[Dovecot] Symlink shared mailboxes and system_user extra field
Hello,
I'm trying to set up, as explained in the wiki, shared mailboxes with symlink. I'm running dovecot-1.1.8 with LDAP pass/userdb. The Maildir layout goes like this :
/courriel/boites/foobar : Maildir of user foobar (nfs)
/courriel/meta/foobar : control files of user foobar (nfs)
/var/dovecot/indexes : indexes (locally stored)
I created :
/courriel/boites/doveshared/.box/ : the Maildir I want to share
/courriel/boites/foobar/.box -> /courriel/boites/doveshared/.box (symlink)
/courriel/boites/foobaz/.box -> /courriel/boites/doveshared/.box (symlink)
the unix and LDAP group doveshared, so /etc/group holds :
doveshared:*:<gid>:foobar,foobaz
the permissions on the real Maildir are ok for that group :
drwxrwx--- 3 root doveshared 4096 Jan 26 18:58 /courriel/boites/doveshared
drwxrwx--- 5 root doveshared 4096 Jan 26 18:58 .box (in /courriel/boites)
I made the userdb (prefetch) return the system_user extra_field (for now, I'm using an unused LDAP attribute - I will create a new attribute in my schema later) :
pass_attrs = uid=user,userPassword=password,homeDirectory=userdb_home,,,uidNumber=userdb_uid,gidNumber=userdb_gid,shadowMax=userdb_system_user
and it seems to be actually returned :
Jan 27 09:34:10 munster3 dovecot: auth(default): ldap(foobar,157.99.64.42): result: uid(user)=foobar uidNumber(userdb_uid)=xxx gidNumber(userdb_gid)=xxx homeDirectory(userdb_home)=/home1/xxx/foobar userPassword(password)=<hidden> shadowMax(userdb_system_user)=380
But I can't subscribe to the mailbox :
stat(/courriel/boites/doveshared/.box/tmp) failed: Permission denied (euid=xxx egid=<primary gid>)
as a matter of fact, the egid seems to be the primary gid.
What am I missing ?
Thanks.
-- Thomas Hummel | Institut Pasteur <hummel@pasteur.fr> | Pôle informatique - systèmes et réseau
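An added illustration, not part of the original post: the Unix permission walk behind a `stat(...) failed: Permission denied` error like the one above, evaluated for a process's effective uid, effective gid and supplementary groups. The numeric ids, the modes marked as assumed and the Linux `/proc/<pid>/status` excerpts are constructed for the example.

```python
from collections import namedtuple

# Constructed stand-in for os.stat() results: octal mode, owner uid, group gid.
Entry = namedtuple("Entry", "path mode uid gid")
Creds = namedtuple("Creds", "euid egid groups")
R, W, X = 4, 2, 1

def parse_proc_status(text):
    """Extract effective uid/gid and supplementary groups from Linux /proc/<pid>/status."""
    f = {k: v.split() for k, _, v in (l.partition(":") for l in text.splitlines())}
    # Uid:/Gid: columns are real, effective, saved, filesystem.
    return Creds(int(f["Uid"][1]), int(f["Gid"][1]), frozenset(map(int, f.get("Groups", []))))

def class_bits(e, c):
    """Pick the single rwx triplet that applies: owner, else group, else other."""
    if c.euid == e.uid:
        return (e.mode >> 6) & 7
    if c.egid == e.gid or e.gid in c.groups:
        return (e.mode >> 3) & 7
    return e.mode & 7

def first_denied(chain, c, want=0):
    """Parents need search (x); the final component needs `want` (0 for a plain stat).
    Returns the first path that denies access, or None. Root bypass is ignored."""
    for i, e in enumerate(chain):
        need = want if i == len(chain) - 1 else X
        if class_bits(e, c) & need != need:
            return e.path
    return None

# Constructed ids: uid 1001, primary gid 100, doveshared gid 5000.
DOVESHARED = 5000
CHAIN = [
    Entry("/courriel/boites", 0o755, 0, 0),                               # assumed mode
    Entry("/courriel/boites/doveshared", 0o770, 0, DOVESHARED),           # from the listing
    Entry("/courriel/boites/doveshared/.box", 0o770, 0, DOVESHARED),      # from the listing
    Entry("/courriel/boites/doveshared/.box/tmp", 0o770, 0, DOVESHARED),  # assumed mode
]
# Constructed /proc status excerpts for a mail process, without and with the group.
PRIMARY_ONLY = "Name:\timap\nUid:\t1001\t1001\t1001\t1001\nGid:\t100\t100\t100\t100\nGroups:\t100\n"
WITH_GROUP = PRIMARY_ONLY.replace("Groups:\t100", "Groups:\t100 5000")

if __name__ == "__main__":
    for label, status in (("primary gid only", PRIMARY_ONLY), ("with doveshared", WITH_GROUP)):
        print(label, "->", first_denied(CHAIN, parse_proc_status(status)))
```

Membership listed in /etc/group only helps if the group appears in the running process's credentials, which is what the `Groups:` line shows.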
On Tue, Jan 27, 2009 at 09:51:51AM +0100, Thomas Hummel wrote:
> What am I missing ?

Or maybe it's because I cannot implement symlink shared mailboxes without using ACL (I thought ACL were used to fine tune what unix permissions allowed to do) ?
-- Thomas Hummel | Institut Pasteur <hummel@pasteur.fr> | Pôle informatique - systèmes et réseau
On Tue, Jan 27, 2009 at 09:51:51AM +0100, Thomas Hummel wrote:
> pass_attrs = uid=user,userPassword=password,homeDirectory=userdb_home,,,uidNumber=userdb_uid,gidNumber=userdb_gid,shadowMax=userdb_system_user
is it the correct way to pass userdb extra field other than home, uid and gid ? Is it supposed to work with prefetch userdb as well ?
-- Thomas Hummel | Institut Pasteur <hummel@pasteur.fr> | Pôle informatique - systèmes et réseau
On Tue, Jan 27, 2009 at 09:51:51AM +0100, Thomas Hummel wrote:
> I'm trying to set up, as explained in the wiki, shared mailboxes with symlink.
Ok, I'm trying with namespaces and ACL now (it will be cleaner anyway than symlinks) but I'm still missing something :
I'm still running dovecot-1.1.8 with LDAP pass/userdb.
The Maildir layout for the private namespace goes like this :
/courriel/boites/foobar : Maildir of user foobar (nfs)
/courriel/meta/foobar : control files of user foobar (nfs)
/var/dovecot/indexes/f/foobar : indexes for user foobar (locally stored)
In the Public/ namespace :
/courriel/boites/public/.box/ is the Maildir I want to share
I created the unix and LDAP group doveshared, so /etc/group holds :
doveshared:*:<gid>:foobar,foobaz
The permissions on the Maildir I want to share seem ok for that group :
drwxrwx--- 3 root doveshared 4096 Jan 26 18:58 /courriel/boites/public
drwxrwx--- 5 root doveshared 4096 Jan 26 18:58 /courriel/boites/public/.box
I made the userdb (prefetch) return the system_user and acl_groups extra fields [temporarily hijacking 2 unused LDAP attributes (shadowMax and title)] :
pass_attrs = uid=user,userPassword=password,homeDirectory=userdb_home,,,uidNumber=userdb_uid,gidNumber=userdb_gid,shadowMax=userdb_system_user,title=userdb_acl_groups
the title LDAP attribute holds a comma separated list of groups, one being the doveshared group :
title: xxx,doveshared
the maildir I want to share holds 2 files :
-rwxrwx--- 1 root doveshared 28 Jan 27 11:35 dovecot-acl
-rwxrwx--- 1 root doveshared 0 Jan 26 18:25 dovecot-shared
with dovecot-acl holding :
group=doveshared lrwstiekxa
Here is the relevant part of my dovecot.conf :
namespace public {
  separator = /
  prefix = Public/
  location = maildir:/courriel/boites/public/.box
  inbox = no
  hidden = no
  list = yes
  subscriptions = yes
}
That setup doesn't seem to work (I just see the Public folder in the Thunderbird subscription list but that's all).
I have several questions :
is the namespace prefix case sensitive (i.e. does the corresponding unix directory have to match its case) ? It seems to me it isn't.
is the way I return userdb (which is prefetch) system_user and acl_groups correct ?
is my location correct (it points to the maildir itself instead of the "public" directory) ?
what did I miss :
opendir(/courriel/boites/public/.box) failed: Permission denied
Thanks
-- Thomas Hummel | Institut Pasteur <hummel@pasteur.fr> | Pôle informatique - systèmes et réseau
On Tue, Jan 27, 2009 at 02:23:38PM +0100, Thomas Hummel wrote:
Hello again ;-(
I think the ambiguity may come from that statement in the doc (wiki) :
"Both symlinking and namespaces have a common problem: Dovecot needs to have permissions to read, and possibly to write to the shared mailbox."
My understanding of that statement is : not the 'dovecot' user, but the user himself since dovecot acts with its effective uid/gid.
"Besides to limit the access to a shared mailbox via the ACL plugin, the Unix permission must allow the access of the user to the files. If you use real (system) users or multiple UIDs and rely on Unix permissions per group, make sure to set the system_user field explained in UserDatabase/ExtraFields."
Not sure about that : are ACLs optional (only to fine tune what unix permission can do) or mandatory ?
Does it make sense to use both system_user and acl_groups extra fields ?
-- Thomas Hummel | Institut Pasteur <hummel@pasteur.fr> | Pôle informatique - systèmes et réseau
On Tue, Jan 27, 2009 at 03:28:27PM +0100, Thomas Hummel wrote:
Please, ignore this thread, I will sum up what I figure out in another one.
-- Thomas Hummel | Institut Pasteur <hummel@pasteur.fr> | Pôle informatique - systèmes et réseau