Regression ACL & namespace prefix

Michal Hlavinka mhlavink at redhat.com
Tue Sep 18 17:10:39 EEST 2018


Hi

tl;dr:
It seems that for the Global ACL directory, the namespace prefix is not part of the 
path when looking for the ACL file.

Long version:

We're planning to update Dovecot to 2.2.36 in the next OS update, and while 
going through regression testing we found a problem with ACL 
configuration combined with a namespace.

Test uses "Global ACL directory" configuration.

Relevant configuration part:
mail_location = maildir:~/Maildir

namespace inbox {
   hidden = no
   inbox = yes
   list = yes
   location =
   prefix =
   separator = /
}
namespace {
   hidden = no
   list = yes
   location = maildir:/var/mail/pub
   prefix = pub/
   separator = /
   type = public
}

mail_plugins = acl

protocol imap {
   mail_plugins = $mail_plugins acl imap_acl
}
plugin {
   acl = vfile:/etc/dovecot/global-acls
}

ACL config file is stored at:
/etc/dovecot/global-acls/pub/.DEFAULT

When trying to examine "pub", it is denied:
fetchmail: IMAP> A0005 EXAMINE "pub"
fetchmail: IMAP< A0005 NO Mailbox doesn't exist: pub (0.001 + 0.000 secs).

# doveadm acl debug -u d2 pub
doveadm(d2): Info: Mailbox '' is in namespace 'pub/'
doveadm(d2): Info: Mailbox path: /var/mail/pub
doveadm(d2): Info: All message flags are shared across users in mailbox
doveadm(d2): Info: User d2 has no rights for mailbox
doveadm(d2): Error: User d2 is missing 'lookup' right
doveadm(d2): Info: Mailbox pub is NOT visible in LIST

because it did not find the ACL file:
imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub
imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt=
imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls
imap(d2): Debug: acl: acl username = d2
imap(d2): Debug: acl: owner = 0
imap(d2): Debug: acl vfile: Global ACL legacy directory: /etc/dovecot/global-acls
imap(d2): Debug: pub: Mailbox opened because: EXAMINE
imap(d2): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found
imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found


See, it's looking for:
/etc/dovecot/global-acls//.DEFAULT
instead of
/etc/dovecot/global-acls/pub/.DEFAULT

Checking with the documentation
https://wiki.dovecot.org/ACL
it seems that the prefix should still be part of the path, as it was before:
"""The filenames must start with namespace prefix (if it has one). For 
example with namespace prefix=INBOX/ containing mailbox "foo" use 
/etc/dovecot/acls/INBOX/foo."""


Just for comparison, the previous version (2.2.10) would work fine:
imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub
imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt=
imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls
imap(d2): Debug: acl: acl username = d2
imap(d2): Debug: acl: owner = 0
imap(d2): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls
imap(d2): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/.DEFAULT
imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found


I've localized the problem to:
src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...)
and the change from:

vname = mailbox_list_get_vname(_backend->list, name);

to:

vname = *name == '\0' ? "" :
	mailbox_list_get_vname(_backend->list, name);

that happened quite some time ago during bigger ACL changes, and I don't know 
exactly why this line was changed previously. Anyway, reverting this 
line alone fixes the problem, and while testing both per-mailbox ACL 
vfile and Global ACL file, reverting this did not affect them.

