Re: admins and virtualdomains, where is authorisation enforced?

From: Alain Spineux (no email)
Date: Mon Oct 01 2007 - 08:25:50 EDT

  • Next message: Alain Spineux: "Re: new messages flagged as read??"

    I think this is a bug. I tried GETACL and MYRIGHTS and got an unexpected result!
    If I don't get an explanation, I will report a bug, or you can! You found it!

    # imtest -a -w password -u
      -v localhost
    S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN
    SASL-IR] eg01.emailgency.loc Cyrus IMAP4 v2.3.9-openpkg server ready
    C: C01 CAPABILITY
    S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN
    SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS
    NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
    THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE
    CONDSTORE IDLE URLAUTH
    S: C01 OK Completed
    C: A01 AUTHENTICATE PLAIN
    YmsxN0BiZXRhLmxvYwBhZG1pbi5teWRvbWFpbi5sb2NAbXlkb21haW4ubG9jAHZpc2hub3U=
    S: A01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL
    RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME
    UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
    THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE
    CONDSTORE IDLE URLAUTH] Success (no protection)
    Authenticated.
    Security strength factor: 0
    A4 GETACL INBOX
    * ACL INBOX lrswipkxtecda manager r
    A4 OK Completed
    A7 MYRIGHTS INBOX
    * MYRIGHTS INBOX lrswipkxtecda
    A7 OK Completed
    A8 CREATE INBOX/foo
    A8 OK Completed
    A9 MYRIGHTS INBOX/boo
    A9 NO Mailbox does not exist
    A10 MYRIGHTS INBOX/foo
    * MYRIGHTS INBOX/foo lrswipkxtecda
    A10 OK Completed
    A11 GETACL INBOX/foo
    * ACL INBOX/foo lrswipkxtecda manager r
    A11 OK Completed

    On 10/1/07, Toschi Pietro <> wrote:
    >
    > Hi list,
    >
    > I have a cyrus 2.3.9 test server with two virtual domains: aa.it and bb.it.
    > Having "virtualdomains: yes", I've experimented with "admins" directive and
    > I've added one account:
    >
    > "admins: cyrus "
    >
    > After a cyrus-imapd restart I've tried using imtest:
    >
    > [root at olimpo ~]# imtest -a -w password -u -v
    > localhost
    >
    > S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN SASL-IR] olimpo
    > Cyrus IMAP4 v2.3.9-Invoca-RPM-2.3.9-3 server ready
    >
    > C: C01 CAPABILITY
    >
    > S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN SASL-IR ACL
    > RIGHTS=kxte QUOTA NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
    > MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES
    > ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE
    > URLAUTH
    >
    > S: C01 OK Completed
    >
    > C: A01 AUTHENTICATE PLAIN
    > dXRlbnRlMDJAYmIuaXQAdXRlbnRlMDFAYWEuaXQAdXRlbnRlMDE=
    >
    > S: A01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL
    > RIGHTS=kxte QUOTA NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
    > MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES
    > ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE
    > URLAUTH] Success (no protection)
    >
    > Authenticated.
    >
    > Security strength factor: 0
    >
    > I expected some authorization-related error message, but instead
    > was able not only to authenticate (as expected, since I used
    > the right credentials) but also to get authorized as , that is a
    > normal user of a different domain.
    >
    > I expected that every "admin", in a virtualdomain environment, be able to
    > manage only his or her accounts, based of course on the domain part of the
    > username.
    >
    > Is there something I missed in my config or maybe in my understanding of
    > this feature?
    >
    > Thanks
    >
    > Pietro
    >
    > configdirectory: /var/lib/imap
    > partition-default: /storage/mail
    > admins: cyrus
    > sievedir: /var/lib/imap/sieve
    > sendmail: /usr/sbin/sendmail
    > hashimapspool: true
    > sasl_pwcheck_method: saslauthd
    > sasl_mech_list: PLAIN
    > virtdomains: yes
    > defaultdomain: localdomain
    > unixhierarchysep: yes
    > ________________________________
    >
    > ----
    > Cyrus Home Page: http://cyrusimap.web.cmu.edu/
    > Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
    > List Archives/Info:
    > http://asg.web.cmu.edu/cyrus/mailing-list.html
    >

    -- 
    Alain Spineux
    aspineux gmail com
    May the sources be with you
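
The `AUTHENTICATE PLAIN` response in both transcripts above packs an authorization identity, an authentication identity and a password, separated by NUL bytes (RFC 4616). As an added example (not part of the original thread, and not Cyrus's own code), the following decodes such a response and applies the per-domain proxy rule the original poster expected; the identities, the `ADMINS` set and the policy in `proxy_decision` are constructed assumptions.

```python
import base64

def parse_plain(b64_response):
    """Decode a SASL PLAIN response (RFC 4616): [authzid] NUL authcid NUL passwd."""
    parts = base64.b64decode(b64_response, validate=True).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("expected exactly two NUL separators")
    authzid, authcid = parts[0].decode("utf-8"), parts[1].decode("utf-8")
    if not authcid:
        raise ValueError("empty authentication identity")
    # The password (parts[2]) is deliberately never returned or logged.
    # An empty authzid means "act as the identity that authenticated".
    return (authzid or authcid), authcid

def domain_of(identity, default_domain):
    """Domain part of user@domain; unqualified names fall into the default domain."""
    _, sep, domain = identity.rpartition("@")
    return (domain if sep else default_domain).lower()

def proxy_decision(authzid, authcid, admins, default_domain):
    """Assumed policy (not Cyrus's code): a domain-qualified admin may only
    act as users of its own domain; an unqualified admin is treated as global."""
    if authzid == authcid:
        return "allow: no proxy requested"
    if authcid not in admins:
        return "deny: not an admin"
    if "@" not in authcid:
        return "allow: global admin"
    if domain_of(authzid, default_domain) != domain_of(authcid, default_domain):
        return "deny: cross-domain proxy"
    return "allow: same-domain admin"

def audit(b64_response, admins, default_domain="localdomain"):
    """Decision for one captured AUTHENTICATE PLAIN response."""
    authzid, authcid = parse_plain(b64_response)
    return proxy_decision(authzid, authcid, admins, default_domain)

def make_plain(authzid, authcid, password):
    """Build a constructed PLAIN response for the samples below."""
    return base64.b64encode("\0".join((authzid, authcid, password)).encode()).decode()

# Constructed sample data: identities, password and admins list are made up.
ADMINS = {"admin01@aa.example"}
CROSS = make_plain("user02@bb.example", "admin01@aa.example", "constructed-secret")
SAME = make_plain("user02@aa.example", "admin01@aa.example", "constructed-secret")

if __name__ == "__main__":
    for name, sample in (("cross-domain", CROSS), ("same-domain", SAME)):
        print(name, "->", audit(sample, ADMINS))
```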
    
