Sorry, we have not yet been able to look into this.. It's now in our internal system as DOP-966 Aki> On 7 March 2019 17:31 Michal Hlavinka via dovecot <dovecot at dovecot.org> wrote: > > > Hi, > any progress with this issue? Do you need more information to debug and > fix this? > > Cheers > Michal Hlavinka > > On 9/18/18 4:10 PM, Michal Hlavinka wrote: > > Hi > > > > tl;dr: > > Seems that for Global ACL directory, namespace prefix is not part of the > > path, when looking for acl file. > > > > Long version: > > > > We're planning to update dovecot in next os update to 2.2.36 and while > > going through regression testing, we found a problem with ACL > > configuration combined with namespace. > > > > Test uses "Global ACL directory" configuration. > > > > Relevant configuration part: > > mail_location = maildir:~/Maildir > > > > namespace inbox { > > ? hidden = no > > ? inbox = yes > > ? list = yes > > ? location > > ? prefix > > ? separator = / > > } > > namespace { > > ? hidden = no > > ? list = yes > > ? location = maildir:/var/mail/pub > > ? prefix = pub/ > > ? separator = / > > ? type = public > > } > > > > mail_plugins = acl > > > > protocol imap { > > ? mail_plugins = $mail_plugins acl imap_acl > > } > > plugin { > > ? acl = vfile:/etc/dovecot/global-acls > > } > > > > ACL config file is stored at: > > /etc/dovecot/global-acls/pub/.DEFAULT > > > > when trying to examine "pub", it is denied: > > fetchmail: IMAP> A0005 EXAMINE "pub" > > fetchmail: IMAP< A0005 NO Mailbox doesn't exist: pub (0.001 + 0.000 secs). > > > > # doveadm acl debug -u d2 pub > > doveadm(d2): Info: Mailbox '' is in namespace 'pub/' > > doveadm(d2): Info: Mailbox path: /var/mail/pub > > doveadm(d2): Info: All message flags are shared across users in mailbox > > doveadm(d2): Info: User d2 has no rights for mailbox > > doveadm(d2): Error: User d2 is missing 'lookup' right > > doveadm(d2): Info: Mailbox pub is NOT visible in LIST > > > > because it did not find acl file: > > imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, > > hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub > > imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, > > control=, inbox=, alt> > imap(d2): Debug: acl: initializing backend with data: > > vfile:/etc/dovecot/global-acls > > imap(d2): Debug: acl: acl username = d2 > > imap(d2): Debug: acl: owner = 0 > > imap(d2): Debug: acl vfile: Global ACL legacy directory: > > /etc/dovecot/global-acls > > imap(d2): Debug: pub: Mailbox opened because: EXAMINE > > imap(d2): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not > > found > > imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found > > > > > > see it's looking for: > > /etc/dovecot/global-acls//.DEFAULT > > instead of > > /etc/dovecot/global-acls/pub/.DEFAULT > > > > Checking with documentation > > https://wiki.dovecot.org/ACL > > it seems that prefix should still be part of the path, as it was before: > > """The filenames must start with namespace prefix (if it has one). For > > example with namespace prefix=INBOX/ containing mailbox "foo" use > > /etc/dovecot/acls/INBOX/foo.""" > > > > > > Just for comparison, previous version (2.2.10) would work fine: > > imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, > > hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub > > imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, > > control=, inbox=, alt> > imap(d2): Debug: acl: initializing backend with data: > > vfile:/etc/dovecot/global-acls > > imap(d2): Debug: acl: acl username = d2 > > imap(d2): Debug: acl: owner = 0 > > imap(d2): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls > > imap(d2): Debug: acl vfile: reading file > > /etc/dovecot/global-acls/pub/.DEFAULT > > imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found > > > > > > I've localized problem to: > > src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...) > > and change from: > > > > vname = mailbox_list_get_vname(_backend->list, name); > > > > to: > > > > vname = *name == '\0' ? "" : > > ????mailbox_list_get_vname(_backend->list, name); > > > > that happened quite time ago during bigger acl changes and I don't know > > why exactly this line was changed previously. Anyway, reverting this > > line alone fixes the problem and while testing both per-mailbox ACL > > vfile and Global ACL file, reverting this did not affect them.
I tested with release 2.3.5, and doveadm -Dv acl debug -u testuser pub doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/pub/INBOX not found doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/INBOX/dbox-Mails/dovecot-acl not found doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls/ not found doveadm(testuser): Debug: acl vfile: file /home/vmail/pub/Mail/mailboxes/dovecot-acl not found so our advice is to upgrade into 2.3.5, as 2.2.36 is no longer in development. Aki> On 7 March 2019 19:47 Aki Tuomi via dovecot <dovecot at dovecot.org> wrote: > > > Sorry, we have not yet been able to look into this.. > > It's now in our internal system as DOP-966 > > Aki > > > On 7 March 2019 17:31 Michal Hlavinka via dovecot <dovecot at dovecot.org> wrote: > > > > > > Hi, > > any progress with this issue? Do you need more information to debug and > > fix this? > > > > Cheers > > Michal Hlavinka > > > > On 9/18/18 4:10 PM, Michal Hlavinka wrote: > > > Hi > > > > > > tl;dr: > > > Seems that for Global ACL directory, namespace prefix is not part of the > > > path, when looking for acl file. > > > > > > Long version: > > > > > > We're planning to update dovecot in next os update to 2.2.36 and while > > > going through regression testing, we found a problem with ACL > > > configuration combined with namespace. > > > > > > Test uses "Global ACL directory" configuration. > > > > > > Relevant configuration part: > > > mail_location = maildir:~/Maildir > > > > > > namespace inbox { > > > ? hidden = no > > > ? inbox = yes > > > ? list = yes > > > ? location > > > ? prefix > > > ? separator = / > > > } > > > namespace { > > > ? hidden = no > > > ? list = yes > > > ? location = maildir:/var/mail/pub > > > ? prefix = pub/ > > > ? separator = / > > > ? type = public > > > } > > > > > > mail_plugins = acl > > > > > > protocol imap { > > > ? mail_plugins = $mail_plugins acl imap_acl > > > } > > > plugin { > > > ? acl = vfile:/etc/dovecot/global-acls > > > } > > > > > > ACL config file is stored at: > > > /etc/dovecot/global-acls/pub/.DEFAULT > > > > > > when trying to examine "pub", it is denied: > > > fetchmail: IMAP> A0005 EXAMINE "pub" > > > fetchmail: IMAP< A0005 NO Mailbox doesn't exist: pub (0.001 + 0.000 secs). > > > > > > # doveadm acl debug -u d2 pub > > > doveadm(d2): Info: Mailbox '' is in namespace 'pub/' > > > doveadm(d2): Info: Mailbox path: /var/mail/pub > > > doveadm(d2): Info: All message flags are shared across users in mailbox > > > doveadm(d2): Info: User d2 has no rights for mailbox > > > doveadm(d2): Error: User d2 is missing 'lookup' right > > > doveadm(d2): Info: Mailbox pub is NOT visible in LIST > > > > > > because it did not find acl file: > > > imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, > > > hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub > > > imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, > > > control=, inbox=, alt> > > imap(d2): Debug: acl: initializing backend with data: > > > vfile:/etc/dovecot/global-acls > > > imap(d2): Debug: acl: acl username = d2 > > > imap(d2): Debug: acl: owner = 0 > > > imap(d2): Debug: acl vfile: Global ACL legacy directory: > > > /etc/dovecot/global-acls > > > imap(d2): Debug: pub: Mailbox opened because: EXAMINE > > > imap(d2): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT not > > > found > > > imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found > > > > > > > > > see it's looking for: > > > /etc/dovecot/global-acls//.DEFAULT > > > instead of > > > /etc/dovecot/global-acls/pub/.DEFAULT > > > > > > Checking with documentation > > > https://wiki.dovecot.org/ACL > > > it seems that prefix should still be part of the path, as it was before: > > > """The filenames must start with namespace prefix (if it has one). For > > > example with namespace prefix=INBOX/ containing mailbox "foo" use > > > /etc/dovecot/acls/INBOX/foo.""" > > > > > > > > > Just for comparison, previous version (2.2.10) would work fine: > > > imap(d2): Debug: Namespace : type=public, prefix=pub/, sep=/, inbox=no, > > > hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/pub > > > imap(d2): Debug: maildir++: root=/var/mail/pub, index=, indexpvt=, > > > control=, inbox=, alt> > > imap(d2): Debug: acl: initializing backend with data: > > > vfile:/etc/dovecot/global-acls > > > imap(d2): Debug: acl: acl username = d2 > > > imap(d2): Debug: acl: owner = 0 > > > imap(d2): Debug: acl vfile: Global ACL directory: /etc/dovecot/global-acls > > > imap(d2): Debug: acl vfile: reading file > > > /etc/dovecot/global-acls/pub/.DEFAULT > > > imap(d2): Debug: acl vfile: file /var/mail/pub/dovecot-acl not found > > > > > > > > > I've localized problem to: > > > src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...) > > > and change from: > > > > > > vname = mailbox_list_get_vname(_backend->list, name); > > > > > > to: > > > > > > vname = *name == '\0' ? "" : > > > ????mailbox_list_get_vname(_backend->list, name); > > > > > > that happened quite time ago during bigger acl changes and I don't know > > > why exactly this line was changed previously. Anyway, reverting this > > > line alone fixes the problem and while testing both per-mailbox ACL > > > vfile and Global ACL file, reverting this did not affect them.
Hi,
thanks for the answer. I think your environment was not set up correctly
to reproduce this bug. I've retested with 2.3.5 and I can still
reproduce it. I've attached a script that will configure everything for
testing and if you have a virtual machine available, you can use it
directly (it expects linux with systemd for dovecot restart).
relevant section from config:
namespace {
hidden = no
list = yes
location = maildir:/var/mail/pub
prefix = pub/
separator = /
type = public
}
this expects maildir directly in pub:
/var/mail/pub/cur
/var/mail/pub/new
/var/mail/pub/tmp
as it uses '/' separator and there could be subfolders, it should look
for .DEFAULT file in global acls directory which it does not in your
debug output
doveadm(testuser): Info: Mailbox '' is in namespace 'pub/'
doveadm(testuser): Info: All message flags are shared across users in
mailbox
doveadm(testuser): Debug: acl vfile: file /etc/dovecot/global-acls//.DEFAULT
not found
doveadm(testuser): Debug: acl vfile: file /var/mail/pub/dovecot-acl not
found
doveadm(testuser): Info: User testuser has no rights for mailbox
doveadm(testuser): Error: User testuser is missing 'lookup' right
doveadm(testuser): Info: Mailbox pub is NOT visible in LIST
in this output see that it checks this location:
acl vfile: file /etc/dovecot/global-acls//.DEFAULT not found
instead of
/etc/dovecot/global-acls/pub/.DEFAULT
this is caused by line in
src/plugins/acl/acl-backend-vfile.c: acl_backend_vfile_object_init(...)
vname = *name == '\0' ? "" :
mailbox_list_get_vname(_backend->list, name);
and because name is empty, it will not use the "pub" prefix in the
path.
If I'd test acl for "pub/subfolder" that condition would have
different
result and bug would not trigger:
doveadm(testuser): Debug: acl vfile: reading file
/etc/dovecot/global-acls/pub/subfolder/.DEFAULT
For testing I use this acl configuration:
cat /etc/dovecot/global-acls/pub/.DEFAULT
user=testuser l
but as this acl file location is not found by dovecot, content should
not matter.
Cheers,
Michal Hlavinka
On 3/7/19 7:00 PM, Aki Tuomi via dovecot wrote:> I tested with release 2.3.5, and
>
> doveadm -Dv acl debug -u testuser pub doveadm(testuser): Debug: acl
> vfile: file /etc/dovecot/global-acls/pub/INBOX not found
> doveadm(testuser): Debug: acl vfile: file
> /home/vmail/pub/Mail/mailboxes/INBOX/dbox-Mails/dovecot-acl not
> found doveadm(testuser): Debug: acl vfile: file
> /etc/dovecot/global-acls/ not found doveadm(testuser): Debug: acl
> vfile: file /home/vmail/pub/Mail/mailboxes/dovecot-acl not found
>
> so our advice is to upgrade into 2.3.5, as 2.2.36 is no longer in
> development.
>
> Aki
>
>> On 7 March 2019 19:47 Aki Tuomi via dovecot <dovecot at
dovecot.org>
>> wrote:
>>
>>
>> Sorry, we have not yet been able to look into this..
>>
>> It's now in our internal system as DOP-966
>>
>> Aki
>>
>>> On 7 March 2019 17:31 Michal Hlavinka via dovecot
>>> <dovecot at dovecot.org> wrote:
>>>
>>>
>>> Hi, any progress with this issue? Do you need more information to
>>> debug and fix this?
>>>
>>> Cheers Michal Hlavinka
>>>
>>> On 9/18/18 4:10 PM, Michal Hlavinka wrote:
>>>> Hi
>>>>
>>>> tl;dr: Seems that for Global ACL directory, namespace prefix is
>>>> not part of the path, when looking for acl file.
>>>>
>>>> Long version:
>>>>
>>>> We're planning to update dovecot in next os update to
2.2.36
>>>> and while going through regression testing, we found a problem
>>>> with ACL configuration combined with namespace.
>>>>
>>>> Test uses "Global ACL directory" configuration.
>>>>
>>>> Relevant configuration part: mail_location = maildir:~/Maildir
>>>>
>>>> namespace inbox { hidden = no inbox = yes list = yes location
>>>> = prefix = separator = / } namespace { hidden = no list = yes
>>>> location = maildir:/var/mail/pub prefix = pub/ separator = /
>>>> type = public }
>>>>
>>>> mail_plugins = acl
>>>>
>>>> protocol imap { mail_plugins = $mail_plugins acl imap_acl }
>>>> plugin { acl = vfile:/etc/dovecot/global-acls }
>>>>
>>>> ACL config file is stored at:
>>>> /etc/dovecot/global-acls/pub/.DEFAULT
>>>>
>>>> when trying to examine "pub", it is denied:
fetchmail: IMAP>
>>>> A0005 EXAMINE "pub" fetchmail: IMAP< A0005 NO
Mailbox doesn't
>>>> exist: pub (0.001 + 0.000 secs).
>>>>
>>>> # doveadm acl debug -u d2 pub doveadm(d2): Info: Mailbox
'' is
>>>> in namespace 'pub/' doveadm(d2): Info: Mailbox path:
>>>> /var/mail/pub doveadm(d2): Info: All message flags are shared
>>>> across users in mailbox doveadm(d2): Info: User d2 has no
>>>> rights for mailbox doveadm(d2): Error: User d2 is missing
>>>> 'lookup' right doveadm(d2): Info: Mailbox pub is NOT
visible in
>>>> LIST
>>>>
>>>> because it did not find acl file: imap(d2): Debug: Namespace :
>>>> type=public, prefix=pub/, sep=/, inbox=no, hidden=no, list=yes,
>>>> subscriptions=yes location=maildir:/var/mail/pub imap(d2):
>>>> Debug: maildir++: root=/var/mail/pub, index=, indexpvt=,
>>>> control=, inbox=, alt= imap(d2): Debug: acl: initializing
>>>> backend with data: vfile:/etc/dovecot/global-acls imap(d2):
>>>> Debug: acl: acl username = d2 imap(d2): Debug: acl: owner = 0
>>>> imap(d2): Debug: acl vfile: Global ACL legacy directory:
>>>> /etc/dovecot/global-acls imap(d2): Debug: pub: Mailbox opened
>>>> because: EXAMINE imap(d2): Debug: acl vfile: file
>>>> /etc/dovecot/global-acls//.DEFAULT not found imap(d2): Debug:
>>>> acl vfile: file /var/mail/pub/dovecot-acl not found
>>>>
>>>>
>>>> see it's looking for: /etc/dovecot/global-acls//.DEFAULT
>>>> instead of /etc/dovecot/global-acls/pub/.DEFAULT
>>>>
>>>> Checking with documentation https://wiki.dovecot.org/ACL it
>>>> seems that prefix should still be part of the path, as it was
>>>> before: """The filenames must start with
namespace prefix (if
>>>> it has one). For example with namespace prefix=INBOX/
>>>> containing mailbox "foo" use
/etc/dovecot/acls/INBOX/foo."""
>>>>
>>>>
>>>> Just for comparison, previous version (2.2.10) would work
>>>> fine: imap(d2): Debug: Namespace : type=public, prefix=pub/,
>>>> sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes
>>>> location=maildir:/var/mail/pub imap(d2): Debug: maildir++:
>>>> root=/var/mail/pub, index=, indexpvt=, control=, inbox=, alt=
>>>> imap(d2): Debug: acl: initializing backend with data:
>>>> vfile:/etc/dovecot/global-acls imap(d2): Debug: acl: acl
>>>> username = d2 imap(d2): Debug: acl: owner = 0 imap(d2): Debug:
>>>> acl vfile: Global ACL directory: /etc/dovecot/global-acls
>>>> imap(d2): Debug: acl vfile: reading file
>>>> /etc/dovecot/global-acls/pub/.DEFAULT imap(d2): Debug: acl
>>>> vfile: file /var/mail/pub/dovecot-acl not found
>>>>
>>>>
>>>> I've localized problem to:
src/plugins/acl/acl-backend-vfile.c:
>>>> acl_backend_vfile_object_init(...) and change from:
>>>>
>>>> vname = mailbox_list_get_vname(_backend->list, name);
>>>>
>>>> to:
>>>>
>>>> vname = *name == '\0' ? "" :
>>>> mailbox_list_get_vname(_backend->list, name);
>>>>
>>>> that happened quite time ago during bigger acl changes and I
>>>> don't know why exactly this line was changed previously.
>>>> Anyway, reverting this line alone fixes the problem and while
>>>> testing both per-mailbox ACL vfile and Global ACL file,
>>>> reverting this did not affect them.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bugtest.sh
Type: application/x-shellscript
Size: 1659 bytes
Desc: not available
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20190312/7cc5ed9a/attachment.bin>