[Kolab-devel] Re: admins and virtualdomains, where is authorisation enforced?

Toschi Pietro Pietro.Toschi at actalis.it
Mon Oct 1 15:54:39 CEST 2007


Honestly, I'm far more interested in understanding and evaluating Cyrus than having the honour of reporting a bug, so I'm glad to leave this task to someone like you who's able to distinguish between a bug and a feature, which I'm not. :-))
I'll continue to check the list for additional comments anyway.

Thanks for your answer.
Pietro


Pietro Toschi
Actalis S.p.A. Gruppo AlmavivA
Via Luigi Rizzo, 20
00136 Roma
www.actalis.it
 

-----Original Message-----
From: Alain Spineux [mailto:aspineux at gmail.com]
Sent: Monday, 1 October 2007 14:26
To: Toschi Pietro
Cc: info-cyrus at lists.andrew.cmu.edu; Kolab development coordination
Subject: Re: admins and virtualdomains, where is authorisation enforced?

I think this is a bug; I tried GETACL and MYRIGHTS and got unexpected results!
If I don't get explanations, I will report a BUG, or you can! You found it!

# imtest -a admin.mydomain.loc@mydomain.loc -w password -u bk17@beta.loc -v localhost
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN
SASL-IR] eg01.emailgency.loc Cyrus IMAP4 v2.3.9-openpkg server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN
SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE
CONDSTORE IDLE URLAUTH
S: C01 OK Completed
C: A01 AUTHENTICATE PLAIN
YmsxN0BiZXRhLmxvYwBhZG1pbi5teWRvbWFpbi5sb2NAbXlkb21haW4ubG9jAHZpc2hub3U=
S: A01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL
RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME
UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE
CONDSTORE IDLE URLAUTH] Success (no protection)
Authenticated.
Security strength factor: 0
A4 GETACL INBOX
* ACL INBOX bk17@beta.loc lrswipkxtecda manager r
A4 OK Completed
A7 MYRIGHTS INBOX
* MYRIGHTS INBOX lrswipkxtecda
A7 OK Completed
A8 CREATE INBOX/foo
A8 OK Completed
A9 MYRIGHTS INBOX/boo
A9 NO Mailbox does not exist
A10 MYRIGHTS INBOX/foo
* MYRIGHTS INBOX/foo lrswipkxtecda
A10 OK Completed
A11 GETACL INBOX/foo
* ACL INBOX/foo bk17@beta.loc lrswipkxtecda manager r
A11 OK Completed


On 10/1/07, Toschi Pietro <Pietro.Toschi at actalis.it> wrote:
> Hi list,
>
> I have a cyrus 2.3.9 test server with two virtual domains: aa.it and bb.it.
> Having "virtualdomains: yes", I've experimented with the "admins" directive and
> I've added one account:
>
> "admins: cyrus user01@aa.it "
>
> After a cyrus-imapd restart I've tried using imtest:
>
> [root@olimpo ~]# imtest -a utente01@aa.it -w password -u utente02@bb.it -v localhost
>
> S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN SASL-IR] olimpo
> Cyrus IMAP4 v2.3.9-Invoca-RPM-2.3.9-3 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN SASL-IR ACL
> RIGHTS=kxte QUOTA NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
> MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES
> ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> URLAUTH
> S: C01 OK Completed
> C: A01 AUTHENTICATE PLAIN
> dXRlbnRlMDJAYmIuaXQAdXRlbnRlMDFAYWEuaXQAdXRlbnRlMDE=
> S: A01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL
> RIGHTS=kxte QUOTA NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
> MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES
> ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> URLAUTH] Success (no protection)
> Authenticated.
> Security strength factor: 0
>
> I expected some authorization-related error message, but instead
> user01@aa.it was able not only to authenticate (as expected, since I used
> the right credentials) but also to get authorized as user02@bb.it, who is a
> normal user of a different domain.
>
> I expected that every "admin", in a virtualdomain environment, would be able to
> manage only his or her own accounts, based of course on the domain part of the
> username.
>
> Is there something I missed in my config, or maybe in my understanding of
> this feature?
>
> Thanks
>
> Pietro
>
> configdirectory:        /var/lib/imap
> partition-default:      /storage/mail
> admins:                 cyrus user01@aa.it
> sievedir:               /var/lib/imap/sieve
> sendmail:               /usr/sbin/sendmail
> hashimapspool:          true
> sasl_pwcheck_method:    saslauthd
> sasl_mech_list:         PLAIN
> virtdomains:            yes
> defaultdomain:          localdomain
> unixhierarchysep:       yes
>
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info:
> http://asg.web.cmu.edu/cyrus/mailing-list.html
>


-- 
Alain Spineux
aspineux gmail com
May the sources be with you
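As an added example (not part of the thread and not Cyrus code), the following Python decodes the `AUTHENTICATE PLAIN` initial responses captured in both traces above and flags the situation Pietro describes: an authentication identity (authcid) in one virtual domain being authorised as a user (authzid) in a different domain. The `default_domain` rule for bare user names follows the `defaultdomain: localdomain` setting in Pietro's config; the `TRACES` table is constructed from the two base64 lines on the page, and the cross-domain check is an audit rule written here, not anything Cyrus enforces.

```python
import base64
from dataclasses import dataclass


@dataclass
class PlainCredentials:
    """Fields of a SASL PLAIN initial response (RFC 4616):
    [authzid] NUL authcid NUL passwd."""
    authzid: str   # identity the client asks to act as (empty = same as authcid)
    authcid: str   # identity whose password is actually checked
    passwd: str


def decode_sasl_plain(b64: str) -> PlainCredentials:
    """Decode the base64 line a client sends after 'AUTHENTICATE PLAIN'."""
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("SASL PLAIN response must have exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return PlainCredentials(authzid, authcid, passwd)


def encode_sasl_plain(authzid: str, authcid: str, passwd: str) -> str:
    """Build the same line (this is what imtest -u/-a/-w produces)."""
    for field in (authzid, authcid, passwd):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a SASL PLAIN field")
    msg = f"{authzid}\x00{authcid}\x00{passwd}".encode("utf-8")
    return base64.b64encode(msg).decode("ascii")


def domain_of(user: str, default_domain: str) -> str:
    """Cyrus convention: a bare user name belongs to defaultdomain."""
    return user.rpartition("@")[2] if "@" in user else default_domain


def is_cross_domain_proxy(creds: PlainCredentials,
                          default_domain: str = "localdomain") -> bool:
    """Audit rule (assumed, not a Cyrus setting): True when authcid is being
    authorised as a user in a *different* virtual domain."""
    if not creds.authzid or creds.authzid == creds.authcid:
        return False   # ordinary login, no proxy authorisation requested
    return (domain_of(creds.authzid, default_domain)
            != domain_of(creds.authcid, default_domain))


# Constructed sample table: the two AUTHENTICATE PLAIN responses quoted
# in the traces above (test credentials posted to the list).
TRACES = {
    "alain": "YmsxN0BiZXRhLmxvYwBhZG1pbi5teWRvbWFpbi5sb2NAbXlkb21haW4ubG9jAHZpc2hub3U=",
    "pietro": "dXRlbnRlMDJAYmIuaXQAdXRlbnRlMDFAYWEuaXQAdXRlbnRlMDE=",
}


def audit(traces: dict, default_domain: str = "localdomain") -> dict:
    """Report authcid/authzid per trace and whether the proxy crosses domains.
    The password is decoded but deliberately left out of the report."""
    report = {}
    for name, b64 in traces.items():
        c = decode_sasl_plain(b64)
        report[name] = {
            "authcid": c.authcid,
            "authzid": c.authzid,
            "cross_domain": is_cross_domain_proxy(c, default_domain),
        }
    return report


if __name__ == "__main__":
    for name, finding in audit(TRACES).items():
        flag = "CROSS-DOMAIN PROXY" if finding["cross_domain"] else "ok"
        print(f"{name}: {finding['authcid']} -> {finding['authzid']}  [{flag}]")
```

Both captured responses are flagged: in Pietro's trace `utente01@aa.it` is authorised as `utente02@bb.it`, and in Alain's `admin.mydomain.loc@mydomain.loc` is authorised as `bk17@beta.loc`. Run against a capture or a debug log of `AUTHENTICATE PLAIN` lines, the same check shows whether any global admin is proxying into a domain other than its own, which is exactly the behaviour the thread asks Cyrus to restrict.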



