On Thu, Mar 20, 2003 at 06:29:21PM -0800, Chris Berry wrote:
> >From: Sam Varshavchik <[EMAIL PROTECTED]>
> >Chris Berry writes:
> >>Isn't setuid usually a "bad thing" as it opens up all kinds of security 
> >>holes?  (though from what I hear PHP isn't exactly real secure either)
> >
> >[EMAIL PROTECTED] httpd]# ls -l /bin/ping
> >-rwsr-xr-x    1 root     root        35302 Jun 23  2002 /bin/ping
> >
> >Quick -- get rid of 'ping'.  It's a major security hole.
> 
> Hehe, ok, I get your point, though speaking of ping, most high security 
> firewalls drop icmp responses.  I'm just canvassing for opinions so don't 
> take it personal. *grin*

If you're running a virtual hosting system where all the accounts are owned
by one system user, you can make sqwebmail suid to that user instead of
root.

Also, if you run sqwebmail on a front-end box (or cluster) which NFS mounts
the mail spool, then should someone manage to break into sqwebmail
you're not in a much worse position than if someone broke into squirrelmail.
And personally I'd trust sqwebmail not to be broken into much more than
squirrelmail, just because of C versus PHP.

Regards,

Brian.


courier-users mailing list