A hopefully simple question regarding the use of ACLs - the spirit being of taking away most permissions first and then adding them back selectively:
In the global ACL declaration I have:
- owner lr
- group=SYS lrwstipekxa
The owner is put into the SYS group via a userdb extra field in the static passwd file ("archiv" is a system user, but PAM is disabled for the server):
archiv:::::::userdb_acl_groups=SYS
Still, the group permissions do not get applied:
root@host:/etc/dovecot# doveadm -D acl debug -u archiv INBOX
[…]
doveadm(archiv): Debug: Added userdb setting: plugin/acl_groups=SYS
doveadm(archiv): Debug: Effective uid=1002, gid=1001, home=/home/archiv
doveadm(archiv): Debug: acl: No acl_shared_dict setting - shared mailbox listing is disabled
doveadm(archiv): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir
doveadm(archiv): Debug: maildir++: root=/home/archiv/Maildir, index=, indexpvt=, control=, inbox=/home/archiv/Maildir, alt=
doveadm(archiv): Debug: acl: initializing backend with data: vfile:/etc/dovecot/dovecot-acl
doveadm(archiv): Debug: acl: acl username = archiv
doveadm(archiv): Debug: acl: owner = 1
doveadm(archiv): Debug: acl vfile: Global ACL file: /etc/dovecot/dovecot-acl
doveadm(archiv): Info: Mailbox 'INBOX' is in namespace ''
doveadm(archiv): Info: Mailbox path: /home/archiv/Maildir
doveadm(archiv): Info: All message flags are shared across users in mailbox
doveadm(archiv): Debug: acl vfile: file /home/archiv/Maildir/dovecot-acl not found
doveadm(archiv): Info: User archiv has rights: lookup read
doveadm(archiv): Info: Mailbox in user's private namespace
doveadm(archiv): Info: Mailbox INBOX is visible in LIST
My question: Shouldn't this work? (In a stock setup.)
PS: when I add "* group-override=SYS" to /etc/dovecot/dovecot-acl the user will not even be able to list INBOX.
PPS: As an aside, the setup also switches any system or /virtual/ users during login in local.conf:
userdb {
  driver = static
  args = uid=archiv gid=archiv home=/home/archiv user=archiv
}
but I get the above result without that switching when I make it read:
userdb {
  driver = static
  args = home=/home/archiv
}
So I suppose that it's not relevant in this case…
Thank you in advance
-- peter
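The result in the post ("lookup read" despite group=SYS carrying full rights, and no rights at all once "* group-override=SYS" is added) is what you get if matching ACL entries are not merged but ranked. The small evaluator below is an added example, not Dovecot's code; it assumes the precedence order the Dovecot ACL documentation describes (group-override above user=/owner, owner above group=, then authenticated, then anyone), with the highest-ranked matching entry winning outright, and it approximates mailbox-pattern matching with fnmatch. The ACL text, the "auditor" user and the group membership are constructed to mirror the post's setup.

```python
from fnmatch import fnmatchcase

# Identifier classes from lowest to highest precedence (assumed model of
# Dovecot's documented behaviour: highest-ranked match wins, no union).
PRECEDENCE = ("anyone", "authenticated", "group", "owner", "user", "group-override")

def parse_global_acl(text):
    """Parse global ACL file lines: '<mailbox-pattern> <identifier> [rights]'."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError("malformed ACL line: %r" % line)
        rights = set(parts[2]) if len(parts) > 2 else set()  # no rights == deny
        entries.append((parts[0], parts[1], rights))
    return entries

def match_class(ident, user, groups, is_owner):
    """Return the precedence class this identifier matches for the user, or None."""
    value = ident.split("=", 1)[1] if "=" in ident else None
    if ident.startswith("group-override="):
        return "group-override" if value in groups else None
    if ident.startswith("user="):
        return "user" if value == user else None
    if ident == "owner":
        return "owner" if is_owner else None
    if ident.startswith("group="):
        return "group" if value in groups else None
    if ident in ("authenticated", "anyone"):
        return ident
    return None

def effective_rights(entries, mailbox, user, groups, is_owner):
    """Rights of the highest-precedence matching entry for `mailbox` (not a union)."""
    best_rank, best_rights = -1, frozenset()
    for pattern, ident, rights in entries:
        if not fnmatchcase(mailbox, pattern):
            continue
        cls = match_class(ident, user, groups, is_owner)
        if cls is not None and PRECEDENCE.index(cls) > best_rank:
            best_rank, best_rights = PRECEDENCE.index(cls), frozenset(rights)
    return best_rights

# Constructed reproduction of the post's setup: "archiv" owns INBOX and is in SYS.
ACL_TEXT = "* owner lr\n* group=SYS lrwstipekxa\n"
SYS = frozenset({"SYS"})

if __name__ == "__main__":
    acl = parse_global_acl(ACL_TEXT)
    print(sorted(effective_rights(acl, "INBOX", "archiv", SYS, True)))    # ['l', 'r']
    print(sorted(effective_rights(acl, "INBOX", "auditor", SYS, False)))  # full group rights
    acl2 = parse_global_acl(ACL_TEXT + "* group-override=SYS\n")
    print(sorted(effective_rights(acl2, "INBOX", "archiv", SYS, True)))   # []
```

Under this model the owner entry ("lr") outranks the group entry for the mailbox owner, while a non-owner SYS member gets the group rights; a group-override line with no rights outranks both and yields an empty set.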