ACL group vs. owner question
A hopefully simple question regarding the use of ACLs - the spirit being to take away most permissions first and then add them back selectively:
In the global ACL declaration I have:
- owner lr
- group=SYS lrwstipekxa
The owner is put into the SYS group via userdb extra field in static passwd file ("archiv" is a system user, but pam is disabled for the server):
archiv:::::::userdb_acl_groups=SYS
Still, the group permissions do not get applied:
root@host:/etc/dovecot# doveadm -D acl debug -u archiv INBOX
[…]
doveadm(archiv): Debug: Added userdb setting: plugin/acl_groups=SYS
doveadm(archiv): Debug: Effective uid=1002, gid=1001, home=/home/archiv
doveadm(archiv): Debug: acl: No acl_shared_dict setting - shared mailbox listing is disabled
doveadm(archiv): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir
doveadm(archiv): Debug: maildir++: root=/home/archiv/Maildir, index=, indexpvt=, control=, inbox=/home/archiv/Maildir, alt=
doveadm(archiv): Debug: acl: initializing backend with data: vfile:/etc/dovecot/dovecot-acl
doveadm(archiv): Debug: acl: acl username = archiv
doveadm(archiv): Debug: acl: owner = 1
doveadm(archiv): Debug: acl vfile: Global ACL file: /etc/dovecot/dovecot-acl
doveadm(archiv): Info: Mailbox 'INBOX' is in namespace ''
doveadm(archiv): Info: Mailbox path: /home/archiv/Maildir
doveadm(archiv): Info: All message flags are shared across users in mailbox
doveadm(archiv): Debug: acl vfile: file /home/archiv/Maildir/dovecot-acl not found
doveadm(archiv): Info: User archiv has rights: lookup read
doveadm(archiv): Info: Mailbox in user's private namespace
doveadm(archiv): Info: Mailbox INBOX is visible in LIST
My question: Shouldn't this work? (In a stock setup.)
PS: when I add "* group-override=SYS" to /etc/dovecot/dovecot-acl the user will not even be able to list INBOX.
PPS: As an aside, the setup also switches any system or /virtual/ users during login in local.conf:
userdb {
  driver = static
  args = uid=archiv gid=archiv home=/home/archiv user=archiv
}
but I get the above result without that switching when I make it read:
userdb {
  driver = static
  args = home=/home/archiv
}
So I suppose that it's not relevant in this case…
Thank you in advance
-- peter
- Peter Chiochetti <pch@myzel.net> 2014.06.22 14:48:
- owner lr
- group=SYS lrwstipekxa
doveadm(archiv): Info: User archiv has rights: lookup read
What version is this? There used to be a bug in versions before 2.2.13 where only the first matching ACL line was applied. From the looks this could be the case here as only 'lr' is applied.
http://hg.dovecot.org/dovecot-2.2/rev/7a08a481c133
Regards Thomas
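Thomas's diagnosis, illustrated as an added example that is not part of the thread: a small Python model of how Dovecot-style global ACL lines merge into one user's rights, with a switch that reproduces the first-match-only behaviour he describes. The rights letters are Dovecot's; the merge rule (union of all matching lines, a '-' prefix removes rights) and the identifiers handled are assumptions of this model, and group-override is not modelled.

```python
# Added example, not from the thread: a model of how '<identifier> <rights>'
# ACL lines combine for one user. Rights letters are Dovecot's; the union /
# negative-prefix merge rule is an assumption of this model (no group-override).
RIGHT_NAMES = {                                   # letter -> name as doveadm prints it
    "l": "lookup", "r": "read", "w": "write", "s": "write-seen",
    "t": "write-deleted", "i": "insert", "p": "post", "e": "expunge",
    "k": "create", "x": "delete", "a": "admin",
}

def parse_acl(text):
    """Parse ACL lines; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ident, _, rights = line.partition(" ")
        rights = rights.strip()
        unknown = set(rights) - set(RIGHT_NAMES)
        if unknown:
            raise ValueError(f"unknown right(s) {sorted(unknown)} in {raw!r}")
        entries.append((ident, rights))
    return entries

def matches(ident, user, groups, is_owner):
    """Does one identifier apply to the user being evaluated?"""
    kind, _, value = ident.partition("=")
    if kind in ("anyone", "authenticated"):  # constructed: every evaluated user is logged in
        return True
    if kind == "owner":
        return is_owner
    return (kind == "user" and value == user) or (kind == "group" and value in groups)

def effective_rights(entries, user, groups, is_owner, first_match_only=False):
    """Merge matching entries. first_match_only=True reproduces the pre-2.2.13
    bug the thread mentions, where only the first matching line counted."""
    granted = set()
    for ident, rights in entries:
        negative = ident.startswith("-")
        if not matches(ident.lstrip("-"), user, groups, is_owner):
            continue
        granted = granted - set(rights) if negative else granted | set(rights)
        if first_match_only:
            break
    return [name for letter, name in RIGHT_NAMES.items() if letter in granted]

# Constructed input mirroring the two lines from the thread's global ACL
GLOBAL_ACL = "owner lr\ngroup=SYS lrwstipekxa\n"
```

With the merge rule, the owner in group SYS ends up with all eleven rights; with first_match_only=True the result is exactly the "lookup read" seen in the debug output.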
Am 2014-06-22 15:09, schrieb Thomas Leuxner:
- Peter Chiochetti <pch@myzel.net> 2014.06.22 14:48:
- owner lr
- group=SYS lrwstipekxa
doveadm(archiv): Info: User archiv has rights: lookup read
What version is this? There used to be a bug in versions before 2.2.13 where only the first matching ACL line was applied. From the looks this could be the case here as only 'lr' is applied.
Thomas, thank you for your interest. This is with 2.2.13, after the mentioned bug was corrected.
As nobody seems to know whether this should work in stock dovecot, I guess I will have to take out all my config and try myself :(
-- peter