SASL login as another user - unexpected behavior on cyrus 2.4.17

Bron Gondwana brong at fastmailteam.com
Mon Sep 25 20:16:23 EDT 2017


That's going to be the case on all versions of Cyrus - admins have quite
a lot of "root"-like power, and the @domain limitation is quite
lightweight as you can see!
I would recommend running a completely separate Cyrus instance per
zone of control if this is a concern - while it would be nice to lock
down all the ways in which admins are powerful, realistically it's a
ton of work.
(the usual "pull requests welcome" of course - I wouldn't object to
making boundaries around domain admins solid, but I don't have the dev
cycles to throw at it)
Bron.


On Mon, 25 Sep 2017, at 18:19, Marco wrote:
> Hello,
> 
>   I run Cyrus-IMAPD 2.4.17 with many virtual domains:
> 
> virtdomains: userid
> 
> I configured a domain administrator:
> 
> admins: admin at example.com
> 
> With this account I can LIST all accounts in example.com domain
> only, as expected.
> 
> Let suppose the Cyrus-IMAPD server stores also accounts for other
> domains, such as example2.com domain.
> 
> Well, I see that I can SASL PLAIN login using admin at example.com on
> example2.com accounts too, if I know their names. I can't
> understand why this could happen. It seems a security issue.
> 
> 
> Is there a way to prevent this issue without modifying ACL on all
> accounts?
> 
> Thank you
> Marco
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

--
  Bron Gondwana, CEO, FastMail Pty Ltd
  brong at fastmailteam.com
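The behaviour Marco describes is SASL PLAIN proxy authorization: the client authenticates as one identity (authcid) and asks to be authorized as another (authzid), and a configured admin is allowed to do that for any user regardless of domain. The script below is an added example, not code from this thread or from the Cyrus project. It decodes a PLAIN initial response and applies the domain boundary Bron says would be nice to have: a domain admin may only act as users of its own domain. It assumes the `virtdomains: userid` convention that the domain is the part of the userid after `@`, and it assumes (as a labelled assumption) that an admin with no domain part is a global admin; the `admins` value and all logins are constructed test data.

```python
import base64
from typing import Optional, Set, Tuple

# Constructed example of the "admins:" setting from the thread: one domain admin.
ADMINS: Set[str] = {"admin@example.com"}


def parse_sasl_plain(message: bytes) -> Tuple[str, str, str]:
    """Split a SASL PLAIN message (RFC 4616) into (authzid, authcid, password).

    Wire form: [authzid] NUL authcid NUL passwd. An empty authzid means the
    client acts as the identity it authenticates as; a non-empty one is a
    request to be *authorized* as a different user (what the thread calls
    "login as another user").
    """
    parts = message.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message: expected exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and password must be non-empty")
    return (authzid or authcid), authcid, passwd


def domain_of(userid: str) -> Optional[str]:
    """With 'virtdomains: userid' the domain is whatever follows '@'.
    A bare userid has no domain (it lives in the server's default domain)."""
    _, sep, domain = userid.partition("@")
    return domain.lower() if sep else None


def may_act_as(authcid: str, authzid: str, admins: Set[str]) -> bool:
    """Proxy-authorization policy with a hard domain boundary.

    - anyone may act as themselves;
    - only configured admins may act as someone else;
    - ASSUMPTION: an admin with no domain part is a global admin;
    - a domain admin may only act as users of its own domain.
    """
    if authcid == authzid:
        return True
    if authcid not in admins:
        return False
    admin_domain = domain_of(authcid)
    if admin_domain is None:
        return True
    return domain_of(authzid) == admin_domain


def authorize(b64_initial_response: str, admins: Set[str] = ADMINS) -> Tuple[bool, str, str]:
    """Decode the base64 initial response an IMAP 'AUTHENTICATE PLAIN' carries,
    apply the policy, and return (allowed, authcid, authzid). Password
    verification is out of scope here and assumed to have already succeeded."""
    authzid, authcid, _passwd = parse_sasl_plain(base64.b64decode(b64_initial_response))
    return may_act_as(authcid, authzid, admins), authcid, authzid


def sasl_plain_b64(authzid: str, authcid: str, passwd: str) -> str:
    """Build a base64 PLAIN response (used only to construct test input here)."""
    return base64.b64encode(f"{authzid}\x00{authcid}\x00{passwd}".encode()).decode()


if __name__ == "__main__":
    # Constructed cases mirroring the thread: same-domain proxy allowed,
    # cross-domain proxy (admin@example.com acting in example2.com) denied.
    for authzid in ("alice@example.com", "bob@example2.com"):
        allowed, who, as_whom = authorize(sasl_plain_b64(authzid, "admin@example.com", "secret"))
        print(f"{who} as {as_whom}: {'allowed' if allowed else 'DENIED'}")
```

The policy function is the piece worth keeping: whatever enforces proxy authorization in front of a shared multi-domain server can apply `may_act_as` to the decoded (authcid, authzid) pair and refuse the bind before any mailbox ACL is consulted, which is the check Marco was hoping to get without touching ACLs on every account.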

