Message-ID: <20030603012533.GA19064@data.is>
Date: Tue, 3 Jun 2003 01:25:33 +0000
From: "Hallgrimur H. Gunnarsson" <hhg@...a.is>
To: popa3d-users@...ts.openwall.com
Subject: Re: virtuals don't seem very virtual ?

Hi,

On  0, Michael Coulter <mjc@...z.ca> wrote:
> I just started looking into running popa3d for a small
> groups of virtual domains.
> 
> I poked around with the current virtual support and each
> virtual seems to require a corresponding real user account.
> I though about this for a while, and I'm guessing this behaviour
> is for the sake of security. I.E. being able to drop privileges
> to a user, and having the mailboxes owned by separate users.
> 
> Is it possible to set this up to simply setuid and/or gid to a
> user with mail privileges and handle virtual domain type user
> names in the following manner:
> 
> usernames/crypts are in files like /vhome/auth/example.com/user
> mboxes would have paths like /vhome/mail/example.com/user
> 
> If this does not yet exist, is there interest in patches that
> would accomplish something to that effect ?

Yes, this is possible. Each virtual user does not require a
corresponding real user account. There is however a feature
for arbitrary {user, domain} -> UID mapping (template user).
Solar Designer has suggested to use at least one UID per
domain. This requires you to have at least one real user account
for use as a template user.

Here's a small tutorial:

* Edit params.h and turn on virtual support (POP_VIRTUAL). You
  can also change VIRTUAL_HOME_PATH, VIRTUAL_AUTH_PATH and
  VIRTUAL_SPOOL_PATH if you don't like the defaults. I'll assume
  the defaults through the rest of the tutorial though.

* Create the VIRTUAL_HOME_PATH.

	$ mkdir /vhome

* Create a home for each IP and the corresponding auth/spool
  directories.

	$ mkdir /vhome/127.0.0.1 /vhome/127.0.0.1/auth /vhome/127.0.0.1/mail

* For each user:

	$ echo "templateuser:passwd:" > /vhome/127.0.0.1/auth/username
	$ touch /vhome/127.0.0.1/mail/username
	$ chown templateuser /vhome/127.0.0.1/mail/username

	Security note:

	The auth file (auth/username) should not be owned by the
	templateuser, or the popa3d user, since that'd allow
	an attacker who compromised popa3d to change user passwords
	and more importantly, to change the templateuser.

This tutorial assumes you'll be using the default IP-based virtual
support. If you require name-based virtual support, which can be
triggered with usernames such as user@...ain, there's a small
patch on my web page http://www.data.is/~hhg/.

-- hhg
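The setup steps from the tutorial above, as an added example that is not part of the original message or of popa3d itself: a POSIX shell script that creates the per-IP directory layout, adds a virtual user (auth file in the "templateuser:passwd:" form shown above, plus an empty mailbox), and then audits the auth files for the ownership problem the security note warns about. The user names (vmail, popa3d, alice), the scratch directory and the hash value are assumptions made for illustration; the crypt(3) hash is passed in already encoded, since producing it is outside what the post describes.

```shell
#!/bin/sh
# Added example, not popa3d's own code.  Scripts the tutorial steps and
# audits the result.  Base dir, IP, user and template names are parameters
# so the script can be exercised in a scratch directory as a normal user.
set -eu

# Create BASE/IP/auth and BASE/IP/mail for one virtual IP (the mkdir step).
vhome_init() {
    base=$1 ip=$2
    mkdir -p "$base/$ip/auth" "$base/$ip/mail"
    # Directories stay owned by whoever runs this (root in practice), and
    # are world-readable so popa3d can look users up before it changes UID.
    chmod 755 "$base/$ip/auth" "$base/$ip/mail"
}

# Add one virtual user: auth file "template:hash:" and an empty mailbox.
# $5 is an already crypt(3)-encoded password (assumed; not generated here).
vuser_add() {
    base=$1 ip=$2 user=$3 template=$4 hash=$5
    authf="$base/$ip/auth/$user"
    mbox="$base/$ip/mail/$user"
    printf '%s:%s:\n' "$template" "$hash" > "$authf"
    chmod 644 "$authf"      # readable by popa3d, writable only by its owner
    : > "$mbox"
    chmod 600 "$mbox"       # the spool is private to the template user
    # chown needs root and an existing template account; skip otherwise so
    # the rest of the script still works in a scratch directory.
    if [ "$(id -u)" = 0 ] && id "$template" >/dev/null 2>&1; then
        chown "$template" "$mbox"
    fi
}

# Owner of a file: field 3 of "ls -l", which is portable across GNU and BSD.
file_owner() { ls -ld "$1" | awk '{print $3}'; }

# Audit per the security note: an auth file must not be owned by the
# template user named inside it, nor by the popa3d user ($2).  Lists
# offenders on stdout; returns 0 when clean, 1 otherwise.
vauth_audit() {
    base=$1 popuser=$2 rc=0
    for f in "$base"/*/auth/*; do
        [ -f "$f" ] || continue
        template=$(cut -d: -f1 < "$f")
        owner=$(file_owner "$f")
        if [ "$owner" = "$template" ] || [ "$owner" = "$popuser" ]; then
            echo "BAD owner $owner (template=$template): $f"
            rc=1
        fi
    done
    return $rc
}

# Usage with constructed names; use /vhome instead of a scratch dir as root:
#   vhome_init /tmp/vhome 127.0.0.1
#   vuser_add /tmp/vhome 127.0.0.1 alice vmail '<crypt-hash>'
#   vauth_audit /tmp/vhome popa3d
```

Run as root against the real VIRTUAL_HOME_PATH the auth files end up owned by root and the mailboxes by the template user, which is exactly the split the security note asks for; vauth_audit is the check to rerun after any later hand edits.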
