ACL group vs. owner question

Peter Chiochetti pch at
Sun Jun 22 12:48:39 UTC 2014

A hopefully simple question regarding the use of ACLs - the spirit being 
of taking away most permissions first and then adding them back selectively:

In the global ACL declaration I have:

> * owner lr
> * group=SYS lrwstipekxa

The owner is put into the SYS group via userdb extra field in static 
passwd file ("archiv" is a system user, but pam is disabled for the server):

> archiv:::::::userdb_acl_groups=SYS

Still, the group permissions do not get applied:

> root at host:/etc/dovecot# doveadm -D acl debug -u archiv INBOX
> […]
> doveadm(archiv): Debug: Added userdb setting: plugin/acl_groups=SYS
> doveadm(archiv): Debug: Effective uid=1002, gid=1001, home=/home/archiv
> doveadm(archiv): Debug: acl: No acl_shared_dict setting - shared mailbox listing is disabled
> doveadm(archiv): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir
> doveadm(archiv): Debug: maildir++: root=/home/archiv/Maildir, index=, indexpvt=, control=, inbox=/home/archiv/Maildir, alt=
> doveadm(archiv): Debug: acl: initializing backend with data: vfile:/etc/dovecot/dovecot-acl
> doveadm(archiv): Debug: acl: acl username = archiv
> doveadm(archiv): Debug: acl: owner = 1
> doveadm(archiv): Debug: acl vfile: Global ACL file: /etc/dovecot/dovecot-acl
> doveadm(archiv): Info: Mailbox 'INBOX' is in namespace ''
> doveadm(archiv): Info: Mailbox path: /home/archiv/Maildir
> doveadm(archiv): Info: All message flags are shared across users in mailbox
> doveadm(archiv): Debug: acl vfile: file /home/archiv/Maildir/dovecot-acl not found
> doveadm(archiv): Info: User archiv has rights: lookup read
> doveadm(archiv): Info: Mailbox in user's private namespace
> doveadm(archiv): Info: Mailbox INBOX is visible in LIST

My question: Shouldn't this work? (In a stock setup.)

PS: when I add "* group-override=SYS" to /etc/dovecot/dovecot-acl the 
user will not even be able to list INBOX.

PPS: As an aside, the setup also switches any sytem or /virtual/ users 
during login in local.conf:
> userdb {
>         driver = static
>         args = uid=archiv gid=archiv home=/home/archiv user=archiv
> }
but I get the above result without that switching when I make it read:
> userdb {
>    driver = static
>    args = home=/home/archiv
> }
So I suppose that it's not relevant in this case…

Thank you in advance


More information about the dovecot mailing list