Re: [cobalt-security] neomail on RAQ02
- Subject: Re: [cobalt-security] neomail on RAQ02
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Tue, 27 Nov 2001 21:15:36 +0100
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Taco,
> But I did create the neomail package and added a lot of changes so it would
> support multiple domains and multiple architectures. As the maintainer of
> the package I do think it is my issue.
Just a suggestion from my end with which you can restrict user logins to the
domains they belong to. Maybe there is an easier way, but this here might
work:
Upon processing the login values check the Apache variable $HTTP_HOST to
determine which domain the user used to fill out the login form for neomail.
Then grep /etc/passwd for the username:
Example:
intern:x:208:100:intern:/home/sites/site24/users/intern:/bin/badsh
This tells us that user "intern" belongs to "site24".
An "ls -l /home/sites/ |grep site24" returns the domain name associated with
"site24". In this case:
1 drwxrwxr-x 13 admin site24 1024 Apr 19 2001 site24
0 lrwxrwxrwx 1 root root 18 Jul 20 01:37 www.solarspeed.net -> /home/sites/site24
Now if the domain name doesn't match the $HTTP_REFERER of the page which
parses the submitted username and password, then the user has no business
logging in under that domain.
That's six to ten lines of additional PERL code. I volunteer to submit that
to you. If interested I'll rip your PKG apart and send you the fixed script.
--
With best regards,
Michael Stauber
SOLARSPEED.NET
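The check Michael sketches above, written out as a self-contained Perl script (an added example, not code from neomail or from the PKG). It follows the $HTTP_HOST variant of his suggestion rather than $HTTP_REFERER, since a Referer header is optional and entirely client-supplied; the sites directory, the site names and the user "intern" are constructed fixtures built in a temporary directory so the script runs offline.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Basename qw(basename);
# Step 1 ("grep /etc/passwd"): the siteNN whose users/ dir holds the user's home.
sub site_for_user {
    my ($passwd_text, $user) = @_;
    for my $line (split /\n/, $passwd_text) {
        my ($name, undef, undef, undef, undef, $home) = split /:/, $line;
        next unless defined $name && $name eq $user;
        return (defined $home && $home =~ m{/(site\d+)/users/}) ? $1 : undef;
    }
    return undef;    # no such user
}

# Step 2 ("ls -l /home/sites"): every symlink to the site dir is one of its domains.
sub domains_for_site {
    my ($sites_dir, $site) = @_;
    opendir(my $dh, $sites_dir) or die "opendir $sites_dir: $!";
    my @domains;
    for my $entry (readdir $dh) {
        my $path = "$sites_dir/$entry";
        next unless -l $path;
        my $target = readlink $path;
        push @domains, lc $entry if defined $target && basename($target) eq $site;
    }
    closedir $dh;
    return @domains;
}

# Step 3: the check. HTTP_HOST is browser-supplied, so normalise it (drop ":port",
# lower-case) before comparing it with the domains that really map to the site.
sub login_allowed {
    my ($passwd_text, $sites_dir, $user, $http_host) = @_;
    my $site = site_for_user($passwd_text, $user) or return 0;
    (my $host = lc $http_host) =~ s/:\d+$//;
    return (grep { $_ eq $host } domains_for_site($sites_dir, $site)) ? 1 : 0;
}

# Constructed fixture: a throwaway /home/sites with two sites and one domain each.
my $sites = tempdir(CLEANUP => 1);
mkdir "$sites/$_" for qw(site24 site25);
symlink "$sites/site24", "$sites/www.example.net" or die "symlink: $!";
symlink "$sites/site25", "$sites/www.example.org" or die "symlink: $!";
my $passwd = "intern:x:208:100:intern:$sites/site24/users/intern:/bin/badsh\n";
for (['intern', 'www.example.net'], ['intern', 'www.example.org:80'], ['nobody', 'www.example.net']) {
    my ($u, $h) = @$_;
    printf "%-6s via %-19s => %s\n", $u, $h, login_allowed($passwd, $sites, $u, $h) ? "allowed" : "denied";
}
```

In the real CGI the passwd text would come from /etc/passwd and the sites directory would be /home/sites; only the first login attempt should be allowed by this fixture, the other two are denied.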