Bug 40038 - UCS41: Unable to remove/move mails from shared folder
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail
Version: UCS 4.1
Hardware/OS: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-0-errata
Assigned To: Sönke Schwardt-Krummrich
QA Contact: Daniel Tröder
Duplicates: 40190
Depends on: 40037
Blocks:
Reported: 2015-11-19 16:27 CET by Sönke Schwardt-Krummrich
Modified: 2015-12-09 16:43 CET (History)

See Also:
Bug group (optional): External feedback


Description Sönke Schwardt-Krummrich univentionstaff 2015-11-19 16:27:27 CET
This has to be fixed for UCS 4.1, too.

+++ This bug was initially created as a clone of Bug #40037 +++

Ticket #2015111121001141

The Dovecot shared folder listener module does not set the "expunge" permission if "write" or "all" is selected in UDM for IMAP ACLs.
Due to the missing "expunge" permission, users are unable to remove mails from a shared folder or to move mails from a shared folder to a different folder. The user gets "permission denied".
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2015-12-08 09:19:56 CET
*** Bug 40190 has been marked as a duplicate of this bug. ***
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2015-12-08 21:21:30 CET
The "expunge" permission has been added. To add the expunge permission on existing Dovecot shared folders, the script reapply_shared_folder_acls is called from univention-mail-dovecot's join script.

2015-11-18-univention-mail-dovecot.yaml:
r66186 | Bug #40038: updated yaml
r66180 | Bug #40038: Updated yaml

univention-mail-dovecot (2.0.1-1):
r66179 | Bug #40038: add IMAP permission expunge if shared folder permission write or all has been selected


Test setup:

root@master94:/usr/share/ucs-test/40_mail# udm mail/folder list
DN: cn=folder-ohne@nstx.local,cn=domain,cn=mail,dc=nstx,dc=local
ARG: None
  sharedFolderUserACL: mail1@nstx.local read
  sharedFolderUserACL: mail2@nstx.local append
  sharedFolderUserACL: mail3@nstx.local write
  sharedFolderUserACL: mail4@nstx.local all
  mailDomain: nstx.local
  sharedFolderGroupACL: Domain Admins all
  sharedFolderGroupACL: Windows Hosts write
  name: folder-ohne
  mailHomeServer: master94.nstx.local
  mailPrimaryAddress: None
  cyrus-userquota: None

DN: cn=folder-mit@nstx.local,cn=domain,cn=mail,dc=nstx,dc=local
ARG: None
  sharedFolderUserACL: mail1@nstx.local read
  sharedFolderUserACL: mail2@nstx.local append
  sharedFolderUserACL: mail3@nstx.local write
  sharedFolderUserACL: mail4@nstx.local all
  mailDomain: nstx.local
  sharedFolderGroupACL: Domain Admins all
  sharedFolderGroupACL: Windows Hosts write
  name: folder-mit
  mailHomeServer: master94.nstx.local
  mailPrimaryAddress: folder-mit@nstx.local
  cyrus-userquota: None

# (doveadm acl get -u mail4@nstx.local folder-ohne@nstx.local/INBOX ; \
 doveadm acl get -u mail4@nstx.local shared/folder-mit@nstx.local) > BEFORE 2>&1

# echo "deb http://192.168.0.10/build2/ ucs_4.1-0-errata4.1-0/all/" \
      >> /etc/apt/sources.list
# echo "deb http://192.168.0.10/build2/ ucs_4.1-0-errata4.1-0/$(ARCH)/" \
      >> /etc/apt/sources.list
# univention-install univention-mail-dovecot

# (doveadm acl get -u mail4@nstx.local folder-ohne@nstx.local/INBOX ; \
 doveadm acl get -u mail4@nstx.local shared/folder-mit@nstx.local) > AFTER 2>&1

# wdiff BEFORE AFTER
ID                    Global Rights                                             
group=Domain Admins          admin {+expunge+} insert lookup post read write write-deleted write-seen
group=Windows Hosts          {+expunge+} insert lookup post read write write-deleted write-seen
user=mail1@nstx.local        lookup read write write-seen                       
user=mail2@nstx.local        insert lookup post read write write-seen           
user=mail3@nstx.local        {+expunge+} insert lookup post read write write-deleted write-seen
user=mail4@nstx.local        admin {+expunge+} insert lookup post read write write-deleted write-seen
ID                    Global Rights                                             
group=Domain Admins          admin {+expunge+} insert lookup post read write write-deleted write-seen
group=Windows Hosts          {+expunge+} insert lookup post read write write-deleted write-seen
user=mail1@nstx.local        lookup read write write-seen                       
user=mail2@nstx.local        insert lookup post read write write-seen           
user=mail3@nstx.local        {+expunge+} insert lookup post read write write-deleted write-seen
user=mail4@nstx.local        admin {+expunge+} insert lookup post read write write-deleted write-seen
Comment 3 Daniel Tröder univentionstaff 2015-12-09 09:35:26 CET
OK: code review
OK: advisory
OK: manual tests:

root@Test35:~# udm mail/folder create --position cn=folder,cn=mail,$ldap_base --set name=pub1 --set mailDomain=$domainname --set mailHomeServer=$hostname.$domainname --append sharedFolderUserACL="test1m@uni.dtr write" --append sharedFolderUserACL="test2m@uni.dtr all" --append sharedFolderUserACL="test3m@uni.dtr read"

root@Test35:~# udm mail/folder create --position cn=folder,cn=mail,$ldap_base --set name=pub2 --set mailDomain=$domainname --set mailHomeServer=$hostname.$domainname --append sharedFolderUserACL="test1m@uni.dtr write" --append sharedFolderUserACL="test2m@uni.dtr all" --append sharedFolderUserACL="test3m@uni.dtr read" --set mailPrimaryAddress=pub2m@uni.dtr

root@Test35:~# cp /var/spool/dovecot/public/Uni.Dtr/pub1/.INBOX/dovecot-acl pub1-before
root@Test35:~# cp /var/spool/dovecot/private/uni.dtr/pub2m/Maildir/dovecot-acl pub2m-before

root@Test35:~# cat pub1-before
user=test1m@uni.dtr ilprwts
user=test2m@uni.dtr ailprwts
user=test3m@uni.dtr lrws

root@Test35:~# diff pub1-before pub2m-before 

root@Test35:~# univention-upgrade 

root@Test35:~# grep univention-mail-dovecot /var/univention-join/status
univention-mail-dovecot v1 successful
univention-mail-dovecot v2 successful

root@Test35:~# cat /var/log/univention/reapply_shared_folder_acls.log
09.12.15 09:17:40.217  DEBUG_INIT
09.12.15 09:17:40.224  MAIN        ( INFO    ) : Initialising reapply_shared_folder_acls...
09.12.15 09:17:40.268  MAIN        ( INFO    ) : Looking for objects matching to following LDAP filter:
   (&(objectClass=univentionMailSharedFolder)(univentionMailHomeServer=Test35.Uni.Dtr))
09.12.15 09:17:40.270  MAIN        ( PROCESS ) : DN: 'cn=pub1@Uni.Dtr,cn=folder,cn=mail,dc=Uni,dc=Dtr'
09.12.15 09:17:41.464  LISTENER    ( PROCESS ) : reapply_shared_folder_acls: Updated shared mailbox configuration.
09.12.15 09:17:41.623  LISTENER    ( PROCESS ) : reapply_shared_folder_acls: Set ACLs on 'pub1@Uni.Dtr'.
09.12.15 09:17:41.623  MAIN        ( PROCESS ) : ACLs updated
09.12.15 09:17:41.623  MAIN        ( PROCESS ) : DN: 'cn=pub2@Uni.Dtr,cn=folder,cn=mail,dc=Uni,dc=Dtr'
09.12.15 09:17:41.714  LISTENER    ( PROCESS ) : reapply_shared_folder_acls: Set ACLs on 'pub2m@uni.dtr'.
09.12.15 09:17:41.715  MAIN        ( PROCESS ) : ACLs updated
09.12.15 09:17:41.715  MAIN        ( PROCESS ) : Done

root@Test35:~# diff pub1-before /var/spool/dovecot/public/Uni.Dtr/pub1/.INBOX/dovecot-acl
1,2c1,2
< user=test1m@uni.dtr ilprwts
< user=test2m@uni.dtr ailprwts
---
> user=test1m@uni.dtr eilprwts
> user=test2m@uni.dtr aeilprwts

root@Test35:~# diff pub2m-before /var/spool/dovecot/private/uni.dtr/pub2m/Maildir/dovecot-acl
1,2c1,2
< user=test1m@uni.dtr ilprwts
< user=test2m@uni.dtr ailprwts
---
> user=test1m@uni.dtr eilprwts
> user=test2m@uni.dtr aeilprwts

root@Test35:~# diff /var/spool/dovecot/public/Uni.Dtr/pub1/.INBOX/dovecot-acl /var/spool/dovecot/private/uni.dtr/pub2m/Maildir/dovecot-acl


* Manual tests with Horde webmail worked as expected.
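The mapping behind this bug, written out as an added example (it is not code from this bug report or from univention-mail-dovecot): the UDM levels read/append/write/all are rendered into Dovecot's dovecot-acl letter format exactly as the BEFORE/AFTER `doveadm acl get` output and the pub1 dovecot-acl files above show them, with `fixed=False` reproducing the old listener behaviour and `fixed=True` the 2.0.1-1 fix. It also adds a check the page only implies: scanning a dovecot-acl file for entries that hold write-deleted (t) without expunge (e), which is precisely the combination that lets a user flag mails \Deleted but fail with "permission denied" on delete or move. The function names, the `fixed` parameter and the BASE_RIGHTS table are this example's own reconstruction from the quoted output; the letter order follows Dovecot's dovecot-acl files.

```python
"""Dovecot shared-folder ACL mapping and consistency check for Bug 40038.

Added example; not code from univention-mail-dovecot. The mapping from UDM
permission levels (read, append, write, all) to IMAP rights is reconstructed
from the `doveadm acl get` output and the dovecot-acl files quoted in this
bug. `fixed=False` reproduces the pre-2.0.1-1 behaviour (no "expunge"),
`fixed=True` the corrected one. Function names are this example's own.
"""

# dovecot-acl letters (RFC 4314 rights plus Dovecot's w/s/t split), listed in
# the order Dovecot writes them into dovecot-acl files.
LETTER_ORDER = "akxeilprwts"
LETTER_TO_RIGHT = {
    "a": "admin",
    "k": "create",
    "x": "delete",
    "e": "expunge",
    "i": "insert",
    "l": "lookup",
    "p": "post",
    "r": "read",
    "w": "write",
    "t": "write-deleted",
    "s": "write-seen",
}

# Rights per UDM sharedFolderUserACL/sharedFolderGroupACL level as the listener
# module granted them before the fix (reconstructed from the BEFORE output).
BASE_RIGHTS = {
    "read": {"lookup", "read", "write", "write-seen"},
    "append": {"lookup", "read", "write", "write-seen", "insert", "post"},
    "write": {"lookup", "read", "write", "write-seen", "insert", "post",
              "write-deleted"},
    "all": {"lookup", "read", "write", "write-seen", "insert", "post",
            "write-deleted", "admin"},
}


def rights_for_level(level, fixed=True):
    """IMAP rights for a UDM level; the fix adds expunge to write and all."""
    rights = set(BASE_RIGHTS[level])
    if fixed and level in ("write", "all"):
        rights.add("expunge")
    return rights


def to_letters(rights):
    """Render a right set in Dovecot's canonical letter order."""
    return "".join(l for l in LETTER_ORDER if LETTER_TO_RIGHT[l] in rights)


def from_letters(letters):
    """Inverse of to_letters; unknown letters are rejected, not ignored."""
    unknown = set(letters) - set(LETTER_TO_RIGHT)
    if unknown:
        raise ValueError("unknown ACL letters: %s" % "".join(sorted(unknown)))
    return {LETTER_TO_RIGHT[l] for l in letters}


def parse_acl_file(text):
    """Parse dovecot-acl lines ('<identifier> <letters>') into a dict.

    Identifiers such as 'group=Domain Admins' may contain spaces; the
    rights are always the last whitespace-separated token.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ident, letters = line.rsplit(None, 1)
        entries[ident] = from_letters(letters)
    return entries


def render_acl_file(udm_acls, fixed=True):
    """dovecot-acl content for a list of (identifier, UDM level) pairs."""
    return "".join("%s %s\n" % (ident, to_letters(rights_for_level(level, fixed)))
                   for ident, level in udm_acls)


def find_missing_expunge(entries):
    """Identifiers that can mark mails \\Deleted but cannot expunge them.

    That combination (t without e) is exactly the symptom of this bug:
    deleting or moving out of the folder fails with "permission denied".
    """
    return sorted(ident for ident, rights in entries.items()
                  if "write-deleted" in rights and "expunge" not in rights)


# Input taken from Comment 3: the pub1 dovecot-acl before the update and the
# UDM ACL entries that produced it.
PUB1_BEFORE = (
    "user=test1m@uni.dtr ilprwts\n"
    "user=test2m@uni.dtr ailprwts\n"
    "user=test3m@uni.dtr lrws\n"
)
PUB1_UDM = [
    ("user=test1m@uni.dtr", "write"),
    ("user=test2m@uni.dtr", "all"),
    ("user=test3m@uni.dtr", "read"),
]

if __name__ == "__main__":
    print("before fix, entries lacking expunge:",
          find_missing_expunge(parse_acl_file(PUB1_BEFORE)))
    print("after reapply_shared_folder_acls:")
    print(render_acl_file(PUB1_UDM), end="")
```

Running `find_missing_expunge` over the dovecot-acl files under /var/spool/dovecot (or over `doveadm acl get` output converted with `from_letters`) is a quick way to confirm, after the errata update, that the join script's reapply_shared_folder_acls run reached every shared folder on the host.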
Comment 4 Janek Walkenhorst univentionstaff 2015-12-09 16:43:39 CET
<http://errata.software-univention.de/ucs/4.1/18.html>