acl_ignore_namespace & dovecot-acl-list files

Tue, 29 Jun 2021 03:10:06 -0700 

Hi!

After updating to 2.3.15, I was hoping to be able to get rid of some of
the work-around I had in place when configuring shared folders in
cluster mode in 2.3.14. Unfortunately it seems that I still need one.

Running on CentOS7 with both a 'virtual' and 'shared' namespace,
whenever I update the global vfile, I'm getting the following warning:
```
Error: open(/etc/dovecot/virtual/.temp.....8536.f1a78823779ee98d)
failed: Read-only file system
Error: dovecot-acl-list creation failed:
safe_mkstemp(/etc/dovecot/virtual/.temp.....8536.) failed: Read-only
file system
Error: unlink(/etc/dovecot/virtual/dovecot-acl-list) failed: Read-only
file system (in acl-backend-vfile-acllist.c:339)
```

I found it weird, as I'm using acl_ignore_namespace to ignore the
virtual filesystem, but still dovecot seems to be trying to create a
dovecot-acl-list file there. After digging into it and generating a
backtrace where that error message is triggered, I believe I've trace it
down to `acl_lookup_dict_rebuild`, which doesn't filter out "ignored"
namespaces. The attached patch seems to solve the problem for me, but I
must admit I didn't test it in depth so I'm not sure if I'm breaking
something else...

Let me know if I'm missing something,
Thanks,
Vincent

PS: Some details:
- Relevant configuration (let me know if I'm missing something):
```
mail_plugins = acl zlib virtual fts fts_solr

namespace Virtual {
  prefix = Virtual/
  separator = /
  hidden = yes
  list = no
  subscriptions = no
  location = virtual:/etc/dovecot/virtual:INDEX=~/virtual
}

namespace shared {
  type = shared
  prefix = shared/%%u/
  list = children
  subscriptions = no
  location = imapc:~/shared/%%u
}

plugin {
  # ACLs
  acl = vfile:/etc/dovecot/dovecot-acl
  acl_ignore_namespace = Virtual/
  acl_ignore_namespace2 = shared/*
  acl_shared_dict = proxy::acl

}
```
- Backtrace generated manually (adding `backtrace_get(&backtrace)` &
printing the result under the `dovecot-acl-list creation failed` error):
```
Raw backtrace:
  /usr/lib64/dovecot/libdovecot.so.0(backtrace_append+0x42) [0x7ff99d364862]
 -> /usr/lib64/dovecot/libdovecot.so.0(backtrace_get+0x1e) [0x7ff99d36496e]
 -> /usr/lib64/dovecot/lib01_acl_plugin.so(+0xb071) [0x7ff99ca9f071]
 ->
/usr/lib64/dovecot/lib01_acl_plugin.so(acl_backend_vfile_acllist_rebuild+0x1d)
[0x7ff99ca9f3ed]
 ->
/usr/lib64/dovecot/lib01_acl_plugin.so(acl_backend_vfile_acllist_refresh+0x250)
[0x7ff99ca9f6b0]
 ->
/usr/lib64/dovecot/lib01_acl_plugin.so(acl_backend_vfile_nonowner_iter_init+0x9)
[0x7ff99ca9f849]
 ->
/usr/lib64/dovecot/lib01_acl_plugin.so(acl_lookup_dict_rebuild+0x13e)
[0x7ff99caa179e]
 -> /usr/lib64/dovecot/lib01_acl_plugin.so(+0xb245) [0x7ff99ca9f245]
 ->
/usr/lib64/dovecot/lib01_acl_plugin.so(acl_backend_vfile_acllist_rebuild+0x1d)
[0x7ff99ca9f3ed]
 -> /usr/lib64/dovecot/lib01_acl_plugin.so(+0xa9ad) [0x7ff99ca9e9ad]
 -> /usr/lib64/dovecot/lib01_acl_plugin.so(+0x6e4c) [0x7ff99ca9ae4c]
 ->
/usr/lib64/dovecot/lib01_acl_plugin.so(acl_object_get_my_rights+0x75)
[0x7ff99ca9af35]
 -> /usr/lib64/dovecot/lib01_acl_plugin.so(+0xe44e) [0x7ff99caa244e]
 -> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_exists+0x6e)
[0x7ff99d6845fe]
 ->
/usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_list_mailbox+0x226)
[0x7ff99d694ff6]
 ->
/usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_list_iter_init_namespaces+0x282)
[0x7ff99d6eecf2]
 -> dovecot/imap [vbrillau XXXXX LIST](cmd_list_full+0x55b) [0x563f9bb004bb]
 -> dovecot/imap [vbrillau XXXXX LIST](command_exec+0x64) [0x563f9bb0ab04]
 -> dovecot/imap [vbrillau XXXXX LIST](+0x1d9e2) [0x563f9bb089e2]
 -> dovecot/imap [vbrillau XXXXX LIST](+0x1da71) [0x563f9bb08a71]
 -> dovecot/imap [vbrillau XXXXX LIST](client_handle_input+0x205)
[0x563f9bb08ef5]
 -> dovecot/imap [vbrillau XXXXX LIST](client_input+0x79) [0x563f9bb094d9]
 -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x65)
[0x7ff99d38a425]
 ->
/usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0x12b)
[0x7ff99d38bdab]
 -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x59)
[0x7ff99d38a529]
 -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7ff99d38a768]
 -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13)
[0x7ff99d2f43c3]
 -> dovecot/imap [vbrillau XXXXX LIST](main+0x342) [0x563f9bafa2f2]
 -> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7ff99ced1555]
 -> dovecot/imap [vbrillau XXXXX LIST](+0xf4f5) [0x563f9bafa4f5]
```

diff --git a/src/plugins/acl/acl-lookup-dict.c b/src/plugins/acl/acl-lookup-dict.c
index 61d5fa8..23c6f54 100644
--- a/src/plugins/acl/acl-lookup-dict.c
+++ b/src/plugins/acl/acl-lookup-dict.c
@@ -114,8 +114,10 @@ static int acl_lookup_dict_rebuild_add_backend(struct mail_namespace *ns,
 	string_t *id;
 	int ret = 0;
 
-	if ((ns->flags & NAMESPACE_FLAG_NOACL) != 0 || ns->owner == NULL ||
-	    ACL_LIST_CONTEXT(ns->list) == NULL)
+	if ((ns->flags & NAMESPACE_FLAG_NOACL) != 0 || ns->owner == NULL)
+		return 0;
+	struct acl_mailbox_list *alist = ACL_LIST_CONTEXT(ns->list);
+	if (alist == NULL || alist->ignore_acls)
 		return 0;
 
 	id = t_str_new(128);

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

Reply via email to