ACL group-override question

Peter Chiochetti pch at myzel.net
Tue Jun 17 20:59:12 UTC 2014


> Trying to get ACLs working, very basic setup:
>
> Virtual users are put into different acl_group via passdb.
>
>> u:{PLAIN}B::::::userdb_acl_groups=g
>
> The global acl file restricts what they can do.
>
>> * group-override=g
>> * group=g lr
>
> Shouldn't this mean, that the group rights override the user rights?
>
> The effect that I see though is, that the user "u" then may not do
> anything, not even lookup and read.

Further to this experiment, I made the ACLs not use any group
settings at all, only trying to lock down the server for anybody, like this:

> root at xxx:/etc/dovecot# cat dovecot-acl
> * user=archiv lr
> * owner lr
> * authenticated lr
> * anyone lr

Yet I still can delete messages from anywhere. What am I missing?

Below system setup info (dovecot from bigmichi1 ppa):

> root at xxx:/etc/dovecot# doveconf -n
> # 2.2.13 (6bb26098a45c): /etc/dovecot/dovecot.conf
> # OS: Linux 3.2.0-64-generic x86_64 Ubuntu 12.04.4 LTS
> mail_debug = yes
> mail_location = maildir:~/Maildir
> mail_log_prefix = "%s(%{auth_user}): "
> mail_plugins = " acl fts fts_solr mail_log notify"
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = /etc/dovecot/passwd
>   driver = passwd-file
> }
> plugin {
>   acl = vfile:/etc/dovecot/dovecot-acl
>   fts = solr
>   fts_autoindex = yes
>   fts_solr = url=http://localhost:8983/solr/
>   mail_log_events = save copy delete undelete expunge mailbox_create mailbox_rename mailbox_delete
>   mail_log_fields = uid box msgid from subject
> }
> protocols = " imap"
> ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
> ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
> userdb {
>   args = uid=archiv gid=archiv home=/home/archiv user=archiv
>   driver = static
> }

The virtual users all act as the system user; their names are just icing
for auditing.

-- 
peter
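The thread turns on what the global `dovecot-acl` file actually grants. As an added example (not part of the original post and not Dovecot's own code), the script below parses the vfile format used above (`<mailbox pattern> <identifier> [rights]`), decodes Dovecot's documented rights letters (`l` lookup, `r` read, `w` write, `s` write-seen, `t` write-deleted, `i` insert, `p` post, `e` expunge, `k` create, `x` delete, `a` admin) and flags any line that grants a right capable of removing mail or mailboxes. It does not model how Dovecot merges `user=`, `group=` and `group-override=` rights; it only reports what each line grants. The sample file content is constructed from the one quoted in the message; the `DESTRUCTIVE` set and the function names are this example's own choices.

```python
"""Audit a Dovecot global ACL file (vfile format) for destructive grants.

Added example for the thread above; not from the original post or from
Dovecot.  The rights letters follow Dovecot's ACL documentation; the notion
of a "destructive" right is this script's own assumption.
"""
from dataclasses import dataclass

# Dovecot ACL rights letters and their documented names.
RIGHT_NAMES = {
    "l": "lookup", "r": "read", "w": "write", "s": "write-seen",
    "t": "write-deleted", "i": "insert", "p": "post", "e": "expunge",
    "k": "create", "x": "delete", "a": "admin",
}
NAME_TO_LETTER = {name: letter for letter, name in RIGHT_NAMES.items()}

# Assumption of this example: rights that can remove or destroy mail or
# mailboxes (mark deleted, expunge, delete mailbox, administer ACLs).
DESTRUCTIVE = frozenset("texa")

# Identifier forms accepted in a dovecot-acl line.
IDENTIFIER_PREFIXES = ("user=", "group=", "group-override=")
BARE_IDENTIFIERS = {"owner", "authenticated", "anyone"}


@dataclass(frozen=True)
class AclEntry:
    pattern: str        # mailbox name or glob, e.g. "*" or "INBOX"
    identifier: str     # e.g. "user=archiv", "group-override=g", "anyone"
    rights: frozenset   # set of rights letters
    lineno: int


def _parse_rights(tokens, lineno):
    """Accept both letter runs ("lr") and named rights ("lookup read")."""
    letters = set()
    for tok in tokens:
        if tok in NAME_TO_LETTER:
            letters.add(NAME_TO_LETTER[tok])
            continue
        for ch in tok:
            if ch not in RIGHT_NAMES:
                raise ValueError(f"line {lineno}: unknown right {ch!r} in {tok!r}")
            letters.add(ch)
    return frozenset(letters)


def parse_acl(text):
    """Parse dovecot-acl text into AclEntry objects; '#' lines are comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected '<mailbox> <identifier> [rights]'")
        pattern, identifier = parts[0], parts[1]
        if identifier not in BARE_IDENTIFIERS and not identifier.startswith(IDENTIFIER_PREFIXES):
            raise ValueError(f"line {lineno}: unknown identifier {identifier!r}")
        # A line with no rights at all means the identifier gets nothing.
        entries.append(AclEntry(pattern, identifier, _parse_rights(parts[2:], lineno), lineno))
    return entries


def destructive_grants(entries):
    """Return the entries that grant at least one destructive right."""
    return [e for e in entries if e.rights & DESTRUCTIVE]


def describe(entry):
    """Human-readable rendering of one entry, e.g. '* anyone: lookup, read'."""
    names = sorted(RIGHT_NAMES[c] for c in entry.rights)
    return f"{entry.pattern} {entry.identifier}: {', '.join(names) or 'no rights'}"


# Constructed sample: the global ACL file quoted in the message above.
SAMPLE_ACL = """\
# /etc/dovecot/dovecot-acl (constructed from the thread)
* user=archiv lr
* owner lr
* authenticated lr
* anyone lr
"""

if __name__ == "__main__":
    entries = parse_acl(SAMPLE_ACL)
    for entry in entries:
        print(describe(entry))
    flagged = destructive_grants(entries)
    print("destructive grants:", [describe(e) for e in flagged] or "none")
```

Run against the quoted file, every line grants only `lookup, read` and nothing is flagged, so the deletions observed in the thread are not explained by any right the file hands out; the check is useful as a first pass when reviewing an ACL file, before looking at how the server applies it.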