Regression ACL & namespace prefix

Michal Hlavinka mhlavink at redhat.com
Tue Mar 12 16:29:20 EET 2019


Hi,

thanks for the answer. I think your environment was not set up correctly
to reproduce this bug. I've retested with 2.3.5 and I can still
reproduce it. I've attached a script that will configure everything for
testing, and if you have a virtual machine available, you can use it
directly (it expects Linux with systemd for the dovecot restart).

relevant section from config:
namespace {
   hidden = no
   list = yes
   location = maildir:/var/mail/pub
   prefix = pub/
   separator = /
   type = public
}

This expects the maildir directly in pub:
/var/mail/pub/cur
/var/mail/pub/new
/var/mail/pub/tmp

As it uses the '/' separator and there could be subfolders, it should look
for the .DEFAULT file in the global ACLs directory, which it does not in your
debug output:

doveadm(testuser): Info: Mailbox '' is in namespace 'pub/'
doveadm(testuser): Info: All message flags are shared across users in mailbox
doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found
doveadm(testuser): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
doveadm(testuser): Info: User testuser has no rights for mailbox
doveadm(testuser): Error: User testuser is missing 'lookup' right
doveadm(testuser): Info: Mailbox pub is NOT visible in LIST

In this output you can see that it checks this location:
acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found

instead of

/etc/dovecot/global-acls/pub/.DEFAULT

This is caused by this line in
src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...):

vname = *name == '\0' ? "" :
      mailbox_list_get_vname(_backend->list, name);

and because name is empty, it will not use the "pub" prefix in the path.
If I tested the ACL for "pub/subfolder", that condition would have a different
result and the bug would not trigger:

doveadm(testuser): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/subfolder/.DEFAULT


For testing I use this ACL configuration:
cat /etc/dovecot/global-acls/pub/.DEFAULT
user=testuser l

but as this ACL file location is not found by Dovecot, the content should
not matter.


Cheers,
Michal Hlavinka


On 3/7/19 7:00 PM, Aki Tuomi via dovecot wrote:
> I tested with release 2.3.5, and
> 
> doveadm -Dv acl debug -u testuser pub
> doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/pub/INBOX not found
> doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/INBOX/dbox-Mails/dovecot-acl not found
> doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/ not found
> doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/dovecot-acl not found
> 
> so our advice is to upgrade to 2.3.5, as 2.2.36 is no longer in
> development.
> 
> Aki
> 
>> On 7 March 2019 19:47 Aki Tuomi via dovecot <dovecot at dovecot.org>
>> wrote:
>> 
>> 
>> Sorry, we have not yet been able to look into this..
>> 
>> It's now in our internal system as DOP-966
>> 
>> Aki
>> 
>>> On 7 March 2019 17:31 Michal Hlavinka via dovecot
>>> <dovecot at dovecot.org> wrote:
>>> 
>>> 
>>> Hi, any progress with this issue? Do you need more information to
>>> debug and fix this?
>>> 
>>> Cheers Michal Hlavinka
>>> 
>>> On 9/18/18 4:10 PM, Michal Hlavinka wrote:
>>>> Hi
>>>> 
>>>> tl;dr: Seems that for Global ACL directory, namespace prefix is
>>>> not part of the path, when looking for acl file.
>>>> 
>>>> Long version:
>>>> 
>>>> We're planning to update dovecot in next os update to 2.2.36
>>>> and while going through regression testing, we found a problem
>>>> with ACL configuration combined with namespace.
>>>> 
>>>> Test uses "Global ACL directory" configuration.
>>>> 
>>>> Relevant configuration part:
>>>> mail_location = maildir:~/Maildir
>>>> 
>>>> namespace inbox {
>>>>   hidden = no
>>>>   inbox = yes
>>>>   list = yes
>>>>   location =
>>>>   prefix =
>>>>   separator = /
>>>> }
>>>> namespace {
>>>>   hidden = no
>>>>   list = yes
>>>>   location = maildir:/var/mail/pub
>>>>   prefix = pub/
>>>>   separator = /
>>>>   type = public
>>>> }
>>>> 
>>>> mail_plugins = acl
>>>> 
>>>> protocol imap {
>>>>   mail_plugins = $mail_plugins acl imap_acl
>>>> }
>>>> plugin {
>>>>   acl = vfile:/etc/dovecot/global-acls
>>>> }
>>>> 
>>>> ACL config file is stored at: 
>>>> /etc/dovecot/global-acls/pub/.DEFAULT
>>>> 
>>>> when trying to examine "pub", it is denied:
>>>> fetchmail: IMAP> A0005 EXAMINE "pub"
>>>> fetchmail: IMAP< A0005 NO Mailbox doesn't exist: pub (0.001 + 0.000 secs).
>>>> 
>>>> # doveadm acl debug -u d2 pub
>>>> doveadm(d2): Info: Mailbox '' is in namespace 'pub/'
>>>> doveadm(d2): Info: Mailbox path: /var/mail/pub
>>>> doveadm(d2): Info: All message flags are shared across users in mailbox
>>>> doveadm(d2): Info: User d2 has no rights for mailbox
>>>> doveadm(d2): Error: User d2 is missing 'lookup' right
>>>> doveadm(d2): Info: Mailbox pub is NOT visible in LIST
>>>> 
>>>> because it did not find the acl file:
>>>> imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub
>>>> imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt=
>>>> imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls
>>>> imap(d2): Debug: acl: acl username = d2
>>>> imap(d2): Debug: acl: owner = 0
>>>> imap(d2): Debug: acl vfile: Global ACL legacy directory: /etc/dovecot/global-acls
>>>> imap(d2): Debug: pub: Mailbox opened because: EXAMINE
>>>> imap(d2): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found
>>>> imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
>>>> 
>>>> 
>>>> see it's looking for: /etc/dovecot/global-acls//.DEFAULT 
>>>> instead of /etc/dovecot/global-acls/pub/.DEFAULT
>>>> 
>>>> Checking with the documentation https://wiki.dovecot.org/ACL it
>>>> seems that the prefix should still be part of the path, as it was
>>>> before: """The filenames must start with namespace prefix (if
>>>> it has one). For example with namespace prefix=INBOX/
>>>> containing mailbox "foo" use /etc/dovecot/acls/INBOX/foo."""
>>>> 
>>>> 
>>>> Just for comparison, the previous version (2.2.10) would work fine:
>>>> imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub
>>>> imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt=
>>>> imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls
>>>> imap(d2): Debug: acl: acl username = d2
>>>> imap(d2): Debug: acl: owner = 0
>>>> imap(d2): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls
>>>> imap(d2): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/.DEFAULT
>>>> imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
>>>> 
>>>> 
>>>> I've localized the problem to src/plugins/acl/acl-backend-vfile.c:
>>>> acl_backend_vfile_object_init(...) and the change from:
>>>> 
>>>> vname = mailbox_list_get_vname(_backend->list, name);
>>>> 
>>>> to:
>>>> 
>>>> vname = *name == '\0' ? "" :
>>>>       mailbox_list_get_vname(_backend->list, name);
>>>> 
>>>> that happened quite some time ago during bigger ACL changes, and I
>>>> don't know why exactly this line was changed previously.
>>>> Anyway, reverting this line alone fixes the problem, and while
>>>> testing both the per-mailbox ACL vfile and the Global ACL file,
>>>> reverting this did not affect them.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bugtest.sh
Type: application/x-shellscript
Size: 1659 bytes
Desc: not available
URL: <https://dovecot.org/pipermail/dovecot/attachments/20190312/7cc5ed9a/attachment.bin>
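The path mismatch described in this thread (/etc/dovecot/global-acls//.DEFAULT instead of /etc/dovecot/global-acls/pub/.DEFAULT for the namespace root) can be modelled in a few lines. The Python below is an added illustration written for this page; it is not Dovecot's code and not the attached bugtest.sh. It reimplements only the two "vname" expressions quoted from acl-backend-vfile.c and the path shape visible in the debug output, plus a simplified parser for the "user=testuser l" vfile entry. The function names, the treatment of the namespace root as "prefix without its trailing separator", the simplified rights resolution and the omission of the per-mailbox dovecot-acl fallback are all assumptions of this model, not Dovecot's lookup order.

```python
"""Model of the global-ACL-directory lookup discussed in this thread.

Added illustration, not Dovecot code. It mirrors the two versions of the
`vname` expression quoted from src/plugins/acl/acl-backend-vfile.c and the
.DEFAULT paths shown in the doveadm/imap debug output. The per-mailbox
dovecot-acl fallback and the rest of Dovecot's lookup order are omitted.
"""
import os
import tempfile

# Dovecot's single-letter ACL rights and their long names.
RIGHT_LETTERS = {
    "l": "lookup", "r": "read", "w": "write", "s": "write-seen",
    "t": "write-deleted", "i": "insert", "p": "post", "e": "expunge",
    "k": "create", "x": "delete", "a": "admin",
}


def mailbox_list_get_vname(prefix: str, sep: str, name: str) -> str:
    """Virtual name = namespace prefix + storage name (assumed model).

    The namespace root (empty storage name) maps to the prefix without its
    trailing separator, i.e. "" -> "pub" for prefix "pub/", which is what the
    2.2.10 debug output shows being used in the path.
    """
    if name == "":
        return prefix.rstrip(sep)
    return prefix + name


def global_acl_path(global_dir: str, prefix: str, sep: str, name: str,
                    *, skip_root_vname: bool) -> str:
    """Path of the .DEFAULT file in the global ACL directory.

    skip_root_vname=True reproduces the 2.2.36 expression
        vname = *name == '\\0' ? "" : mailbox_list_get_vname(list, name);
    skip_root_vname=False reproduces the earlier (2.2.10) expression
        vname = mailbox_list_get_vname(list, name);
    """
    if skip_root_vname and name == "":
        vname = ""
    else:
        vname = mailbox_list_get_vname(prefix, sep, name)
    # A single "/" join is what yields the doubled slash "//.DEFAULT" when
    # vname is empty, exactly as in the quoted debug lines.
    return f"{global_dir}/{vname}/.DEFAULT"


def parse_acl_file(text: str) -> dict:
    """Parse a vfile ACL file: one "<identifier> <rights>" entry per line.

    Rights may be letter strings ("lr") or long names ("lookup read").
    Comment and blank lines are skipped; unknown letters raise ValueError.
    """
    acl: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ident, _, rights = line.partition(" ")
        names = set()
        for token in rights.split():
            if token in RIGHT_LETTERS.values():
                names.add(token)
            else:
                for ch in token:
                    if ch not in RIGHT_LETTERS:
                        raise ValueError(f"unknown ACL right letter {ch!r}")
                    names.add(RIGHT_LETTERS[ch])
        acl.setdefault(ident, set()).update(names)
    return acl


def has_right(acl: dict, user: str, right: str) -> bool:
    """Simplified check: the user's own entry plus 'authenticated' and
    'anyone'. Owner, group and negative rights are not modelled."""
    granted: set = set()
    for ident in (f"user={user}", "authenticated", "anyone"):
        granted |= acl.get(ident, set())
    return right in granted


def check_lookup(global_dir: str, prefix: str, sep: str, name: str,
                 user: str, *, skip_root_vname: bool) -> tuple:
    """Return (path tried, lookup granted). A missing file grants nothing,
    which is the "missing 'lookup' right" outcome from the thread."""
    path = global_acl_path(global_dir, prefix, sep, name,
                           skip_root_vname=skip_root_vname)
    if not os.path.isfile(path):
        return path, False
    with open(path, encoding="utf-8") as fh:
        acl = parse_acl_file(fh.read())
    return path, has_right(acl, user, "lookup")


def demo() -> tuple:
    """Recreate the reporter's setup in a temp dir (constructed sample):
    <dir>/pub/.DEFAULT containing "user=testuser l". Returns the lookup
    result for the 2.2.36 expression and for the reverted expression."""
    with tempfile.TemporaryDirectory() as tmp:
        gdir = os.path.join(tmp, "global-acls")
        os.makedirs(os.path.join(gdir, "pub"))
        with open(os.path.join(gdir, "pub", ".DEFAULT"), "w",
                  encoding="utf-8") as fh:
            fh.write("user=testuser l\n")
        buggy = check_lookup(gdir, "pub/", "/", "", "testuser",
                             skip_root_vname=True)
        fixed = check_lookup(gdir, "pub/", "/", "", "testuser",
                             skip_root_vname=False)
        return buggy[1], fixed[1]


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, global_acl_path("/etc/dovecot/global-acls", "pub/", "/",
                                    "", skip_root_vname=flag))
    print(demo())
```

Running it shows the two paths from the thread side by side and that only the reverted expression finds the .DEFAULT file for the namespace root; for a subfolder such as "pub/subfolder" both expressions compute the same path, which is why the reporter notes the bug does not trigger there.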