Re: ACL group-override question
Previous posts below, here is why I guess this one fails:
http://hg.dovecot.org/dovecot-2.2/file/c55c660d6e9d/src/plugins/acl/acl-api.c#l744

It says: "...a user can't match multiple usernames..." In my setup this is not true: there is only one user, but she goes by several names. (Like in /etc/passwd several users can have the same ID.)

I do not understand the source, but I guess the ACL is attached to the "user" and therefore I am out of luck in my adventure: no way short of having a "userdb_acl_user" parameter in passdb.

Kind regards
Peter

On 2014-06-17 22:59, Peter Chiochetti wrote:

> Trying to get ACLs working, very basic setup:
>
> Virtual users are put into different acl_group via passdb.
>
> u:{PLAIN}B::userdb_acl_groups=g
>
> The global ACL file restricts what they can do.
>
> * group-override=g
> * group=g lr
>
> Shouldn't this mean that the group rights override the user rights? The effect that I see, though, is that the user "u" then may not do anything, not even lookup and read.
>
> Further to this experiment, I made the ACLs not use any group settings at all, only trying to lock down the server for anybody, like that:
>
> root@xxx:/etc/dovecot# cat dovecot-acl
> * user=archiv lr
> * owner lr
> * authenticated lr
> * anyone lr
>
> Yet, I still can delete messages from anywhere. What am I missing?
>
> Below system setup info (dovecot from bigmichi1 ppa):
>
> root@xxx:/etc/dovecot# doveconf -n
> # 2.2.13 (6bb26098a45c): /etc/dovecot/dovecot.conf
> # OS: Linux 3.2.0-64-generic x86_64 Ubuntu 12.04.4 LTS
> mail_debug = yes
> mail_location = maildir:~/Maildir
> mail_log_prefix = "%s(%{auth_user}): "
> mail_plugins = " acl fts fts_solr mail_log notify"
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = /etc/dovecot/passwd
>   driver = passwd-file
> }
> plugin {
>   acl = vfile:/etc/dovecot/dovecot-acl
>   fts = solr
>   fts_autoindex = yes
>   fts_solr = url=http://localhost:8983/solr/
>   mail_log_events = save copy delete undelete expunge mailbox_create mailbox_rename mailbox_delete
>   mail_log_fields = uid box msgid from subject
> }
> protocols = " imap"
> ssl_cert =
>
> The virtual users all act as the system user, their names are just icing for auditing.
Re: ACL group-override question
Trying to get ACLs working, very basic setup:

Virtual users are put into different acl_group via passdb.

u:{PLAIN}B::userdb_acl_groups=g

The global ACL file restricts what they can do.

* group-override=g
* group=g lr

Shouldn't this mean that the group rights override the user rights? The effect that I see, though, is that the user "u" then may not do anything, not even lookup and read.

Further to this experiment, I made the ACLs not use any group settings at all, only trying to lock down the server for anybody, like that:

root@xxx:/etc/dovecot# cat dovecot-acl
* user=archiv lr
* owner lr
* authenticated lr
* anyone lr

Yet, I still can delete messages from anywhere. What am I missing?

Below system setup info (dovecot from bigmichi1 ppa):

root@xxx:/etc/dovecot# doveconf -n
# 2.2.13 (6bb26098a45c): /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-64-generic x86_64 Ubuntu 12.04.4 LTS
mail_debug = yes
mail_location = maildir:~/Maildir
mail_log_prefix = "%s(%{auth_user}): "
mail_plugins = " acl fts fts_solr mail_log notify"
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/passwd
  driver = passwd-file
}
plugin {
  acl = vfile:/etc/dovecot/dovecot-acl
  fts = solr
  fts_autoindex = yes
  fts_solr = url=http://localhost:8983/solr/
  mail_log_events = save copy delete undelete expunge mailbox_create mailbox_rename mailbox_delete
  mail_log_fields = uid box msgid from subject
}
protocols = " imap"
ssl_cert =

The virtual users all act as the system user, their names are just icing for auditing.

--
peter
ACL group-override question
Trying to get ACLs working, very basic setup:

Virtual users are put into different acl_group via passdb.

u:{PLAIN}B::userdb_acl_groups=g

The global ACL file restricts what they can do.

* group-override=g
* group=g lr

Shouldn't this mean that the group rights override the user rights? The effect that I see, though, is that the user "u" then may not do anything, not even lookup and read.

The wiki text is not fully clear to me: it tells about disabling access fully (probably by specifying a non-existent group?). But this can only be one way to use group_override...

--
peter
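The two ACL files in this thread (the group-override pair, and the lockdown file that grants only `lr` to everyone) are small enough to reason through by hand, but it helps to have a tool that parses the passwd-file line with its `userdb_acl_groups` extra field and the vfile-format global ACL, and then reports which entry class decides a user's rights and whether any destructive right (t, e, x) survives. The script below is an added example, not Dovecot's own code and not from any poster in this thread. The precedence it models (group-override, then user, then owner, then group, then authenticated, then anyone; entries of the deciding class merged) is an assumption based on my reading of the Dovecot ACL documentation, chosen because it reproduces the observed result that `group-override=g` with no rights leaves user "u" with nothing; confirm against a real server with `doveadm acl rights`. The passwd-file rule that any field after the password containing `=` is an extra field is likewise an assumption, and the sample lines are constructed.

```python
"""Audit helper for a Dovecot-style global ACL file (added example, not
Dovecot's own code).

Parses a passwd-file line such as  u:{PLAIN}B::userdb_acl_groups=g  and a
global ACL file in vfile format (<mailbox pattern> <identifier> <rights>),
then reports which entry class decides a user's rights and whether any
destructive right survives.  The precedence modelled here (group-override >
user > owner > group > authenticated > anyone; entries of the deciding class
merged) is an ASSUMPTION from my reading of the Dovecot ACL docs, not taken
from the thread: confirm against a live server with `doveadm acl rights`.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Right letters as used by Dovecot's ACL plugin (RFC 4314 style).
RIGHT_NAMES = {
    "l": "lookup", "r": "read", "s": "write-seen", "w": "write-flags",
    "i": "insert", "p": "post", "k": "create", "x": "delete-mailbox",
    "t": "write-deleted", "e": "expunge", "a": "admin",
}
# Rights that let a user remove messages or whole mailboxes.
DESTRUCTIVE = {"t", "e", "x"}
# Assumed lookup order: the first class with a matching entry decides.
PRECEDENCE = ["group-override", "user", "owner", "group", "authenticated", "anyone"]


@dataclass(frozen=True)
class AclEntry:
    pattern: str        # mailbox pattern; "*" matches every mailbox
    kind: str           # one of PRECEDENCE
    name: str           # user/group name, "" for owner/authenticated/anyone
    rights: frozenset   # set of right letters; empty means "no rights"


def parse_passwd_file_line(line):
    """Return (username, extra_fields) from a passwd-file line.
    Assumption: any field after the password that contains '=' is an extra field."""
    parts = line.rstrip("\n").split(":")
    extras = {}
    for field in parts[2:]:
        if "=" in field:
            key, value = field.split("=", 1)
            extras[key] = value
    return parts[0], extras


def parse_acl_file(text):
    """Parse vfile lines; an entry with no rights field grants nothing."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed ACL line: %r" % raw)
        kind, _, name = fields[1].partition("=")
        if kind not in PRECEDENCE:
            raise ValueError("unknown identifier: %r" % fields[1])
        entries.append(AclEntry(fields[0], kind, name, frozenset("".join(fields[2:]))))
    return entries


def _identifier_matches(entry, user, groups, owner, anonymous):
    if entry.kind in ("group-override", "group"):
        return entry.name in groups
    if entry.kind == "user":
        return entry.name == user
    if entry.kind == "owner":
        return owner
    if entry.kind == "authenticated":
        return not anonymous
    return True  # anyone


def effective_rights(entries, mailbox, user, groups, owner=False, anonymous=False):
    """Walk PRECEDENCE; return (deciding class, merged rights) or (None, empty)."""
    for kind in PRECEDENCE:
        matched = [e.rights for e in entries
                   if e.kind == kind and fnmatchcase(mailbox, e.pattern)
                   and _identifier_matches(e, user, groups, owner, anonymous)]
        if matched:
            return kind, frozenset().union(*matched)
    return None, frozenset()  # nothing matched: this model grants nothing


def audit(acl_text, passwd_lines, mailbox="INBOX"):
    """Per passwd-file user: deciding class, rights string, destructive rights."""
    entries = parse_acl_file(acl_text)
    report = {}
    for line in passwd_lines:
        user, extras = parse_passwd_file_line(line)
        raw_groups = extras.get("userdb_acl_groups") or extras.get("acl_groups", "")
        groups = {g for g in raw_groups.split(",") if g}
        kind, rights = effective_rights(entries, mailbox, user, groups)
        report[user] = {"decided_by": kind, "rights": "".join(sorted(rights)),
                        "destructive": sorted(rights & DESTRUCTIVE)}
    return report


# Constructed sample data mirroring the two ACL files in the thread.
ACL_GROUP_OVERRIDE = "* group-override=g\n* group=g lr\n"
ACL_LOCKDOWN = "* user=archiv lr\n* owner lr\n* authenticated lr\n* anyone lr\n"
PASSWD_LINES = ["u:{PLAIN}B::userdb_acl_groups=g", "archiv:{PLAIN}x"]

if __name__ == "__main__":
    for label, acl in (("group-override", ACL_GROUP_OVERRIDE), ("lockdown", ACL_LOCKDOWN)):
        for user, info in audit(acl, PASSWD_LINES).items():
            print(label, user, info)
```

Under this model the first file yields `decided_by: group-override` with an empty rights string for "u", because the override entry matches and carries no rights, so the `group=g lr` line is never consulted; the lockdown file yields `lr` for "u" via `authenticated` and for "archiv" via `user=archiv`, with no destructive rights for either. If a live server still lets such a user delete mail, the gap is between this model and the server's actual resolution (or the ACL plugin is not being applied to that mailbox), which is exactly what `doveadm acl rights` for the user and mailbox would settle.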