admins and virtualdomains, where is authorisation enforced?

Alain Spineux aspineux at gmail.com
Thu Nov 8 12:26:54 EST 2007


Hi, I wrote a patch for this:

https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2998


On Oct 1, 2007 11:29 AM, Toschi Pietro <Pietro.Toschi at actalis.it> wrote:
>
> Hi list,
>
> I have a cyrus 2.3.9 test server with two virtual domains: aa.it and bb.it.
> Having "virtualdomains: yes", I've experimented with "admins" directive and
> I've added one account:
>
> "admins: cyrus user01 at aa.it "
>
> After a cyrus-imapd restart I've tried using imtest:
>
> [root at olimpo ~]# imtest -a utente01 at aa.it -w password -u utente02 at bb.it -v localhost
>
> S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN SASL-IR] olimpo
> Cyrus IMAP4 v2.3.9-Invoca-RPM-2.3.9-3 server ready
>
> C: C01 CAPABILITY
>
> S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN SASL-IR ACL
> RIGHTS=kxte QUOTA NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
> MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES
> ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> URLAUTH
>
> S: C01 OK Completed
>
> C: A01 AUTHENTICATE PLAIN
> dXRlbnRlMDJAYmIuaXQAdXRlbnRlMDFAYWEuaXQAdXRlbnRlMDE=
>
> S: A01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL
> RIGHTS=kxte QUOTA NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
> MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES
> ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> URLAUTH] Success (no protection)
>
> Authenticated.
>
> Security strength factor: 0
>
> I expected some authorization-related error message, but instead
> user01 at aa.it was able not only to authenticate (as expected, since I used
> the right credentials) but also to get authorized as user02 at bb.it, that is, a
> normal user of a different domain.
>
> I expected that every "admin", in a virtualdomain environment, would be able to
> manage only his or her accounts, based of course on the domain part of the
> username.
>
> Is there something I missed in my config or maybe in my understanding of
> this feature?
>
> Thanks
>
> Pietro
>
> configdirectory:        /var/lib/imap
> partition-default:      /storage/mail
> admins:                 cyrus user01 at aa.it
> sievedir:               /var/lib/imap/sieve
> sendmail:               /usr/sbin/sendmail
> hashimapspool:          true
> sasl_pwcheck_method:    saslauthd
> sasl_mech_list:         PLAIN
> virtdomains:            yes
> defaultdomain:          localdomain
> unixhierarchysep:       yes



-- 
Alain Spineux
aspineux gmail com
May the sources be with you
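
The AUTHENTICATE PLAIN token from the session quoted above, decoded per RFC 4616 and run through the domain-scoped check the original poster expected; this is an added example, not part of either message, not Cyrus code and not the patch attached to the bug report. The `may_proxy` policy, the helper names and the `ADMINS` set (which assumes the authenticating account in the session is the one listed under `admins`) are hypothetical.

```python
import base64

# Initial response copied from the AUTHENTICATE PLAIN line in the quoted session.
CAPTURED = "dXRlbnRlMDJAYmIuaXQAdXRlbnRlMDFAYWEuaXQAdXRlbnRlMDE="

# Assumed values mirroring the quoted config (admins / defaultdomain).
ADMINS = {"cyrus", "utente01@aa.it"}
DEFAULT_DOMAIN = "localdomain"


def parse_plain(b64):
    """Split an RFC 4616 PLAIN message: authzid NUL authcid NUL passwd.

    Returns (authzid, authcid); the password is deliberately not returned.
    """
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN message must have exactly two NUL separators")
    authzid, authcid, _passwd = (p.decode("utf-8") for p in parts)
    if not authcid:
        raise ValueError("empty authentication identity")
    # An empty authzid means "act as the authenticated identity".
    return authzid or authcid, authcid


def domain_of(userid, default_domain=DEFAULT_DOMAIN):
    """Domain part of user@domain; unqualified names fall in the default domain."""
    _local, sep, domain = userid.rpartition("@")
    return domain.lower() if sep else default_domain.lower()


def may_proxy(authcid, authzid, admins=ADMINS):
    """Hypothetical policy: unqualified admins are global, domain-qualified
    admins are confined to their own domain, everyone may act as themselves."""
    if authzid == authcid:
        return True
    if authcid not in admins:
        return False
    if "@" not in authcid:
        return True  # global admin such as "cyrus"
    return domain_of(authcid) == domain_of(authzid)


if __name__ == "__main__":
    authzid, authcid = parse_plain(CAPTURED)
    verdict = "allow" if may_proxy(authcid, authzid) else "deny"
    print(f"authcid={authcid} authzid={authzid} -> {verdict}")
```
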

