Regression ACL & namespace prefix

Michal Hlavinka mhlavink at redhat.com
Thu Mar 7 17:31:34 EET 2019


Hi,
any progress with this issue? Do you need more information to debug and 
fix this?

Cheers
Michal Hlavinka

On 9/18/18 4:10 PM, Michal Hlavinka wrote:
> Hi
> 
> tl;dr:
> Seems that for Global ACL directory, namespace prefix is not part of the 
> path, when looking for acl file.
> 
> Long version:
> 
> We're planning to update dovecot in next os update to 2.2.36 and while 
> going through regression testing, we found a problem with ACL 
> configuration combined with namespace.
> 
> Test uses "Global ACL directory" configuration.
> 
> Relevant configuration part:
> mail_location = maildir:~/Maildir
> 
> namespace inbox {
>    hidden = no
>    inbox = yes
>    list = yes
>    location =
>    prefix =
>    separator = /
> }
> namespace {
>    hidden = no
>    list = yes
>    location = maildir:/var/mail/pub
>    prefix = pub/
>    separator = /
>    type = public
> }
> 
> mail_plugins = acl
> 
> protocol imap {
>    mail_plugins = $mail_plugins acl imap_acl
> }
> plugin {
>    acl = vfile:/etc/dovecot/global-acls
> }
> 
> ACL config file is stored at:
> /etc/dovecot/global-acls/pub/.DEFAULT
> 
> when trying to examine "pub", it is denied:
> fetchmail: IMAP> A0005 EXAMINE "pub"
> fetchmail: IMAP< A0005 NO Mailbox doesn't exist: pub (0.001 + 0.000 secs).
> 
> # doveadm acl debug -u d2 pub
> doveadm(d2): Info: Mailbox '' is in namespace 'pub/'
> doveadm(d2): Info: Mailbox path: /var/mail/pub
> doveadm(d2): Info: All message flags are shared across users in mailbox
> doveadm(d2): Info: User d2 has no rights for mailbox
> doveadm(d2): Error: User d2 is missing 'lookup' right
> doveadm(d2): Info: Mailbox pub is NOT visible in LIST
> 
> because it did not find acl file:
> imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, 
> hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub
> imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, 
> control=, inbox=, alt=
> imap(d2): Debug: acl: initializing backend with data: 
> vfile:/etc/dovecot/global-acls
> imap(d2): Debug: acl: acl username = d2
> imap(d2): Debug: acl: owner = 0
> imap(d2): Debug: acl vfile: Global ACL legacy directory: 
> /etc/dovecot/global-acls
> imap(d2): Debug: pub: Mailbox opened because: EXAMINE
> imap(d2): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not 
> found
> imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
> 
> 
> see it's looking for:
> /etc/dovecot/global-acls//.DEFAULT
> instead of
> /etc/dovecot/global-acls/pub/.DEFAULT
> 
> Checking with documentation
> https://wiki.dovecot.org/ACL
> it seems that prefix should still be part of the path, as it was before:
> """The filenames must start with namespace prefix (if it has one). For 
> example with namespace prefix=INBOX/ containing mailbox "foo" use 
> /etc/dovecot/acls/INBOX/foo."""
> 
> 
> Just for comparison, previous version (2.2.10) would work fine:
> imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, 
> hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub
> imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, 
> control=, inbox=, alt=
> imap(d2): Debug: acl: initializing backend with data: 
> vfile:/etc/dovecot/global-acls
> imap(d2): Debug: acl: acl username = d2
> imap(d2): Debug: acl: owner = 0
> imap(d2): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls
> imap(d2): Debug: acl vfile: reading file 
> /etc/dovecot/global-acls/pub/.DEFAULT
> imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
> 
> 
> I've localized the problem to:
> src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...)
> and change from:
> 
> vname = mailbox_list_get_vname(_backend->list, name);
> 
> to:
> 
> vname = *name == '\0' ? "" :
>      mailbox_list_get_vname(_backend->list, name);
> 
> that happened quite some time ago during bigger acl changes and I don't know 
> why exactly this line was changed previously. Anyway, reverting this 
> line alone fixes the problem and while testing both per-mailbox ACL 
> vfile and Global ACL file, reverting this did not affect them.


