[Dovecot] Questions about dovecot-shared in 1.2 and inherit group membership from parent mailbox
Hi,
I read the Wiki about dovecot-shared a few times but it is not 100% clear to me (at least for 1.2).
First, if I want shared keywords I *must* have a dovecot-shared. In this case, the permissions are not taken any longer from the parent folder (what is exactly this parent folder?) but from the dovecot-shared file. So in some sense dovecot-shared is always required (since everyone would like to share keywords). True?
Second, is there only *one* dovecot-shared per namespace or per mailbox *under* a specific namespace? Or an arbitrary number (where the "last" is taken)? Where does dovecot-shared need to be placed? For example, if the location of the namespace points to /var/mail/shared and I have two mailboxes "group1" and "group2" inside. Does the dovecot-shared need to reside in /var/mail/shared or /var/mail/shared/group1 and /var/mail/shared/group2 (with LAYOUT=fs)? Is it possible?
Third (and main) question: In /var/mail/shared I want to have a mailbox for each group. Each user is a member of his respective groups (in terms of UNIX permissions *and* ACLs). The mailboxes are owned by their respective groups and if a user creates a subfolder inside it should surely have the same group assigned as the parent mailbox (not the namespace!).
namespace public {
    separator = .
    prefix = Shared.
    location = maildir:/var/mail/shared:INDEX=~/Maildir/shared:LAYOUT=fs
    subscriptions = no
}
mail:~# ls -l -R /var/mail/shared/
/var/mail/shared/:
total 12
drwxrwx--- 5 root group1 4096 Feb  9 11:53 Group1
drwxrwx--- 5 root group2 4096 Feb  9 12:27 Group2
-rw-r--r-- 1 root root     23 Feb  9 11:52 dovecot-acl
-rw-rw-r-- 1 root root      0 Dec 15  2009 dovecot-shared

/var/mail/shared/Group1:
total 16
drwxrwx--- 2 root group1 4096 Feb  8 10:35 cur
-rw-r--r-- 1 root group1   28 Feb  9 11:52 dovecot-acl
-rw-rw-r-- 1 root group1    0 Dec 15  2009 dovecot-shared
drwxrwx--- 2 root group1 4096 Dec 15  2009 new
drwxrwx--- 2 root group1 4096 Feb  8 10:34 tmp

/var/mail/shared/Group1/cur:
total 0

/var/mail/shared/Group1/new:
total 0

/var/mail/shared/Group1/tmp:
total 0

/var/mail/shared/Group2:
total 16
drwxrwx--- 2 root group2 4096 Feb  8 10:35 cur
-rw-r--r-- 1 root group2   27 Feb  9 11:52 dovecot-acl
-rw-rwS--- 1 root group2    0 Dec 15  2009 dovecot-shared
drwxrwx--- 2 root group2 4096 Dec 15  2009 new
drwxrwx--- 2 root group2 4096 Feb  8 10:34 tmp

/var/mail/shared/Group2/cur:
total 0

/var/mail/shared/Group2/new:
total 0

/var/mail/shared/Group2/tmp:
total 0
Again: *Inside* /var/mail/shared I want to create mailboxes for each group (Group1, Group2, ...). This is done only by the administrator. Therefore /var/mail/shared is owned by root.
Each Group1, Group2, ... in turn is owned by group1, group2, ...
I tried all combinations using dovecot-shared which came into my mind such that a subfolder of Group1 is owned by group1. However, either
1.) the subfolder is owned by the primary group of the creating user (group "users") or
2.) the group of /var/mail/shared/dovecot-shared or
3.) creation of the subfolder fails with

    dovecot: IMAP(user1): chown(/var/mail/shared/Group2/Test1, -1, 0(root)) failed: Operation not permitted (egid=100(users), group based on /var/mail/shared/dovecot-shared)
    dovecot: IMAP(user1): mkdir(/var/mail/shared/Group2/Test1/cur) failed: Operation not permitted
Is this just not possible or do I get something wrong here?
Regards, Luke
On Wed, 2011-02-09 at 12:51 +0100, Lukas Haase wrote:
First, if I want shared keywords I *must* have a dovecot-shared. In this case, the permissions are not taken any longer from the parent folder (what is exactly this parent folder?)
If you have ~/Maildir/.foo/, then the permissions are based on the .foo directory when ~/Maildir/.foo/dovecot-shared doesn't exist.
but from the dovecot-shared file. So in some sense dovecot-shared is always required (since everyone would like to share keywords). True?
dovecot-shared is needed only if you want private \Seen flags.
Second, is there only *one* dovecot-shared per namespace or per mailbox *under* a specific namespace? Or an arbitrary number (where the "last" is taken)? Where does dovecot-shared need to be placed?
For each mailbox.
For example, if the location of the namespace points to /var/mail/shared and I have two mailboxes "group1" and "group2" inside. Does the dovecot-shared need to reside in /var/mail/shared or /var/mail/shared/group1 and /var/mail/shared/group2 (with LAYOUT=fs)? Is it possible?
group1 & group2
Third (and main) question: In /var/mail/shared I want to have a mailbox for each group. Each user is a member of his respective groups (in terms of UNIX permissions *and* ACLs). The mailboxes are owned by their respective groups and if a user creates a subfolder inside it should surely have the same group assigned as the parent mailbox (not the namespace!).
Well, now you're going into something that's a new feature :) But you can probably do:
    /var/mail/shared        = root:root,   02770
    /var/mail/shared/group1 = root:group1, 02770
Now filesystem should preserve group1 and Dovecot should preserve 02770 permissions.
Dear Timo,
Thank you for the reply!
On 09.02.2011 23:55, Timo Sirainen wrote:
[...]
Second, is there only *one* dovecot-shared per namespace or per mailbox *under* a specific namespace? Or an arbitrary number (where the "last" is taken)? Where does dovecot-shared need to be placed?
For each mailbox.
(Definition) In my example:
/var/mail/shared is the *namespace* and
    /var/mail/shared/.Group1/...
    /var/mail/shared/.Group2/...
the mailboxes; is this true?
For example, if the location of the namespace points to /var/mail/shared and I have two mailboxes "group1" and "group2" inside. Does the dovecot-shared need to reside in /var/mail/shared or /var/mail/shared/group1 and /var/mail/shared/group2 (with LAYOUT=fs)? Is it possible?
group1 & group2
Thank you. This means *no* dovecot-acl in /var/mail/shared.
Third (and main) question: In /var/mail/shared I want to have a mailbox for each group. Each user is a member of his respective groups (in terms of UNIX permissions *and* ACLs). The mailboxes are owned by their respective groups and if a user creates a subfolder inside it should surely have the same group assigned as the parent mailbox (not the namespace!).
Well, now you're going into something that's a new feature :) But you can probably do:
    /var/mail/shared        = root:root,   02770
    /var/mail/shared/group1 = root:group1, 02770
Now filesystem should preserve group1 and Dovecot should preserve 02770 permissions.
Wow, indeed, this seems to work, also in the presence of the "dovecot-acl" files in /var/mail/shared/group1 and /var/mail/shared/group2. What I had forgotten was 02770 for /var/mail/shared. I somehow do not understand why this matters...
In fact, this structure seems to work now as expected:
    D /var/mail/shared                       = root:root,   02770
    F /var/mail/shared/dovecot-acl           = root:root,   0644
          anyone authenticated l

    D /var/mail/shared/Group1                = root:group1, 02770
    D /var/mail/shared/Group1/new            = root:group1, 0770
    D /var/mail/shared/Group1/cur            = root:group1, 0770
    D /var/mail/shared/Group1/tmp            = root:group1, 0770
    F /var/mail/shared/Group1/dovecot-shared = root:group1, 02660
    F /var/mail/shared/Group1/dovecot-acl    = root:group1, 0664
          anyone group=group1 lrwstiek

    D /var/mail/shared/Group2                = root:group2, 02770
    D /var/mail/shared/Group2/new            = root:group2, 0770
    D /var/mail/shared/Group2/cur            = root:group2, 0770
    D /var/mail/shared/Group2/tmp            = root:group2, 0770
    F /var/mail/shared/Group2/dovecot-shared = root:group2, 02660
    F /var/mail/shared/Group2/dovecot-acl    = root:group2, 0664
          anyone group=group2 lrwstiek
Thanks again!
Best regards, Luke
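The reason the layout above works is the setgid bit (the leading 2 in 02770): on Linux a directory created inside a setgid directory inherits both that directory's group and the setgid bit itself, so every subfolder Dovecot creates under Group1 stays group1-owned without any chown. The following is an added shell example, not part of the thread or of Dovecot: an audit that lists directories in a shared tree which have lost the setgid bit or carry a different group than their mailbox top directory, plus a self-contained demonstration in a temporary directory (the constructed demo cannot chgrp to group1 without root, so it only checks setgid inheritance).

```shell
#!/bin/sh
# Added example (not from the thread): audit a shared-namespace tree laid out
# as described above (mailbox directories 02770 so subfolders inherit the
# group). Usage: dirs_missing_setgid /var/mail/shared/Group1

# Print every directory under $1 that lacks the setgid bit (02000).
# -perm -2000 is POSIX find syntax: "all of these bits are set".
dirs_missing_setgid() {
    find "$1" -type d ! -perm -2000
}

# Print every directory under $1 whose group differs from the group of $1
# itself. Run it once per mailbox top directory (Group1, Group2, ...),
# not on the namespace root, which is intentionally root:root.
dirs_with_wrong_group() {
    want=$(ls -ld "$1" | awk '{print $4}')
    find "$1" -type d | while IFS= read -r d; do
        have=$(ls -ld "$d" | awk '{print $4}')
        [ "$have" = "$want" ] ||
            printf '%s (group %s, expected %s)\n' "$d" "$have" "$want"
    done
}

# Constructed demonstration in a temp dir: with 02770 on the mailbox
# directory, a subfolder created afterwards (as Dovecot's mkdir would do)
# inherits the setgid bit, so the audit finds nothing. Returns 0 on success.
demo_setgid_inheritance() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/Group1"
    chmod 2770 "$tmp/Group1"
    mkdir "$tmp/Group1/Test1"
    mkdir "$tmp/Group1/Test1/cur"
    missing=$(dirs_missing_setgid "$tmp/Group1")
    rm -rf "$tmp"
    [ -z "$missing" ]
}
```

If a subfolder shows up in the audit, the usual cause is that its mailbox directory was created without the setgid bit before the 02770 fix (mkdir on the parent with a plain 0770 mode does not propagate the group), which reproduces the "group based on /var/mail/shared/dovecot-shared" chown failure quoted earlier in the thread.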
On 10.02.2011 13:49, Lukas Haase wrote:
[...] Third (and main) question: In /var/mail/shared I want to have a mailbox for each group. Each user is a member of his respective groups (in terms of UNIX permissions *and* ACLs). The mailboxes are owned by their respective groups and if a user creates a subfolder inside it should surely have the same group assigned as the parent mailbox (not the namespace!).
Well, now you're going into something that's a new feature :) But you can probably do:
    /var/mail/shared        = root:root,   02770
    /var/mail/shared/group1 = root:group1, 02770
As already mentioned, thank you very much, this works!
However, I wonder if I am the one who needs different group-based mailboxes in a shared namespace ... I think it can't be that complicated?!
Maybe the common way to go instead is to create a "virtual mail" mail group where all users belong to (and assign with mail_access_groups=sharedmail) and do all group-permissions solely with the ACL plugin?
Best regards, Luke
On Fri, 2011-02-11 at 14:52 +0100, Lukas Haase wrote:
However, I wonder if I am the one who needs different group-based mailboxes in a shared namespace ... I think it can't be that complicated?!
I think most people are happy with having a single uid+gid for all users.
Maybe the common way to go instead is to create a "virtual mail" mail group where all users belong to (and assign with mail_access_groups=sharedmail) and do all group-permissions solely with the ACL plugin?
That's one possibility too, sure.
But yeah, it would be nice if it was easier to do these things with multiple groups.. v2.1 now makes this simpler:
http://hg.dovecot.org/dovecot-2.1/rev/238bafcca676
http://hg.dovecot.org/dovecot-2.1/rev/e2605d2d6b33