Regression ACL & namespace prefix
Hi
tl;dr: It seems that for the Global ACL directory, the namespace prefix is not part of the path when looking for the ACL file.
Long version:
We're planning to update Dovecot to 2.2.36 in the next OS update, and while going through regression testing we found a problem with the ACL configuration combined with a namespace.
The test uses the "Global ACL directory" configuration.
Relevant configuration part:

mail_location = maildir:~/Maildir

namespace inbox {
  hidden = no
  inbox = yes
  list = yes
  location =
  prefix =
  separator = /
}
namespace {
  hidden = no
  list = yes
  location = maildir:/var/mail/pub
  prefix = pub/
  separator = /
  type = public
}

mail_plugins = acl

protocol imap {
  mail_plugins = $mail_plugins acl imap_acl
}
plugin {
  acl = vfile:/etc/dovecot/global-acls
}
The ACL config file is stored at: /etc/dovecot/global-acls/pub/.DEFAULT
When trying to EXAMINE "pub", it is denied:

fetchmail: IMAP> A0005 EXAMINE "pub"
fetchmail: IMAP< A0005 NO Mailbox doesn't exist: pub (0.001 + 0.000 secs)

# doveadm acl debug -u d2 pub
doveadm(d2): Info: Mailbox '' is in namespace 'pub/'
doveadm(d2): Info: Mailbox path: /var/mail/pub
doveadm(d2): Info: All message flags are shared across users in mailbox
doveadm(d2): Info: User d2 has no rights for mailbox
doveadm(d2): Error: User d2 is missing 'lookup' right
doveadm(d2): Info: Mailbox pub is NOT visible in LIST

because it did not find the ACL file:

imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub
imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt=
imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls
imap(d2): Debug: acl: acl username = d2
imap(d2): Debug: acl: owner = 0
imap(d2): Debug: acl vfile: Global ACL legacy directory: /etc/dovecot/global-acls
imap(d2): Debug: pub: Mailbox opened because: EXAMINE
imap(d2): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found
imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
See, it's looking for /etc/dovecot/global-acls//.DEFAULT instead of /etc/dovecot/global-acls/pub/.DEFAULT.
Checking the documentation at https://wiki.dovecot.org/ACL, it seems that the prefix should still be part of the path, as it was before: """The filenames must start with namespace prefix (if it has one). For example with namespace prefix=INBOX/ containing mailbox "foo" use /etc/dovecot/acls/INBOX/foo."""
Just for comparison, the previous version (2.2.10) works fine:

imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub
imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt=
imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls
imap(d2): Debug: acl: acl username = d2
imap(d2): Debug: acl: owner = 0
imap(d2): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls
imap(d2): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/.DEFAULT
imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
I've localized the problem to src/plugins/acl/acl-backend-vfile.c, acl_backend_vfile_object_init(...), and the change from:

vname = mailbox_list_get_vname(_backend->list, name);

to:

vname = *name == '\0' ? "" : mailbox_list_get_vname(_backend->list, name);

That happened quite some time ago during bigger ACL changes, and I don't know exactly why this line was changed. Anyway, reverting this line alone fixes the problem, and while testing both the per-mailbox ACL vfile and the Global ACL file, reverting it did not affect them.
Hi, any progress with this issue? Do you need more information to debug and fix this?
Cheers, Michal Hlavinka
On 9/18/18 4:10 PM, Michal Hlavinka wrote:
Sorry, we have not yet been able to look into this.
It's now in our internal system as DOP-966
Aki
On 7 March 2019 17:31 Michal Hlavinka via dovecot dovecot@dovecot.org wrote:
I tested with release 2.3.5, and

doveadm -Dv acl debug -u testuser pub
doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/pub/INBOX not found
doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/INBOX/dbox-Mails/dovecot-acl not found
doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/ not found
doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/dovecot-acl not found

so our advice is to upgrade to 2.3.5, as 2.2.36 is no longer in development.
Aki
On 7 March 2019 19:47 Aki Tuomi via dovecot dovecot@dovecot.org wrote:
Hi,
thanks for the answer. I think your environment was not set up correctly to reproduce this bug. I've retested with 2.3.5 and I can still reproduce it. I've attached a script that will configure everything for testing; if you have a virtual machine available, you can use it directly (it expects Linux with systemd for the Dovecot restart).
Relevant section from the config:

namespace {
  hidden = no
  list = yes
  location = maildir:/var/mail/pub
  prefix = pub/
  separator = /
  type = public
}

This expects the maildir directly in pub:

/var/mail/pub/cur
/var/mail/pub/new
/var/mail/pub/tmp

As it uses the '/' separator and there could be subfolders, it should look for the .DEFAULT file in the global ACLs directory, which it does not do in your debug output:

doveadm(testuser): Info: Mailbox '' is in namespace 'pub/'
doveadm(testuser): Info: All message flags are shared across users in mailbox
doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found
doveadm(testuser): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
doveadm(testuser): Info: User testuser has no rights for mailbox
doveadm(testuser): Error: User testuser is missing 'lookup' right
doveadm(testuser): Info: Mailbox pub is NOT visible in LIST
In this output, see that it checks this location: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found
instead of
/etc/dovecot/global-acls/pub/.DEFAULT
This is caused by this line in src/plugins/acl/acl-backend-vfile.c, acl_backend_vfile_object_init(...):

vname = *name == '\0' ? "" : mailbox_list_get_vname(_backend->list, name);

Because name is empty, it will not use the "pub" prefix in the path. If I tested the ACL for "pub/subfolder", that condition would give a different result and the bug would not trigger:
doveadm(testuser): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/subfolder/.DEFAULT
For testing I use this ACL configuration:

cat /etc/dovecot/global-acls/pub/.DEFAULT
user=testuser l

But as this ACL file location is not found by Dovecot, its content should not matter.
Cheers, Michal Hlavinka
On 3/7/19 7:00 PM, Aki Tuomi via dovecot wrote:
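The path derivation Michal describes above (and in the original report) can be checked without a Dovecot install. The following is an added example, not Dovecot's code: a simplified Python model of how the vfile backend's vname feeds the Global ACL directory lookup, comparing the changed line with the reverted one, plus a check that flags the tell-tale double slash in `acl vfile: ... not found` debug lines. Names such as `get_vname`, `Namespace` and `compare_lookups` are this example's own, and the `.DEFAULT` lookup is taken from the debug output quoted in the thread.

```python
"""Model of the Dovecot vfile Global-ACL-directory path lookup discussed
in this thread. Constructed example; not Dovecot's implementation."""

import re
from dataclasses import dataclass

# From the thread's plugin { acl = vfile:/etc/dovecot/global-acls } setting.
GLOBAL_ACL_DIR = "/etc/dovecot/global-acls"


@dataclass(frozen=True)
class Namespace:
    prefix: str     # "pub/" for the public namespace, "" for the inbox one
    separator: str  # "/" in the quoted configuration


PUB = Namespace(prefix="pub/", separator="/")


def get_vname(ns: Namespace, name: str) -> str:
    """Simplified stand-in for mailbox_list_get_vname(): namespace prefix plus
    the storage name. For the namespace root (name == "") the client-visible
    name is the prefix without its trailing separator, i.e. "pub"."""
    if name == "":
        return ns.prefix.rstrip(ns.separator)
    return ns.prefix + name


def vname_changed(ns: Namespace, name: str) -> str:
    """The line reported as the cause:
    vname = *name == '\\0' ? "" : mailbox_list_get_vname(...);
    An empty storage name yields an empty vname, so the prefix is lost."""
    return "" if name == "" else get_vname(ns, name)


def vname_reverted(ns: Namespace, name: str) -> str:
    """The earlier (2.2.10) behaviour: always derive vname from the list."""
    return get_vname(ns, name)


def global_default_acl_path(vname: str, global_dir: str = GLOBAL_ACL_DIR) -> str:
    """Where the Global ACL directory backend looks for the per-directory
    default ACL, as the debug lines show: <dir>/<vname>/.DEFAULT."""
    return f"{global_dir}/{vname}/.DEFAULT"


def compare_lookups(ns: Namespace, names):
    """Return {storage name: (changed path, reverted path)} for every name
    on which the two variants disagree. Empty dict means no regression."""
    diffs = {}
    for name in names:
        changed = global_default_acl_path(vname_changed(ns, name))
        reverted = global_default_acl_path(vname_reverted(ns, name))
        if changed != reverted:
            diffs[name] = (changed, reverted)
    return diffs


# Detection side: spot the symptom in imap/doveadm debug output.
NOT_FOUND_RE = re.compile(r"acl vfile: file (\S+) not found")


def find_prefixless_lookups(log_lines):
    """Return the paths of 'not found' ACL lookups that contain an empty path
    component ('//'), the signature of a dropped namespace prefix."""
    hits = []
    for line in log_lines:
        m = NOT_FOUND_RE.search(line)
        if m and "//" in m.group(1):
            hits.append(m.group(1))
    return hits


# Constructed sample: the debug lines quoted in the thread.
SAMPLE_LOG = [
    "doveadm(testuser): Info: Mailbox '' is in namespace 'pub/'",
    "doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found",
    "doveadm(testuser): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found",
    "doveadm(testuser): Error: User testuser is missing 'lookup' right",
]

if __name__ == "__main__":
    for name, (bad, good) in compare_lookups(PUB, ["", "subfolder"]).items():
        print(f"name {name!r}: changed -> {bad}, reverted -> {good}")
    print("prefixless lookups in log:", find_prefixless_lookups(SAMPLE_LOG))
```

Only the namespace root (empty storage name) differs between the two variants; "pub/subfolder" resolves to the same .DEFAULT path either way, which is why the bug does not trigger for subfolders.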
Hi,
were you able to reproduce this problem? Do you need more information to reproduce this?
Cheers, Michal Hlavinka
On 3/12/19 3:29 PM, Michal Hlavinka wrote:
On 18 Sep 2018, at 17.10, Michal Hlavinka mhlavink@redhat.com wrote:
Seems that for Global ACL directory, namespace prefix is not part of the path, when looking for acl file.
Is there a reason you're using ACL directory instead of ACL file? I've rather been thinking about removing code for ACL directories entirely at some point.
On 3/12/19 10:18 PM, Timo Sirainen via dovecot wrote:
The main reason is "if it works, don't touch it", which includes zero admin time required, no downtime required, and the benefit of a long-verified configuration.
We did some tests before updating Dovecot in the distribution, as users like to deploy and forget; any attention required (for whatever reason) is disruptive and takes time that could be used elsewhere.
We found this issue when running regression tests for other components that use Dovecot in their testing environment, which means that we would have to rewrite other tests too. Which is in fact just a reiteration of the first paragraph.
Cheers, Michal Hlavinka
participants (3): Aki Tuomi, Michal Hlavinka, Timo Sirainen