From 9f4b1bcf315f09fd6d302ad187281ec4ed443f04 Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Thu, 17 Oct 2013 12:05:26 +0200
Subject: blacklist system logins for aliases and logins

We blacklist based on three things:
* blacklist in APP_CONFIG[:handle_blacklist]
* emails in RFC 2142
* usernames in /etc/passwd

The latter two can be allowed by explicitly whitelisting them in APP_CONFIG[:handle_whitelist].

We keep blocking names that have been configured as both blacklisted and whitelisted - better safe than sorry.
---
 config/defaults.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)


diff --git a/config/defaults.yml b/config/defaults.yml
index 8d81668..66ec639 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -18,6 +18,11 @@ common: &common
   pagination_size: 30
   auth:
     token_expires_after: 60
+  # handles that will be blocked from being used as logins or email aliases
+  # in addition to the ones in /etc/passwd and http://tools.ietf.org/html/rfc2142
+  handle_blacklist: [certmaster, ssladmin, arin-admin, administrator, www-data, maildrop]
+  # handles that will be allowed despite being in /etc/passwd or rfc2142
+  handle_whitelist: []
 
 development:
   <<: *dev_ca
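Review bot: `handle_blacklist` does not reserve `admin`, which is not an RFC 2142 mailbox name and is not an account in a typical /etc/passwd, yet certificate authorities accept it for e-mail domain validation alongside `administrator`, `webmaster`, `hostmaster` and `postmaster`. Unless it is blocked somewhere outside this hunk, it stays registrable as a login or alias on the mail domain, so I would add it: `handle_blacklist: [admin, certmaster, ssladmin, arin-admin, administrator, www-data, maildrop]`. The /etc/passwd part of the block set also differs from host to host, so names that must always be reserved (for example `root`) are safer listed explicitly than inherited from whichever machine runs the app. The comment above `handle_whitelist` should also state the precedence the commit message describes, e.g. `# a handle listed in both handle_blacklist and handle_whitelist stays blocked`. These keys live in the `common: &common` mapping, which begins outside the hunk.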
@@ -43,4 +48,4 @@ production:
   admins: []
   domain: example.net
   payment: []
-# logfile: /path/to/your/logs
+  # logfile: /path/to/your/logs
-- 
cgit v1.2.3