[Dovecot] Public namespaces with global ACLs 1.2+
Hi,
I'm having trouble getting ACLs to work in a more restrictive way with
namespaces. I would like to grant certain users the ability to create
new mailboxes in a public namespace, e.g. "Public/Newsletters" etc.
It works when I add the users to a ".DEFAULT" ACL file like this: user=username lrwk
Anyway I'd like to limit their permissions on the Namespace "Public",
or even better - being more restrictive, on "Public/Newsletters".
Neither global ACL files for "Public" nor "Newsletters" nested in the
global path seem to work. For now only the .DEFAULT ACL
(/var/vmail/domain/etc/acls/.DEFAULT) seems to mitigate the problem, which is
undesirable.
dovecot -n excerpt:
plugin: acl: vfile:/var/vmail/%d/etc/acls:cache_secs=300
Thanks Thomas
On Thu, 2009-08-13 at 23:10 +0200, Thomas Leuxner wrote:
> Hi,
> I'm having trouble getting ACLs to work in a more restrictive way with
> namespaces. I would like to grant certain users the ability to create
> new mailboxes in a public namespace, e.g. "Public/Newsletters" etc.
> It works when I add the users to a ".DEFAULT" ACL file like this: user=username lrwk
> Anyway I'd like to limit their permissions on the Namespace "Public",
> or even better - being more restrictive, on "Public/Newsletters".
I don't really understand. What exactly do you want to limit? Above you give username lrwk permissions, don't you want them after all?
> Neither global ACL files for "Public" nor "Newsletters" nested in the
> global path seem to work. For now only the .DEFAULT ACL
> (/var/vmail/domain/etc/acls/.DEFAULT) seems to mitigate the problem, which is
> undesirable.
You anyway probably don't want to use global ACLs. Just put dovecot-acl files inside those maildirs where you want to change permissions.
Am 13.08.2009 um 23:47 schrieb Timo Sirainen:
> On Thu, 2009-08-13 at 23:10 +0200, Thomas Leuxner wrote:
>> Anyway I'd like to limit their permissions on the Namespace "Public", or even better - being more restrictive, on "Public/Newsletters".
> I don't really understand. What exactly do you want to limit? Above
> you give username lrwk permissions, don't you want them after all?
I want to limit certain people to create new mailboxes in namespace
"Public" only.
> You anyway probably don't want to use global ACLs. Just put dovecot-acl files inside those maildirs where you want to change permissions.
That doesn't work for yet uncreated mailboxes, I can not predict names
here.
On Aug 14, 2009, at 1:25 AM, Thomas Leuxner wrote:
> Am 13.08.2009 um 23:47 schrieb Timo Sirainen:
>> On Thu, 2009-08-13 at 23:10 +0200, Thomas Leuxner wrote:
>>> Anyway I'd like to limit their permissions on the Namespace
>>> "Public", or even better - being more restrictive, on "Public/Newsletters".
>> I don't really understand. What exactly do you want to limit? Above
>> you give username lrwk permissions, don't you want them after all?
> I want to limit certain people to create new mailboxes in namespace
> "Public" only.
So didn't it work like that the way you did it? Or without global
ACLs, the same way by placing the dovecot-acl file to the shared
Maildir root.
Am 14.08.2009 um 07:30 schrieb Timo Sirainen:
>> I want to limit certain people to create new mailboxes in namespace
>> "Public" only.
> So didn't it work like that the way you did it? Or without global
> ACLs, the same way by placing the dovecot-acl file to the shared
> Maildir root.
I started by adding a 'dovecot-acl' with the lrwk permission in the
root of the public mailbox. My idea was this gets fetched when
creating new mailboxes within it. Actually it seems not to read that
file upon creation of new mailboxes but expects it to be in the newly
created Mailbox itself, which obviously doesn't work.
If I add permissions to a .DEFAULT file it works, but this is too
broad for me.
Some log examples. Trying to create a new mailbox "Newsletters.123"
under Public/ with a prepopulated "Newsletters.123" ACL file. Although
it reads that file, it does not allow creation of the mailbox. NB: You
wouldn't have a glass ball to predict the mailbox name.
2009-08-14 10:05:05 IMAP(someone@leuxner.net): Info: acl vfile: reading file /var/vmail/leuxner.net/etc/acls/Newsletters.123
2009-08-14 10:05:05 IMAP(someone@leuxner.net): Info: acl vfile: file /var/vmail/public/.Newsletters.123/dovecot-acl not found
2009-08-14 10:05:06 IMAP(someone@leuxner.net): Info: acl vfile: file /var/vmail/leuxner.net/etc/acls//.DEFAULT not found
Created a .DEFAULT file and the user can create a new mailbox under
Public/:
2009-08-14 10:07:25 IMAP(someone@leuxner.net): Info: acl vfile: file /var/vmail/leuxner.net/etc/acls/Newsletters.123 not found
2009-08-14 10:07:25 IMAP(someone@leuxner.net): Info: acl vfile: file /var/vmail/public/.Newsletters.123/dovecot-acl not found
2009-08-14 10:07:25 IMAP(someone@leuxner.net): Info: acl vfile: reading file /var/vmail/leuxner.net/etc/acls//.DEFAULT
2009-08-14 10:07:26 IMAP(someone@leuxner.net): Info: Namespace Public/: Using permissions from /var/vmail/public: mode=0700 gid=-1
2009-08-14 10:07:26 IMAP(someone@leuxner.net): Info: acl vfile: reading file /var/vmail/leuxner.net/etc/acls//.DEFAULT
2009-08-14 10:07:26 IMAP(someone@leuxner.net): Info: acl vfile: reading file /var/vmail/public/dovecot-acl
Shouldn't it be possible to put the .DEFAULT ACL in a path like ../
acls/Public/.DEFAULT to only allow some users to create new subdirs
under the Public/ namespace?
On Fri, 2009-08-14 at 07:39 +0200, Thomas Leuxner wrote:
> I started by adding a 'dovecot-acl' with the lrwk permission in the
> root of the public mailbox. My idea was this gets fetched when
> creating new mailboxes within it. Actually it seems not to read that
> file upon creation of new mailboxes but expects it to be in the newly
> created Mailbox itself, which obviously doesn't work.
This should help: http://hg.dovecot.org/dovecot-1.2/rev/956d2f962e97
Am 16.08.2009 um 02:43 schrieb Timo Sirainen:
> This should help: http://hg.dovecot.org/dovecot-1.2/rev/956d2f962e97
Tested fine with 1.2.4 and 'dovecot-acl' in public root. Thanks.
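The thread's logs show the order in which the vfile backend looks for ACL files (the global per-mailbox file, the mailbox's own dovecot-acl, then the global .DEFAULT), and the 1.2.4 fix makes a CREATE consult the parent's dovecot-acl instead of the not-yet-existing child's. The following is an added model of that behaviour written for this page; it is not Dovecot's code. It parses the dovecot-acl line format (`user=name lrwk`, `group=name lr`, `authenticated lr`, `anyone l`), resolves the rights a user gets as the union of all matching identifiers, and decides a CREATE under the Public/ root by the `k` right on the root's ACL. The "first file found wins" rule, the user names, paths and ACL contents are all assumptions constructed for the demo; Dovecot's real merge semantics between global and per-mailbox files are not reproduced.

```python
"""Added model (not Dovecot's code) of how the vfile ACL backend discussed in
the thread decides whether a user may CREATE a child mailbox under Public/.

Assumptions, taken from the thread's logs and the 1.2.4 fix Thomas confirmed:
  * a CREATE needs the 'k' right on the *parent* mailbox (the namespace root
    when creating directly under Public/), so the parent's ACL is what counts;
  * for a mailbox the backend tries <global_dir>/<mailbox>, then the mailbox's
    own dovecot-acl, then <global_dir>/.DEFAULT; this model stops at the first
    file found, a simplification of Dovecot's real merge logic.
Paths, user names and ACL contents below are constructed for the demo.
"""
import os
import tempfile

RIGHTS = set("lrwstipekxacd")  # right letters the dovecot-acl format uses


def parse_dovecot_acl(text):
    """Parse dovecot-acl lines like 'user=alice lrwk', 'group=staff lr', 'anyone l'.
    Returns {identifier: set(rights)}; blank lines and '#' comments are ignored."""
    acl = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ident, _, rights = line.partition(" ")
        rights = set(rights.replace(" ", ""))
        bad = rights - RIGHTS
        if bad:
            raise ValueError("unknown right(s) %s in %r" % (sorted(bad), line))
        acl[ident] = rights
    return acl


def rights_for(acl, user, groups=(), authenticated=True):
    """Union of the rights granted by every identifier that matches USER."""
    granted = set(acl.get("anyone", set()))
    if authenticated:
        granted |= acl.get("authenticated", set())
    granted |= acl.get("user=" + user, set())
    for g in groups:
        granted |= acl.get("group=" + g, set())
    return granted


def acl_candidates(global_dir, maildir_root, mailbox):
    """Files tried for MAILBOX ('' = the namespace root itself), in the order
    the thread's 'acl vfile:' log lines show (Maildir++ layout assumed)."""
    if mailbox:
        own = os.path.join(maildir_root, "." + mailbox, "dovecot-acl")
        return [os.path.join(global_dir, mailbox), own,
                os.path.join(global_dir, ".DEFAULT")]
    return [os.path.join(maildir_root, "dovecot-acl"),
            os.path.join(global_dir, ".DEFAULT")]


def load_acl(global_dir, maildir_root, mailbox):
    """First existing candidate wins (simplification); returns (path, acl)."""
    for path in acl_candidates(global_dir, maildir_root, mailbox):
        if os.path.isfile(path):
            with open(path) as fh:
                return path, parse_dovecot_acl(fh.read())
    return None, {}


def can_create(global_dir, maildir_root, parent, user, groups=()):
    """CREATE of a child under PARENT is allowed iff PARENT's ACL grants 'k'."""
    _, acl = load_acl(global_dir, maildir_root, parent)
    return "k" in rights_for(acl, user, groups)


def demo():
    """Build a throw-away tree shaped like the thread's and check who may
    create mailboxes directly under the Public/ root."""
    root = tempfile.mkdtemp()
    global_dir = os.path.join(root, "acls")    # stands in for /var/vmail/%d/etc/acls
    public = os.path.join(root, "public")      # stands in for /var/vmail/public
    os.makedirs(global_dir)
    os.makedirs(public)
    # dovecot-acl in the public root: 'editor' may create, everyone else only reads
    with open(os.path.join(public, "dovecot-acl"), "w") as fh:
        fh.write("user=editor lrwk\nauthenticated lr\n")
    results = {
        "editor_scoped": can_create(global_dir, public, "", "editor"),
        "reader_scoped": can_create(global_dir, public, "", "reader"),
    }
    # Thomas's workaround: a global .DEFAULT granting 'k'. While the public
    # root has its own file it is never reached here, but it would apply to
    # every mailbox without an ACL file of its own, which is why it is too broad.
    with open(os.path.join(global_dir, ".DEFAULT"), "w") as fh:
        fh.write("user=reader lrwk\n")
    results["reader_default_shadowed"] = can_create(global_dir, public, "", "reader")
    os.remove(os.path.join(public, "dovecot-acl"))
    results["reader_default_only"] = can_create(global_dir, public, "", "reader")
    return results
```

Running `demo()` shows the scoped outcome Thomas wanted: with `user=editor lrwk` in the public root's dovecot-acl only `editor` may create, `reader` may not, and the global .DEFAULT only takes effect once no narrower file exists.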
> On Thu, 13 Aug 2009, Thomas Leuxner wrote:
>> plugin: acl: vfile:/var/vmail/%d/etc/acls:cache_secs=300
I do not use global ACLs, but mailbox-specific ones:
acl: vfile::cache_secs=300
Then one adds the ACLs to .dovecot-acl files located in each mailbox. Or issue a SETACL as owner.
Bye,
Steffen Kaiser
Am 14.08.2009 um 10:54 schrieb Steffen Kaiser:
> On Thu, 13 Aug 2009, Thomas Leuxner wrote:
>> plugin: acl: vfile:/var/vmail/%d/etc/acls:cache_secs=300
> I do not use global ACLs, but mailbox-specific ones:
> acl: vfile::cache_secs=300
> Then one adds the ACLs to .dovecot-acl files located in each mailbox. Or issue a SETACL as owner.
Right, the dovecot-acl however does not get evaluated in my Public/
namespace root. I want to assign rights to users creating new mailboxes.