1 (edited by evenmoreconfused 2021-04-10 06:52:04)

Topic: Permission Denied adding dovecot ACLs

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.1
- Deployed with iRedMail Easy or the downloadable installer? Installer
- Linux/BSD distribution name and version: CentOS 8 Basic
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
I am pretty sure I'm missing something obvious, but I can't see what. I'm trying to implement public folders following the tutorial. It all works fine until adding the ACLs.

Command issued:

 [root@<host-name> vmail]# doveadm -D acl set "Public/TestFolder" "user=postmaster@<my.domain>" lookup read write write-seen write-deleted insert delete expunge create

Error message:

doveadm(root): Debug: Effective uid=2000, gid=2000, home=/root
doveadm(root): Error: chdir(/root/) failed: Permission denied (euid=2000(vmail) egid=2000(vmail) missing +x perm: /root, we're not in group 0(root), dir owned by 0:0 mode=0550)
doveadm(root): Debug: Namespace : type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:/root/Maildir/:INDEX=/root/Maildir/
doveadm(root): Debug: maildir++: root=/root/Maildir, index=, indexpvt=, control=, inbox=/root/Maildir, alt=
doveadm(root): Debug: acl: initializing backend with data: vfile
doveadm(root): Debug: acl: acl username = root
doveadm(root): Debug: acl: owner = 1
doveadm(root): Debug: acl vfile: Global ACLs disabled
doveadm(root): Debug: Namespace : type=shared, prefix=Shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=yes location=maildir:%Lh/Maildir/:INDEX=%Lh/Maildir/Shared/%Ld/%Ln
doveadm(root): Debug: shared: root=/var/run/dovecot, index=, indexpvt=, control=, inbox=, alt=
doveadm(root): Debug: acl: initializing backend with data: vfile
doveadm(root): Debug: acl: acl username = root
doveadm(root): Debug: acl: owner = 0
doveadm(root): Debug: acl vfile: Global ACLs disabled
doveadm(root): Debug: Namespace : type=public, prefix=Public/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/var/vmail/public:CONTROL=/root/Maildir/public:INDEXPVT=/root/Maildir/public
doveadm(root): Debug: maildir++: root=/var/vmail/public, index=, indexpvt=/root/Maildir/public, control=/root/Maildir/public, inbox=, alt=
doveadm(root): Debug: acl: initializing backend with data: vfile
doveadm(root): Debug: acl: acl username = root
doveadm(root): Debug: acl: owner = 0
doveadm(root): Debug: acl vfile: Global ACLs disabled
doveadm(root): Debug: quota: quota_over_flag check: quota_over_script unset - skipping
doveadm(root): Debug: acl vfile: reading file /var/vmail/public/.TestFolder/dovecot-acl
doveadm(root): Error: Mailbox Public/TestFolder: open(/root/Maildir/public/.TestFolder/dovecot-uidlist) failed: Permission denied
doveadm(root): Error: Mailbox Public/TestFolder: open(/root/Maildir/public/.TestFolder/dovecot-uidlist) failed: Permission denied

(I have removed several lines regarding loaded modules and quotas for readability)

Is this related to me running the command as root? Am I supposed to run it as vmail? Am I running it from the wrong folder (I've tried several)?

Thanks as always for any help...


2 (edited by evenmoreconfused 2021-04-10 07:34:55)

Re: Permission Denied adding dovecot ACLs

Update: nevertheless the command seems to have done something, because I now have:

[root@<host-name> /]# doveadm acl get -A "Public/TestFolder"
Username              ID                            Global  Rights
accounts@domain1.com  user=postmaster@<my.domain1>          create delete expunge insert lookup read write write-deleted write-seen
user-a@domain1.com    user=postmaster@<my.domain1>          create delete expunge insert lookup read write write-deleted write-seen

.....
user-n@domain.com     user=postmaster@<my.domain1>          create delete expunge insert lookup read write write-deleted write-seen
user-x@domain-n.com   user=postmaster@<my.domain1>          create delete expunge insert lookup read write write-deleted write-seen

What is the meaning of the first column vs the second column? Why did it add a line for every user in the system (the second column shows the only user I was trying to add rights for)?

PS: there's another thread here about a documentation error that used to include the -A flag on the acl set command (https://forum.iredmail.org/topic17694-a … usion.html), but I saw that and did not use -A on the acl set command.

3

Re: Permission Denied adding dovecot ACLs

I think I understand the second issue (why the list includes a line for each user, all showing the same ID and access rights).

The -A on the get command seems to cause it to repeat the query for every user in the system, and each time through it finds the same user and rights.

The documentation was fixed earlier to remove the -A from the set command, but not from the get. The get works properly when I omit -A from the get.

But the initial issue (Permission Denied) is no clearer, although the rights got added in spite of the reported error.
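
Added example, not part of the original posts and not iRedMail or Dovecot code: a small parser that reads the `doveadm -D` lines quoted in the first post and reports which account the session resolved, which directory the effective uid cannot traverse, and which storage paths and failed opens sit under it. The function names and the result keys are assumptions made for this sketch; the sample lines are copied from the post.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: five lines copied from the debug output in the first post.
SAMPLE = """\
doveadm(root): Debug: Effective uid=2000, gid=2000, home=/root
doveadm(root): Error: chdir(/root/) failed: Permission denied (euid=2000(vmail) egid=2000(vmail) missing +x perm: /root, we're not in group 0(root), dir owned by 0:0 mode=0550)
doveadm(root): Debug: maildir++: root=/root/Maildir, index=, indexpvt=, control=, inbox=/root/Maildir, alt=
doveadm(root): Debug: maildir++: root=/var/vmail/public, index=, indexpvt=/root/Maildir/public, control=/root/Maildir/public, inbox=, alt=
doveadm(root): Error: Mailbox Public/TestFolder: open(/root/Maildir/public/.TestFolder/dovecot-uidlist) failed: Permission denied
"""

def can_traverse(mode, owner_uid, owner_gid, euid, egid):
    """Owner/group/other execute-bit rule for a directory (primary group only)."""
    if euid == 0:  # uid 0 bypasses directory search permission
        return True
    bit = 0o100 if euid == owner_uid else 0o010 if egid == owner_gid else 0o001
    return bool(mode & bit)

def under(path, parent):
    p, parent = PurePosixPath(path), PurePosixPath(parent)
    return p == parent or parent in p.parents

def diagnose(log):
    """Summarise the resolved account and the paths the effective uid cannot reach."""
    user = re.search(r"^doveadm\(([^)]*)\)", log, re.M).group(1)
    euid, egid, home = re.search(r"Effective uid=(\d+), gid=(\d+), home=(\S+)", log).groups()
    blocked, o_uid, o_gid, mode = re.search(
        r"missing \+x perm: ([^,]+), .*?dir owned by (\d+):(\d+) mode=(\d+)", log).groups()
    storage = set()
    for line in log.splitlines():
        if "maildir++:" in line:  # key=/path pairs of each namespace's storage layout
            storage.update(re.findall(r"\w+=(/[^,\s]+)", line))
    failed = re.findall(r"open\((/[^)]+)\) failed: Permission denied", log)
    return {
        "lookup_user": user,
        "euid": int(euid),
        "home": home,
        "blocked_dir": blocked,
        "euid_can_traverse": can_traverse(int(mode, 8), int(o_uid), int(o_gid), int(euid), int(egid)),
        "unreachable_storage": sorted(p for p in storage if under(p, blocked)),
        "failed_opens_explained": bool(failed) and all(under(p, blocked) for p in failed),
    }

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, the session is resolved for `root` with home `/root` while running as uid 2000, so the public namespace's CONTROL and INDEXPVT paths under `/root/Maildir` are unreachable even though the ACL file under `/var/vmail/public` is not. doveadm accepts `-u <user>` to run a command for a named mail user rather than the invoking account.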