1

Topic: User can see all domains on Server

Hi!

We have a problem on our server. A logged-in domain admin can only edit the domains he is specified as admin for. That's fine. But if said domain admin decides to click on a letter under 'Domains and Accounts', he can see all of the domains that exist on the server, as well as the quota and the # of users, aliases and lists. If he tries to edit one of those other domains, he gets access denied (correctly). But the thing is that he can see so much information that does not concern him. It's a privacy issue.

Is this a known bug? Fix? Did we make a mistake in the configuration? Help would be greatly appreciated.

Thanks in advance
- sylonhosting

Versions:
iRedMail 0.9.2 (LDAP Backend)
iRedAdmin 2.3.1
iRedAPD 1.6.0

Centos 5

Postfix 2.5.9-5.ired
Dovecot 1.2.17-0_116.el5
policyd 1.82-4.rhms
httpd 2.2.3-78.el5.centos


2

Re: User can see all domains on Server

It's a bug, I will try to reproduce it and come back with a fix. Thanks very much for the feedback, and sorry about this trouble.

3

Re: User can see all domains on Server

Here's the patch for iRedAdmin-Pro-LDAP-2.3.1 to fix this issue:

diff -Naur a/controllers/ldap/domain.py b/controllers/ldap/domain.py
--- a/controllers/ldap/domain.py    2015-06-03 15:09:16.000000000 +0800
+++ b/controllers/ldap/domain.py    2015-12-01 08:41:49.000000000 +0800
@@ -31,11 +31,13 @@
         search_filter = None
         if 'starts_with' in web_input:
             first_char = web_input.get('starts_with')[:1].upper()
-            if iredutils.is_valid_account_first_char(first_char):
-                search_filter = '(&(objectClass=mailDomain)(domainName=%s*))' % first_char
+            if not iredutils.is_valid_account_first_char(first_char):
+                first_char = None
 
         domainLib = domainlib.Domain()
-        result = domainLib.list_accounts(search_filter=search_filter)
+        result = domainLib.list_accounts(search_filter=search_filter,
+                                         starts_with=first_char)
         if result[0] is True:
             allDomains = result[1]
 
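Review bot: the root cause is visible in the removed lines: the controller built `'(&(objectClass=mailDomain)(domainName=%s*))'` itself and passed it down as `search_filter`, and `get_all_domains` only applies the admin-scoped default when `search_filter` is falsy, so a non-global admin who clicked a letter ran an unscoped search. Moving the prefix into a separate `starts_with` argument is the right fix. After this change `search_filter` is always `None` on this path, so the `search_filter = None` assignment and the `search_filter=search_filter` keyword are dead; dropping them would make it explicit that the controller no longer composes LDAP filters.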
diff -Naur a/libs/ldaplib/connUtils.py b/libs/ldaplib/connUtils.py
--- a/libs/ldaplib/connUtils.py    2015-06-03 15:09:16.000000000 +0800
+++ b/libs/ldaplib/connUtils.py    2015-12-01 08:43:48.000000000 +0800
@@ -613,7 +613,8 @@
     def get_all_domains(self,
                         attributes=attrs.DOMAIN_SEARCH_ATTRS,
                         search_filter=None,
-                        names_only=False):
+                        names_only=False,
+                        starts_with=None):
         admin = session['username']
 
         if not search_filter:
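Review bot: the new `starts_with` keyword is undocumented. A one-line comment stating that it is a single leading character of `domainName`, that it is validated with `is_valid_account_first_char` before being placed in the filter, and that it narrows (rather than replaces) the admin-scoped default would help callers distinguish it from `search_filter`, which does replace that default.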
@@ -621,11 +622,15 @@
             if session.get('is_global_admin'):
                 search_filter = '(objectClass=mailDomain)'
 
+        if starts_with:
+            if iredutils.is_valid_account_first_char(starts_with):
+                search_filter = '(&' + search_filter + ('(domainName=%s*)' % starts_with) + ')'
+
         try:
             qr = self.conn.search_s(settings.ldap_basedn,
-                                         ldap.SCOPE_ONELEVEL,
-                                         search_filter,
-                                         attributes)
+                                    ldap.SCOPE_ONELEVEL,
+                                    search_filter,
+                                    attributes)
             if names_only:
                 domain_names = []
                 for r in qr:
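Review bot: `'(&' + search_filter + ...` assumes `search_filter` is a string by this point; if any branch of the preceding `if not search_filter:` block leaves it `None` (an admin with nothing in scope), this raises `TypeError` before the `try` block is reached instead of being handled. Guarding with `if starts_with and search_filter:` avoids that. `starts_with` is also interpolated into the filter unescaped, so `is_valid_account_first_char` is the only thing keeping the filter well-formed; that is sufficient for one validated character, but `ldap.filter.escape_filter_chars(starts_with)` would keep it safe if the parameter is ever widened. The re-indentation of the `search_s` arguments is unrelated whitespace churn in a bug-fix patch and would be cleaner as a separate commit.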
diff -Naur a/libs/ldaplib/domain.py b/libs/ldaplib/domain.py
--- a/libs/ldaplib/domain.py    2015-08-19 19:45:38.000000000 +0800
+++ b/libs/ldaplib/domain.py    2015-12-01 08:44:22.000000000 +0800
@@ -134,11 +134,13 @@
     def list_accounts(self,
                       attributes=attrs.DOMAIN_SEARCH_ATTRS,
                       search_filter=None,
-                      names_only=False):
+                      names_only=False,
+                      starts_with=None):
         connutils = connUtils.Utils()
         result = connutils.get_all_domains(attributes=attributes,
                                            search_filter=search_filter,
-                                           names_only=names_only)
+                                           names_only=names_only,
+                                           starts_with=starts_with)
         if result[0] is True:
             all_domains = result[1]
             all_domains.sort()
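Review bot: `starts_with` is plumbed through correctly, but `search_filter` is still accepted and forwarded, and because `get_all_domains` only applies the admin scope when `search_filter` is falsy, any caller that supplies its own filter bypasses that scope exactly as the controller did before this patch. Either document on `list_accounts` that `search_filter` replaces the scoped default rather than narrowing it, or compose caller-supplied filters with the scope using `(&...)` the same way `starts_with` now is.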

Post's attachments: starts_with.patch (3.21 kb)
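
As an added illustration of the root cause reported in post 1 and fixed by the patch above (not iRedAdmin code; the function names, the `managed_domains` scope model and the sample values are assumptions made for this example), the following Python compares the pre-patch shape, where a caller-built prefix filter replaces the admin-scoped default, with the post-patch shape, where the prefix is ANDed onto the scope. It also shows RFC 4515 escaping for values that come from data rather than from a single validated character:

```python
import re

# Assumption for this example: a valid "starts with" character is one
# upper-case letter or digit, mirroring what a check like
# is_valid_account_first_char would accept.
VALID_FIRST_CHAR = re.compile(r'^[A-Z0-9]$')


def is_valid_account_first_char(ch):
    """Return True only for a single letter or digit (hypothetical check)."""
    return bool(VALID_FIRST_CHAR.match(ch))


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP filter assertion."""
    return (value.replace('\\', '\\5c')
                 .replace('*', '\\2a')
                 .replace('(', '\\28')
                 .replace(')', '\\29')
                 .replace('\x00', '\\00'))


def scope_filter(is_global_admin, managed_domains):
    """Base filter: every domain for a global admin, only the managed
    domains for a per-domain admin, None when nothing is in scope."""
    if is_global_admin:
        return '(objectClass=mailDomain)'
    if not managed_domains:
        return None
    clauses = ''.join('(domainName=%s)' % escape_filter_value(d)
                      for d in managed_domains)
    return '(&(objectClass=mailDomain)(|%s))' % clauses


def buggy_list_filter(is_global_admin, managed_domains, starts_with=None):
    """Pre-patch shape: the caller builds the prefix filter itself, and the
    library applies admin scoping only when no filter was supplied, so a
    valid prefix silently discards the scope."""
    search_filter = None
    if starts_with:
        first_char = starts_with[:1].upper()
        if is_valid_account_first_char(first_char):
            search_filter = ('(&(objectClass=mailDomain)(domainName=%s*))'
                             % first_char)
    if not search_filter:
        search_filter = scope_filter(is_global_admin, managed_domains)
    return search_filter


def fixed_list_filter(is_global_admin, managed_domains, starts_with=None):
    """Post-patch shape: scoping is computed first, then a validated prefix
    is ANDed onto it; an invalid prefix leaves the scope untouched."""
    search_filter = scope_filter(is_global_admin, managed_domains)
    if search_filter is None:
        return None
    if starts_with:
        first_char = starts_with[:1].upper()
        if is_valid_account_first_char(first_char):
            search_filter = '(&%s(domainName=%s*))' % (search_filter,
                                                      first_char)
    return search_filter


if __name__ == '__main__':
    # Constructed sample: a per-domain admin managing one domain clicks "e".
    managed = ['example.com']
    print('buggy:', buggy_list_filter(False, managed, 'e'))
    print('fixed:', fixed_list_filter(False, managed, 'e'))
```

The buggy variant returns a filter that contains no reference to `example.com` at all, which is why every domain on the server was listed; the fixed variant keeps the scope clause and only narrows it. Domain names and other data values are escaped before being placed in the filter, while the prefix character is allowed through only after it passes the single-character check.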

4

Re: User can see all domains on Server

Hi and thanks for your quick response. Unfortunately the patch creates a server error. This is the log entry:

[Tue Dec 01 10:47:42 2015] [error] [client 123.123.123.123] Traceback (most recent call last):
[Tue Dec 01 10:47:42 2015] [error] [client 123.123.123.123]   File "/usr/lib/python2.4/site-packages/web/application.py", line 239, in process
[Tue Dec 01 10:47:42 2015] [error] [client 123.123.123.123]     return self.handle()
[Tue Dec 01 10:47:42 2015] [error] [client 123.123.123.123]   File "/usr/lib/python2.4/site-packages/web/application.py", line 230, in handle
[Tue Dec 01 10:47:42 2015] [error] [client 123.123.123.123]     return self._delegate(fn, self.fvars, args)
[Tue Dec 01 10:47:42 2015] [error] [client 123.123.123.123]   File "/usr/lib/python2.4/site-packages/web/application.py", line 420, in _delegate
[Tue Dec 01 10:47:42 2015] [error] [client 123.123.123.123]     return handle_class(cls)
[Tue Dec 01 10:47:42 2015] [error] [client 123.123.123.123]   File "/usr/lib/python2.4/site-packages/web/application.py", line 396, in handle_class
[Tue Dec 01 10:47:42 2015] [error] [client 123.123.123.123]     return tocall(*args)
[Tue Dec 01 10:47:42 2015] [error] [client 123.123.123.123]   File "/var/www/iredadmin/controllers/decorators.py", line 22, in proxyfunc
[Tue Dec 01 10:47:42 2015] [error] [client 123.123.123.123]     return func(self, *args, **kw)
[Tue Dec 01 10:47:42 2015] [error] [client 123.123.123.123]   File "/var/www/iredadmin/controllers/ldap/domain.py", line 39, in GET
[Tue Dec 01 10:47:42 2015] [error] [client 123.123.123.123]     disabled_only=disabled_only,
[Tue Dec 01 10:47:42 2015] [error] [client 123.123.123.123] NameError: global name 'disabled_only' is not defined
[Tue Dec 01 10:47:42 2015] [error] [client 123.123.123.123]

If I comment out the line 'disabled_only=disabled_only,' it works, but I don't know what the side effects would be. But even with the line commented out the patch fixes the problem (so thank you very much! :)).

Best
- sylonhosting

5

Re: User can see all domains on Server

Please remove the 'disabled_only=disabled_only,' line; this is part of the upcoming iRedAdmin-Pro release.
Sorry about this confusion.