YAEGASHI Takeshi
2011-Aug-23 07:52 UTC
[Dovecot] acl with hierarchy separators mismatched config
Hi there,

I'm testing dovecot 2.0.13 on Debian squeeze (deb from http://xi.rename-it.nl/debian) with the following doveconf -n.

--------
# 2.0.13 (1449a2e2c1f5): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.26-2-openvz-amd64 i686 Debian 6.0.2
first_valid_uid = 8
mail_debug = yes
mail_location = maildir:~/Maildir
mail_plugins = listescape mail_log notify acl
namespace {
  inbox = yes
  location =
  prefix =
  separator = /
  type = private
}
namespace {
  list = children
  location = maildir:/var/mail/public:INDEX=~/Maildir/public
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}
passdb {
  driver = pam
}
plugin {
  acl = vfile
}
protocols = " imap"
ssl = no
userdb {
  args = uid=mail gid=mail home=/var/mail/private/%u
  driver = static
}
protocol imap {
  mail_plugins = listescape mail_log notify acl imap_acl
}
--------

My primary interest is acl and listescape enabled folders in the public namespace. I've chosen "/" as the hierarchy separator to support folder names with dots ("."). /var/mail/public is a maildir with the maildir++ layout where the separator is a dot ("."). So I set up initial acls and folders as follows:

--------
# mkdir /var/mail/public
# echo 'anyone lra' >/var/mail/public/dovecot-acl
# maildirmake.dovecot /var/mail/public/.aaa
# echo 'anyone lrwstipekxa' >/var/mail/public/.aaa/dovecot-acl
# chown -R mail.mail /var/mail/public
--------

But my attempt to create a mailbox under Public/aaa fails with "Permission denied".

--------
# imtest -a yaegashi localhost
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN
S: C01 OK Pre-login capabilities listed, post-login capabilities have more.
Please enter your password:
C: A01 AUTHENTICATE PLAIN ?????????????????/
S: * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS ACL RIGHTS=texk
S: A01 OK Logged in
Authenticated.
Security strength factor: 0
. getacl Public
* ACL "Public" "anyone" alr
. OK Getacl completed.
. getacl Public/aaa
* ACL "Public/aaa" "anyone" akxeilprwtscd
. OK Getacl completed.
. create Public/aaa/bbb
. NO [NOPERM] Permission denied
--------

If the layout of /var/mail/public is switched to "fs", where the separator is "/", mailbox creation succeeds as expected.

--------
namespace {
  list = children
  location = maildir:/var/mail/public:INDEX=~/Maildir/public:LAYOUT=fs
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}
--------

--------
# maildirmake.dovecot /var/mail/public/aaa
# echo 'anyone lrwstipekxa' >/var/mail/public/aaa/dovecot-acl
# chown -R mail.mail /var/mail/public
# imtest -a yaegashi localhost
....
. getacl Public
* ACL "Public" "anyone" alr
. OK Getacl completed.
. getacl Public/aaa
* ACL "Public/aaa" "anyone" akxeilprwtscd
. OK Getacl completed.
. create Public/aaa/bbb
. OK Create completed.
. getacl Public/aaa/bbb
* ACL "Public/aaa/bbb" "anyone" akxeilprwtscd
. OK Getacl completed.
. create Public/aaa/1.2.3
. OK Create completed.
. create Public/aaa/cur
. NO Invalid mailbox name: Public/aaa/cur
--------

Is this behavior expected? Misconfiguration or dovecot bug? I prefer the maildir++ layout with listescape as it's reserved-folder-name free (e.g. cur new tmp).

Regards,
-- 
YAEGASHI Takeshi <yaegashi at debian.org>
Timo Sirainen
2011-Aug-23 15:39 UTC
[Dovecot] acl with hierarchy separators mismatched config
On 23.8.2011, at 10.52, YAEGASHI Takeshi wrote:

> I prefer the maildir++ layout with listescape as it's reserved-folder-name free (e.g. cur new tmp).

I remember listescape had problems with ACLs, and that it wasn't really possible to solve those bugs without major changes. The good news though is that those major changes are done in v2.1 where it should work.

Also you could make FS layout almost reserved-folder-name free by adding e.g. :DIRNAME=Mails to your mail_location. Now the only reserved name is "Mails", and you can of course use any other name that users are highly unlikely to use (and remember that folder names are case sensitive). Some day I'm hoping to add yet another option that mailbox names wouldn't be used in filenames at all, but rather their GUIDs.
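As an added illustration (not code from Dovecot or from either poster), the following models where a name in the thread's Public/ namespace (separator "/") lands on disk under the three layouts discussed: Maildir++ with listescape, the plain FS layout, and FS with the :DIRNAME=Mails option suggested in the reply. The "\2e" hex escaping form and the reserved-name checks are my assumptions about the plugin's and layouts' behaviour, not something the thread states.

```python
# Model of the on-disk mapping for the thread's config; an added example,
# not Dovecot's implementation. Escaping form "\XX" is an assumption.

NS_PREFIX = "Public/"
NS_SEP = "/"
ROOT = "/var/mail/public"
MAILDIR_RESERVED = {"cur", "new", "tmp"}  # Maildir subdirs of every mailbox


def listescape(component, escape_char="\\"):
    """Rewrite the Maildir++ separator "." and the escape char itself as
    <escape_char><two hex digits>, e.g. "1.2.3" -> "1\\2e2\\2e3" (assumed)."""
    return "".join(
        "%s%02x" % (escape_char, ord(ch)) if ch in (".", escape_char) else ch
        for ch in component)


def components(name):
    """Split "Public/aaa/bbb" into ["aaa", "bbb"]; empty parts are invalid."""
    if not name.startswith(NS_PREFIX):
        raise ValueError("outside namespace: " + name)
    parts = name[len(NS_PREFIX):].split(NS_SEP)
    if any(p == "" for p in parts):
        raise ValueError("Invalid mailbox name: " + name)
    return parts


def maildirpp_path(name, escape=True):
    """Maildir++: one flat ".a.b.c" dir per mailbox, "." as separator.
    Without listescape a "." inside a component would read as a separator."""
    parts = components(name)
    if escape:
        parts = [listescape(p) for p in parts]
    elif any("." in p for p in parts):
        raise ValueError("Invalid mailbox name: " + name)
    return ROOT + "/." + ".".join(parts)


def fs_path(name, dirname=None):
    """FS layout: nested dirs. Without DIRNAME, cur/new/tmp sit directly in
    the mailbox dir, so those names are reserved (the thread's "Invalid
    mailbox name: Public/aaa/cur"). With DIRNAME=Mails only "Mails" is."""
    reserved = {dirname} if dirname else MAILDIR_RESERVED
    parts = components(name)
    if any(p in reserved for p in parts):
        raise ValueError("Invalid mailbox name: " + name)
    path = ROOT + "/" + "/".join(parts)
    return path + "/" + dirname if dirname else path


def on_disk(name):
    """Map one IMAP name through every layout; None means the name is rejected."""
    layouts = (("maildir++", maildirpp_path),
               ("maildir++ no listescape", lambda n: maildirpp_path(n, False)),
               ("fs", fs_path),
               ("fs DIRNAME=Mails", lambda n: fs_path(n, "Mails")))
    result = {}
    for label, fn in layouts:
        try:
            result[label] = fn(name)
        except ValueError:
            result[label] = None
    return result
```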