Re: admins and virtualdomains, where is authorisation enforced?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I things this is a bug, I tried GETACL and MYRIGHTS and got unexpected result !
If I dont get explanations, I will report a BUG, or you can ! You found it !

# imtest -a admin.mydomain.loc@xxxxxxxxxxxx -w password -u
bk17@xxxxxxxx  -v localhost
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN
SASL-IR] eg01.emailgency.loc Cyrus IMAP4 v2.3.9-openpkg server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN
SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE
CONDSTORE IDLE URLAUTH
S: C01 OK Completed
C: A01 AUTHENTICATE PLAIN
YmsxN0BiZXRhLmxvYwBhZG1pbi5teWRvbWFpbi5sb2NAbXlkb21haW4ubG9jAHZpc2hub3U=
S: A01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL
RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME
UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE
CONDSTORE IDLE URLAUTH] Success (no protection)
Authenticated.
Security strength factor: 0
A4 GETACL INBOX
* ACL INBOX bk17@xxxxxxxx lrswipkxtecda manager r
A4 OK Completed
A7 MYRIGHTS INBOX
* MYRIGHTS INBOX lrswipkxtecda
A7 OK Completed
A8 CREATE INBOX/foo
A8 OK Completed
A9 MYRIGHTS INBOX/boo
A9 NO Mailbox does not exist
A10 MYRIGHTS INBOX/foo
* MYRIGHTS INBOX/foo lrswipkxtecda
A10 OK Completed
A11 GETACL INBOX/foo
* ACL INBOX/foo bk17@xxxxxxxx lrswipkxtecda  manager r
A11 OK Completed


On 10/1/07, Toschi Pietro <Pietro.Toschi@xxxxxxxxxx> wrote:
>
>
>
>
> Hi list,
>
> I have a cyrus 2.3.9 test server with two virtual domains: aa.it and bb.it.
> Having "virtualdomains: yes", I've experimented with "admins" directive and
> I've added one account:
>
> "admins: cyrus user01@xxxxx "
>
> After a cyrus-imapd restart I've tried using imtest:
>
>
>
> [root@olimpo ~]# imtest -a utente01@xxxxx -w password -u utente02@xxxxx -v
> localhost
>
> S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN SASL-IR] olimpo
> Cyrus IMAP4 v2.3.9-Invoca-RPM-2.3.9-3 server ready
>
> C: C01 CAPABILITY
>
> S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN SASL-IR ACL
> RIGHTS=kxte QUOTA NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
> MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES
> ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> URLAUTH
>
> S: C01 OK Completed
>
> C: A01 AUTHENTICATE PLAIN
> dXRlbnRlMDJAYmIuaXQAdXRlbnRlMDFAYWEuaXQAdXRlbnRlMDE=
>
> S: A01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL
> RIGHTS=kxte QUOTA NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
> MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES
> ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> URLAUTH] Success (no protection)
>
> Authenticated.
>
> Security strength factor: 0
>
>
>
> I expected some authorization-related error message, but instead
> user01@xxxxx was able not only to authenticate (as expected, since I used
> the right credentials) but also to get authorized as user02@xxxxx, that is a
> normal user of a different domain.
>
> I expected that every "admin", in a virtualdomain environment, be able to
> manage only its or her accounts based of course on the domain part of the
> username.
>
>
>
> Is there something I missed in my config or maybe in my understanding of
> this feature?
>
>
>
>
>
> Thanks
>
> Pietro
>
>
>
>
>
> configdirectory:        /var/lib/imap
>
>
>
> partition-default:      /storage/mail
>
>
>
> admins:                 cyrus user01@xxxxx
>
>
>
> sievedir:               /var/lib/imap/sieve
>
>
>
> sendmail:               /usr/sbin/sendmail
>
>
>
> hashimapspool:          true
>
>
>
> sasl_pwcheck_method:    saslauthd
>
> sasl_mech_list:         PLAIN
>
>
>
> virtdomains:            yes
>
> defaultdomain:          localdomain
>
> unixhierarchysep:       yes
>  ________________________________
>
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info:
> http://asg.web.cmu.edu/cyrus/mailing-list.html
>


-- 
Alain Spineux
aspineux gmail com
May the sources be with you
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

[Index of Archives]     [Cyrus SASL]     [Squirrel Mail]     [Asterisk PBX]     [Video For Linux]     [Photo]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux