Re: ACL group-override question

2014-06-23 Thread Peter Chiochetti

Previous posts below; here is why I guess this one fails:

http://hg.dovecot.org/dovecot-2.2/file/c55c660d6e9d/src/plugins/acl/acl-api.c#l744

It says: …a user can't match multiple usernames…

In my setup this is not true: there is only one user, but she goes by 
several names. (Like in /etc/passwd several users can have the same ID.)


I do not understand the source, but I guess the acl is attached to the 
"user" and therefore I am out of luck in my adventure: no way short of 
having a "userdb_acl_user" parameter in passdb.


Kind regards

Peter

On 2014-06-17 22:59, Peter Chiochetti wrote:

Trying to get ACLs working, very basic setup:

Virtual users are put into different acl_group via passdb.


u:{PLAIN}B::userdb_acl_groups=g


The global acl file restricts what they can do.


* group-override=g
* group=g lr


Shouldn't this mean that the group rights override the user rights?

The effect that I see, though, is that the user "u" then may not do
anything, not even look up and read.


Further to this experiment, I made the ACLs not use any group
settings at all, only trying to lock down the server for anybody, like
this:


root@xxx:/etc/dovecot# cat dovecot-acl
* user=archiv lr
* owner lr
* authenticated lr
* anyone lr


Yet I can still delete messages from anywhere. What am I missing?

Below is the system setup info (Dovecot from the bigmichi1 PPA):


root@xxx:/etc/dovecot# doveconf -n
# 2.2.13 (6bb26098a45c): /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-64-generic x86_64 Ubuntu 12.04.4 LTS
mail_debug = yes
mail_location = maildir:~/Maildir
mail_log_prefix = "%s(%{auth_user}): "
mail_plugins = " acl fts fts_solr mail_log notify"
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/passwd
  driver = passwd-file
}
plugin {
  acl = vfile:/etc/dovecot/dovecot-acl
  fts = solr
  fts_autoindex = yes
  fts_solr = url=http://localhost:8983/solr/
  mail_log_events = save copy delete undelete expunge mailbox_create mailbox_rename mailbox_delete
  mail_log_fields = uid box msgid from subject
}
protocols = " imap"
ssl_cert = 

The virtual users all act as the system user; their names are just icing
for auditing.



Re: ACL group-override question

2014-06-17 Thread Peter Chiochetti

Trying to get ACLs working, very basic setup:

Virtual users are put into different acl_group via passdb.


u:{PLAIN}B::userdb_acl_groups=g


The global acl file restricts what they can do.


* group-override=g
* group=g lr


Shouldn't this mean that the group rights override the user rights?

The effect that I see, though, is that the user "u" then may not do
anything, not even look up and read.


Further to this experiment, I made the ACLs not use any group
settings at all, only trying to lock down the server for anybody, like this:



root@xxx:/etc/dovecot# cat dovecot-acl
* user=archiv lr
* owner lr
* authenticated lr
* anyone lr


Yet I can still delete messages from anywhere. What am I missing?

Below is the system setup info (Dovecot from the bigmichi1 PPA):


root@xxx:/etc/dovecot# doveconf -n
# 2.2.13 (6bb26098a45c): /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-64-generic x86_64 Ubuntu 12.04.4 LTS
mail_debug = yes
mail_location = maildir:~/Maildir
mail_log_prefix = "%s(%{auth_user}): "
mail_plugins = " acl fts fts_solr mail_log notify"
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/passwd
  driver = passwd-file
}
plugin {
  acl = vfile:/etc/dovecot/dovecot-acl
  fts = solr
  fts_autoindex = yes
  fts_solr = url=http://localhost:8983/solr/
  mail_log_events = save copy delete undelete expunge mailbox_create mailbox_rename mailbox_delete
  mail_log_fields = uid box msgid from subject
}
protocols = " imap"
ssl_cert = 

The virtual users all act as the system user; their names are just icing
for auditing.


--
peter
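Added example, not code from the thread or from Dovecot: a small Python checker that parses the two global dovecot-acl files posted above and lists which identifiers apply to a given login, ordered by the identifier precedence assumed here (group-override, user, owner, group, authenticated, anyone; highest first). It deliberately does not model how Dovecot merges rights between kinds, only which entries match, which is enough to see that for user u the group-override=g entry carries an empty rights string while the lr rights sit on the separate group=g entry.

```python
# Identifier kinds in the precedence order ASSUMED here (highest first).
# Only "which entries apply" is modelled; the merge rule between kinds is not.
PRECEDENCE = ("group-override", "user", "owner", "group", "authenticated", "anyone")

def parse_global_acl(text):
    """Parse global dovecot-acl lines '<mailbox-pattern> <identifier> [rights]'.
    Returns (pattern, kind, value, rights) tuples; rights is '' when absent."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError("malformed ACL line: %r" % raw)
        kind, _, value = parts[1].partition("=")
        if kind not in PRECEDENCE:
            raise ValueError("unknown identifier: %r" % parts[1])
        rights = "".join(parts[2:])   # '' for a bare '* group-override=g'
        entries.append((parts[0], kind, value, rights))
    return entries

def matching_entries(entries, user, groups, is_owner=True):
    """Entries whose identifier applies to `user` (member of `groups`),
    sorted by precedence. Every login is authenticated, so 'authenticated'
    and 'anyone' always apply. Mailbox patterns are returned, not matched,
    because the thread only uses '*'."""
    def applies(kind, value):
        return (kind in ("anyone", "authenticated")
                or (kind == "owner" and is_owner)
                or (kind == "user" and value == user)
                or (kind in ("group", "group-override") and value in groups))
    hits = [e for e in entries if applies(e[1], e[2])]
    return sorted(hits, key=lambda e: PRECEDENCE.index(e[1]))

# Constructed copies of the two ACL files from the thread.
GROUP_ACL = "* group-override=g\n* group=g lr\n"
LOCKDOWN_ACL = "* user=archiv lr\n* owner lr\n* authenticated lr\n* anyone lr\n"

if __name__ == "__main__":
    for name, acl in (("group experiment", GROUP_ACL), ("lockdown experiment", LOCKDOWN_ACL)):
        print(name)
        for pattern, kind, value, rights in matching_entries(parse_global_acl(acl), "u", {"g"}):
            ident = kind if not value else "%s=%s" % (kind, value)
            print("  %-3s %-18s rights=%r" % (pattern, ident, rights))
```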