ACL group-override question

Peter Chiochetti pch at myzel.net
Mon Jun 23 17:20:38 UTC 2014


Previous posts below; here is why I guess this one fails:

http://hg.dovecot.org/dovecot-2.2/file/c55c660d6e9d/src/plugins/acl/acl-api.c#l744

It says: …a user can't match multiple usernames…

In my setup this is not true: there is only one user, but she goes by 
several names. (Like in /etc/passwd, where several users can have the same ID.)

I do not understand the source, but I guess the ACL is attached to the 
"user" and therefore I am out of luck in my adventure: no way short of 
having a "userdb_acl_user" parameter in passdb.

Kind regards

Peter

On 2014-06-17 22:59, Peter Chiochetti wrote:
>> Trying to get ACLs working, very basic setup:
>>
>> Virtual users are put into different acl_group via passdb.
>>
>>> u:{PLAIN}B::::::userdb_acl_groups=g
>>
>> The global acl file restricts what they can do.
>>
>>> * group-override=g
>>> * group=g lr
>>
>> Shouldn't this mean, that the group rights override the user rights?
>>
>> The effect that I see, though, is that the user "u" then may not do
>> anything, not even lookup and read.
>
> Further to this experiment, I made the ACLs not use any group
> settings at all, only trying to lock down the server for everybody, like
> this:
>
>> root at xxx:/etc/dovecot# cat dovecot-acl
>> * user=archiv lr
>> * owner lr
>> * authenticated lr
>> * anyone lr
>
> Yet I still can delete messages from anywhere. What am I missing?
>
> Below is the system setup info (dovecot from the bigmichi1 PPA):
>
>> root at xxx:/etc/dovecot# doveconf -n
>> # 2.2.13 (6bb26098a45c): /etc/dovecot/dovecot.conf
>> # OS: Linux 3.2.0-64-generic x86_64 Ubuntu 12.04.4 LTS
>> mail_debug = yes
>> mail_location = maildir:~/Maildir
>> mail_log_prefix = "%s(%{auth_user}): "
>> mail_plugins = " acl fts fts_solr mail_log notify"
>> namespace inbox {
>>   inbox = yes
>>   location =
>>   mailbox Drafts {
>>     special_use = \Drafts
>>   }
>>   mailbox Junk {
>>     special_use = \Junk
>>   }
>>   mailbox Sent {
>>     special_use = \Sent
>>   }
>>   mailbox "Sent Messages" {
>>     special_use = \Sent
>>   }
>>   mailbox Trash {
>>     special_use = \Trash
>>   }
>>   prefix =
>> }
>> passdb {
>>   args = /etc/dovecot/passwd
>>   driver = passwd-file
>> }
>> plugin {
>>   acl = vfile:/etc/dovecot/dovecot-acl
>>   fts = solr
>>   fts_autoindex = yes
>>   fts_solr = url=http://localhost:8983/solr/
>>   mail_log_events = save copy delete undelete expunge mailbox_create mailbox_rename mailbox_delete
>>   mail_log_fields = uid box msgid from subject
>> }
>> protocols = " imap"
>> ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
>> ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
>> userdb {
>>   args = uid=archiv gid=archiv home=/home/archiv user=archiv
>>   driver = static
>> }
>
> The virtual users all act as the system user; their names are just icing
> for auditing.
>

