Re: [Dovecot] some clarification re: ACL?

2007-05-11 Thread Timo Sirainen
On Wed, 2007-05-09 at 11:15 -0400, Matt Zukowski wrote:
> Perhaps adopting Courier-IMAP's ACL specification might make sense? Tab 
> is the delimiter instead of space, so spaces are allowed in identifiers. 

This can't be changed anymore without breaking backwards compatibility.
There could of course be some new setting or maybe the file format could
be changed in a way that it allows spaces in identifiers but is still
backwards compatible, but I'm not sure what would be the best way to do
it.

> Also, negative permissions are possible (i.e. +r to grant read access, 
> -r to disable it).

This should work with Dovecot too.

> Also, I believe precedence is based on the order of 
> the rules in the file, so you could have the group permissions override 
> the user permissions by placing the group constraint further down. 

I don't think this is a good idea. Especially after I add support for
IMAP ACL extension. It doesn't support ordering rules. group-override=xx
is for that.

> Anyway, there's also probably some benefit in using a common ACL 
> format... interoperability is a good thing (unless you're Microsoft).

I thought the dovecot-acl file was compatible with Courier, but I guess
not if I missed the TAB separator thing. :)

> Regarding the group permissions not working, am I to understand that as 
> of now they are implemented but don't actually do anything? i.e. how can 
> I make use of the group constraints?

The code looks like this (src/plugins/acl/acl-storage.c):

backend = acl_backend_init(acl_env, storage, user_env, NULL,
  owner_username);

The NULL in there is the list of groups the user is in. So if you wanted
to use groups, you'd have to set it somehow. Perhaps this would work:

backend = acl_backend_init(acl_env, storage, user_env,
	/* split the comma-separated GROUPS env into a NULL-terminated list */
	getenv("GROUPS") == NULL ? NULL : t_strsplit(getenv("GROUPS"), ","),
	owner_username);

Then you'll need to return "groups=a,b,c,d" from userdb. I'm not yet
sure how I want this to work in Dovecot v1.1.




Re: [Dovecot] some clarification re: ACL?

2007-05-09 Thread Matt Zukowski
Perhaps adopting Courier-IMAP's ACL specification might make sense? Tab 
is the delimiter instead of space, so spaces are allowed in identifiers. 
Also, negative permissions are possible (i.e. +r to grant read access, 
-r to disable it). Also, I believe precedence is based on the order of 
the rules in the file, so you could have the group permissions override 
the user permissions by placing the group constraint further down. 
Anyway, there's also probably some benefit in using a common ACL 
format... interoperability is a good thing (unless you're Microsoft).


Regarding the group permissions not working, am I to understand that as 
of now they are implemented but don't actually do anything? i.e. how can 
I make use of the group constraints?


Timo Sirainen wrote:

> On Wed, 2007-05-02 at 12:40 -0400, Matt Zukowski wrote:
>> The ACL documentation is at http://wiki.dovecot.org/ACL is a bit 
>> vague... I'd be happy to update it myself, but I need some clarification:
>>
>> For example, I have a dovecot-acl file with:
>>
>> group=portal_admin lrw
>> anyone l
>
> The page also contains "Groups aren't currently supported, but only
> because the groups can't be specified in userdb currently."
>
>> Secondly, what is the group-override identifier supposed to do?
>
> Updated the page:
>
> Group-override identifier allows you to override users' ACLs. Probably
> the most useful reason to do this is to temporarily disable access for
> some users. For example: 
>
> user=timo rw
> group-override=tempdisabled
>
> Now if timo is in tempdisabled group, he has no access to the mailbox.
> This wouldn't be possible with a normal group identifier, because the
> user=timo would override it.
>
>> Thirdly, are spaces and other special characters allowed in the 
>> group/username identifiers?
>
> Spaces unfortunately aren't. I was thinking about this myself also a
> while ago. I'm not sure what would be the best way to change the current
> format to support spaces.
>
> Other characters are allowed.



Re: [Dovecot] some clarification re: ACL?

2007-05-09 Thread Timo Sirainen
On Wed, 2007-05-02 at 12:40 -0400, Matt Zukowski wrote:
> The ACL documentation is at http://wiki.dovecot.org/ACL is a bit 
> vague... I'd be happy to update it myself, but I need some clarification:
> 
> For example, I have a dovecot-acl file with:
> 
> group=portal_admin lrw
> anyone l

The page also contains "Groups aren't currently supported, but only
because the groups can't be specified in userdb currently."

> Secondly, what is the group-override identifier supposed to do?

Updated the page:

Group-override identifier allows you to override users' ACLs. Probably
the most useful reason to do this is to temporarily disable access for
some users. For example: 

user=timo rw
group-override=tempdisabled

Now if timo is in tempdisabled group, he has no access to the mailbox.
This wouldn't be possible with a normal group identifier, because the
user=timo would override it.

> Thirdly, are spaces and other special characters allowed in the 
> group/username identifiers?

Spaces unfortunately aren't. I was thinking about this myself also a
while ago. I'm not sure what would be the best way to change the current
format to support spaces.

Other characters are allowed.


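As an added illustration (not Dovecot's own code or Timo's), the precedence Timo describes above and the comma-separated group list he expects from userdb, modelled in Python. The identifier ordering (group-override beats user, user beats group, group beats anyone) and the "first matching entry wins" rule are assumptions drawn from this thread, not verified against the acl plugin.

```python
# Constructed evaluator for the dovecot-acl format as described in this
# thread: one "identifier rights" entry per line, space-delimited, so
# identifiers cannot contain spaces. Not Dovecot's implementation.

# Identifier kinds from highest to lowest precedence (assumption from the
# thread: group-override > user > group > anyone).
PRECEDENCE = ("group-override", "user", "group", "anyone")


def parse_acl(text):
    """Return [(kind, name, rights)]; a missing rights field means no access."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        ident = parts[0]
        rights = set(parts[1].replace(" ", "")) if len(parts) > 1 else set()
        kind, _, name = ident.partition("=")   # "anyone" has no "=name" part
        if kind not in PRECEDENCE:
            raise ValueError("unknown identifier: " + ident)
        entries.append((kind, name, rights))
    return entries


def matches(kind, name, user, groups):
    """Does an entry apply to this user? group-override matches like group."""
    if kind == "anyone":
        return True
    if kind == "user":
        return name == user
    return name in groups


def effective_rights(acl_text, user, groups_env=""):
    """groups_env mimics the 'groups=a,b,c' userdb field split on commas."""
    groups = {g for g in groups_env.split(",") if g}
    entries = parse_acl(acl_text)
    # Walk identifier kinds in precedence order; the first entry that
    # matches decides the rights, so a group-override= entry with no
    # rights revokes access even when a user= entry grants it.
    for kind in PRECEDENCE:
        for k, name, rights in entries:
            if k == kind and matches(k, name, user, groups):
                return rights
    return set()
```

With the thread's example, timo keeps "rw" until his userdb groups include tempdisabled, at which point the empty group-override entry wins and he gets nothing; a plain group=tempdisabled entry would not have that effect.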