Hi,

I'm having trouble to get ACLs working in a more restrictive way with namespaces. I would like to grant certain users the ability to create new mailboxes in a public namespace e.g. "Public/Newsletters" etc.

It works when I add the users to a ".DEFAULT" ACL file like this:

  user=username lrwk

Anyway I'd like to limit their permissions on the Namespace "Public", or even better - being more restrictive, on "Public/Newsletters".

Neither global ACL files for "Public" nor "Newsletters" nested in the global path seem to work. For now only the .DEFAULT ACL (/var/vmail/domain/etc/acls/.DEFAULT) seems to mitigate the problem which is undesirable.

dovecot -n excerpt:

  plugin:
    acl: vfile:/var/vmail/%d/etc/acls:cache_secs=300

Thanks
Thomas

On Thu, 2009-08-13 at 23:10 +0200, Thomas Leuxner wrote:

> Hi,
>
> I'm having trouble to get ACLs working in a more restrictive way with
> namespaces. I would like to grant certain users the ability to create
> new mailboxes in a public namespace e.g. "Public/Newsletters" etc.
>
> It works when I add the users to a ".DEFAULT" ACL file like this:
> user=username lrwk
>
> Anyway I'd like to limit their permissions on the Namespace "Public",
> or even better - being more restrictive, on "Public/Newsletters".

I don't really understand. What exactly do you want to limit? Above you give username lrwk permissions, don't you want them after all?

> Neither global ACL files for "Public" nor "Newsletters" nested in the
> global path seem to work. For now only the .DEFAULT ACL (/var/vmail/
> domain/etc/acls/.DEFAULT) seems to mitigate the problem which is
> undesirable.

You anyway probably don't want to use global ACLs. Just put dovecot-acl files inside those maildirs where you want to change permissions.

On 13.08.2009 at 23:47, Timo Sirainen wrote:

> On Thu, 2009-08-13 at 23:10 +0200, Thomas Leuxner wrote:
>> Anyway I'd like to limit their permissions on the Namespace "Public",
>> or even better - being more restrictive, on "Public/Newsletters".
>
> I don't really understand. What exactly do you want to limit? Above you
> give username lrwk permissions, don't you want them after all?

I want to limit certain people to create new mailboxes in namespace "Public" only.

> You anyway probably don't want to use global ACLs. Just put dovecot-acl
> files inside those maildirs where you want to change permissions.

That doesn't work for yet uncreated mailboxes, I can not predict names here.

On Thu, 13 Aug 2009, Thomas Leuxner wrote:

> plugin:
>   acl: vfile:/var/vmail/%d/etc/acls:cache_secs=300

I do not use global ACLs, but mailbox-specific ones:

  acl: vfile::cache_secs=300

Then one adds the ACLs to .dovecot-acl files located in each mailbox.
Or issue a SETACL as owner.

Bye,

-- 
Steffen Kaiser

On 14.08.2009 at 10:54, Steffen Kaiser wrote:

> On Thu, 13 Aug 2009, Thomas Leuxner wrote:
>
>> plugin:
>>   acl: vfile:/var/vmail/%d/etc/acls:cache_secs=300
>
> I do not use global ACLs, but mailbox-specific ones:
>
>   acl: vfile::cache_secs=300
>
> Then one adds the ACLs to .dovecot-acl files located in each mailbox.
> Or issue a SETACL as owner.

Right, the dovecot-acl however does not get evaluated in my Public/ namespace root. I want to assign rights to users creating new mailboxes.