[Dovecot] Public namespaces with global ACLs 1.2+
Hi,
I'm having trouble getting ACLs to work in a more restrictive way with
namespaces. I would like to grant certain users the ability to create
new mailboxes in a public namespace, e.g. "Public/Newsletters" etc.
It works when I add the users to a ".DEFAULT" ACL file like this: user=username lrwk
Anyway I'd like to limit their permissions on the Namespace "Public",
or even better - being more restrictive, on "Public/Newsletters".
Neither global ACL files for "Public" nor "Newsletters" nested in the
global path seem to work. For now only the .DEFAULT ACL (/var/vmail/domain/etc/acls/.DEFAULT)
seems to mitigate the problem, which is undesirable.
dovecot -n excerpt:
plugin: acl: vfile:/var/vmail/%d/etc/acls:cache_secs=300
Thanks Thomas
On Thu, 2009-08-13 at 23:10 +0200, Thomas Leuxner wrote:
I don't really understand. What exactly do you want to limit? Above you give username lrwk permissions, don't you want them after all?
You anyway probably don't want to use global ACLs. Just put dovecot-acl files inside those maildirs where you want to change permissions.
On 14.08.2009 at 07:30, Timo Sirainen wrote:
I started by adding a 'dovecot-acl' with the lrwk permission in the
root of the public mailbox. My idea was this gets fetched when
creating new mailboxes within it. Actually it seems not to read that
file upon creation of new mailboxes but expects it to be in the newly
created mailbox itself, which obviously doesn't work.
If I add permissions to a .DEFAULT file it works, but this is too
broad for me.
Some log examples. Trying to create a new mailbox "Newsletters.123"
under Public/ with a prepopulated "Newsletters.123" ACL file. Although
it reads that file, it does not allow creation of the mailbox. NB: You
wouldn't have a glass ball to predict the mailbox name.
2009-08-14 10:05:05 IMAP(someone@leuxner.net): Info: acl vfile: reading file /var/vmail/leuxner.net/etc/acls/Newsletters.123
2009-08-14 10:05:05 IMAP(someone@leuxner.net): Info: acl vfile: file /var/vmail/public/.Newsletters.123/dovecot-acl not found
2009-08-14 10:05:06 IMAP(someone@leuxner.net): Info: acl vfile: file /var/vmail/leuxner.net/etc/acls//.DEFAULT not found
Created a .DEFAULT file and the user can create a new mailbox under
Public/:
2009-08-14 10:07:25 IMAP(someone@leuxner.net): Info: acl vfile: file /var/vmail/leuxner.net/etc/acls/Newsletters.123 not found
2009-08-14 10:07:25 IMAP(someone@leuxner.net): Info: acl vfile: file /var/vmail/public/.Newsletters.123/dovecot-acl not found
2009-08-14 10:07:25 IMAP(someone@leuxner.net): Info: acl vfile: reading file /var/vmail/leuxner.net/etc/acls//.DEFAULT
2009-08-14 10:07:26 IMAP(someone@leuxner.net): Info: Namespace Public/: Using permissions from /var/vmail/public: mode=0700 gid=-1
2009-08-14 10:07:26 IMAP(someone@leuxner.net): Info: acl vfile: reading file /var/vmail/leuxner.net/etc/acls//.DEFAULT
2009-08-14 10:07:26 IMAP(someone@leuxner.net): Info: acl vfile: reading file /var/vmail/public/dovecot-acl
Shouldn't it be possible to put the .DEFAULT ACL in a path like ../acls/Public/.DEFAULT
to only allow some users to create new subdirs under the Public/ namespace?
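As an added illustration (not code from this thread or from Dovecot), here is a small Python model of the behaviour the log excerpts above show: it parses ACL lines of the "user=username lrwk" form, and resolves the right to create a sub-mailbox against the parent's ACL, falling back to .DEFAULT. The `parent_fix` flag is an assumption that models the later 1.2.4 behaviour where a dovecot-acl in the public root is honoured; the in-memory file set and paths are constructed for the example.

```python
# Added example: model of Dovecot 1.2 ACL lookup when creating a mailbox under
# a public namespace root. Not Dovecot's code; a simplified, labelled model.
from typing import Dict, Optional, Set, Tuple

CREATE = "k"  # IMAP ACL right required to create sub-mailboxes


def parse_acl(text: str) -> Dict[str, Set[str]]:
    """Parse ACL lines of the form '<identifier> <rights>', e.g. 'user=thomas lrwk'."""
    acl: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ident, rights = line.split(None, 1)
        acl.setdefault(ident, set()).update(rights.replace(" ", ""))
    return acl


def has_right(acl: Dict[str, Set[str]], user: str, right: str) -> bool:
    """'anyone' grants to everybody; 'user=<name>' grants to that user only."""
    return right in acl.get("anyone", set()) or right in acl.get("user=" + user, set())


def may_create(files: Dict[str, str], user: str, global_dir: str,
               parent_dir: str, parent_fix: bool = False) -> Tuple[bool, Optional[str]]:
    """Creating a sub-mailbox needs 'k' on the PARENT, not on the new mailbox.
    Before the fix the namespace root's dovecot-acl was not consulted, so only
    .DEFAULT could grant it; with parent_fix the root's dovecot-acl is tried
    first (assumption modelling the 1.2.4 change). Returns (allowed, file used)."""
    sources = []
    if parent_fix:
        sources.append(f"{parent_dir}/dovecot-acl")
    sources.append(f"{global_dir}/.DEFAULT")
    for path in sources:
        if path in files:  # the first ACL file that exists decides
            return has_right(parse_acl(files[path]), user, CREATE), path
    return False, None


# Constructed in-memory "filesystem" mirroring Thomas's experiment: a global
# ACL for the not-yet-created mailbox plus a dovecot-acl in the public root.
GLOBAL = "/var/vmail/leuxner.net/etc/acls"
PUBLIC = "/var/vmail/public"
FILES = {f"{GLOBAL}/Newsletters.123": "user=someone lrwk\n",
         f"{PUBLIC}/dovecot-acl": "user=someone lrwk\n"}

if __name__ == "__main__":
    print(may_create(FILES, "someone", GLOBAL, PUBLIC))                   # (False, None)
    print(may_create(FILES, "someone", GLOBAL, PUBLIC, parent_fix=True))  # (True, '/var/vmail/public/dovecot-acl')
```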
On Fri, 2009-08-14 at 07:39 +0200, Thomas Leuxner wrote:
This should help: http://hg.dovecot.org/dovecot-1.2/rev/956d2f962e97
On 16.08.2009 at 02:43, Timo Sirainen wrote:
This should help: http://hg.dovecot.org/dovecot-1.2/rev/956d2f962e97
Tested fine with 1.2.4 and 'dovecot-acl' in public root. Thanks.
On Thu, 13 Aug 2009, Thomas Leuxner wrote:
plugin: acl: vfile:/var/vmail/%d/etc/acls:cache_secs=300
I do not use global ACLs, but mailbox-specific ones:
acl: vfile::cache_secs=300
Then one adds the ACLs to .dovecot-acl files located in each mailbox. Or issue a SETACL as owner.
Bye,
Steffen Kaiser