[Dovecot] restricting shared folders access
Hi all,
I have a dovecot setup with virtual users and a passwd-file passdb. All users have the same uid and gid. Recently I got my public folders working using namespaces and they work great. However, now I'm trying to share a folder between a limited number of users and so far I failed to get it working. Symlinks aren't an option because users need to be able to create subfolders of the shared folder so I'm trying to do it with namespaces but I'm not sure how to restrict access to a limited number of users.
I tried doing it with groups. I made sure that the shared folder's group is set to 'staff' and the mode is 070, I also changed the group of a few virtual users to 'staff'. However, when I try accessing the shared folder I get a permission denied error (although the user is in the staff group).
Can someone please recommend the best way to do this? Should I look into ACL's?
Many thanks,
Andrew.
On Aug 12, 2008, at 6:07 AM, Andrew Von Cid wrote:
I have a dovecot setup with virtual users and a passwd-file passdb.
All users have the same uid and gid. Recently I got my public
folders working using namespaces and they work great. However, now
I'm trying to share a folder between a limited number of users and
so far I failed to get it working. Symlinks aren't an option
because users need to be able to create subfolders of the shared
folder so I'm trying to do it with namespaces but I'm not sure how
to restrict access to a limited number of users.I tried doing it with groups. I made sure that the shared folder's
group is set to 'staff' and the mode is 070, I also changed the
group of a few virtual users to 'staff'. However, when I try
accessing the shared folder I get a permission denied error
(although the user is in the staff group).
How exactly are you changing virtual users' groups? You said you're
using a single UID and GID, so from the OS point of view there's only
a single user.
Can someone please recommend the best way to do this? Should I look
into ACL's?
Either that or use a different UID for all users (or the staff users).
With ACLs you could create dovecot-acl file with either:
a) Listing all the users who have access to it and their permissions
b) List staff group's access, and have your userdb return
acl_groups=staff extra field for the staff users. This will work only
with v1.1.
Hi Timo,
Thanks for your reply.
How exactly are you changing virtual users' groups? You said you're using a single UID and GID, so from the OS point of view there's only a single user.
Makes sense.
Either that or use a different UID for all users (or the staff users). With ACLs you could create dovecot-acl file with either:
a) Listing all the users who have access to it and their permissions b) List staff group's access, and have your userdb return acl_groups=staff extra field for the staff users. This will work only with v1.1.
I'm running 1.0.10 so I tried option 'a' using global ACLs. However, I have a number of problems:
I'm unable to grant permissions on the whole namespace, only per folder. Is this normal?
Is it possible to grant permissions to a folder and all of it's subfolders? I gave a user the permission to create subfolders of a folder, but it looks like I need to create a new ACL for every subfolder created, otherwise it won't be visible.
When I enabled the ACL plugin my other public namespace became inaccessible. When I try to access any of it's folders with Thunderbird I get "Mailbox doesn't exist" error. Is it possible to allow access by default unless there is an ACL that says otherwise?
The basic thing that I'm trying to do is to have two namespaces. One public, shared between all users with read-write permission. And the other accessible only to a small group of staff users. In both cases users need to be able to create and access any subfolders without my intervention. If I change the UID of the staff users then they won't be able to access the public namespace, so this isn't great either. Is there any way I can get this working with dovecot?
Many thanks,
Andrew
On Aug 14, 2008, at 7:06 AM, Andrew Von Cid wrote:
Either that or use a different UID for all users (or the staff
users). With ACLs you could create dovecot-acl file with either:a) Listing all the users who have access to it and their permissions b) List staff group's access, and have your userdb return
acl_groups=staff extra field for the staff users. This will work
only with v1.1.I'm running 1.0.10 so I tried option 'a' using global ACLs.
However, I have a number of problems:I'm unable to grant permissions on the whole namespace, only per
folder. Is this normal?Is it possible to grant permissions to a folder and all of it's
subfolders? I gave a user the permission to create subfolders of a
folder, but it looks like I need to create a new ACL for every
subfolder created, otherwise it won't be visible.
Currently there's no way to set up recursive/default permissions. Yes,
they would be nice.
When I enabled the ACL plugin my other public namespace became
inaccessible. When I try to access any of it's folders with
Thunderbird I get "Mailbox doesn't exist" error. Is it possible to
allow access by default unless there is an ACL that says otherwise?
Not without making the namespace private. The only real difference
there is that IMAP NAMESPACE command replies the namespace being
private instead of public, but few clients support NAMESPACE so it
probably doesn't really matter..
The basic thing that I'm trying to do is to have two namespaces.
One public, shared between all users with read-write permission.
And the other accessible only to a small group of staff users. In
both cases users need to be able to create and access any subfolders
without my intervention. If I change the UID of the staff users
then they won't be able to access the public namespace, so this
isn't great either. Is there any way I can get this working with
dovecot?
Dovecot's shared mailbox support is unfortunately pretty bad currently.
Hi Timo,
Thanks for your reply.
How exactly are you changing virtual users' groups? You said you're using a single UID and GID, so from the OS point of view there's only a single user.
Makes sense.
Either that or use a different UID for all users (or the staff users). With ACLs you could create dovecot-acl file with either:
a) Listing all the users who have access to it and their permissions b) List staff group's access, and have your userdb return acl_groups=staff extra field for the staff users. This will work only with v1.1.
I'm running 1.0.10 so I tried option 'a' using global ACLs. However, I have a number of problems:
I'm unable to grant permissions on the whole namespace, only per folder. Is this normal?
Is it possible to grant permissions to a folder and all of it's subfolders? I gave a user the permission to create subfolders of a folder, but it looks like I need to create a new ACL for every subfolder created, otherwise it won't be visible.
When I enabled the ACL plugin then my other public namespace became inaccessible. When I try to access any of it's folders with Thunderbird I get "Mailbox doesn't exist" error. Is it possible to allow access by default unless there is an ACL that says otherwise?
The basic thing that I'm trying to do is to have two namespaces. One public, shared between all users with read-write permission. And the other accessible only to a small group of staff users. In both cases users need to be able to create and access any subfolders without my intervention. If I change the UID of the staff users then they won't be able to access the public namespace, so this isn't great either. Is there any way I can get this working with Dovecot?
Many thanks,
Andrew
participants (2)
-
Andrew Von Cid
-
Timo Sirainen