Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 3 Jun 2003 01:25:33 +0000
From: "Hallgrimur H. Gunnarsson" <hhg@...a.is>
To: popa3d-users@...ts.openwall.com
Subject: Re: virtuals don't seem very virtual ?

Hi,

On  0, Michael Coulter <mjc@...z.ca> wrote:
> I just started looking into running popa3d for a small
> groups of virtual domains.
> 
> I poked around with the current virtual support and each
> virtual seems to require a corresponding real user account.
> I though about this for a while, and I'm guessing this behaviour
> is for the sake of security. I.E. being able to drop privileges
> to a user, and having the mailboxes owned by separate users.
> 
> Is it possible to set this up to simply setuid and/or gid to a
> user with mail privileges and handle virtual domain type user
> names in the following manner:
> 
> usernames/crypts are in files like /vhome/auth/example.com/user
> mboxes would have paths like /vhome/mail/example.com/user
> 
> If this does not yet exist, is there interest in patches that
> would accomplish something to that effect ?

Yes, this is possible. Each virtual user does not require a
corresponding real user account. There is however a feature
for arbitrary {user, domain} -> UID mapping (template user).
Solar designer has suggested to use at least one UID per 
domain. This requires you to have at least one real user account
for use as a template user.

Here's a small tutorial:

* Edit params.h and turn on virtual support (POP_VIRTUAL). You
  can also change VIRTUAL_HOME_PATH,VIRTUAL_AUTH_PATH,
  VIRTUAL_SPOOL_PATH if you dont like the defaults. I'll assume
  the defaults through the rest of the tutorial though.

* Create the VIRTUAL_HOME_PATH.

	$ mkdir /vhome

* Create a home for each IP and the corresponding auth/spool
  directories.

	$ mkdir /vhome/127.0.0.1 /vhome/127.0.0.1/auth /vhome/127.0.0.1/mail

* For each user:

	$ echo "templateuser:passwd:" > /vhome/127.0.0.1/auth/username
	$ touch /vhome/127.0.0.1/mail/username
	$ chown templateuser /vhome/127.0.0.1/mail/username

	Security note:

	The auth file (auth/username) should not be owned by the
	templateuser, or the popa3d user, since that'd allow
	an attacker who compromised popa3d to change user passwords
	and more importantly, to change the templateuser.

This tutorial assumes you'll be using the default IP-based virtual
support. If you require name-based virtual support, which can be
triggered with usernames such as user@...ain, there's a small
patch on my web page http://www.data.is/~hhg/.

-- hhg

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.