[Dovecot] [SOLVED] Installing Dovecot on Gentoo

Michael Orlitzky michael at orlitzky.com
Mon Jan 14 00:17:29 EET 2013



On 01/13/2013 02:41 PM, Branko Majic wrote:
> 
> Slightly off-topic from my side, but wanted to mention it since
> I've worked with POSIX ACLs a bit.
> 
> Personally, I've had very bad experiences with POSIX ACLs. They can
> act in quite an unintuitive way when you start combining them with
> different umasks, originating directory/file permissions (in case
> of copying), sticky bits, and chmods on files/directories where
> you've already set up the permissions (not to mention that some
> stuff seems to outright ignore it, like mod_php5/php).

Most of the problem is that the utilities don't support it, and the
tooling isn't there to make it easy to fix things when they get messed up.

GNU tar, cp, and mkdir for example claim to support ACLs, but then do
it only half way: if you copy a non-ACL file into a directory with a
default ACL, cp will preserve the group bits -- which are now the ACL
mask -- making your ACLs useless.

I've had very little success getting things fixed; most people just
aren't interested.

I have a standalone utility called apply-default-acl (now in Gentoo)
that can reapply the default ACL on a file or tree, fixing most of
these issues after the fact. I've patched tar, cp, and mkdir to
reapply the default ACL after they're done screwing things up, but for
other utilities, you just have to call `apply-default-acl -r` on the
result.

I wrote some stuff about this problem at [1].

The other half of the problem is that there's no "just do what I want"
command to set ACLs on a hierarchy. For this I've created scripts
called set-ro-perms, set-rw-perms, etc. It's just find, xargs, and
setfacl -- but it makes a world of difference. There is a recursive
mode for apply-default-acl now which can mimic most of them; you just
need to set a default ACL on '.' and run it.


> I've also attempted using it at some point for some LAMP apps I've
> deployed, and ended up abandoning them in favour of group sticky
> bits on directories (wanted to administer the web app with a regular
> account, while still letting Apache access files using umask
> 0007).
> 
> So, personally, I'd avoid using them.
> 

Same use case here, except we have multiple groups and users who need
differing levels of access, and each website runs as a different
system user. I don't know of any other way to do it.

Eventually, NFSv4 ACLs[2] are supposed to supersede the POSIX ones.
Hopefully, unlike POSIX, the NFS ACLs will get standardized and
actually gain some traction and decent support. At that point it
should be fairly simple to migrate, since there's an "easy" mapping
from POSIX to NFSv4.



[1] http://michael.orlitzky.com/articles/problems_with_posix_acls_and_common_utilities.php

[2] http://wiki.linux-nfs.org/wiki/index.php/ACLs
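An added example, not code from the message above and not part of apply-default-acl: a small checker that reads a getfacl(1) listing and reports the entries the mask has clipped, which is exactly what happens when cp copies a plain 0644 file into a directory with a default ACL and the source's group bits (r--) land in the mask. The getfacl listing is constructed, and the file name, user and group names are assumptions. It also prints a setfacl command that widens the mask to the union of the named entries; that repairs the mask only, whereas apply-default-acl reapplies the parent's whole default ACL.

```python
"""Detect POSIX ACL entries clipped by the mask, e.g. after cp(1) copied a
plain-mode file into a directory carrying a default ACL.

Added example for this thread; not code from the original message and not
part of apply-default-acl.  The getfacl listing, file name, user and group
names below are constructed assumptions.
"""
import re

# One access-ACL entry as getfacl prints it: tag:qualifier:perms
ENTRY_RE = re.compile(r"^(user|group|mask|other):([^:]*):([rwx-]{3})$")

# Constructed getfacl output for a file created by `cp index.php site/`,
# where index.php was mode 0644 and site/ carried the default ACL
# u::rw-,u:www:rw-,g::rw-,g:devs:rw-,m::rw-,o::r--.  cp inherited the
# default ACL, then restored the source mode; the group bits of 0644
# (r--) became the mask and clipped every named entry.
COPIED_FILE_ACL = """\
# file: site/index.php
# owner: alice
# group: alice
user::rw-
user:www:rw-\t\t\t#effective:r--
group::rw-\t\t\t#effective:r--
group:devs:rw-\t\t\t#effective:r--
mask::r--
other::r--
"""


def parse_acl(text):
    """Parse access-ACL entries from getfacl output into (tag, qualifier, perms).
    Comment lines, default: entries and getfacl's '#effective:' annotations
    are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("default:"):
            continue
        line = line.split("#")[0].strip()  # drop '#effective:...' annotation
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL entry: {line!r}")
        entries.append(m.groups())
    return entries


def is_masked(tag, qualifier):
    """POSIX.1e: named users, named groups and the owning group are subject to
    the mask; the owner (user::) and other:: are not."""
    return tag == "group" or (tag == "user" and qualifier != "")


def perm_bits(perms):
    return frozenset(c for c in perms if c != "-")


def perm_str(bits):
    return "".join(c if c in bits else "-" for c in "rwx")


def effective_perms(entries):
    """Rights each entry actually grants once the mask is ANDed in."""
    mask = next((perm_bits(p) for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, qual, perms in entries:
        bits = perm_bits(perms)
        if mask is not None and is_masked(tag, qual):
            bits &= mask
        result[(tag, qual)] = perm_str(bits)
    return result


def clipped_entries(entries):
    """Entries whose effective rights are narrower than their nominal rights."""
    eff = effective_perms(entries)
    return [(t, q, p, eff[(t, q)]) for t, q, p in entries if eff[(t, q)] != p]


def required_mask(entries):
    """Smallest mask that leaves every masked entry at its nominal rights."""
    bits = frozenset()
    for tag, qual, perms in entries:
        if is_masked(tag, qual):
            bits |= perm_bits(perms)
    return perm_str(bits)


def repair_command(path, entries):
    """setfacl invocation that un-clips the listing by widening the mask only."""
    return f"setfacl -m mask::{required_mask(entries)} {path}"


if __name__ == "__main__":
    acl = parse_acl(COPIED_FILE_ACL)
    for tag, qual, nominal, eff in clipped_entries(acl):
        print(f"{tag}:{qual}:{nominal} clipped to {eff} by the mask")
    print(repair_command("site/index.php", acl))
```

Run it against real output with `getfacl somefile | python3 aclcheck.py` after swapping the constant for `sys.stdin.read()`; a tree-wide check is the same loop over `getfacl -R`, though for the fix itself a recursive `apply-default-acl -r` is simpler than emitting one setfacl per file.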

