Thanks for the clarification. I got around to testing the configuration you claim to use, but unfortunately I cannot get an ACL to have any effect on the mailbox access :( Can you tell me what ACL flags you are restricting to (rl, etc.) and what actual effect that has on the mail client in terms of behavior when attempting to perform a disallowed action?
I get this in the log:
May 10 15:46:58 gribble dovecot: IMAP(mcdouga9): acl: initializing backend with data: vfile:/usr/local/etc/dovecot-acls
May 10 15:46:58 gribble dovecot: IMAP(mcdouga9): acl: acl username = mcdouga9
May 10 15:46:58 gribble dovecot: IMAP(mcdouga9): acl: owner username = mcdouga9
May 10 15:46:58 gribble dovecot: IMAP(mcdouga9): acl vfile: Global ACL directory: /usr/local/etc/dovecot-acls
May 10 15:46:58 gribble dovecot: IMAP(mcdouga9): acl vfile: reading file /egr/mail/shared-dovecot2/decs/.support.In/dovecot-acl
# ls -ld .support.In
drwxrws--- 5 postlocal decsall 4096 May 9 12:55 .support.In
# ls -ld .support.In/cur
drwxrwxr-x 2 postlocal decsstaff 8192 Apr 24 12:47 .support.In/cur
# ls -ld .support.In/cur/1177428192.M918738P11081.zee
-rw-rw-r-- 1 postlocal decsstaff 2904 Apr 24 11:23 .support.In/cur/1177428192.M918738P11081.zee
mcdouga9 is in decsstaff, which has full write permission to the directory and file.
I have inside that dovecot-acl: user=mcdouga9 rl group-override=wheel
I tried just user=mcdouga9 rl first, no effect; added group-override=wheel (mcdouga9 is a member of wheel) and restarted Thunderbird, still seem to have full access to the mailbox. Argh.
On Tue, May 08, 2007 at 02:36:24PM -0400, Matt Zukowski wrote:
The shared mailbox and all its files and subdirectories are owned by the 'dovecot' user and by the 'domain users' group that all users belong to. The ACL restrictions cause a reduction (i.e. more fine-grained constraint) in privileges. In other words, at the system-file level, everyone can read the directory/files, but at the ACL level, only members of some particular list of groups should be able to read them.
And as I said, the user=<username> constraint seems to work fine, but group=<groupname> does not. It looks like the group=<groupname> constraint just never matches anyone. So I might have group=admins and "joeblow" is in group admins, but Dovecot thinks that he isn't.
Adam McDougall wrote:
What are the directory and file permissions of your shared folder, and do your <permissions> cause an increase or reduction of permissions compared to the dir and file permissions, or some of both?
On Mon, May 07, 2007 at 02:47:40PM -0400, Matt Zukowski wrote:
I would just add to this that simply putting a dovecot-acl file in a shared folder with "user=<username> <permissions>" does work just fine for us (without the complicated setup described below). Our problem is that group-based restrictions don't work at all (i.e. "group=<groupname> <permissions>", as described in the manual). I'm also trying to figure out what the force-group ACL identifier is supposed to mean. .... I gotta stop hitting "reply" for this list. I keep accidentally sending messages to the original authors rather than to the mailing list :)
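As an added illustration (not code from this thread and not Dovecot's own code), the following Python script models how the entries of a dovecot-acl file are matched against a user. The point it makes concrete is the one the thread keeps circling: a group=... or group-override=... entry can only match if the ACL plugin has been handed a group list for the user, which Dovecot takes from the userdb's acl_groups extra field, not from Unix /etc/group membership. The sample ACL file, the user names and the owner are constructed; precedence between identifier kinds and negative ('-') rights are deliberately not modelled, so matching entries are simply unioned.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# IMAP ACL right letters from RFC 4314: l lookup, r read, s keep seen, w write flags,
# i insert, p post, k create child, x delete mailbox, t delete messages, e expunge, a admin.
RIGHT_LETTERS = frozenset("lrswipkxtea")

# Identifier kinds accepted in a dovecot-acl file; the first group takes "kind=name".
NAMED_KINDS = ("group-override", "user", "group")
BARE_KINDS = ("owner", "authenticated", "anyone")


@dataclass(frozen=True)
class AclEntry:
    kind: str
    name: Optional[str]
    rights: FrozenSet[str]


def parse_acl_file(text: str) -> List[AclEntry]:
    """Parse 'identifier rights' lines; blank lines and # comments are skipped."""
    entries: List[AclEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) not in (1, 2):
            raise ValueError(f"line {lineno}: expected 'identifier rights', got {line!r}")
        ident = parts[0]
        rights_str = parts[1] if len(parts) == 2 else ""   # identifier alone grants nothing
        kind, _, name = ident.partition("=")
        if kind in NAMED_KINDS and name:
            entry_name: Optional[str] = name
        elif kind in BARE_KINDS and not name:
            entry_name = None
        else:
            raise ValueError(f"line {lineno}: unknown or malformed identifier {ident!r}")
        rights = frozenset(rights_str)
        unknown = rights - RIGHT_LETTERS
        if unknown:
            raise ValueError(f"line {lineno}: unknown right letter(s) {''.join(sorted(unknown))!r}")
        entries.append(AclEntry(kind, entry_name, rights))
    return entries


def matching_entries(entries: Iterable[AclEntry], username: str, acl_groups: Iterable[str],
                     owner: str, authenticated: bool = True) -> List[AclEntry]:
    """Return the entries whose identifier applies to this user.

    acl_groups is the group list the ACL plugin knows for the user (the userdb
    'acl_groups' extra field). Unix group membership is never consulted, so with an
    empty list every group=/group-override= entry is dead.
    """
    groups = set(acl_groups)
    matched = []
    for e in entries:
        hit = (
            (e.kind == "user" and e.name == username)
            or (e.kind in ("group", "group-override") and e.name in groups)
            or (e.kind == "owner" and username == owner)
            or (e.kind == "authenticated" and authenticated)
            or e.kind == "anyone"
        )
        if hit:
            matched.append(e)
    return matched


def effective_rights(entries: Iterable[AclEntry], username: str, acl_groups: Iterable[str],
                     owner: str, authenticated: bool = True) -> str:
    """Union of the rights of all matching entries, as a sorted letter string.

    Simplification: Dovecot's precedence between identifier kinds and its negative
    rights are not modelled here.
    """
    rights = set()
    for e in matching_entries(entries, username, acl_groups, owner, authenticated):
        rights |= e.rights
    return "".join(sorted(rights))


# Constructed dovecot-acl content in the style of the thread (not the poster's actual file).
SAMPLE_ACL = """\
# shared support folder: one named user gets lookup+read, the admins group gets everything
user=mcdouga9 rl
group=admins lrswipkxtea
"""


def demo() -> dict:
    """Same file, three lookups: the group entry only fires when acl_groups names the group."""
    entries = parse_acl_file(SAMPLE_ACL)
    owner = "postlocal"   # constructed owner name
    return {
        "mcdouga9": effective_rights(entries, "mcdouga9", [], owner),
        "joeblow/no acl_groups": effective_rights(entries, "joeblow", [], owner),
        "joeblow/acl_groups=admins": effective_rights(entries, "joeblow", ["admins"], owner),
    }


if __name__ == "__main__":
    for who, rights in demo().items():
        print(f"{who:28s} -> {rights or '(no rights)'}")
```

Running it shows joeblow getting no rights at all until the lookup is given `["admins"]`, which is the situation described in the thread when the userdb returns no acl_groups for him; the same check applied to the real file is a quick way to tell a parsing problem from a missing group list.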