admins and virtualdomains, where is authorisation enforced?
Toschi Pietro
Pietro.Toschi at actalis.it
Mon Oct 1 06:29:12 EDT 2007
Hi list,
I have a cyrus 2.3.9 test server with two virtual domains: aa.it and
bb.it. Having "virtualdomains: yes", I've experimented with the "admins"
directive and I've added one account:
"admins: cyrus user01@aa.it"
After a cyrus-imapd restart I've tried using imtest:
[root@olimpo ~]# imtest -a utente01@aa.it -w password -u utente02@bb.it -v localhost
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN SASL-IR] olimpo Cyrus IMAP4 v2.3.9-Invoca-RPM-2.3.9-3 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN SASL-IR ACL RIGHTS=kxte QUOTA NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
C: A01 AUTHENTICATE PLAIN dXRlbnRlMDJAYmIuaXQAdXRlbnRlMDFAYWEuaXQAdXRlbnRlMDE=
S: A01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL RIGHTS=kxte QUOTA NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH] Success (no protection)
Authenticated.
Security strength factor: 0
I expected some authorization-related error message, but instead
user01@aa.it was able not only to authenticate (as expected, since I
used the right credentials) but also to get authorized as user02@bb.it,
that is, a normal user of a different domain.
I expected that every "admin", in a virtualdomain environment, would be able
to manage only his or her accounts, based of course on the domain part of
the username.
Is there something I missed in my config or maybe in my understanding of
this feature?
Thanks
Pietro
configdirectory: /var/lib/imap
partition-default: /storage/mail
admins: cyrus user01@aa.it
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
virtdomains: yes
defaultdomain: localdomain
unixhierarchysep: yes
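
The AUTHENTICATE PLAIN line in the session above carries two identities: the one being authenticated (imtest -a) and the one being requested (imtest -u). As an added example that is not part of the original post and is not Cyrus code, the Python below splits such a token per RFC 4616 and labels the cross-domain proxy case the poster expected to be refused. `classify_login`, `make_token`, the `ADMINS` set and the sample password are assumptions made for illustration.

```python
import base64

def parse_sasl_plain(b64_token):
    """Split an RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd."""
    parts = base64.b64decode(b64_token, validate=True).split(b"\x00")
    if len(parts) != 3 or not parts[1]:
        raise ValueError("not a well-formed SASL PLAIN message")
    authzid, authcid = parts[0].decode("utf-8"), parts[1].decode("utf-8")
    # The password (parts[2]) is deliberately not returned or logged.
    # An empty authzid means "act as the authenticated identity".
    return (authzid or authcid), authcid

def domain_of(userid, default_domain):
    """Domain part of user@domain; unqualified names get the default domain."""
    _local, sep, domain = userid.rpartition("@")
    return domain.lower() if sep else default_domain.lower()

def classify_login(b64_token, admins, default_domain="localdomain"):
    """Label who is asking to act as whom in one AUTHENTICATE PLAIN token."""
    authzid, authcid = parse_sasl_plain(b64_token)
    if authzid == authcid:
        return "self"
    if authcid not in admins:
        return "proxy-by-non-admin"
    if domain_of(authzid, default_domain) == domain_of(authcid, default_domain):
        return "same-domain-proxy"
    return "cross-domain-proxy"

def make_token(authzid, authcid, passwd="constructed-password"):
    """Build a constructed sample token (the password is a placeholder)."""
    return base64.b64encode("\0".join([authzid, authcid, passwd]).encode()).decode()

# Assumption: the admins set holds the identity used in the imtest run above.
ADMINS = {"cyrus", "utente01@aa.it"}

if __name__ == "__main__":
    # Constructed samples as (authzid, authcid); the first mirrors the imtest run.
    samples = [("utente02@bb.it", "utente01@aa.it"),
               ("utente03@aa.it", "utente01@aa.it"),
               ("", "utente01@aa.it"),
               ("utente01@aa.it", "utente02@bb.it")]
    for authzid, authcid in samples:
        label = classify_login(make_token(authzid, authcid), ADMINS)
        print(f"{authcid!r} acting as {authzid or authcid!r}: {label}")
```

Run over decoded AUTHENTICATE PLAIN tokens from a protocol trace, the "cross-domain-proxy" label marks exactly the kind of login shown in the session above.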
More information about the Info-cyrus
mailing list