SASL login as another user - unexpected behavior on cyrus 2.4.17
Bron Gondwana
brong at fastmailteam.com
Mon Sep 25 20:16:23 EDT 2017
That's going to be the case on all versions of Cyrus - admins have quite
a lot of "root"-like power, and the @domain limitation is quite
lightweight as you can see!
I would recommend running a completely separate Cyrus instance per
zone of control if this is a concern - while it would be nice to lock
down all the ways in which admins are powerful, realistically it's a
ton of work.
(the usual "pull requests welcome" of course - I wouldn't object to
making boundaries around domain admins solid, but I don't have the dev
cycles to throw at it)
Bron.
On Mon, 25 Sep 2017, at 18:19, Marco wrote:
> Hello,
>
> I run Cyrus-IMAPD 2.4.17 with many virtual domains:
>
> virtdomains: userid
>
> I configured a domain administrator:
>
> admins: admin at example.com
>
> With this account I can LIST all accounts in example.com domain
> only, as> expected.
>
> Let suppose the Cyrus-IMAPD server stores also accounts for other
> domains, such as example2.com domain.
>
> Well, I see that I can SASL PLAIN login using admin at example.com on
> example2.com accounts too, if I know their names. I can't
> understand why> this could happen. It seems a security issue.
>
>
> Is there a way to prevent this issue without modifying ACL on all
> accounts?
>
> Thank you
> Marco
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
--
Bron Gondwana, CEO, FastMail Pty Ltd
brong at fastmailteam.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20170926/f54402fa/attachment.html>
More information about the Info-cyrus
mailing list