST](client_handle_input+0x205)
> [0x563f9bb08ef5]
>  -> dovecot/imap [vbrillau XXXXX LIST](client_input+0x79) [0x563f9bb094d9]
>  -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x65)
> [0x7ff99d38a425]
>  ->
> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0x12b)
> [0x7ff99d38bdab]
>  -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x59)
> [0x7ff99d38a529]
>  -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7ff99d38a768]
>  -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13)
> [0x7ff99d2f43c3]
>  -> dovecot/imap [vbrillau XXXXX LIST](main+0x342) [0x563f9bafa2f2]
>  -> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7ff99ced1555]
>  -> dovecot/imap [vbrillau XXXXX LIST](+0xf4f5) [0x563f9bafa4f5]
> ```
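
The behaviour discussed in this thread, as an added example that is not part of the original mails and is not Dovecot source: a small C model of a rebuild pass that does or does not honour a per-namespace ignore_acls flag. The struct, the helper names, the use of fnmatch() as the pattern matcher and the "shared/alice/" prefix are assumptions made for illustration.

```c
/* Model only, not Dovecot source; structs and helpers are hypothetical. */
#include <fnmatch.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
struct ns { const char *prefix; bool ignore_acls; };

/* acl_ignore_namespace / acl_ignore_namespace2 values from the posted config. */
static const char *const patterns[] = { "Virtual/", "shared/*" };

/* Assumption: settings are wildcards matched against the namespace prefix;
   fnmatch() stands in for the real matcher. */
static void apply_ignore_settings(struct ns *list, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        list[i].ignore_acls = false;
        for (size_t p = 0; p < sizeof(patterns) / sizeof(patterns[0]); p++)
            if (fnmatch(patterns[p], list[i].prefix, 0) == 0)
                list[i].ignore_acls = true;
    }
}

/* One rebuild pass: honor_ignore == false models the reported behaviour, true
   the added ignore_acls check. Returns ignored namespaces still written to. */
static int rebuild(const struct ns *list, size_t n, bool honor_ignore)
{
    int bad_writes = 0;
    for (size_t i = 0; i < n; i++) {
        if (honor_ignore && list[i].ignore_acls)
            continue;               /* skipped: nothing is written here */
        if (list[i].ignore_acls)
            bad_writes++;           /* write attempted in an ignored namespace */
    }
    return bad_writes;
}

/* Constructed list: a private namespace plus the two from the config. */
static int count_bad_writes(bool honor_ignore)
{
    struct ns list[] = { { "", false }, { "Virtual/", false }, { "shared/alice/", false } };
    size_t n = sizeof(list) / sizeof(list[0]);
    apply_ignore_settings(list, n);
    return rebuild(list, n, honor_ignore);
}

int main(void)
{
    printf("without check: %d, with check: %d\n", count_bad_writes(false), count_bad_writes(true));
    return 0;
}
```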

