[Dovecot] Public namespace permissions documentation/questions

Thomas Hummel hummel at pasteur.fr
Wed Jan 28 19:43:36 EET 2009


Hello Timo,

In my trials to set up a shared namespace with dovecot-1.1.8/LDAP passdb/userdb
(prefetch)/Maildir, I found out that:

1) ACLs are mandatory (at least if the acl plugin is enabled in dovecot.conf)

   Am I correct?
   I'm still not sure if we can do without ACLs at all (only with unix permissions and the system_user userdb extra field).

2) the system_user userdb extra field is supposed to be ...the logname of the user
   whose secondary groups we want to check!

   i.e. if user foobar belongs to secondary groups foogid, zgid, wgid and doveshared

      uid=xxx(foobar) gid=yyy(foogid) groups=zzz(zgid),www(wgid),vvv(doveshared)

  and we want dovecot to take them into account, we have to make the userdb return the
  system_user extra field with the value foobar.

  Seems obvious now, said this way, but looking at the wiki:

    "system_user: If this is given, the user's groups are read from /etc/group (or wherever NSS is configured to taken them from)."

  I thought 'system_user' was a flag (a boolean) which, when set, made
  dovecot look for the secondary groups of the user (whose name is already
  known).

a) am I correct?

b) why isn't system_user such a boolean? Is there a case where we'd want
   system_user to be different from the user dovecot runs as at the moment the
   check takes place?

3) same idea with acl_groups: since this extra field holds a list of groups
   for the ACL plugin, why not rely on the native unix groups the user
   belongs to on the system?

Thanks (and sorry for the 2 previous threads where I was blindly confused by the system_user thing).

-- 
Thomas Hummel 	    | Institut Pasteur
<hummel at pasteur.fr> | Pôle informatique - systèmes et réseau
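The point the post arrives at (system_user is a login name whose groups are looked up, not a boolean; acl_groups is an explicit list that replaces that lookup) is easier to see with the two paths side by side. The following is an added illustration written for this page, not Dovecot's own code: it models a userdb returning either extra field, resolves groups either from a constructed group table (mirroring the `id foobar` output above) or from the real NSS database, and evaluates a simplified `<identifier> <rights>` ACL file. The ACL file contents, the owner name `mailadmin`, the user `alice` and the helper names are all assumptions made for the example; Dovecot's real evaluation rules (negative rights, anonymous users, global vs. per-mailbox files) are not modelled.

```python
"""Added illustration of how the system_user and acl_groups userdb extra
fields feed a group-based ACL check.  A model written for this page, not
Dovecot's code; ACL format simplified, group data constructed."""
import grp
import pwd

# Constructed stand-in for /etc/group plus the primary gid from /etc/passwd,
# mirroring the 'id foobar' output quoted in the post.  'alice' and 'staff'
# are invented for contrast.
FAKE_PRIMARY_GROUP = {"foobar": "foogid", "alice": "staff"}
FAKE_GROUP_MEMBERS = {
    "foogid": [],
    "zgid": ["foobar"],
    "wgid": ["foobar", "alice"],
    "doveshared": ["foobar"],
    "staff": [],
}


def resolve_groups(system_user, acl_groups=None, use_nss=False):
    """Groups an ACL check should consider for one login.

    acl_groups  -- explicit comma-separated list (the acl_groups extra field);
                   when present it is used verbatim and no lookup happens.
    system_user -- a LOGIN NAME, not a flag: the account whose groups are read
                   from the group database.  Returning "yes" from the userdb
                   just looks up an account called "yes" and finds nothing.
    use_nss     -- consult the real NSS group database instead of the fake one.
    """
    if acl_groups is not None:
        return {g.strip() for g in acl_groups.split(",") if g.strip()}
    if not system_user:
        return set()
    if use_nss:
        groups = {g.gr_name for g in grp.getgrall() if system_user in g.gr_mem}
        try:  # primary group is not listed in gr_mem, take it from passwd
            groups.add(grp.getgrgid(pwd.getpwnam(system_user).pw_gid).gr_name)
        except KeyError:  # unknown account: no groups at all
            pass
        return groups
    groups = {n for n, m in FAKE_GROUP_MEMBERS.items() if system_user in m}
    if system_user in FAKE_PRIMARY_GROUP:
        groups.add(FAKE_PRIMARY_GROUP[system_user])
    return groups


def parse_acl(lines):
    """Parse '<identifier> <rights>' lines.  Rights are RFC 4314 letters
    (l r w s t i p e k x a); '#' starts a comment."""
    entries = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ident, rights = line.split(None, 1)
        entries.append((ident, set(rights.replace(" ", ""))))
    return entries


def effective_rights(entries, login, groups, owner):
    """Union of the rights of every entry matching the login (simplified:
    positive entries only, every match is additive, no anonymous users)."""
    rights = set()
    for ident, r in entries:
        if ident in ("anyone", "authenticated"):
            rights |= r
        elif ident == "owner" and login == owner:
            rights |= r
        elif ident.startswith("user=") and ident[len("user="):] == login:
            rights |= r
        elif ident.startswith("group=") and ident[len("group="):] in groups:
            rights |= r
    return rights


# Constructed dovecot-acl style file for a public folder owned by 'mailadmin'.
SAMPLE_ACL = [
    "# public folder: members of doveshared may read and flag, anyone may list",
    "owner lrwstipekxa",
    "group=doveshared lrwsti",
    "user=alice lr",
    "anyone l",
]


def rights_for(login, system_user=None, acl_groups=None):
    """Resolve groups the way the userdb extra fields dictate, then evaluate."""
    groups = resolve_groups(system_user, acl_groups)
    return effective_rights(parse_acl(SAMPLE_ACL), login, groups, owner="mailadmin")


if __name__ == "__main__":
    # Misreading: system_user as a boolean flag -> no groups -> 'anyone' only.
    print("system_user=yes   ", sorted(rights_for("foobar", system_user="yes")))
    # Correct reading: system_user=foobar -> groups looked up for that login.
    print("system_user=foobar", sorted(rights_for("foobar", system_user="foobar")))
    # acl_groups bypasses the group database entirely.
    print("acl_groups=staff  ", sorted(rights_for("foobar", acl_groups="staff")))
```

Run with `use_nss=True` on a real host to see the same resolution against `/etc/group` (or whatever NSS is configured for); the fake table exists only so the example is deterministic offline.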
