That seems to have done the job perfectly. Thanks for your help, Matt. That old, old book of yours and your interpretation of this lot have done me, and I should imagine and hope others, the world of good in securing this neomail from potential easy harmful use.
You are a diamond...

Thanks

Ian

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Matthew Nuzum
Sent: 16 March 2002 04:23
To: [EMAIL PROTECTED]; Ian
Subject: Re: [cobalt-developers] Neomail domains?

OK, I think I figured it out. Try adding a slash before the .. so:

    $homedir = $ENV{DOCUMENT_ROOT} . '/../users/'.$username;

A nifty little script I found somewhere:

    #!/usr/bin/perl
    # Dump every CGI environment variable as HTML
    print "Content-type: text/html\n\n";
    foreach $key (keys %ENV) {
        print "$key --> $ENV{$key}<br>";
    }

displays all CGI variables, which is cool. It shows document root being:

    DOCUMENT_ROOT --> /home/sites/site42/web

Notice it's missing the / at the end, so with my previous script, the $homedir variable would have been:

    /home/sites/site42/web../users/$USER

which of course doesn't exist.

Matt Nuzum

----- Original Message -----
From: "Ian" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 15, 2002 6:18 PM
Subject: RE: [cobalt-developers] Neomail domains?

> Hi Matt,
>
> Thanks for the help, I gave your code a go, but it didn't work out I am
> afraid. I kept getting failed logins.
>
> I placed the:
>
> if($passcorrect == 0){
>     $homedir = $ENV{DOCUMENT_ROOT} . '../users/'.$username;
>     if(-d $homedir){
>         $passcorrect = 0;
>         # home dir exists
>     }else{
>         $passcorrect = 1;
>         # home dir not exist
>     }
> }
>
> directly above the last "exit $passcorrect;" statement.
>
> I changed the passcorrect 0 and 1 around and it obviously worked, which
> means that so long as info held within the $homedir did not match then it
> allowed access, so I think it means there was a problem with the
> $ENV{DOCUMENT_ROOT} . '../users/'.$username; part. I tried different
> combinations of just ../, ../../ etc
>
> Thinking about this, isn't the neomail - webmail folder a reference as
> opposed to a physical folder to go in and out of?
>
> Anyone got any ideas....
>
> Ian
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Matthew
> Nuzum
> Sent: 15 March 2002 20:43
> To: [EMAIL PROTECTED]
> Subject: Re: [cobalt-developers] Neomail domains?
>
>
> Here is a possible solution to the problem of users logging into webmail
> using the wrong domain.
>
> I've been looking through the neomail sources, and honestly, I have a hard
> time making sense of it. This is probably because I don't use perl for the
> web. However I have some code at the bottom of this message for someone to
> try out.
>
> Because the Cobalt Raq servers are so standardized, we can make some
> assumptions about the configuration. For example, the location of certain
> files, etc.
>
> The cgi variable, DOCUMENT_ROOT should always point to the path of the
> current virtual domain's document root. For example, the primary site on
> the raq should say:
> DOCUMENT_ROOT --> /home/sites/home/web
>
> That means that if a user wants to log in, and their user name is $USER, we
> should be able to check if the folder $DOCUMENT_ROOT/../users/$USER exists
> before we check to see if their password is correct. We could do it
> afterwards, that part doesn't really matter. Whichever is more resource
> intensive should be done last.
>
> So what we're doing is creating two tests that the user must pass to login.
> Pass only one, and you're out. Pass both and you're in.
>
> So here is my attempt to help.
> First, I'll include the original text of
> checklogin.pl:
> #!/usr/bin/perl -T
>
> my ($username, $password, $usr, $pswd, $passwdfile);
> my $passcorrect = 0; # default to correct, set incorrect when determined
> my $line;
> chomp($passwdfile = <STDIN>);
> chomp($username = <STDIN>);
> chomp($password = <STDIN>);
>
> if ( $passwdfile && $username && $password ) {
>     open (PASSWD, $passwdfile) or exit 1;
>     while (defined($line = <PASSWD>)) {
>         chomp($line);
>         ($usr,$pswd) = (split(/:/, $line))[0,1];
>         last if ($usr eq $username); # We've found the user in /etc/passwd
>     }
>     close (PASSWD);
>     if (($usr ne $username) or (crypt($password, $pswd) ne $pswd)) {
>         $passcorrect = 1; # User/Pass combo is WRONG!
>     }
> } else {
>     $passcorrect = 1;
> }
> exit $passcorrect;
> -------<END>------
>
> $passcorrect is set to 0 by default, and 0 indicates a successful login. The
> variable $username contains the username entered by the user (vs. $usr
> which is the username as specified by the /etc/passwd file). So, we can
> build a path for the user's supposed home directory with the command:
> $homedir = $ENV{DOCUMENT_ROOT} . '../users/'.$username;
>
> Then, I **think** we can check to see if that directory exists by using the
> following:
> if(-d $homedir){
>     $passcorrect = 0;
>     # home dir exists
> }else{
>     $passcorrect = 1;
>     # home dir not exist
> }
>
> So, to bring it all together, we might end up with something like this at
> the end of the file:
>
> if($passcorrect == 0){
>     $homedir = $ENV{DOCUMENT_ROOT} . '../users/'.$username;
>     if(-d $homedir){
>         $passcorrect = 0;
>         # home dir exists
>     }else{
>         $passcorrect = 1;
>         # home dir not exist
>     }
> }
> exit $passcorrect;
>
> Now, keep in mind that most of this code came out of my Learning Perl book
> dated August 1994, so it may be somewhat outdated. (they haven't changed
> that much since perl 4, right?)
>
> Maybe this will help, maybe not. Let me know if it works and I'll post it
> on my website.
>
> Matt
>
> _______________________________________________
> cobalt-developers mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-developers
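
The per-site home-directory test discussed in this thread, written as a self-contained function with the explicit "/" separator and a check that the username is a plain account name. This is an added example, not code from the thread or from NeoMail; the function name site_check, the allowed-character pattern for usernames and the temporary directory layout are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example, not NeoMail code: the per-site home-directory test as a function.
# Return value follows checklogin.pl's convention: 0 = allow, 1 = refuse.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

sub site_check {    # hypothetical name
    my ($docroot, $username) = @_;
    return 1 unless defined($docroot) && length($docroot) && defined($username);

    # Accept only a plain account name (assumed pattern): no "/" and no leading
    # ".", so the value can only name a direct child of users/. Under -T the
    # capture is also what untaints the name.
    my ($user) = $username =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,31})\z/;
    return 1 unless defined $user;

    # DOCUMENT_ROOT has no trailing slash, so the separator must be explicit.
    (my $root = $docroot) =~ s{/+\z}{};
    my $ok = -d "$root/../users/$user";
    return $ok ? 0 : 1;
}

# Constructed layout mirroring the thread: <site>/web and <site>/users/<name>.
my $base = tempdir(CLEANUP => 1);
make_path("$base/site42/web", "$base/site42/users/alice",
          "$base/home/web",   "$base/home/users/bob");

my @cases = (
    [ "$base/site42/web",  'alice',  0 ],   # belongs to site42
    [ "$base/site42/web/", 'alice',  0 ],   # trailing slash tolerated
    [ "$base/site42/web",  'bob',    1 ],   # real user, wrong domain
    [ "$base/home/web",    'bob',    0 ],   # same user on the right domain
    [ "$base/site42/web",  '../web', 1 ],   # not a plain account name
    [ "$base/site42/web",  '',       1 ],   # empty name
);
for my $c (@cases) {
    my ($root, $name, $want) = @$c;
    my $got = site_check($root, $name);
    printf "%-4s root=%-12s user=%-9s -> %d\n",
        ($got == $want ? 'ok' : 'FAIL'), substr($root, length($base)), "'$name'", $got;
}

# The concatenation without the leading "/" names a path that cannot exist.
my $no_slash = "$base/site42/web" . '../users/alice';
printf "path built without the slash exists? %s\n", (-d $no_slash) ? 'yes' : 'no';
```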