[Dovecot] [SOLVED] Installing Dovecot on Gentoo

Michael Orlitzky michael at orlitzky.com
Mon Jan 14 00:17:29 EET 2013

On 01/13/2013 02:41 PM, Branko Majic wrote:
> Slightly off-topic from my side, but wanted to mention it since
> I've worked with POSIX ACLs a bit.
> Personally, I've had very bad experiences with POSIX ACLs. They can
> act in quite an unintuitive way when you start combining them with
> different umasks, originating directory/file permissions (in case
> of copying), sticky bits, and chmods on files/directories where
> you've already set up the permissions (not to mention that some
> stuff seems to outright ignore it, like mod_php5/php).

Most of the problem is that the utilities don't support it, and the
tooling isn't there to make it easy to fix things when they get messed up.

GNU tar, cp, and mkdir for example claim to support ACLs, but then do
it only half way: if you copy a non-ACL file into a directory with a
default ACL, cp will preserve the group bits -- which are now the ACL
mask -- making your ACLs useless.

I've had very little success getting things fixed; most people just
aren't interested.

I have a standalone utility called apply-default-acl (now in Gentoo)
that can reapply the default ACL on a file or tree, fixing most of
these issues after the fact. I've patched tar, cp, and mkdir to
reapply the default ACL after they're done screwing things up, but for
other utilities, you just have to call `apply-default-acl -r` on the

I wrote some stuff about this problem at [1].

The other half of the problem is that there's no "just do what I want"
command to set ACLs on a hierarchy. For this I've created scripts
called set-ro-perms, set-rw-perms, etc. It's just find, xargs, and
setfacl -- but it makes a world of difference. There is a recursive
mode for apply-default-acl now which can mimic most of them; you just
need to set a default ACL on '.' and run it.

> I've also attempted using it at some point for some LAMP apps I've
> deployed, and ended up abandoning them in favour of group sticky
> bits on directories (wanted to administer the web app with a regular
> account, while still letting Apache access files using umask
> 0007).
> So, personally, I'd avoid using them.

Same use case here, except we have multiple groups and users who need
differing levels of access, and each website runs as a different
system user. I don't know of any other way to do it.

Eventually, NFSv4 ACLs[2] are supposed to supersede the POSIX ones.
Hopefully, unlike POSIX, the NFS ACLs will get standardized and
actually gain some traction and decent support. At that point it
should be fairly simple to migrate, since there's an "easy" mapping
from POSIX to NFSv4.


[2] http://wiki.linux-nfs.org/wiki/index.php/ACLs
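The cp/default-ACL problem described above, as an added example that is neither part of the original post nor apply-default-acl's own code: a POSIX shell script that reproduces it (a 0600 file with no ACL copied into a directory carrying a default ACL ends up with mask `---`, so the inherited group entry grants nothing) and then repairs the file by reapplying its parent's default ACL, dropping execute bits for regular files the way apply-default-acl does. It assumes getfacl/setfacl and an ACL-enabled filesystem under $TMPDIR; the gid 54321 is a constructed stand-in for the web server's group.

```shell
# Added example, not code from the post or from apply-default-acl itself.
# Reproduces the cp/default-ACL mask problem and repairs one file by
# reapplying its parent's default ACL. Needs getfacl/setfacl and an
# ACL-enabled filesystem under $TMPDIR; WEB_GID is a constructed gid.
WEB_GID=54321
# 0 if a default ACL can be set on a temporary directory, else non-zero.
acl_supported() {
    d=$(mktemp -d) || return 1
    command -v setfacl >/dev/null 2>&1 && setfacl -m "d:g:$WEB_GID:rwx" "$d" 2>/dev/null
    rc=$?
    rm -rf "$d"
    return $rc
}
# Print the mask entry of a file's access ACL ("---", "rw-", ...), if any.
acl_mask() {
    getfacl -c "$1" 2>/dev/null | sed -n 's/^mask::\([rwx-]*\).*/\1/p'
}
# Set $1's access ACL (and, for a directory, its default ACL) from the
# parent's default ACL. Execute bits are dropped for regular files.
reapply_default_acl() {
    f=$1
    entries=$(getfacl -c -d "$(dirname "$f")" 2>/dev/null |
              sed 's/^default://; s/[[:space:]]*#.*$//; /^$/d')
    [ -n "$entries" ] || return 0          # no default ACL on the parent
    if [ -d "$f" ]; then
        printf '%s\n' "$entries" | setfacl --set-file=- "$f" &&
        printf '%s\n' "$entries" | setfacl -d --set-file=- "$f"
    else
        printf '%s\n' "$entries" | sed 's/x$/-/' | setfacl --set-file=- "$f"
    fi
}
# Copy a 0600 file with no ACL into a directory whose default ACL grants
# WEB_GID rwx. The kernel takes the new file's mask from the source's group
# bits (none), so the inherited group entry is ineffective. Prints the workdir.
reproduce() {
    work=$(mktemp -d)
    mkdir "$work/site"
    setfacl -m "d:g:$WEB_GID:rwx" "$work/site"
    (umask 077; printf 'hello\n' > "$work/src")
    cp "$work/src" "$work/site/"
    printf '%s\n' "$work"
}

if acl_supported; then
    w=$(reproduce); getfacl -c "$w/site/src"                      # mask::--- here
    reapply_default_acl "$w/site/src"; getfacl -c "$w/site/src"   # mask::rw- now
    rm -rf "$w"
else
    echo "ACL tools or an ACL-enabled filesystem are unavailable" >&2
fi
```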