[Dovecot] New global ACL mailbox pattern feature in HG
Hi,
I played around with changeset 9376bf098692 a bit. Right now I'm unsure how to describe a namespace using this feature. Using something like 'Public/*' doesn't seem to work while 'Public*' does, but would also potentially alter non-related mailboxes elsewhere:
$ cat global-acl
INBOX owner lrwstiekxap
Public* group=PublicMailboxAdmins lrwsik
Regards Thomas
- Thomas Leuxner <tlx@leuxner.net> 2014.01.28 08:29:
$ cat global-acl
INBOX owner lrwstiekxap
Public* group=PublicMailboxAdmins lrwsik
Following up on this, there seems to be an issue with separators. Mailbox creation crashes, while it used to work fine with the same configuration w/o the 'global-acl' file. Interestingly enough same syntax works for the public namespace (e.g. "mailbox create -u tlx@leuxner.net Public/Test" ):
$ doveadm acl get -u tlx@leuxner.net INBOX
ID Global Rights
owner admin create delete expunge insert lookup post read write write-deleted write-seen
$ doveadm mailbox create -u tlx@leuxner.net "Shops/Test"
doveadm(tlx@leuxner.net): Panic: file acl-global-file.c: line 163 (acl_global_file_find_rights): assertion failed: (file->last_refresh_time != 0)
doveadm(tlx@leuxner.net): Error: Raw backtrace: /usr/lib/dovecot/libdovecot.so.0(+0x6b34f) [0x7f7de43bf34f] -> /usr/lib/dovecot/libdovecot.so.0(default_fatal_handler+0x2a) [0x7f7de43bf42a] -> /usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7f7de4378e8e] -> /usr/lib/dovecot/modules/lib01_acl_plugin.so(+0xc692) [0x7f7de3799692] -> /usr/lib/dovecot/modules/lib01_acl_plugin.so(acl_global_file_have_any+0x1a) [0x7f7de3799bfa] -> /usr/lib/dovecot/modules/lib01_acl_plugin.so(+0x9f92) [0x7f7de3796f92] -> /usr/lib/dovecot/modules/lib01_acl_plugin.so(acl_mailbox_list_have_right+0xed) [0x7f7de379c44d] -> /usr/lib/dovecot/modules/lib01_acl_plugin.so(+0xda69) [0x7f7de379aa69] -> /usr/lib/dovecot/libdovecot-storage.so.0(+0x93027) [0x7f7de46bc027] -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_create+0x38) [0x7f7de46aa048] -> doveadm() [0x418124] -> doveadm() [0x41358d] -> doveadm(doveadm_mail_try_run+0x251) [0x414251] -> doveadm(main+0x3c8) [0x413138] -> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7f7de3fe8ead] -> doveadm() [0x413351]
Aborted
namespace {
  list = yes
  location = mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}
namespace inbox {
  hidden = no
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
On 30.1.2014, at 5.23, Thomas Leuxner <tlx@leuxner.net> wrote:
- Thomas Leuxner <tlx@leuxner.net> 2014.01.28 08:29:
$ cat global-acl
INBOX owner lrwstiekxap
Public* group=PublicMailboxAdmins lrwsik
Following up on this, there seems to be an issue with separators. Mailbox creation crashes, while it used to work fine with the same configuration w/o the 'global-acl' file. Interestingly enough same syntax works for the public namespace (e.g. "mailbox create -u tlx@leuxner.net Public/Test" ):
$ doveadm acl get -u tlx@leuxner.net INBOX
ID Global Rights
owner admin create delete expunge insert lookup post read write write-deleted write-seen
$ doveadm mailbox create -u tlx@leuxner.net "Shops/Test"
doveadm(tlx@leuxner.net): Panic: file acl-global-file.c: line 163 (acl_global_file_find_rights): assertion failed: (file->last_refresh_time != 0)
Fixed: http://hg.dovecot.org/dovecot-2.2/rev/c69ca1f5bc34
Also I was thinking that maybe it could support a syntax like:
Public,Public/* owner lrw
Or with weirder mailbox names use quoting:
"foo,bar baz",another owner lrw
- Timo Sirainen <tss@iki.fi> 2014.02.07 21:37:
$ doveadm mailbox create -u tlx@leuxner.net "Shops/Test"
doveadm(tlx@leuxner.net): Panic: file acl-global-file.c: line 163 (acl_global_file_find_rights): assertion failed: (file->last_refresh_time != 0)
Crash is gone. Thanks.
Public/* group=PublicMailboxAdmins lrwsik
yields an error (Public/ Namespace) while 'Public*' works:
$ doveadm mailbox create -u tlx@leuxner.net "Public/Test"
$ doveadm(tlx@leuxner.net): Error: Can't create mailbox Public/Test: Permission denied
Also I was thinking that maybe it could support a syntax like:
Public,Public/* owner lrw
+1
On 7.2.2014, at 17.21, Thomas Leuxner <tlx@leuxner.net> wrote:
- Timo Sirainen <tss@iki.fi> 2014.02.07 21:37:
$ doveadm mailbox create -u tlx@leuxner.net "Shops/Test"
doveadm(tlx@leuxner.net): Panic: file acl-global-file.c: line 163 (acl_global_file_find_rights): assertion failed: (file->last_refresh_time != 0)
Crash is gone. Thanks.
Public/* group=PublicMailboxAdmins lrwsik
yields an error (Public/ Namespace) while 'Public*' works:
$ doveadm mailbox create -u tlx@leuxner.net "Public/Test"
$ doveadm(tlx@leuxner.net): Error: Can't create mailbox Public/Test: Permission denied
I think that's correct behavior? The "k" right needs to be for the parent "Public", while Public/* only matches its children.
- Timo Sirainen <tss@iki.fi> 2014.02.10 00:25:
Public/* group=PublicMailboxAdmins lrwsik
yields an error (Public/ Namespace) while 'Public*' works:
$ doveadm mailbox create -u tlx@leuxner.net "Public/Test"
$ doveadm(tlx@leuxner.net): Error: Can't create mailbox Public/Test: Permission denied
I think that's correct behavior? The "k" right needs to be for the parent "Public", while Public/* only matches its children.
I see. Wouldn't "Public" also let's say undesirably apply to mailboxes in the user context then, e.g. someone creates a "Public" folder in his INBOX? I'm asking as I only want to apply the ACL to a namespace.
Regards Thomas
- Thomas Leuxner <tlx@leuxner.net> 2014.02.10 08:51:
Public/* group=PublicMailboxAdmins lrwsik
yields an error (Public/ Namespace) while 'Public*' works:
$ doveadm mailbox create -u tlx@leuxner.net "Public/Test"
$ doveadm(tlx@leuxner.net): Error: Can't create mailbox Public/Test: Permission denied
I think that's correct behavior? The "k" right needs to be for the parent "Public", while Public/* only matches its children.
I see. Wouldn't "Public" also let's say undesirably apply to mailboxes in the user context then, e.g. someone creates a "Public" folder in his INBOX? I'm asking as I only want to apply the ACL to a namespace.
Following the http://wiki2.dovecot.org/ACL example of wildcard patterns it appears 'Public/*' is completely ignored. I tested with a new mailbox and the only entry applied is the 'Public*' one:
$ cat global-acl
INBOX owner lrwstiekxap
Public* group=PublicMailboxAdmins lrwsik
Public/* anyone lr
Public/* authenticated lrws
On 15.2.2014, at 22.13, Thomas Leuxner <tlx@leuxner.net> wrote:
- Thomas Leuxner <tlx@leuxner.net> 2014.02.10 08:51:
Public/* group=PublicMailboxAdmins lrwsik
yields an error (Public/ Namespace) while 'Public*' works:
$ doveadm mailbox create -u tlx@leuxner.net "Public/Test"
$ doveadm(tlx@leuxner.net): Error: Can't create mailbox Public/Test: Permission denied
I think that's correct behavior? The "k" right needs to be for the parent "Public", while Public/* only matches its children.
I see. Wouldn't "Public" also let's say undesirably apply to mailboxes in the user context then, e.g. someone creates a "Public" folder in his INBOX? I'm asking as I only want to apply the ACL to a namespace.
Following the http://wiki2.dovecot.org/ACL example of wildcard patterns it appears 'Public/*' is completely ignored. I tested with a new mailbox and the only entry applied is the 'Public*' one:
$ cat global-acl
INBOX owner lrwstiekxap
Public* group=PublicMailboxAdmins lrwsik
Public/* anyone lr
Public/* authenticated lrws
http://hg.dovecot.org/dovecot-2.2/rev/7a08a481c133 should help here?
- Timo Sirainen <tss@iki.fi> 2014.05.07 16:12:
http://hg.dovecot.org/dovecot-2.2/rev/7a08a481c133 should help here?
That seems to do the trick:
$ doveadm acl get -u tlx@leuxner.net Public/Mailing-Lists/Dovecot
ID Global Rights
anyone lookup read
authenticated lookup read write write-seen
group=PublicMailboxAdmins create insert lookup read write write-seen
Thanks!
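The pattern behaviour discussed in this thread ('Public/*' matching only children, 'Public*' also reaching unrelated names), as an added example that is not part of the original thread and is not Dovecot's code. It assumes "*" matches any run of characters including the separator and "?" matches one character; the function names and the sample mailbox list are constructed for illustration.

```python
import re

# Constructed sample, modelled on the global-acl file quoted in the thread.
GLOBAL_ACL = """\
INBOX owner lrwstiekxap
Public* group=PublicMailboxAdmins lrwsik
Public/* anyone lr
Public/* authenticated lrws
"""

# Constructed mailbox names: "Publications" stands in for an unrelated private mailbox.
MAILBOXES = ["INBOX", "Public", "Public/Test", "Publications", "Shops/Test"]


def parse_global_acl(text):
    """Return (pattern, identifier, rights) tuples. Quoted patterns are not handled."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            pattern, identifier, rights = line.strip().rsplit(None, 2)
            entries.append((pattern, identifier, rights))
    return entries


def pattern_to_regex(pattern):
    # Assumed semantics: "*" = any run of characters, "?" = exactly one character.
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts) + r"\Z", re.DOTALL)


def matching_entries(entries, mailbox):
    """ACL entries whose pattern matches the full mailbox name."""
    return [e for e in entries if pattern_to_regex(e[0]).match(mailbox)]


def overreach(entries, prefix, mailboxes):
    """(pattern, mailbox) pairs where a pattern that hits the namespace
    `prefix` also matches a mailbox outside that namespace."""
    root = prefix.rstrip("/")
    inside = lambda m: m == root or m.startswith(prefix)
    found = set()
    for pattern, _, _ in entries:
        rx = pattern_to_regex(pattern)
        matched = [m for m in mailboxes if rx.match(m)]
        if any(inside(m) for m in matched):
            found.update((pattern, m) for m in matched if not inside(m))
    return sorted(found)
```

Running `overreach(parse_global_acl(GLOBAL_ACL), "Public/", MAILBOXES)` lists the patterns that grant rights beyond the public namespace, which is the check to run before deploying a broad pattern such as 'Public*'.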