more virtual domain funnyness
ken at hudat.com
Mon Dec 29 13:37:15 EST 2003
On Mon, 29 Dec 2003, Christian Schulte wrote:
> Kendrick Vargas schrieb:
> > Ok, Igor, Ken, you both must be growing to hate me, but I'm starting to
> > understand the present need for the defaultdomain paramater. I'm sorry :-)
> > I have a question. Lets say I have a realm "example.com" and I have the
> > defaultdomain paramater set to "example.com", and I also have "domain.com"
> > and "otherdomain.com" on the system. Now, lets say I have "cyrus" users in
> > each of those realms, and lets say I have the "admins" paramater set to
> > "cyrus". Will the "cyrus" user from any of those domains be able to
> > administrate the system, or will it just be the one from the default
> > domain?
> It should be only the unqualified cyrus user specified in the admins
> line which can administrate the system. How the login of this
> unqualified userid looks like is determined by defaultdomain setting and
> by reverse-dns or servername. Try it out. All others are normal
> mailboxes cyrus at domain without any admin rights.
I c... so that means that global admins have to have unqualified
usernames, which are then qualified with the default domain? If that's the
case, then global admins can only come from the defaultdomain? That seems
kinda.. well, dumb. Why not just have a seperate admins line specifically
for global admins?
> > I'm starting to think that maybe there should be two different paramaters,
> > "admins" (analogous to domain admins) and "globaladmins" (global admins)
> > to allow more explicit declaration of who has which rights.
> Why ? You can simply specifiy userids in the admins line. Unqualified
> userids are global admins and fully-qualified userids only have admin
> rights in theire domain. I do not know if "cyrus at defaultdomain" also is
> a global admin...logging in as "cyrus at defaultdomain" will lead to
> "defaultdomain" getting stripped, I think, so that "cyrus at defaultdomain"
> in the admins line will not work with defaultdomain beeing set to
> "defaultdomain" but I did not test that.
Well, that's what I was asking earlier. If I specify an unqualified
"cyrus" user and have the defaultdomain option set to "example.com", is
the global admin restricted to the user "cyrus at example.com", or does it
extend to "cyrus@*" ? If it extends to all variations of cyrus@, then it
seems a big security hole. Lemme give you a non cyrus example...
It's like setting up an administrative website in apache, and only wanting
outside access from two IP addresses allowed: you from work and you from
home. Lets say your work IP is 188.8.131.52, and your home IP is 184.108.40.206. Using
the allow/deny syntax, you could either do:
allow from all
deny from 2.
deny from 3.
deny from 5.
deny from 6.
deny from 254.
deny from 255.
And that doesn't even take into account breaking down the 1.1 and
1.3-1.255 addresses, or the 4.1 - 4.2 and 4.4-4.255 addresses. Well, from
a security standpoint, having an unqualified cyrus@* is like doing the
above. Or you could do this:
deny from all
allow from 220.127.116.11
allow from 18.104.22.168
I'd rather specify which users on which domains have full global
permissions. I dunno, maybe I am just being stupid here. Who knows, in any
case, I have the configuration hacked so that it works. I just don't
consider it particularly elegant.
Let he who is without clue kiss my ass
More information about the Info-cyrus