[Dovecot] Public namespace permissions documentation/questions
Hello Timo,
In my trials to setup a shared namespace with dovecot-1.1.8/LDAP passdb/userdb (prefetch)/Maildir, I found out that :
ACL are mandatory (at least if the acl plugin is triggered in dovecot.conf)
Am I correct ? I'm still not sure if we can do without ACL at all (only with unix permissions and system_user userdb extra field).
the system_user userdb extra field is supposed to be ...the logname of the user the secondary groups of whom we want to check !
i.e. if user foobar belongs to secondary groups foogid, zgid, wgid and doveshared
uid=xxx(foobar) gid=yyy(foogid) groups=zzz(zgid),www(wgid),vvv(doveshared)
and we dovecot to take them into account, we have to make the usedb return the system_user extra field with the value foobar.
Seems obvious now and said this way, but looking at the wiki :
"system_user: If this is given, the user's groups are read from /etc/group (or wherever NSS is configured to taken them from)."I thought 'system_user' was a flag (a boolean) which, when triggered made dovecot look for the secondaries group of the user (user whose name is already known).
a) am I correct ?
b) why isn't system_user such a boolean ? Is there a case where we'd want system_user to be different than the user dovecot runs as at the moment the check takes place ?
- same idea with acl_groups : since this extra_field holds a list of groups for the ACL plugin, why not rely on the native unix groups of the system the user belong to ?
Thanks (and sorry for the 2 previous threads where I was blindly confused by the system_user thing).
-- Thomas Hummel | Institut Pasteur hummel@pasteur.fr | Pôle informatique - systèmes et réseau
On Wed, 2009-01-28 at 18:43 +0100, Thomas Hummel wrote:
Hello Timo,
In my trials to setup a shared namespace with dovecot-1.1.8/LDAP passdb/userdb (prefetch)/Maildir, I found out that :
ACL are mandatory (at least if the acl plugin is triggered in dovecot.conf)
Am I correct ? I'm still not sure if we can do without ACL at all (only with unix permissions and system_user userdb extra field).
I don't really understand. ACLs are not required if UNIX permissions are enough for you. ACLs only add extra restrictions.
the system_user userdb extra field is supposed to be ...the logname of the user the secondary groups of whom we want to check ! .. Seems obvious now and said this way, but looking at the wiki :
"system_user: If this is given, the user's groups are read from /etc/group (or wherever NSS is configured to taken them from)."
I thought 'system_user' was a flag (a boolean) which, when triggered made dovecot look for the secondaries group of the user (user whose name is already known).
Updated wiki.
b) why isn't system_user such a boolean ? Is there a case where we'd want system_user to be different than the user dovecot runs as at the moment the check takes place ?
Maybe. But there's no way to change that now without breaking backwards compatibility.
- same idea with acl_groups : since this extra_field holds a list of groups for the ACL plugin, why not rely on the native unix groups of the system the user belong to ?
Do you mean the ACL plugin would use the user's current UNIX groups? That might be useful as an extra option, but virtual users won't have any UNIX groups, so it can't work for everyone.
participants (2)
-
Thomas Hummel
-
Timo Sirainen