Open brong opened 16 years ago
From: Alain Spineux
This bug is related to thread
http://lists.andrew.cmu.edu/pipermail/info-cyrus/2007-October/027116.html
I log in as bk17@beta.loc using the domain admin credential admin.mydomain.loc@mydomain.loc. First, I don't know if this should fail or not. Second, I look for the ACL, and I see admin.mydomain.loc@mydomain.loc is not in the list for the bk17@beta.loc INBOX. Then I use MYRIGHTS on the INBOX and get full rights! I went further by creating a folder in INBOX.
Here is the log
bk17@beta.loc -v localhost
S: OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN SASL-IR] eg01.emailgency.loc Cyrus IMAP4 v2.3.9-openpkg server ready
C: C01 CAPABILITY
S: CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE URLAUTH
S: C01 OK Completed
C: A01 AUTHENTICATE PLAIN YmsxN0BiZXRhLmxvYwBhZG1pbi5teWRvbWFpbi5sb2NAbXlkb21haW4ubG9jAHZpc2hub3U=
S: A01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE URLAUTH] Success (no protection)
Authenticated.
Security strength factor: 0
A4 GETACL INBOX
I'm running an OpenPKG cyrus-2.3.9 on kolab-2.2beta1 running on CentOS 5.0.
Here is my imapd.conf
configdirectory: /kolab/var/imapd
partition-default: /kolab/var/imapd/spool
allowusermoves: 0
admins: admin.beta.loc@beta.loc admin.teta.loc@teta.loc admin.gamma.loc@gamma.loc admin.mydomain.loc@mydomain.loc manager
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain
sendmail: /kolab/sbin/sendmail
allowanonymouslogin: no
allowplaintext: yes
servername: eg01.emailgency.loc
autocreatequota: 100000
reject8bit: no
munge8bit: no
quotawarn: 80
lmtp_over_quota_perm_failure: 0
timeout: 30
sievedir: /kolab/var/imapd/sieve
lmtpsocket: /kolab/var/kolab/lmtp
allowapop: no
tls_cert_file: /kolab/etc/kolab/cert.pem
tls_key_file: /kolab/etc/kolab/key.pem
altnamespace: 0
unixhierarchysep: yes
lmtp_downcase_rcpt: yes
username_tolower: 1
hashimapspool: yes
loginrealms: eg01.emailgency.loc mydomain.loc eg01.emailgency.loc beta.loc teta.loc koko.loc gamma.loc
ldap_uri: ldap://127.0.0.1:389
ldap_base: dc=eg01,dc=emailgency,dc=loc
ldap_bind_dn: cn=nobody,cn=internal,dc=eg01,dc=emailgency,dc=loc
ldap_password: ****
ldap_time_limit: 15
virtdomains: ldap
postuser: kolab
userprefix: user
sharedprefix: shared
notifysocket: /kolab/var/imapd/socket/notify
sievenotifier: mailto
mailnotifier: mailto
annotation_db: berkeley
mboxlist_db: berkeley
duplicatesuppression: 0
imapidlepoll: 5
annotation_definitions: /kolab/etc/imapd/imapd.annotation_definitions
singleinstancestore: 1
Attachment-Id: 961 From: Alain Spineux Type: text/plain File: cyrus-imapd-2.3.9_deny_cross_admin-asx.patch
cyrus-imapd-2.3.9_deny_cross_admin_login-asx.patch
From: Alain Spineux
About the patch:
The problem is that Cyrus lets a domain admin impersonate a user of another domain, because Cyrus doesn't compare the domains. Once the admin is in, he has full rights on the mailbox because Cyrus doesn't make any check later!
The patch rejects the connection when the authenticating user is an admin, both identities have a domain, and these domains don't match.
From: Alain Spineux Bugzilla-Id: 2998 Version: 2.3.x Owner: Ken Murchison
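As an added example (not the attached patch and not Cyrus's own code), the following C sketch implements the rule described in the comment above: it splits a decoded SASL PLAIN message into its authorization identity (the user being impersonated) and authentication identity (the admin), then refuses the proxy login when the admin is in a different domain from the target user. Function names, the placeholder password and the admin flag are constructed assumptions; the identities mirror the report.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>
/* Added example, not Cyrus code or the attached patch; names and sample data are constructed. */

/* Domain part of a "local@domain" identity, or NULL when it has none. */
static const char *domain_of(const char *id)
{
    const char *at = strchr(id, '@');
    return (at && at[1]) ? at + 1 : NULL;
}

/* 1 = refuse: the authenticating identity is an admin, both identities carry
 * a domain, and the domains differ. Domain-less global admins ("manager" in the
 * report's admins list) are unaffected; an empty authzid means "act as
 * yourself" and never crosses domains. */
int cross_domain_denied(const char *authzid, const char *authcid, int authcid_is_admin)
{
    const char *ud = domain_of(authzid), *ad = domain_of(authcid);
    if (!authcid_is_admin || !ud || !ad) return 0;
    return strcasecmp(ud, ad) != 0;
}

/* Split "authzid NUL authcid NUL password" into its identities.
 * Returns 1 on success, 0 when framing is wrong or a field does not fit cap. */
int split_plain(const unsigned char *msg, size_t len, char *authzid, char *authcid, size_t cap)
{
    const unsigned char *p1 = memchr(msg, '\0', len);
    if (!p1) return 0;
    const unsigned char *p2 = memchr(p1 + 1, '\0', len - (size_t)(p1 + 1 - msg));
    if (!p2) return 0;
    size_t l1 = (size_t)(p1 - msg), l2 = (size_t)(p2 - p1 - 1);
    if (l1 >= cap || l2 >= cap) return 0;
    memcpy(authzid, msg, l1); authzid[l1] = '\0';
    memcpy(authcid, p1 + 1, l2); authcid[l2] = '\0';
    return 1;
}

/* Decide on a raw PLAIN message: 1 deny, 0 allow, -1 malformed. */
int plain_login_denied(const unsigned char *msg, size_t len, int authcid_is_admin)
{
    char authzid[256], authcid[256];
    if (!split_plain(msg, len, authzid, authcid, sizeof authzid)) return -1;
    return cross_domain_denied(authzid, authcid, authcid_is_admin);
}

/* Constructed sample mirroring the report, with a placeholder password. */
static const unsigned char SAMPLE_PLAIN[] =
    "bk17@beta.loc\0admin.mydomain.loc@mydomain.loc\0PLACEHOLDER";
#define SAMPLE_PLAIN_LEN (sizeof SAMPLE_PLAIN - 1)
```

With the report's identities the decision is "deny"; the same admin logging in as a user of its own domain, or a domain-less global admin, is still allowed.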