User can use any domain from server ?!?

Status
Not open for further replies.

koniosek

Verified User
Joined
Nov 28, 2005
Messages
7
We have a little problem with domains/subdomains on DA servers.
Any user can create an additional domain as a subdomain of another user's domain.
For example, user A has domain aaa.com, user B has bbb.com.
And now user B could add to his account the additional domain xxx.aaa.com, and this domain will be fully working (www, ftp, @), but he doesn't have any rights to this domain/subdomain.
Is there any possibility to prevent this action?
We have some servers with cPanel and there are a few options to prevent these actions, but I don't see anything like this in DA.
 
The problem is a bug in BIND. I've reported it to them, and they've told me it's a feature.

Can you explain what CPanel does to avoid the problem?

Thanks.

Jeff
 
I think that's rather DA's duty to check and prevent this ... BIND has nothing to do with this - it simply doesn't have any options to check who owns and who is permitted to use those domains.

And in cPanel there are a few options to secure against unauthorized use of domains, but 2 of them, I think, every hosting panel should have:
1) system checks that the added domain has NS pointing to this server's IPs/DNS
2) final user can't add any subdomain/domain if another user on this server is using the main domain of the added one

These are limits for final users only - admin and reseller can add any domain, but of course I will be happy if in DA we have an option to disable this for selected resellers, and maybe users too.
 
A user should not be able to add a third level domain to a domain that is not in its own account, period. I assume the DA site is on its own server. But what if you had a shared account and someone that also had an account on that server made sub domains for directadmin.com?

I mean, think about it: wesuck.directadmin.ext, donotuse.directadmin.ext, etc.

DA should put checks in place somehow: if you do not own (have it in your account) a domain, you can not do anything with it. If bind will let you do it or not is not the issue; DA should not, before it ever gets to bind.

I just checked to verify and Hsphere does not allow this even from my service account.

My .02 worth.
 
koniosek and DamnSkippy make some good points, but in my opinion neither of them have carefully thought out all the issues.

I probably haven't thought of them all either; it's been about a year since I reported the problem to the authors of BIND, and it's certainly an important issue. But every idea I've had promoted so far has its own set of problems:

koniosek wrote:
"I think that's rather DA's duty to check and prevent this ... BIND has nothing to do with this - it simply doesn't have any options to check who owns and who is permitted to use those domains."
You think it's easy for DA to assume who owns the rights to specific domains; actually it's not.
"1) system checks that the added domain has NS pointing to this server's IPs/DNS"
Which means you can't order webhosting until your registrar points your domain to the server. Some registrars take over twenty-four hours to do this, and most of us order our hosting first, and then change the nameserver delegation when we get our welcome letter.

How would you expect DA to handle this problem? Specifically what would you want your copy of DA to do when a new customer couldn't place an order?
"2) final user can't add any subdomain/domain if another user on this server is using the main domain of the added one"
Then how could I create the domain secure.example.com with a different IP# than www.example.com, since they need to be on different users?

There may be lots of reasons for different subdomains to be owned by different usernames.
"These are limits for final users only - admin and reseller can add any domain, but of course I will be happy if in DA we have an option to disable this for selected resellers, and maybe users too."
Typically the problem isn't with human admins or resellers at all, but for automated scripts. Most people who want to host orderfrom.microsoft.com (for example) wouldn't call you up and ask you to add it.

DamnSkippy wrote:
"A user should not be able to add a third level domain to a domain that is not in its own account, period."
Then how could you handle customers of (for example) .co.uk? Since every top level domain has its own management team, and there can be many allowed levels, this would be a nightmare to keep up to date and to manage.

Or how could I offer subdomains of abandoned.us to anyone, unless I hosted them myself. Lots of people want these domains, but very few would like to be forced to host them with me.

I'm not the only one offering this kind of subdomain. Lots of top-level domains have resellers who've bought popular second-level names and use them to sell third-level domains. As opposed to being a nightmare to manage, this would probably be impossible to manage.
"I assume the DA site is on its own server. But what if you had a shared account and someone that also had an account on that server made sub domains for directadmin.com?"
Yes it's a problem. I never said it wasn't. I merely said there isn't a fix for it.
"I mean, think about it: wesuck.directadmin.ext, donotuse.directadmin.ext, etc."
Sure, but then they could simply buy directadmin.abandoned.us from me ;) .
"DA should put checks in place somehow: if you do not own (have it in your account) a domain, you can not do anything with it. If bind will let you do it or not is not the issue; DA should not, before it ever gets to bind."
Okay, so come up with some responses to the problems I've brought up. I'm as interested in fixing this as you are, but I see a large picture and a client base which needs to be catered to.

Again, if you know how some other system specifically does it, tell us.
"I just checked to verify and Hsphere does not allow this even from my service account."
Does not allow specifically what? I'd like to know so I can see if H-Sphere can be used to host the kinds of accounts and real-world needs I've posted above.

Jeff
 
You asked how many times here Jeff. I am sorry I can not give a how in most cases. I am not a programmer and to be honest not knowledgeable enough in many of the underlying systems to know how these could be implemented. I will give my feedback on what you said though.

You make many good points also and I will help in any way I can to make as much of this happen as possible.

You think it's easy for DA to assume who owns the rights to specific domains; actually it's not.

As far as I was thinking this would not have anything to do with a registrar but simply DA would check to see if the user had a domain in their account before allowing them to make a sub-domain or anything else concerning that domain.

Going to the registrar level would not be an option I don't think.


Then how could I create the domain secure.example.com with a different IP# than www.example.com, since they need to be on different users?

That is a DA issue and also one that needs to be fixed. It has been requested many times.

There may be lots of reasons for different subdomains to be owned by different usernames.

Maybe so but there does need to be a way to control it. How to do it I am not sure. But I just don't see letting anyone on the server be able to take control of one of my domains a real option. Yes I know it is a sub-domain but it is my domain not theirs and who knows what they are going to do with it.

Then how could you handle customers of (for example) .co.uk? Since every top level domain has its own management team, and there can be many allowed levels, this would be a nightmare to keep up to date and to manage.

I am not sure what you mean by this Jeff.

Or how could I offer subdomains of abandoned.us to anyone, unless I hosted them myself. Lots of people want these domains, but very few would like to be forced to host them with me.

I'm not the only one offering this kind of subdomain. Lots of top-level domains have resellers who've bought popular second-level names and use them to sell third-level domains. As opposed to being a nightmare to manage, this would probably be impossible to manage.

I do see that as a nice feature to be able to do if you wanted. I wish I knew how to help program this in but I really am no programmer at all. It seems to me that there has to be a way to manage it somehow. To be able to select a domain and turn on or off the feature to allow third level domains. But letting anyone have access to any domain on the server without even asking if it is OK is well, not OK.


Sure, but then they could simply buy directadmin.abandoned.us from me ;) .

How much is that domain ;)

Again, if you know how some other system specifically does it, tell us.

You can do most all this with hsphere if you choose to. Hsphere will allow you to offer domains to be able to be used by anyone on that plan. It is a little complicated to explain though how you set it up without knowing some about hsphere. I do not offer this as a sellable service. Therefore I have not messed with how I would go about managing it. I will have to collect my thoughts before I can make a good reply.

In a nutshell though, you create a service domain and any plans you make to offer to people you can select if they can make a third level domain with that service domain. Then when users of one of those plans select add domain from their CP they can add the sub of the service domain.

Does not allow specifically what? I'd like to know so I can see if H-Sphere can be used to host the kinds of accounts and real-world needs I've posted above.

Does not allow a user to make a sub-domain of another user's on the server. It provides a drop down list of the domains in their account for them to choose from.
 
Thanks for your reply.

I'd like to see the hole in BIND fixed. It's actually an easy hole to fix, and then BIND would work the way the documentation says it would work.

Then anyone could create the domain, but no one could see it unless the owner of the higher-level domain put ns records for the subdomain into their own BIND zone file.

Which is what the BIND documentation says.

But not what BIND does.

I've been thinking about publicizing this hole on the 'net at large and among the news media; if I did, then ISC (the authors of BIND) might be forced to fix it.

So far I haven't done that; I don't like being infamous.

If you didn't understand what I meant by co.uk, then let me explain further:

co.uk works the same as a top-level domain; you can buy example.co.uk.

But it's a third level domain. You said don't allow third-level domains. I showed you two examples of why that wouldn't work; co.uk and abandoned.us.

I'll answer your other questions in a PM.

Jeff
 
Yes, there are many problems to resolve to make it work correctly. But it's more dangerous leaving this without any security than making some maybe problematic restrictions.

And as I wrote, 2 of these restrictions should be on every hosting server, even as an option, but they must be there.

1) "system check that added domain has NS pointing to this server IPs/dns"

about new domains - if there isn't any NS/A entry then DA could add this one - nothing wrong with this, but if it resolves to another DNS/server then what are we adding it for - first, it simply will not work, as you wrote - but only in some way - look at this problem:
if we add hotmail.com, gmail.com, yahoo.com to a user account and activate catchall, then all emails from that server to these domains will land on our account and won't reach the real servers - it is a really big security hole - you could say that it's an MTA/Exim bug, and in this case I will agree with you, but as long as it's possible it's the biggest problem now

2) "final user can't add any subdomain/domain if another user on this server using main domain from this added"

if we use some script to create accounts then it will be working as reseller/root, so there wouldn't be those restrictions, but the user himself shouldn't have any possibility to use another user's domain from that server to add a subdomain to his account
"You think it's easy for DA to assume who owns the rights to specific domains; actually it's not."
yes it's simple - DA checks in the user.conf file that he owns that domain and that's it

"Typically the problem isn't with human admins or resellers at all, but for automated scripts. Most people who want to host orderfrom.microsoft.com (for example) wouldn't call you up and ask you to add it."
"Or how could I offer subdomains of abandoned.us to anyone, unless I hosted them myself. Lots of people want these domains, but very few would like to be forced to host them with me."
look at 1) - if he wants that domain, DA simply checks that it has a correct NS or even A entry and then the user can add it - simple
same as with third-level domains etc...

You are talking about a bug in BIND but I don't see any. For example this problem with emails or with subdomains/domains from the same server - BIND has nothing to do with this, and only DA knows which domain belongs to which user.

And as I wrote, for example cPanel has these options to activate, and there aren't any problems with this.
I don't want to force these options in DA, but maybe only give us the possibility to activate them. If someone doesn't want this he simply doesn't activate it, but I think that on most shared hosting servers every admin will activate it.
 
Originally posted by koniosek

1) "system check that added domain has NS pointing to this server IPs/dns"

about new domains - if there isn't any NS/A entry then DA could add this one - nothing wrong with this, but if it resolve to another dns/server then for what we are adding it - first it simply will not work as you wrote - but only in some way - look for this problem:


I do not see why you would even suggest this if I am understanding you correctly. It seems you are saying that DA should check the whois info when adding a domain. If the domain's DNS servers at the registrar are not pointing to the DNS servers listed in the account adding the domain then it should deny it.

What if someone had a website up on another server and they wanted to move it to another host. But they wanted to setup the website on the new server then change the DNS at the registrar so that there would be no downtime. If what I said above is what you are suggesting then they would not be able to do this and would be forced to have downtime. This is just one example of why this is a bad idea.

if we add hotmail.com, gmail.com, yahoo.com for user account and activate catchall then all emails from that server to this domains will be on our account and don't reach real servers

That is incorrect, the DNS settings for yahoo.com are not pointing to your server and it will make no difference. There will not be any mail sent to your server.

You are saying about bug in bind but I don't see any. For example this problem with emails or with subdomains/domains from same server - bind have nothing to do with this, and only DA know which domain belong to which user.

There is a bug in bind but I do agree that it would not prevent DA from being able to keep someone from adding a subdomain for a domain that is not in their account.
 
That is incorrect, the DNS setting for yahoo.com are not pointing to your server and it will make no difference. There will not be any mail sent to your server.

Did you check this, and do you know how Exim/MTA works?
When we add a domain on the server it is added to Exim's local domains; then if someone sends email from that server, it will first check whether it is a local domain; if yes, it delivers the email to the local account/mailbox, if not, it sends it outside. So as you see it's a really big problem.

I do not see why you would even suggest this if I am understanding you correctly. It seems you are saying that DA should check the whois info when adding a domain. If the domains DNS servers at the registrar are not pointing to the DNS servers listed in the account adding the domain then it should deny it.

I only suggest one of the possible ways of resolving this problem; maybe there is another possibility to do this, but I explained how cPanel does this, and for me it's ok.

What if someone had a website up on another server and they wanted to move it to another host. But they wanted to setup the website on the new server then change the DNS at the registrar so that there would be no downtime. If what I said above is what you are suggesting then they would not be able to do this and would be forced to have downtime. This is just one example of why this is a bad idea.

It's one of the problems of this solution, but then the user could simply send this request to the admin/reseller. I think it's a better way than permitting the user to add every domain >> look at the problem with emails.
 
DamnSkippy is wrong, as koniosek points out, as far as email is concerned.

But it's not a bug in Exim. It's a limitation in how MTA daemons work.

The MTA daemon has to presume local delivery for mail domains on the server, and here's why:

Let's follow one piece of email from me to you.

The email to you comes to your server on port 25. The MTA has to decide whether or not to accept the email. So it checks to see whether [email protected] is on the server. It discovers that your mailbox is on the server.

So your MTA (in this case Exim, but they all work pretty much the same way) accepts the email and decides what to do with it.

It checks to see if the domain is handled locally, and if so, it uses a local delivery router (that's the one causing the problem you so well describe).

Mail delivered.

But using your method it would never use the local delivery router. Instead it would send the mail back to port 25 for Internet delivery.

Whoops. Endless circle, which Exim will figure out eventually, and the email will be frozen. And never delivered.

All the emails destined for your server.

How do we solve this problem? We use two MTAs, one that never sends emails, but only receives them, and one that only sends them.

You can do this several ways. The most obvious is to have separate physical machines; that's what the big ISPs and the big hosting companies do. I don't know of any hosting control panels that support using multiple MTAs, not even the ones that support multiple servers.

Another way, less obvious, is to have two MTA daemons running on one server. A lot of setup and configuration issues, but doable. Remember though, that you can only have a daemon listening on one port/ip# combination.

So it would require a minimum of two IP#s per server and some not insignificant amount of work.

And of course that still doesn't stop DA from adding domains. I'm absolutely against using whois lookups (and there really isn't any alternative) because:

1) there are too many times every day when whois isn't available.

2) it would make it impossible to host the larger number of people these days who use "hidden" information in whois.

3) it would be very hard for DA to determine from whois information whether someone is authorized to run a subdomain.

4) even if it could be determined, it wouldn't work for people who use slightly different information in all their whois records, such as a different email address or "box number" or other tracking information.

5) and I could probably think of a dozen or two more reasons if I didn't have to leave for a meeting in about three-quarters of an hour.

Jeff
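
The routing order described in the posts above (local-domain list first, DNS only for everything else), together with an audit an administrator can run over the server's local mail domains, as an added example that is not part of the thread. The domain names, IP addresses and the `mx_lookup` callback are constructed stand-ins; a real audit would resolve MX records through DNS.

```python
# Added example; all data below is constructed for illustration.
SERVER_IPS = {"192.0.2.10"}

# Constructed stand-in for DNS: mail domain -> IPs its MX hosts resolve to.
CONSTRUCTED_MX = {
    "aaa.com": {"192.0.2.10"},
    "bigmail.example": {"198.51.100.25"},  # mail really handled elsewhere
    # "newcustomer.example": no records yet, delegation still pending
}


def route(recipient, local_domains):
    """The order described above: the local-domain list is checked first."""
    domain = recipient.rsplit("@", 1)[1].lower()
    return "local" if domain in local_domains else "remote"


def audit_local_domains(local_domains, server_ips, mx_lookup):
    """Classify each local mail domain by where its public MX points."""
    report = {}
    for domain in sorted(local_domains):
        ips = mx_lookup(domain)
        if not ips:
            report[domain] = "no-dns"        # new order or typo: review
        elif ips & server_ips:
            report[domain] = "ok"
        else:
            report[domain] = "mx-elsewhere"  # local senders' mail never leaves
    return report


def needs_review(report):
    """Domains an administrator should look at by hand."""
    return [d for d, status in report.items() if status != "ok"]


def demo():
    local = {"aaa.com", "bigmail.example", "newcustomer.example"}
    report = audit_local_domains(
        local, SERVER_IPS, lambda d: CONSTRUCTED_MX.get(d, set()))
    return route("someone@bigmail.example", local), report


if __name__ == "__main__":
    decision, report = demo()
    print(decision, report, needs_review(report))
```

The audit only reports; it does not block an order, so a customer whose delegation is still pending shows up as `no-dns` rather than being refused.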
 
I was misunderstanding what he was meaning. I read it that if I add hotmail.com (or any other domain I do not own or have DNS control over) to one of my accounts all their email will start coming to my server. So in effect I could steal all their email.

Jeff, you said you are against using whois look-ups as I am. But you said there is no alternative which I don't understand. As I have said I am no programmer but it seems to me that it would not be a huge thing to make DA only allow you to make sub domains for domains that are in that same account.

To please both camps having it an option when making the hosting plan would be great. As in while making a hosting plan you can choose to allow anyone to make a sub domain of any domain hosted under that plan. That seems to me to be harder to program but could be an option.
 
Sure, DamnSkippy, but then no one could have (for example) a subdomain using a different IP#.

Or a subdomain on a different machine.

I'm going to try to resist the urge to reply to this thread any longer, and just rely on the fact that the DA staff are experienced enough in hosting to know why there's no way to do it that doesn't add more problems.

After all, you're the admin of your server, and like it or not you need to know all the domains on it. All the time.

And if you do, you'll know if anyone's trying anything they shouldn't.

Jeff
 
Yeah, like we have said in the beginning of this thread this is really a bit of a tough one. It does seem to me that it should be doable in a way that would allow the admin to be able to choose if they want to allow it or not though. But in the end I do not know how myself so I am only guessing.

As for the different IP on a sub domain this is something that should be added for sure I think. I do not see the logic in limiting an account to one IP address. Maybe I am missing something but it is something I have done plenty of times in hsphere without issue. If DA did not support multiple domains it would make a small amount of sense but it does.
 
I think DA could fix the domain owner problem this way.

The DA-server should keep a local list with user:domain. This list must be accessed by the other DA-servers when multiserver is used.

And now the creating process.

Administrator adds domain "directadmin.com" on the server.

Owner of "directadmin.com" is "administrator"

Reseller/user wants to create domain "directadmin.com" but will fail because it is in use by administrator.

Reseller/user wants to create a subdomain "*.directadmin.com" but will fail because it is in use by administrator.

Administrator creates reseller/user with domain "test.directadmin.com" will succeed because administrator owns "directadmin.com".

Owner of "test.directadmin.com" is "reseller/user".

And so on.
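
A sketch of the user:domain list proposed in this post, as an added example that is not DirectAdmin code or part of the thread. It goes beyond the post by covering two objections raised earlier: registry-style suffixes such as co.uk are never treated as an owned parent, and the administrator can open a parent domain (abandoned.us here) to every user. All class, function and user names are hypothetical, and the suffix set is a constructed sample standing in for the full Public Suffix List.

```python
# Added example (hypothetical names, not DirectAdmin code).
# Constructed sample of registry-style suffixes; a real deployment would
# load the full Public Suffix List instead of this short set.
PUBLIC_SUFFIXES = {"com", "us", "uk", "co.uk"}


def parent_domains(name):
    """Yield each ancestor of `name`, nearest first: a.b.c -> b.c, c."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])


class DomainRegistry:
    def __init__(self, shared=()):
        self.owner = {}            # domain -> username
        self.shared = set(shared)  # parents opened to all users by the admin

    def check_add(self, user, domain, by_admin=False):
        """Return (allowed, reason) for adding `domain` to `user`'s account."""
        domain = domain.lower().rstrip(".")
        if domain in self.owner:
            return False, f"{domain} is in use by {self.owner[domain]}"
        if by_admin:
            return True, "created by administrator"
        for parent in parent_domains(domain):
            if parent in PUBLIC_SUFFIXES:
                break  # registry space: no account on this server owns it
            holder = self.owner.get(parent)
            if holder is None:
                continue
            if holder == user or parent in self.shared:
                return True, f"allowed under {parent}"
            return False, f"{parent} is in use by {holder}"
        return True, "no parent domain is hosted here"

    def add(self, user, domain, by_admin=False):
        allowed, reason = self.check_add(user, domain, by_admin)
        if allowed:
            self.owner[domain.lower().rstrip(".")] = user
        return allowed, reason

    def cross_user_subdomains(self):
        """Audit: (domain, owner, parent, parent_owner) where owners differ."""
        found = []
        for domain, user in sorted(self.owner.items()):
            for parent in parent_domains(domain):
                holder = self.owner.get(parent)
                if holder is not None:
                    if holder != user and parent not in self.shared:
                        found.append((domain, user, parent, holder))
                    break
        return found


def demo():
    reg = DomainRegistry(shared={"abandoned.us"})
    reg.add("userA", "aaa.com")
    reg.add("jeff", "abandoned.us")
    return [
        reg.add("userB", "xxx.aaa.com"),               # another user's parent
        reg.add("userB", "directadmin.abandoned.us"),  # parent opened to all
        reg.add("userB", "example.co.uk"),             # co.uk is a suffix
        reg.add("userB", "secure.aaa.com", by_admin=True),
        reg.cross_user_subdomains(),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The audit method lists subdomains whose parent belongs to a different user, including ones the administrator created on purpose, so they stay visible for review.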
 
This doesn't work for reasons I've posted previously.

I'm tired of repeating them, so I won't.

I believe that administrators need to take responsibility for knowing what sites are on their servers.

Jeff
 