admins access from Cyrus 2.4 proxy

Dan White dwhite at olp.net
Thu Jun 28 14:57:31 EDT 2012 

On 06/28/12 18:08 +0100, David Mayo wrote:
>
>We have started the process of upgrading our Cyrus IMAP service from 2.3
>to 2.4. We upgraded the proxy IMAP server earlier this week and
>subsequently noticed that quotas can no longer be viewed or set from the
>proxy IMAP server.
>
>Cyrus 2.3 front end behaviour:
>
>== cyradm ==
>
>proxy> lq user.test
>  STORAGE 121/250000 (0.0484%)
>proxy>
>
>== Proxy ==
>
>C: 5 GETQUOTA user.test
>S: 5 NO [REFERRAL imap://;AUTH=*@backend.bath.ac.uk/user.test] Remote
>mailbox.
>
>== Backend ==
>
>C: 5 GETQUOTA user.test
>S: * QUOTA user.test (STORAGE 121 250000)

If I understand correctly, the frontend, running version 2.3, is
incorrectly returning a referral, but should not be, since you have
proxyd_disable_mailbox_referrals enabled.

>Cyrus 2.4 front end behaviour:
>
>== cyradm ==
>
>proxy> lq user.test
>
>proxy>
>
>== Proxy ==
>
>C: 4 GETQUOTA user.test
>S: 4 NO Permission denied
>
>== Backend ==
>
>C: 4 Getquota {11+}
>user.test
>S: 4 NO Permission denied
>
>
>Direct to Cyrus 2.3 backend using the same admin user:
>
>== cyradm ==
>
>backend> getacl user.test
>  STORAGE 121/250000 (0.0484%)
>backend>
>
>== Backend ==
>
>C: 1 Getquota {11+}
>user.test
>S: * QUOTA user.test (STORAGE 121 250000)
>1 OK Completed
>
>Server details: 2x Solaris 10 x86 machines, proxy server 2.4.16, backend
>server 2.3.13.
>
>proxyd_disable_mailbox_referrals is set to true on imapd.conf on the
>proxy server for both versions.
>
>It's good to see that an IMAP referral isn't being generated by the
>front end server - we use Kerberos authentication so the login was
>happening automatically anyway - but is it expected behaviour that the
>admin user be denied admin rights when logging in from a proxy server?
>Or should I raise a bug about this?

I believe this is intentional. The documentation states
(install-murder.html):

"You must also configure atleast one user/group using the proxyservers
imapd.conf option. This user should not be an administrator, since this
means that anyone who can get ahold of your proxy servers now has full
administrative control on your backend. Example:

admins: cyrus
proxyservers: murder"

This section of code (from imap/global.c) is unchanged between 2.3.12 and
2.4.16:

     if (alen != rlen || strncmp(auth_identity, requested_user, alen)) {
         /* we want to authenticate as a different user; we'll allow this
            if we're an admin or if we've allowed ACL proxy logins */
         int use_acl = ctx->use_acl && config_getswitch(IMAPOPT_LOGINUSEACL);

         if (userisadmin ||
             (use_acl && acl_ok(requested_user, authstate)) ||
             (ctx->proxy_servers &&
              global_authisa(authstate, IMAPOPT_PROXYSERVERS))) {
             /* proxy ok! */

             userisadmin = 0;    /* no longer admin */
             auth_freestate(authstate);
             
             authstate = auth_newstate(requested_user);

             /* are we a proxy admin? */
             if (ctx->userisproxyadmin)
                 *(ctx->userisproxyadmin) =
                     global_authisa(authstate, IMAPOPT_ADMINS);
         } else {
             sasl_seterror(conn, 0, "user %s is not allowed to proxy",
                           auth_identity);

             auth_freestate(authstate);

             return SASL_BADAUTH;
         }
     }

This section drops admin privileges if a proxy authentication succeeds.

-- 
Dan White

More information about the Info-cyrus mailing list