dovecot - Jun 2014 - ACL group vs. owner question

A hopefully simple question regarding the use of ACLs - the spirit being 
of taking away most permissions first and then adding them back selectively:

In the global ACL declaration I have:
> * owner lr
> * group=SYS lrwstipekxa
The owner is put into the SYS group via userdb extra field in static 
passwd file ("archiv" is a system user, but pam is disabled for the
server):
> archiv:::::::userdb_acl_groups=SYS
Still, the group permissions do not get applied:
> root at host:/etc/dovecot# doveadm -D acl debug -u archiv INBOX
> [?]
> doveadm(archiv): Debug: Added userdb setting: plugin/acl_groups=SYS
> doveadm(archiv): Debug: Effective uid=1002, gid=1001, home=/home/archiv
> doveadm(archiv): Debug: acl: No acl_shared_dict setting - shared mailbox
listing is disabled
> doveadm(archiv): Debug: Namespace inbox: type=private, prefix=, sep=,
inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir
> doveadm(archiv): Debug: maildir++: root=/home/archiv/Maildir, index=,
indexpvt=, control=, inbox=/home/archiv/Maildir, alt> doveadm(archiv): Debug:
acl: initializing backend with data: vfile:/etc/dovecot/dovecot-acl
> doveadm(archiv): Debug: acl: acl username = archiv
> doveadm(archiv): Debug: acl: owner = 1
> doveadm(archiv): Debug: acl vfile: Global ACL file:
/etc/dovecot/dovecot-acl
> doveadm(archiv): Info: Mailbox 'INBOX' is in namespace ''
> doveadm(archiv): Info: Mailbox path: /home/archiv/Maildir
> doveadm(archiv): Info: All message flags are shared across users in mailbox
> doveadm(archiv): Debug: acl vfile: file /home/archiv/Maildir/dovecot-acl
not found
> doveadm(archiv): Info: User archiv has rights: lookup read
> doveadm(archiv): Info: Mailbox in user's private namespace
> doveadm(archiv): Info: Mailbox INBOX is visible in LIST
My question: Shouldn't this work? (In a stock setup.)


PS: when I add "* group-override=SYS" to /etc/dovecot/dovecot-acl the 
user will not even be able to list INBOX.

PPS: As an aside, the setup also switches any sytem or /virtual/ users 
during login in local.conf:
> userdb {
>         driver = static
>         args = uid=archiv gid=archiv home=/home/archiv user=archiv
> }
but I get the above result without that switching when I make it
read:
> userdb {
>    driver = static
>    args = home=/home/archiv
> }
So I suppose that it's not relevant in this case?

Thank you in advance

-- 
peter

* Peter Chiochetti <pch at myzel.net> 2014.06.22 14:48:
> >* owner lr
> >* group=SYS lrwstipekxa
> >doveadm(archiv): Info: User archiv has rights: lookup read
What version is this? There used to be a bug in versions before 2.2.13 where
only the first matching ACL line was applied. From the looks this could be the
case here as only 'lr' is applied.

http://hg.dovecot.org/dovecot-2.2/rev/7a08a481c133

Regards
Thomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20140622/d592db08/attachment.sig>