Hi

tl;dr:
Seems that for Global ACL directory, namespace prefix is not part of the path, when looking for acl file.

Long version:

We're planning to update dovecot in next os update to 2.2.36 and while going through regression testing, we found a problem with ACL configuration combined with namespace.

Test uses "Global ACL directory" configuration.

Relevant configuration part:
mail_location = maildir:~/Maildir

namespace inbox {
  hidden = no
  inbox = yes
  list = yes
  location
  prefix
  separator = /
}
namespace {
  hidden = no
  list = yes
  location = maildir:/var/mail/pub
  prefix = pub/
  separator = /
  type = public
}

mail_plugins = acl

protocol imap {
  mail_plugins = $mail_plugins acl imap_acl
}
plugin {
  acl = vfile:/etc/dovecot/global-acls
}

ACL config file is stored at:
/etc/dovecot/global-acls/pub/.DEFAULT

when trying to examine "pub", it is denied:
fetchmail: IMAP> A0005 EXAMINE "pub"
fetchmail: IMAP< A0005 NO Mailbox doesn't exist: pub (0.001 + 0.000 secs).

# doveadm acl debug -u d2 pub
doveadm(d2): Info: Mailbox '' is in namespace 'pub/'
doveadm(d2): Info: Mailbox path: /var/mail/pub
doveadm(d2): Info: All message flags are shared across users in mailbox
doveadm(d2): Info: User d2 has no rights for mailbox
doveadm(d2): Error: User d2 is missing 'lookup' right
doveadm(d2): Info: Mailbox pub is NOT visible in LIST

because it did not find acl file:
imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub
imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt
imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls
imap(d2): Debug: acl: acl username = d2
imap(d2): Debug: acl: owner = 0
imap(d2): Debug: acl vfile: Global ACL legacy directory: /etc/dovecot/global-acls
imap(d2): Debug: pub: Mailbox opened because: EXAMINE
imap(d2): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found
imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found

see it's looking for:
/etc/dovecot/global-acls//.DEFAULT
instead of
/etc/dovecot/global-acls/pub/.DEFAULT

Checking with documentation
https://wiki.dovecot.org/ACL
it seems that prefix should still be part of the path, as it was before:
"""The filenames must start with namespace prefix (if it has one). For example with namespace prefix=INBOX/ containing mailbox "foo" use /etc/dovecot/acls/INBOX/foo."""

Just for comparison, previous version (2.2.10) would work fine:
imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub
imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt
imap(d2): Debug: acl: initializing backend with data: vfile:/etc/dovecot/global-acls
imap(d2): Debug: acl: acl username = d2
imap(d2): Debug: acl: owner = 0
imap(d2): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls
imap(d2): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/.DEFAULT
imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found

I've localized problem to:
src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...)
and change from:

    vname = mailbox_list_get_vname(_backend->list, name);

to:

    vname = *name == '\0' ? "" :
        mailbox_list_get_vname(_backend->list, name);

that happened quite time ago during bigger acl changes and I don't know why exactly this line was changed previously. Anyway, reverting this line alone fixes the problem and while testing both per-mailbox ACL vfile and Global ACL file, reverting this did not affect them.
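The path construction described in the message above, as an added example that is not part of the post and is not Dovecot's code. `model_get_vname()` and `global_acl_path()` are hypothetical stand-ins, written on the assumption that the namespace root maps to the prefix without its trailing separator and that the root's global ACL file is `.DEFAULT`, as the paths in the post's debug logs suggest.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for mailbox_list_get_vname(): storage name -> name
 * visible to clients. Assumption: the namespace root ("") maps to the prefix
 * without its trailing separator; other names get the prefix prepended. */
static const char *model_get_vname(const char *prefix, const char *name,
                                   char *buf, size_t len)
{
    if (*name == '\0') {
        size_t n = strlen(prefix);
        if (n > 0 && prefix[n - 1] == '/')
            n--;
        snprintf(buf, len, "%.*s", (int)n, prefix);
    } else {
        snprintf(buf, len, "%s%s", prefix, name);
    }
    return buf;
}

/* Global ACL file path for a mailbox, written into out.
 * short_circuit = 1 models the 2.2.36 line (empty name -> empty vname),
 * short_circuit = 0 models the 2.2.10 line (always ask for the vname). */
static const char *global_acl_path(const char *acl_dir, const char *prefix,
                                   const char *name, int short_circuit,
                                   char *out, size_t len)
{
    char vbuf[256];
    const char *vname = (short_circuit && *name == '\0') ? "" :
        model_get_vname(prefix, name, vbuf, sizeof(vbuf));

    /* Assumption from the post's logs: the namespace root uses ".DEFAULT". */
    if (*name == '\0')
        snprintf(out, len, "%s/%s/.DEFAULT", acl_dir, vname);
    else
        snprintf(out, len, "%s/%s", acl_dir, vname);
    return out;
}

int main(void)
{
    char p[512];
    const char *dir = "/etc/dovecot/global-acls";

    printf("2.2.36 line: %s\n", global_acl_path(dir, "pub/", "", 1, p, sizeof(p)));
    printf("2.2.10 line: %s\n", global_acl_path(dir, "pub/", "", 0, p, sizeof(p)));
    printf("child:       %s\n", global_acl_path(dir, "pub/", "foo", 1, p, sizeof(p)));
    return 0;
}
```

Only the namespace root is affected in this model: a child mailbox such as `foo` still resolves under `pub/`, which matches the wiki sentence quoted in the post.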
Hi,
any progress with this issue? Do you need more information to debug and fix this?

Cheers
Michal Hlavinka

On 9/18/18 4:10 PM, Michal Hlavinka wrote:
> Hi
>
> tl;dr:
> Seems that for Global ACL directory, namespace prefix is not part of the
> path, when looking for acl file.
Sorry, we have not yet been able to look into this.. It's now in our internal system as DOP-966

Aki

> On 7 March 2019 17:31 Michal Hlavinka via dovecot <dovecot at dovecot.org> wrote:
>
> Hi,
> any progress with this issue? Do you need more information to debug and
> fix this?
>
> Cheers
> Michal Hlavinka
>
> On 9/18/18 4:10 PM, Michal Hlavinka wrote:
> > Hi
> >
> > tl;dr:
> > Seems that for Global ACL directory, namespace prefix is not part of the
> > path, when looking for acl file.
On 18 Sep 2018, at 17.10, Michal Hlavinka <mhlavink at redhat.com> wrote:
>
> Seems that for Global ACL directory, namespace prefix is not part of the path, when looking for acl file.

Is there a reason you're using ACL directory instead of ACL file? I've rather been thinking about removing code for ACL directories entirely at some point.
On 3/12/19 10:18 PM, Timo Sirainen via dovecot wrote:
> On 18 Sep 2018, at 17.10, Michal Hlavinka <mhlavink at redhat.com> wrote:
>>
>> Seems that for Global ACL directory, namespace prefix is not part of
>> the path, when looking for acl file.
>
> Is there a reason you're using ACL directory instead of ACL file? I've
> rather been thinking about removing code for ACL directories entirely at
> some point.
>

The main reason is "if it works, don't touch it". Which includes zero admin time required, no downtime required and benefit of long time verified configuration. We did some tests before updating dovecot in distribution, as users like to deploy and forget, as any attention required (whatever reason) is disruptive and takes time that could be used elsewhere.

We found this issue when running regression tests for other components that use dovecot in their testing environment which means that we would have to rewrite other tests too. Which is in fact just a reiteration of the first paragraph.

Cheers,
Michal Hlavinka