more virtual domain funnyness

Kendrick Vargas ken at
Mon Dec 29 13:37:15 EST 2003

On Mon, 29 Dec 2003, Christian Schulte wrote:

> Kendrick Vargas schrieb:
> > 
> > Ok, Igor, Ken, you both must be growing to hate me, but I'm starting to 
> > understand the present need for the defaultdomain paramater. I'm sorry :-)
> > 
> > I have a question. Lets say I have a realm "" and I have the
> > defaultdomain paramater set to "", and I also have "" 
> > and "" on the system. Now, lets say I have "cyrus" users in 
> > each of those realms, and lets say I have the "admins" paramater set to 
> > "cyrus". Will the "cyrus" user from any of those domains be able to 
> > administrate the system, or will it just be the one from the default 
> > domain?
> It should be only the unqualified cyrus user specified in the admins 
> line which can administrate the system. How the login of this 
> unqualified userid looks like is determined by defaultdomain setting and 
> by reverse-dns or servername. Try it out. All others are normal 
> mailboxes cyrus at domain without any admin rights.

I c... so that means that global admins have to have unqualified 
usernames, which are then qualified with the default domain? If that's the 
case, then global admins can only come from the defaultdomain? That seems 
kinda.. well, dumb. Why not just have a seperate admins line specifically 
for global admins?

> > I'm starting to think that maybe there should be two different paramaters, 
> > "admins" (analogous to domain admins) and "globaladmins" (global admins) 
> > to allow more explicit declaration of who has which rights.
> Why ? You can simply specifiy userids in the admins line. Unqualified 
> userids are global admins and fully-qualified userids only have admin 
> rights in theire domain. I do not know if "cyrus at defaultdomain" also is 
> a global admin...logging in as "cyrus at defaultdomain" will lead to 
> "defaultdomain" getting stripped, I think, so that "cyrus at defaultdomain" 
> in the admins line will not work with defaultdomain beeing set to 
> "defaultdomain" but I did not test that.

Well, that's what I was asking earlier. If I specify an unqualified 
"cyrus" user and have the defaultdomain option set to "", is 
the global admin restricted to the user "cyrus at", or does it 
extend to "cyrus@*" ? If it extends to all variations of cyrus@, then it 
seems a big security hole. Lemme give you a non cyrus example...

It's like setting up an administrative website in apache, and only wanting
outside access from two IP addresses allowed: you from work and you from
home. Lets say your work IP is, and your home IP is Using 
the allow/deny syntax, you could either do:

	allow from all
	deny from 2.
	deny from 3.
	deny from 5.
	deny from 6.
	deny from 254.
	deny from 255.

And that doesn't even take into account breaking down the 1.1 and 
1.3-1.255 addresses, or the 4.1 - 4.2 and 4.4-4.255 addresses. Well, from 
a security standpoint, having an unqualified cyrus@* is like doing the 
above. Or you could do this:

	deny from all
	allow from
	allow from

I'd rather specify which users on which domains have full global 
permissions. I dunno, maybe I am just being stupid here. Who knows, in any 
case, I have the configuration hacked so that it works. I just don't 
consider it particularly elegant.

Let he who is without clue kiss my ass

More information about the Info-cyrus mailing list