global admin without defaultdomain?

Kendrick Vargas ken at hudat.com
Mon Dec 29 15:22:37 EST 2003 

On Mon, 29 Dec 2003, Igor Brezac wrote:

> On Mon, 29 Dec 2003, Kendrick Vargas wrote:
> 
> > On Mon, 29 Dec 2003, Christian Schulte wrote:
> >
> > > Since you enabled virtdomains why do you still want unqualified logins
> > > if not due upgrading reasons from an old installation with unqualified
> > > logins ? This all only has to do with unqualified logins which I do not
> > > want/need except for the global admin. If someone plans on changing the
> > > behaviour with the global admin and defaultdomain I would really like to
> > > keep the ability to not let a global admin in if not connecting to
> > > localhost and of course there should be a note about the change so that
> > > next time updating cyrus I do not open up a security hole I spent hours
> > > to prove that its greatly closed and safe :-)
> >
> > Well, that's basically it. I want a global admin, so I need to have a
> > defaultdomain set, which means the allowance of unqualified logins.
> 
> Why is this a problem?  Unqualified userid is meaningful only if there is
> a mailbox for this userid in defaultdomain.
> 
> > As for
> > only being able to log in via localhost to your global admin account,
> > it's a bug whether you like it or not :-) Relying on a bug to maintain
> > your security is really bad security. The only time I feel secure in my
> > setups is when I know everything is working as it should, otherwise theres
> > always that bit of doubt about things always working right.
> 
> This would be correct only if there is a bug.  There is no bug here, but
> rather a misconfiguration on your part.  We can argue how to make the code
> different/better in order to make it easier to configure.
> 
> On my configuration, I can cannect as admin to any interface on the mail
> server (I have to use fully qualified username: admin at defaultdomain), or
> I can connect to a specific ip with an unqualified admin userid.

Maybe I'm just not using cyradm correctly, I've gotta admit that cyradm 
has always been something of a black art to me. But Christian seems to be 
seeing the same problem as me, so maybe it isn't me after all. I was, 
however working for a while so my sleepyness got to me :-)

Here's what I'm doing:

toy:~# cyradm
cyradm> auth cyrus
authenticate: no connection to server
cyradm> server toy.hudat.com
IMAP Password: 
              Login failed: user not found at 
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm 
line 118
server: toy.hudat.com: cannot authenticate
toy.hudat.com> 

and here's the query thats comming through...

                   5327 Connect     cyrus at localhost on 
                   5327 Init DB     hudat_sys
                   5327 Query       SELECT sys_shadow.password AS 
userPassword FROM sys_users, sys_shadow WHERE sys_users.username = 'cyrus' 
AND sys_users.domain = 'hudat.com' AND 
sys_shadow.sys_users_id=sys_users.sys_users_id
                   5327 Query       SELECT sys_shadow.password AS 
cmusaslsecretPLAIN FROM sys_users, sys_shadow WHERE sys_users.username = 
'cyrus' AND sys_users.domain = 'hudat.com' AND 
sys_shadow.sys_users_id=sys_users.sys_users_id
                   5327 Quit       

Now, I can try and gain and the same results come right through the exact 
same way. So, lets try authing with the fully qualified user_id for the 
admin...

toy.hudat.com> auth cyrus at imap.somename.com
IMAP Password: 
              Login failed: user not found at 
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm 
line 118
authenticate: authentication to server toy.hudat.com failed
toy.hudat.com> 


031229 14:56:56    5351 Connect     cyrus at localhost on 
                   5351 Init DB     hudat_sys
                   5351 Query       SELECT sys_shadow.password AS 
userPassword FROM sys_users, sys_shadow WHERE sys_users.username = 'cyrus' 
AND sys_users.domain = 'imap.somename.com' AND 
sys_shadow.sys_users_id=sys_users.sys_users_id
                   5351 Query       SELECT sys_shadow.password AS 
cmusaslsecretPLAIN FROM sys_users, sys_shadow WHERE sys_users.username = 
'cyrus' AND sys_users.domain = 'imap.somename.com' AND 
sys_shadow.sys_users_id=sys_users.sys_users_id
                   5351 Quit       
                   5352 Connect     cyrus at localhost on 
                   5352 Init DB     hudat_sys
                   5352 Quit       
                   5353 Connect     cyrus at localhost on 
                   5353 Init DB     hudat_sys
                   5353 Query       SELECT sys_shadow.password AS 
userPassword FROM sys_users, sys_shadow WHERE sys_users.username = 'cyrus' 
AND sys_users.domain = 'hudat.com' AND 
sys_shadow.sys_users_id=sys_users.sys_users_id
                   5353 Query       SELECT sys_shadow.password AS 
cmusaslsecretPLAIN FROM sys_users, sys_shadow WHERE sys_users.username = 
'cyrus' AND sys_users.domain = 'hudat.com' AND 
sys_shadow.sys_users_id=sys_users.sys_users_id
                   5353 Quit

I didn't notice that it did a double query before, but, whatever... I 
tried it twice, still don't work. 

Now, lets look at what happens when I go in through localhost from a clean 
start:

toy:~# cyradm
cyradm> auth cyrus
authenticate: no connection to server
cyradm> server localhost
IMAP Password: 
              Login failed: user not found at 
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm 
line 118
server: localhost: cannot authenticate
localhost> 

                   5357 Connect     cyrus at localhost on 
                   5357 Init DB     hudat_sys
                   5357 Query       SELECT sys_shadow.password AS 
userPassword FROM sys_users, sys_shadow WHERE sys_users.username = 'root' 
AND sys_users.domain = 'imap.somename.com' AND 
sys_shadow.sys_users_id=sys_users.sys_users_id
                   5357 Query       SELECT sys_shadow.password AS 
cmusaslsecretPLAIN FROM sys_users, sys_shadow WHERE sys_users.username = 
'root' AND sys_users.domain = 'imap.somename.com' AND 
sys_shadow.sys_users_id=sys_users.sys_users_id
                   5357 Quit       

Whups, picked up root as the username, but at least it got the right 
domain! Lets try authing again:

localhost> auth cyrus      
IMAP Password: 
localhost> 

                   5363 Connect     cyrus at localhost on 
                   5363 Init DB     hudat_sys
                   5363 Query       SELECT sys_shadow.password AS 
userPassword FROM sys_users, sys_shadow WHERE sys_users.username = 'cyrus' 
AND sys_users.domain = 'imap.somename.com' AND 
sys_shadow.sys_users_id=sys_users.sys_users_id
                   5363 Query       SELECT sys_shadow.password AS 
cmusaslsecretPLAIN FROM sys_users, sys_shadow WHERE sys_users.username = 
'cyrus' AND sys_users.domain = 'imap.somename.com' AND 
sys_shadow.sys_users_id=sys_users.sys_users_id
                   5363 Quit       


Look at that, it worked unqualified. It also goes in qualified too... but 
only on localhost:

toy:~# cyradm
cyradm> server localhost
IMAP Password: 
              Login failed: user not found at 
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm 
line 118
server: localhost: cannot authenticate
localhost> auth cyrus at imap.somename.com
IMAP Password: 
localhost> 


Now, I'm not crazy, I've been admining boxes for 6 or 7 years now and I am 
just proficient enough that I can go in and hack away at something when it 
doesn't work, given enough time. The imap.somename.com only started 
working when I added the following to my /etc/hosts file:

127.0.0.1       localhost localhost.localdomain imap.somename.com

I don't know if it worked on the localhost before I added that to the 
/etc/hosts (for resolving purposes), but I can test if you like.

Oh, and umm... if you still don't believe me:

toy:~# telnet toy.hudat.com 143
Trying 204.235.97.76...
Connected to toy.hudat.com.
Escape character is '^]'.
* OK imap.somename.com Cyrus IMAP4 v2.2.2-BETA server ready
. login cyrus at imap.somename.com PASSWORD
. NO Login failed: user not found

toy:~# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK imap.somename.com Cyrus IMAP4 v2.2.2-BETA server ready
. login cyrus at imap.somename.com PASSWORD
. OK User logged in
. logout
* BYE LOGOUT received
. OK Completed
Connection closed by foreign host.
toy:~# 



> Here are simple rules:
> 
> - global admins need to be unqualified in imapd.conf
> - Setup an interface that resolves to host.defaultdomain or setup an
> interface that does not resolve to anything.  This is required only if you
> want to use unqualified admins when connecting to cyrus.
> - global admins need to be unqualified in the user database

Well I guess I found a bug then, because I think the proof above basically 
breaks like 3 of those rules in terms of what is actually happening. In my 
user database, the user is qualified (and, I might add, qualified to the 
right domain). The user can log into the localhost interface where 
imap.somename.com resolves to just fine, either qualified or unqualified, 
don't matter. However, when trying to go in through the public interface, 
it doesn't matter what I try, I just can't log in. 

I still think the present behavior is dumb. I don't think cyrus should 
care where a domain comes from, or even whether or not it exists. But, 
whatever
			-paece

-- 
Let he who is without clue kiss my ass

More information about the Info-cyrus mailing list