Sorry, we have not yet been able to look into this..

It's now in our internal system as DOP-966

Aki

> On 7 March 2019 17:31 Michal Hlavinka via dovecot <dovecot at dovecot.org> wrote:
>
>
> Hi,
> any progress with this issue? Do you need more information to debug and
> fix this?
>
> Cheers
> Michal Hlavinka
>
> On 9/18/18 4:10 PM, Michal Hlavinka wrote:
> > Hi
> >
> > tl;dr:
> > Seems that for Global ACL directory, namespace prefix is not part of the
> > path, when looking for acl file.
> >
> > Long version:
> >
> > We're planning to update dovecot in next os update to 2.2.36 and while
> > going through regression testing, we found a problem with ACL
> > configuration combined with namespace.
> >
> > Test uses "Global ACL directory" configuration.
> >
> > Relevant configuration part:
> > mail_location = maildir:~/Maildir
> >
> > namespace inbox {
> >   hidden = no
> >   inbox = yes
> >   list = yes
> >   location =
> >   prefix =
> >   separator = /
> > }
> > namespace {
> >   hidden = no
> >   list = yes
> >   location = maildir:/var/mail/pub
> >   prefix = pub/
> >   separator = /
> >   type = public
> > }
> >
> > mail_plugins = acl
> >
> > protocol imap {
> >   mail_plugins = $mail_plugins acl imap_acl
> > }
> > plugin {
> >   acl = vfile:/etc/dovecot/global-acls
> > }
> >
> > ACL config file is stored at:
> > /etc/dovecot/global-acls/pub/.DEFAULT
> >
> > when trying to examine "pub", it is denied:
> > fetchmail: IMAP> A0005 EXAMINE "pub"
> > fetchmail: IMAP< A0005 NO Mailbox doesn't exist: pub (0.001 + 0.000 secs).
> >
> > # doveadm acl debug -u d2 pub
> > doveadm(d2): Info: Mailbox '' is in namespace 'pub/'
> > doveadm(d2): Info: Mailbox path: /var/mail/pub
> > doveadm(d2): Info: All message flags are shared across users in mailbox
> > doveadm(d2): Info: User d2 has no rights for mailbox
> > doveadm(d2): Error: User d2 is missing 'lookup' right
> > doveadm(d2): Info: Mailbox pub is NOT visible in LIST
> >
> > because it did not find acl file:
> > imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no,
> > hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub
> > imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=,
> > control=, inbox=, alt=
> > imap(d2): Debug: acl: initializing backend with data:
> > vfile:/etc/dovecot/global-acls
> > imap(d2): Debug: acl: acl username = d2
> > imap(d2): Debug: acl: owner = 0
> > imap(d2): Debug: acl vfile: Global ACL legacy directory:
> > /etc/dovecot/global-acls
> > imap(d2): Debug: pub: Mailbox opened because: EXAMINE
> > imap(d2): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not
> > found
> > imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
> >
> >
> > see it's looking for:
> > /etc/dovecot/global-acls//.DEFAULT
> > instead of
> > /etc/dovecot/global-acls/pub/.DEFAULT
> >
> > Checking with documentation
> > https://wiki.dovecot.org/ACL
> > it seems that prefix should still be part of the path, as it was before:
> > """The filenames must start with namespace prefix (if it has one). For
> > example with namespace prefix=INBOX/ containing mailbox "foo" use
> > /etc/dovecot/acls/INBOX/foo."""
> >
> >
> > Just for comparison, previous version (2.2.10) would work fine:
> > imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no,
> > hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub
> > imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=,
> > control=, inbox=, alt=
> > imap(d2): Debug: acl: initializing backend with data:
> > vfile:/etc/dovecot/global-acls
> > imap(d2): Debug: acl: acl username = d2
> > imap(d2): Debug: acl: owner = 0
> > imap(d2): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls
> > imap(d2): Debug: acl vfile: reading file
> > /etc/dovecot/global-acls/pub/.DEFAULT
> > imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
> >
> >
> > I've localized problem to:
> > src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...)
> > and change from:
> >
> > vname = mailbox_list_get_vname(_backend->list, name);
> >
> > to:
> >
> > vname = *name == '\0' ? "" :
> >     mailbox_list_get_vname(_backend->list, name);
> >
> > that happened quite time ago during bigger acl changes and I don't know
> > why exactly this line was changed previously. Anyway, reverting this
> > line alone fixes the problem and while testing both per-mailbox ACL
> > vfile and Global ACL file, reverting this did not affect them.

I tested with release 2.3.5, and

doveadm -Dv acl debug -u testuser pub
doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/pub/INBOX not found
doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/INBOX/dbox-Mails/dovecot-acl not found
doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/ not found
doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/dovecot-acl not found

so our advice is to upgrade into 2.3.5, as 2.2.36 is no longer in development.

Aki

Hi,

thanks for the answer. I think your environment was not set up
correctly to reproduce this bug. I've retested with 2.3.5 and I can
still reproduce it. I've attached a script that will configure
everything for testing and if you have a virtual machine available,
you can use it directly (it expects linux with systemd for dovecot
restart).

relevant section from config:

namespace {
  hidden = no
  list = yes
  location = maildir:/var/mail/pub
  prefix = pub/
  separator = /
  type = public
}

this expects maildir directly in pub:
/var/mail/pub/cur
/var/mail/pub/new
/var/mail/pub/tmp

as it uses '/' separator and there could be subfolders, it should look
for .DEFAULT file in global acls directory which it does not in your
debug output

doveadm(testuser): Info: Mailbox '' is in namespace 'pub/'
doveadm(testuser): Info: All message flags are shared across users in mailbox
doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found
doveadm(testuser): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
doveadm(testuser): Info: User testuser has no rights for mailbox
doveadm(testuser): Error: User testuser is missing 'lookup' right
doveadm(testuser): Info: Mailbox pub is NOT visible in LIST

in this output see that it checks this location:
acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found
instead of
/etc/dovecot/global-acls/pub/.DEFAULT

this is caused by line in
src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...)

vname = *name == '\0' ? "" :
    mailbox_list_get_vname(_backend->list, name);

and because name is empty, it will not use the "pub" prefix in the
path. If I'd test acl for "pub/subfolder" that condition would have
different result and bug would not trigger:

doveadm(testuser): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/subfolder/.DEFAULT

For testing I use this acl configuration:
cat /etc/dovecot/global-acls/pub/.DEFAULT
user=testuser l

but as this acl file location is not found by dovecot, content should
not matter.

Cheers,
Michal Hlavinka

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bugtest.sh
Type: application/x-shellscript
Size: 1659 bytes
Desc: not available
URL: <https://dovecot.org/pipermail/dovecot/attachments/20190312/7cc5ed9a/attachment.bin>
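
A regression check for the symptom reported in this thread, added here as an example (it is not part of the thread, the attached bugtest.sh, or Dovecot): it scans debug output for global ACL lookups whose mailbox component is empty, such as /etc/dovecot/global-acls//.DEFAULT, and lists where the file would sit with a logged namespace prefix included. The function name, the global_dir parameter and the sample log are assumptions of this example; the sample lines are constructed in the format quoted above.

```python
import re

# Constructed sample in the debug-line format quoted in the thread
# (user d2, public namespace prefix pub/, global ACL dir from the posted config).
SAMPLE_LOG = """\
imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub
imap(d2): Debug: acl vfile: Global ACL legacy directory: /etc/dovecot/global-acls
imap(d2): Debug: pub: Mailbox opened because: EXAMINE
imap(d2): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found
imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found
imap(d2): Debug: acl vfile: reading file /etc/dovecot/global-acls/pub/subfolder/.DEFAULT
"""

NAMESPACE_RE = re.compile(r"Debug: Namespace .*?\bprefix=([^,]*), sep=([^,]*),")
GLOBAL_DIR_RE = re.compile(r"acl vfile: Global ACL (?:legacy )?directory: (\S+)")
LOOKUP_RE = re.compile(r"acl vfile: (?:reading )?file (\S+)")


def find_prefixless_lookups(log_text, global_dir=None):
    """Return global ACL lookups whose mailbox component is empty.

    Each finding is (looked_up_path, candidate_paths); the candidates are
    where the file would sit if a logged namespace prefix were included.
    global_dir can be passed explicitly when the log lacks the
    "Global ACL ... directory" line (hypothetical parameter of this example).
    """
    prefixes, findings = [], []
    for line in log_text.splitlines():
        m = NAMESPACE_RE.search(line)
        if m:
            prefix = m.group(1).rstrip(m.group(2))  # "pub/" -> "pub"
            if prefix and prefix not in prefixes:
                prefixes.append(prefix)
            continue
        m = GLOBAL_DIR_RE.search(line)
        if m:
            global_dir = m.group(1).rstrip("/")
            continue
        m = LOOKUP_RE.search(line)
        if not (m and global_dir and m.group(1).startswith(global_dir + "/")):
            continue  # not an ACL lookup, or a per-mailbox dovecot-acl file
        rest = m.group(1)[len(global_dir) + 1:]  # text after "<global_dir>/"
        if rest == "" or rest.startswith("/"):   # empty mailbox name in path
            candidates = [f"{global_dir}/{p}{rest}" for p in prefixes]
            findings.append((m.group(1), candidates))
    return findings


if __name__ == "__main__":
    for path, candidates in find_prefixless_lookups(SAMPLE_LOG):
        print("global ACL lookup without namespace prefix:", path)
        print("  expected with prefix:", ", ".join(candidates) or "(no prefix logged)")
```

For `doveadm -Dv acl debug` output, which in the runs quoted above does not log the global directory line, pass the directory from the `acl = vfile:...` setting as global_dir.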