Regression ACL & namespace prefix
Hi
tl;dr: Seems that for Global ACL directory, namespace prefix is not part of the path, when looking for acl file.
Long version:
We're planning to update dovecot in next os update to 2.2.36 and while going through regression testing, we found a problem with ACL configuration combined with namespace.
Test uses "Global ACL directory" configuration.
Relevant configuration part: mail_location = maildir:~/Maildir
namespace inbox { hidden = no inbox = yes list = yes location = prefix = separator = / } namespace { hidden = no list = yes location = maildir:/var/mail/pub prefix = pub/ separator = / type = public }
mail_plugins = acl
protocol imap { mail_plugins = $mail_plugins acl imap_acl } plugin { acl = vfile:/etc/dovecot/global-acls }
ACL config file is stored at: /etc/dovecot/global-acls/pub/.DEFAULT
when trying to examine "pub", it is denied: fetchmail: IMAP> A0005 EXAMINE "pub" fetchmail: IMAP< A0005 NO Mailbox doesn't exist: pub (0.001 + 0.000 secs).
# doveadm acl debug -u d2 pub doveadm(d2): Info: Mailbox '' is in namespace 'pub/' doveadm(d2): Info: Mailbox path: /var/mail/pub doveadm(d2): Info: All message flags are shared across users in mailbox doveadm(d2): Info: User d2 has no rights for mailbox doveadm(d2): Error: User d2 is missing 'lookup' right doveadm(d2): Info: Mailbox pub is NOT visible in LIST
because it did not find acl file: imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt= imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls imap(d2): Debug: acl: acl username = d2 imap(d2): Debug: acl: owner = 0 imap(d2): Debug: acl vfile: Global ACL legacy directory: /etc/dovecot/global-acls imap(d2): Debug: pub: Mailbox opened because: EXAMINE imap(d2): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
see it's looking for: /etc/dovecot/global-acls//.DEFAULT instead of /etc/dovecot/global-acls/pub/.DEFAULT
Checking with documentation https://wiki.dovecot.org/ACL it seems that prefix should still be part of the path, as it was before: """The filenames must start with namespace prefix (if it has one). For example with namespace prefix=INBOX/ containing mailbox "foo" use /etc/dovecot/acls/INBOX/foo."""
Just for comparison, previous version (2.2.10) would work fine: imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt= imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls imap(d2): Debug: acl: acl username = d2 imap(d2): Debug: acl: owner = 0 imap(d2): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls imap(d2): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/.DEFAULT imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
I've localized problem to: src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...) and change from:
vname = mailbox_list_get_vname(_backend->list, name);
to:
vname = *name == '\0' ? "" : mailbox_list_get_vname(_backend->list, name);
that happened quite time ago during bigger acl changes and I don't know why exactly this line was changed previously. Anyway, reverting this line alone fixes the problem and while testing both per-mailbox ACL vfile and Global ACL file, reverting this did not affect them.
Hi, any progress with this issue? Do you need more information to debug and fix this?
Cheers Michal Hlavinka
On 9/18/18 4:10 PM, Michal Hlavinka wrote:
Hi
tl;dr: Seems that for Global ACL directory, namespace prefix is not part of the path, when looking for acl file.
Long version:
We're planning to update dovecot in next os update to 2.2.36 and while going through regression testing, we found a problem with ACL configuration combined with namespace.
Test uses "Global ACL directory" configuration.
Relevant configuration part: mail_location = maildir:~/Maildir
namespace inbox { hidden = no inbox = yes list = yes location = prefix = separator = / } namespace { hidden = no list = yes location = maildir:/var/mail/pub prefix = pub/ separator = / type = public }
mail_plugins = acl
protocol imap { mail_plugins = $mail_plugins acl imap_acl } plugin { acl = vfile:/etc/dovecot/global-acls }
ACL config file is stored at: /etc/dovecot/global-acls/pub/.DEFAULT
when trying to examine "pub", it is denied: fetchmail: IMAP> A0005 EXAMINE "pub" fetchmail: IMAP< A0005 NO Mailbox doesn't exist: pub (0.001 + 0.000 secs).
# doveadm acl debug -u d2 pub doveadm(d2): Info: Mailbox '' is in namespace 'pub/' doveadm(d2): Info: Mailbox path: /var/mail/pub doveadm(d2): Info: All message flags are shared across users in mailbox doveadm(d2): Info: User d2 has no rights for mailbox doveadm(d2): Error: User d2 is missing 'lookup' right doveadm(d2): Info: Mailbox pub is NOT visible in LIST
because it did not find acl file: imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt= imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls imap(d2): Debug: acl: acl username = d2 imap(d2): Debug: acl: owner = 0 imap(d2): Debug: acl vfile: Global ACL legacy directory: /etc/dovecot/global-acls imap(d2): Debug: pub: Mailbox opened because: EXAMINE imap(d2): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
see it's looking for: /etc/dovecot/global-acls//.DEFAULT instead of /etc/dovecot/global-acls/pub/.DEFAULT
Checking with documentation https://wiki.dovecot.org/ACL it seems that prefix should still be part of the path, as it was before: """The filenames must start with namespace prefix (if it has one). For example with namespace prefix=INBOX/ containing mailbox "foo" use /etc/dovecot/acls/INBOX/foo."""
Just for comparison, previous version (2.2.10) would work fine: imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt= imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls imap(d2): Debug: acl: acl username = d2 imap(d2): Debug: acl: owner = 0 imap(d2): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls imap(d2): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/.DEFAULT imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
I've localized problem to: src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...) and change from:
vname = mailbox_list_get_vname(_backend->list, name);
to:
vname = *name == '\0' ? "" : mailbox_list_get_vname(_backend->list, name);
that happened quite time ago during bigger acl changes and I don't know why exactly this line was changed previously. Anyway, reverting this line alone fixes the problem and while testing both per-mailbox ACL vfile and Global ACL file, reverting this did not affect them.
Sorry, we have not yet been able to look into this..
It's now in our internal system as DOP-966
Aki
On 7 March 2019 17:31 Michal Hlavinka via dovecot <dovecot@dovecot.org> wrote:
Hi, any progress with this issue? Do you need more information to debug and fix this?
Cheers Michal Hlavinka
On 9/18/18 4:10 PM, Michal Hlavinka wrote:
Hi
tl;dr: Seems that for Global ACL directory, namespace prefix is not part of the path, when looking for acl file.
Long version:
We're planning to update dovecot in next os update to 2.2.36 and while going through regression testing, we found a problem with ACL configuration combined with namespace.
Test uses "Global ACL directory" configuration.
Relevant configuration part: mail_location = maildir:~/Maildir
namespace inbox { hidden = no inbox = yes list = yes location = prefix = separator = / } namespace { hidden = no list = yes location = maildir:/var/mail/pub prefix = pub/ separator = / type = public }
mail_plugins = acl
protocol imap { mail_plugins = $mail_plugins acl imap_acl } plugin { acl = vfile:/etc/dovecot/global-acls }
ACL config file is stored at: /etc/dovecot/global-acls/pub/.DEFAULT
when trying to examine "pub", it is denied: fetchmail: IMAP> A0005 EXAMINE "pub" fetchmail: IMAP< A0005 NO Mailbox doesn't exist: pub (0.001 + 0.000 secs).
# doveadm acl debug -u d2 pub doveadm(d2): Info: Mailbox '' is in namespace 'pub/' doveadm(d2): Info: Mailbox path: /var/mail/pub doveadm(d2): Info: All message flags are shared across users in mailbox doveadm(d2): Info: User d2 has no rights for mailbox doveadm(d2): Error: User d2 is missing 'lookup' right doveadm(d2): Info: Mailbox pub is NOT visible in LIST
because it did not find acl file: imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt= imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls imap(d2): Debug: acl: acl username = d2 imap(d2): Debug: acl: owner = 0 imap(d2): Debug: acl vfile: Global ACL legacy directory: /etc/dovecot/global-acls imap(d2): Debug: pub: Mailbox opened because: EXAMINE imap(d2): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
see it's looking for: /etc/dovecot/global-acls//.DEFAULT instead of /etc/dovecot/global-acls/pub/.DEFAULT
Checking with documentation https://wiki.dovecot.org/ACL it seems that prefix should still be part of the path, as it was before: """The filenames must start with namespace prefix (if it has one). For example with namespace prefix=INBOX/ containing mailbox "foo" use /etc/dovecot/acls/INBOX/foo."""
Just for comparison, previous version (2.2.10) would work fine: imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt= imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls imap(d2): Debug: acl: acl username = d2 imap(d2): Debug: acl: owner = 0 imap(d2): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls imap(d2): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/.DEFAULT imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
I've localized problem to: src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...) and change from:
vname = mailbox_list_get_vname(_backend->list, name);
to:
vname = *name == '\0' ? "" : mailbox_list_get_vname(_backend->list, name);
that happened quite time ago during bigger acl changes and I don't know why exactly this line was changed previously. Anyway, reverting this line alone fixes the problem and while testing both per-mailbox ACL vfile and Global ACL file, reverting this did not affect them.
I tested with release 2.3.5, and
doveadm -Dv acl debug -u testuser pub doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/pub/INBOX not found doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/INBOX/dbox-Mails/dovecot-acl not found doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/ not found doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/dovecot-acl not found
so our advice is to upgrade into 2.3.5, as 2.2.36 is no longer in development.
Aki
On 7 March 2019 19:47 Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:
Sorry, we have not yet been able to look into this..
It's now in our internal system as DOP-966
Aki
On 7 March 2019 17:31 Michal Hlavinka via dovecot <dovecot@dovecot.org> wrote:
Hi, any progress with this issue? Do you need more information to debug and fix this?
Cheers Michal Hlavinka
On 9/18/18 4:10 PM, Michal Hlavinka wrote:
Hi
tl;dr: Seems that for Global ACL directory, namespace prefix is not part of the path, when looking for acl file.
Long version:
We're planning to update dovecot in next os update to 2.2.36 and while going through regression testing, we found a problem with ACL configuration combined with namespace.
Test uses "Global ACL directory" configuration.
Relevant configuration part: mail_location = maildir:~/Maildir
namespace inbox { hidden = no inbox = yes list = yes location = prefix = separator = / } namespace { hidden = no list = yes location = maildir:/var/mail/pub prefix = pub/ separator = / type = public }
mail_plugins = acl
protocol imap { mail_plugins = $mail_plugins acl imap_acl } plugin { acl = vfile:/etc/dovecot/global-acls }
ACL config file is stored at: /etc/dovecot/global-acls/pub/.DEFAULT
when trying to examine "pub", it is denied: fetchmail: IMAP> A0005 EXAMINE "pub" fetchmail: IMAP< A0005 NO Mailbox doesn't exist: pub (0.001 + 0.000 secs).
# doveadm acl debug -u d2 pub doveadm(d2): Info: Mailbox '' is in namespace 'pub/' doveadm(d2): Info: Mailbox path: /var/mail/pub doveadm(d2): Info: All message flags are shared across users in mailbox doveadm(d2): Info: User d2 has no rights for mailbox doveadm(d2): Error: User d2 is missing 'lookup' right doveadm(d2): Info: Mailbox pub is NOT visible in LIST
because it did not find acl file: imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt= imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls imap(d2): Debug: acl: acl username = d2 imap(d2): Debug: acl: owner = 0 imap(d2): Debug: acl vfile: Global ACL legacy directory: /etc/dovecot/global-acls imap(d2): Debug: pub: Mailbox opened because: EXAMINE imap(d2): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
see it's looking for: /etc/dovecot/global-acls//.DEFAULT instead of /etc/dovecot/global-acls/pub/.DEFAULT
Checking with documentation https://wiki.dovecot.org/ACL it seems that prefix should still be part of the path, as it was before: """The filenames must start with namespace prefix (if it has one). For example with namespace prefix=INBOX/ containing mailbox "foo" use /etc/dovecot/acls/INBOX/foo."""
Just for comparison, previous version (2.2.10) would work fine: imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt= imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls imap(d2): Debug: acl: acl username = d2 imap(d2): Debug: acl: owner = 0 imap(d2): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls imap(d2): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/.DEFAULT imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
I've localized problem to: src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...) and change from:
vname = mailbox_list_get_vname(_backend->list, name);
to:
vname = *name == '\0' ? "" : mailbox_list_get_vname(_backend->list, name);
that happened quite time ago during bigger acl changes and I don't know why exactly this line was changed previously. Anyway, reverting this line alone fixes the problem and while testing both per-mailbox ACL vfile and Global ACL file, reverting this did not affect them.
Hi,
thanks for the answer. I think your environment was not set up correctly to reproduce this bug. I've retested with 2.3.5 and I can still reproduce it. I've attached a script that will configure everything for testing and if you have a virtual machine available, you can use it directly (it expects linux with systemd for dovecot restart).
relevant section from config: namespace { hidden = no list = yes location = maildir:/var/mail/pub prefix = pub/ separator = / type = public }
this expects maildir directly in pub: /var/mail/pub/cur /var/mail/pub/new /var/mail/pub/tmp
as it uses '/' separator and there could be subfolders, it should look for .DEFAULT file in global acls directory which it does not in your debug output
doveadm(testuser): Info: Mailbox '' is in namespace 'pub/' doveadm(testuser): Info: All message flags are shared across users in mailbox doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found doveadm(testuser): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found doveadm(testuser): Info: User testuser has no rights for mailbox doveadm(testuser): Error: User testuser is missing 'lookup' right doveadm(testuser): Info: Mailbox pub is NOT visible in LIST
in this output see that it checks this location: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found
instead of
/etc/dovecot/global-acls/pub/.DEFAULT
this is caused by line in src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...)
vname = *name == '\0' ? "" : mailbox_list_get_vname(_backend->list, name);
and because name is empty, it will not use the "pub" prefix in the path. If I'd test acl for "pub/subfolder" that condition would have different result and bug would not trigger:
doveadm(testuser): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/subfolder/.DEFAULT
For testing I use this acl configuration: cat /etc/dovecot/global-acls/pub/.DEFAULT user=testuser l
but as this acl file location is not found by dovecot, content should not matter.
Cheers, Michal Hlavinka
On 3/7/19 7:00 PM, Aki Tuomi via dovecot wrote:
I tested with release 2.3.5, and
doveadm -Dv acl debug -u testuser pub doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/pub/INBOX not found doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/INBOX/dbox-Mails/dovecot-acl not found doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/ not found doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/dovecot-acl not found
so our advice is to upgrade into 2.3.5, as 2.2.36 is no longer in development.
Aki
On 7 March 2019 19:47 Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:
Sorry, we have not yet been able to look into this..
It's now in our internal system as DOP-966
Aki
On 7 March 2019 17:31 Michal Hlavinka via dovecot <dovecot@dovecot.org> wrote:
Hi, any progress with this issue? Do you need more information to debug and fix this?
Cheers Michal Hlavinka
On 9/18/18 4:10 PM, Michal Hlavinka wrote:
Hi
tl;dr: Seems that for Global ACL directory, namespace prefix is not part of the path, when looking for acl file.
Long version:
We're planning to update dovecot in next os update to 2.2.36 and while going through regression testing, we found a problem with ACL configuration combined with namespace.
Test uses "Global ACL directory" configuration.
Relevant configuration part: mail_location = maildir:~/Maildir
namespace inbox { hidden = no inbox = yes list = yes location = prefix = separator = / } namespace { hidden = no list = yes location = maildir:/var/mail/pub prefix = pub/ separator = / type = public }
mail_plugins = acl
protocol imap { mail_plugins = $mail_plugins acl imap_acl } plugin { acl = vfile:/etc/dovecot/global-acls }
ACL config file is stored at: /etc/dovecot/global-acls/pub/.DEFAULT
when trying to examine "pub", it is denied: fetchmail: IMAP> A0005 EXAMINE "pub" fetchmail: IMAP< A0005 NO Mailbox doesn't exist: pub (0.001 + 0.000 secs).
# doveadm acl debug -u d2 pub doveadm(d2): Info: Mailbox '' is in namespace 'pub/' doveadm(d2): Info: Mailbox path: /var/mail/pub doveadm(d2): Info: All message flags are shared across users in mailbox doveadm(d2): Info: User d2 has no rights for mailbox doveadm(d2): Error: User d2 is missing 'lookup' right doveadm(d2): Info: Mailbox pub is NOT visible in LIST
because it did not find acl file: imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt= imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls imap(d2): Debug: acl: acl username = d2 imap(d2): Debug: acl: owner = 0 imap(d2): Debug: acl vfile: Global ACL legacy directory: /etc/dovecot/global-acls imap(d2): Debug: pub: Mailbox opened because: EXAMINE imap(d2): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
see it's looking for: /etc/dovecot/global-acls//.DEFAULT instead of /etc/dovecot/global-acls/pub/.DEFAULT
Checking with documentation https://wiki.dovecot.org/ACL it seems that prefix should still be part of the path, as it was before: """The filenames must start with namespace prefix (if it has one). For example with namespace prefix=INBOX/ containing mailbox "foo" use /etc/dovecot/acls/INBOX/foo."""
Just for comparison, previous version (2.2.10) would work fine: imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt= imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls imap(d2): Debug: acl: acl username = d2 imap(d2): Debug: acl: owner = 0 imap(d2): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls imap(d2): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/.DEFAULT imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
I've localized problem to: src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...) and change from:
vname = mailbox_list_get_vname(_backend->list, name);
to:
vname = *name == '\0' ? "" : mailbox_list_get_vname(_backend->list, name);
that happened quite time ago during bigger acl changes and I don't know why exactly this line was changed previously. Anyway, reverting this line alone fixes the problem and while testing both per-mailbox ACL vfile and Global ACL file, reverting this did not affect them.
Hi,
were you able to reproduce this problem? Do you need more information to reproduce this? Cheers, Michal Hlavinka
On 3/12/19 3:29 PM, Michal Hlavinka wrote:
Hi,
thanks for the answer. I think your environment was not set up correctly to reproduce this bug. I've retested with 2.3.5 and I can still reproduce it. I've attached a script that will configure everything for testing and if you have a virtual machine available, you can use it directly (it expects linux with systemd for dovecot restart).
relevant section from config: namespace { hidden = no list = yes location = maildir:/var/mail/pub prefix = pub/ separator = / type = public }
this expects maildir directly in pub: /var/mail/pub/cur /var/mail/pub/new /var/mail/pub/tmp
as it uses '/' separator and there could be subfolders, it should look for .DEFAULT file in global acls directory which it does not in your debug output
doveadm(testuser): Info: Mailbox '' is in namespace 'pub/' doveadm(testuser): Info: All message flags are shared across users in mailbox doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found doveadm(testuser): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found doveadm(testuser): Info: User testuser has no rights for mailbox doveadm(testuser): Error: User testuser is missing 'lookup' right doveadm(testuser): Info: Mailbox pub is NOT visible in LIST
in this output see that it checks this location: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found
instead of
/etc/dovecot/global-acls/pub/.DEFAULT
this is caused by line in src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...)
vname = *name == '\0' ? "" : mailbox_list_get_vname(_backend->list, name);
and because name is empty, it will not use the "pub" prefix in the path. If I'd test acl for "pub/subfolder" that condition would have different result and bug would not trigger:
doveadm(testuser): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/subfolder/.DEFAULT
For testing I use this acl configuration: cat /etc/dovecot/global-acls/pub/.DEFAULT user=testuser l
but as this acl file location is not found by dovecot, content should not matter.
Cheers, Michal Hlavinka
On 3/7/19 7:00 PM, Aki Tuomi via dovecot wrote:
I tested with release 2.3.5, and
doveadm -Dv acl debug -u testuser pub doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/pub/INBOX not found doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/INBOX/dbox-Mails/dovecot-acl not found doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/ not found doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/dovecot-acl not found
so our advice is to upgrade into 2.3.5, as 2.2.36 is no longer in development.
Aki
On 7 March 2019 19:47 Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:
Sorry, we have not yet been able to look into this..
It's now in our internal system as DOP-966
Aki
On 7 March 2019 17:31 Michal Hlavinka via dovecot <dovecot@dovecot.org> wrote:
Hi, any progress with this issue? Do you need more information to debug and fix this?
Cheers Michal Hlavinka
On 9/18/18 4:10 PM, Michal Hlavinka wrote:
Hi
tl;dr: Seems that for Global ACL directory, namespace prefix is not part of the path, when looking for acl file.
Long version:
We're planning to update dovecot in next os update to 2.2.36 and while going through regression testing, we found a problem with ACL configuration combined with namespace.
Test uses "Global ACL directory" configuration.
Relevant configuration part: mail_location = maildir:~/Maildir
namespace inbox { hidden = no inbox = yes list = yes location = prefix = separator = / } namespace { hidden = no list = yes location = maildir:/var/mail/pub prefix = pub/ separator = / type = public }
mail_plugins = acl
protocol imap { mail_plugins = $mail_plugins acl imap_acl } plugin { acl = vfile:/etc/dovecot/global-acls }
ACL config file is stored at: /etc/dovecot/global-acls/pub/.DEFAULT
when trying to examine "pub", it is denied: fetchmail: IMAP> A0005 EXAMINE "pub" fetchmail: IMAP< A0005 NO Mailbox doesn't exist: pub (0.001 + 0.000 secs).
# doveadm acl debug -u d2 pub doveadm(d2): Info: Mailbox '' is in namespace 'pub/' doveadm(d2): Info: Mailbox path: /var/mail/pub doveadm(d2): Info: All message flags are shared across users in mailbox doveadm(d2): Info: User d2 has no rights for mailbox doveadm(d2): Error: User d2 is missing 'lookup' right doveadm(d2): Info: Mailbox pub is NOT visible in LIST
because it did not find acl file: imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt= imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls imap(d2): Debug: acl: acl username = d2 imap(d2): Debug: acl: owner = 0 imap(d2): Debug: acl vfile: Global ACL legacy directory: /etc/dovecot/global-acls imap(d2): Debug: pub: Mailbox opened because: EXAMINE imap(d2): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
see it's looking for: /etc/dovecot/global-acls//.DEFAULT instead of /etc/dovecot/global-acls/pub/.DEFAULT
Checking with documentation https://wiki.dovecot.org/ACL it seems that prefix should still be part of the path, as it was before: """The filenames must start with namespace prefix (if it has one). For example with namespace prefix=INBOX/ containing mailbox "foo" use /etc/dovecot/acls/INBOX/foo."""
Just for comparison, previous version (2.2.10) would work fine: imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt= imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls imap(d2): Debug: acl: acl username = d2 imap(d2): Debug: acl: owner = 0 imap(d2): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls imap(d2): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/.DEFAULT imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
I've localized problem to: src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...) and change from:
vname = mailbox_list_get_vname(_backend->list, name);
to:
vname = *name == '\0' ? "" : mailbox_list_get_vname(_backend->list, name);
that happened quite time ago during bigger acl changes and I don't know why exactly this line was changed previously. Anyway, reverting this line alone fixes the problem and while testing both per-mailbox ACL vfile and Global ACL file, reverting this did not affect them.
On 18 Sep 2018, at 17.10, Michal Hlavinka <mhlavink@redhat.com> wrote:
Seems that for Global ACL directory, namespace prefix is not part of the path, when looking for acl file.
Is there a reason you're using ACL directory instead of ACL file? I've rather been thinking about removing code for ACL directories entirely at some point.
On 3/12/19 10:18 PM, Timo Sirainen via dovecot wrote:
On 18 Sep 2018, at 17.10, Michal Hlavinka <mhlavink@redhat.com <mailto:mhlavink@redhat.com>> wrote:
Seems that for Global ACL directory, namespace prefix is not part of the path, when looking for acl file.
Is there a reason you're using ACL directory instead of ACL file? I've rather been thinking about removing code for ACL directories entirely at some point.
The main reason is "if it works, don't touch it". Which includes zero admin time required, no downtime required and benefit of long time verified configuration.
We did some tests before updating dovecot in distribution, as users like to deploy and forget, as any attention required (whatever reason) is disruptive and takes time that could be used elsewhere.
We found this issue when running regression tests for other components that use dovecot in their testing environment which means that we would have to rewrite other tests too. Which is in fact just a reiteration of the first paragraph.
Cheers, Michal Hlavinka
participants (3)
-
Aki Tuomi
-
Michal Hlavinka
-
Timo Sirainen