Re: [gentoo-user] Gentoo location for squirrelmail attachments
>> I ran squirrelmail/configtest.php and realized I don't have an attachment directory set up for Squirrelmail:
>>
>> ERROR: Attachment dir (/var/local/squirrelmail/attach/) does not exist!
>>
>> I don't even have a /var/local/. Would a good Gentoo'er create the directory in that location?
>
> If a website needs to write files, let it do so under its own directory hierarchy. All of our PHP sites have something equivalent to the following in their apache vhost configs:
>
>     php_admin_value open_basedir /var/www/example.com/www/
>     php_admin_value upload_tmp_dir /var/www/example.com/www/tmp
>     php_admin_value session.save_path /var/www/example.com/www/tmp
>
> That way, if www.example.com is compromised, the rest of the machine is still safe (barring PHP bugs).

There is a Squirrelmail document recommending that the Squirrelmail data and attachments directories are established outside of the web server's reach. /var is given as an example. They also recommend root:apache 0730 for both directories. This is a little disturbing because my Squirrelmail data directory was created under the webroot as apache:apache 0755 at some point. Would this have been done by Gentoo? Should I file a bug?

Prepare data and attachment directories
http://squirrelmail.org/docs/admin/admin-3.html

- Grant
Re: [gentoo-user] Gentoo location for squirrelmail attachments
>>> I ran squirrelmail/configtest.php and realized I don't have an attachment directory set up for Squirrelmail:
>>>
>>> ERROR: Attachment dir (/var/local/squirrelmail/attach/) does not exist!
>>>
>>> I don't even have a /var/local/. Would a good Gentoo'er create the directory in that location?
>>
>> Is this a new installation of Squirrelmail or an existing one?
>>
>> When you install Squirrelmail you're supposed to (last time I did so, which is admittedly a long time ago) run a setup program (it uses curses / text-menus). That asks what kind of IMAP server you're going to be connecting to (it works with all of them, but optimises itself for different ones), and the naming convention for Trash / Deleted Items, Drafts &c on your server.
>>
>> I would have thought paths like this would be configured during this setup stage. I'm pretty sure it's safe to rerun this setup program at any time.
>
> Yes, it can be rerun at any time. The script is in the webroot where you installed squirrelmail and is called configure. Simply run that, then select option 4 (General Options). The directories you want to check/change are the first 2.

That is the script which sets the location of the attachment directory, which I think is what you meant. I could be wrong but I think Stroller was referring to a script that actually creates the directory.

- Grant
Re: [gentoo-user] Gentoo location for squirrelmail attachments
On Friday, December 09, 2011 07:51:16 AM Grant wrote:

SNIPPED

>> The script is in the webroot where you installed squirrelmail and is called configure. Simply run that, then select option 4 (General Options). The directories you want to check/change are the first 2.
>
> That is the script which sets the location of the attachment directory, which I think is what you meant. I could be wrong but I think Stroller was referring to a script that actually creates the directory.
>
> - Grant

I don't think there is a script that automatically creates the directory. If there is, I haven't seen it yet.

--
Joost
Re: [gentoo-user] Gentoo location for squirrelmail attachments
On 12/09/2011 10:49 AM, Grant wrote:

> There is a Squirrelmail document recommending that the Squirrelmail data and attachments directories are established outside of the web server's reach. /var is given as an example.

The two aren't mutually exclusive; using the previous example, we have,

    php_admin_value upload_tmp_dir /var/www/example.com/www/tmp
    DocumentRoot /var/www/example.com/www/public

so Apache can't serve up the temporary files. But sticking them both under /var/www/example.com/www does allow you to use tighter open_basedir restrictions.

> This is a little disturbing because my Squirrelmail data directory was created under the webroot as apache:apache 0755 at some point. Would this have been done by Gentoo? Should I file a bug?

I'm not sure. There's probably a policy that says one of two things:

1. Ebuilds should by default set up everything as securely as possible, or
2. Ebuilds should not mess with upstream

I've honestly never used Gentoo's webapp stuff; it confuses the hell out of me.
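Added example, not part of any message in the thread: a shell audit of a webapp's writable directory against the points raised above (outside the DocumentRoot, not owned by the web server's user, no world access, and the group bits of 0730). The function name `audit_dir`, its finding labels and the temporary paths are assumptions made for illustration, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a webapp's writable directory.
# GNU stat is assumed; all paths are constructed under a temp directory.

# audit_dir DIR DOCROOT WEB_UID: print findings on one line, or "ok".
audit_dir() {
    dir=$1; docroot=$2; web_uid=$3; out=""
    [ -d "$dir" ] && [ -d "$docroot" ] || { echo "missing"; return 1; }
    # Canonicalise both paths (.., trailing slashes, symlinks) before the
    # prefix test. Limitation: a symlink or Alias that points into DIR from
    # inside the docroot is not detected here.
    real=$(cd "$dir" && pwd -P)
    root=$(cd "$docroot" && pwd -P)
    case "$real/" in
        "$root/"*) out="$out under-docroot" ;;   # Apache could serve it
    esac
    # The recommendation quoted in the thread is root:apache, so the web
    # server's user does not own (and cannot chmod) the directory.
    [ "$(stat -c '%u' "$dir")" = "$web_uid" ] && out="$out owned-by-web-user"
    perm=$((0$(stat -c '%a' "$dir")))            # parse the octal mode digits
    [ $((perm & 7)) -ne 0 ] && out="$out world-accessible"
    # 0730 gives the group write+search but not read: files can be created
    # and opened by name, but the directory cannot be listed.
    [ $(( (perm >> 3) & 4 )) -ne 0 ] && out="$out group-can-list"
    echo "${out:-ok}" | sed 's/^ //'
}

# Constructed layout: a 0755 data directory inside the docroot, as described
# in the thread, and a 0730 attachment directory outside it. The current
# uid stands in for the web server's uid in the first call.
demo=$(mktemp -d)
mkdir -p "$demo/www/public/data" "$demo/var/attach"
chmod 755 "$demo/www/public/data"; chmod 730 "$demo/var/attach"
audit_dir "$demo/www/public/data" "$demo/www/public" "$(id -u)"
audit_dir "$demo/var/attach" "$demo/www/public" "$(( $(id -u) + 1 ))"
rm -rf "$demo"
```

On a real host, run it as root and pass the numeric uid of the web server's user, for example `audit_dir /var/local/squirrelmail/attach /var/www/example.com/www/public "$(id -u apache)"`.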
Re: [gentoo-user] Gentoo location for squirrelmail attachments
On Friday, December 09, 2011 07:49:13 AM Grant wrote:

>>> I ran squirrelmail/configtest.php and realized I don't have an attachment directory set up for Squirrelmail:
>>>
>>> ERROR: Attachment dir (/var/local/squirrelmail/attach/) does not exist!
>>>
>>> I don't even have a /var/local/. Would a good Gentoo'er create the directory in that location?
>>
>> If a website needs to write files, let it do so under its own directory hierarchy. All of our PHP sites have something equivalent to the following in their apache vhost configs:
>>
>>     php_admin_value open_basedir /var/www/example.com/www/
>>     php_admin_value upload_tmp_dir /var/www/example.com/www/tmp
>>     php_admin_value session.save_path /var/www/example.com/www/tmp
>>
>> That way, if www.example.com is compromised, the rest of the machine is still safe (barring PHP bugs).
>
> There is a Squirrelmail document recommending that the Squirrelmail data and attachments directories are established outside of the web server's reach. /var is given as an example. They also recommend root:apache 0730 for both directories. This is a little disturbing because my Squirrelmail data directory was created under the webroot as apache:apache 0755 at some point. Would this have been done by Gentoo? Should I file a bug?
>
> Prepare data and attachment directories
> http://squirrelmail.org/docs/admin/admin-3.html
>
> - Grant

I think the data-directory is included from upstream and is there to have it work when installing it blindly. Recommendations are not always possible (think hosted environments)

--
Joost
Re: [gentoo-user] Gentoo location for squirrelmail attachments
>> There is a Squirrelmail document recommending that the Squirrelmail data and attachments directories are established outside of the web server's reach. /var is given as an example. They also recommend root:apache 0730 for both directories. This is a little disturbing because my Squirrelmail data directory was created under the webroot as apache:apache 0755 at some point. Would this have been done by Gentoo? Should I file a bug?
>>
>> Prepare data and attachment directories
>> http://squirrelmail.org/docs/admin/admin-3.html
>>
>> - Grant
>
> I think the data-directory is included from upstream and is there to have it work when installing it blindly. Recommendations are not always possible (think hosted environments)

The Squirrelmail list is telling me:

SquirrelMail doesn't create any directories aside from the ones contained in the installation itself. It doesn't put anything in your webroot or anywhere else unless you're using some third party installer that does other things. Maybe you should file a bug report against whatever entity it was that provided the package that did that.

Does this sound like a Gentoo bug I should report?

- Grant
Re: [gentoo-user] Gentoo location for squirrelmail attachments
On 8 December 2011, at 19:17, Grant wrote:

> I ran squirrelmail/configtest.php and realized I don't have an attachment directory set up for Squirrelmail:
>
> ERROR: Attachment dir (/var/local/squirrelmail/attach/) does not exist!
>
> I don't even have a /var/local/. Would a good Gentoo'er create the directory in that location?

Is this a new installation of Squirrelmail or an existing one?

When you install Squirrelmail you're supposed to (last time I did so, which is admittedly a long time ago) run a setup program (it uses curses / text-menus). That asks what kind of IMAP server you're going to be connecting to (it works with all of them, but optimises itself for different ones), and the naming convention for Trash / Deleted Items, Drafts &c on your server.

I would have thought paths like this would be configured during this setup stage. I'm pretty sure it's safe to rerun this setup program at any time.

Stroller.
Re: [gentoo-user] Gentoo location for squirrelmail attachments
On 12/08/2011 02:17 PM, Grant wrote:

> I ran squirrelmail/configtest.php and realized I don't have an attachment directory set up for Squirrelmail:
>
> ERROR: Attachment dir (/var/local/squirrelmail/attach/) does not exist!
>
> I don't even have a /var/local/. Would a good Gentoo'er create the directory in that location?

If a website needs to write files, let it do so under its own directory hierarchy. All of our PHP sites have something equivalent to the following in their apache vhost configs:

    php_admin_value open_basedir /var/www/example.com/www/
    php_admin_value upload_tmp_dir /var/www/example.com/www/tmp
    php_admin_value session.save_path /var/www/example.com/www/tmp

That way, if www.example.com is compromised, the rest of the machine is still safe (barring PHP bugs).
Re: [gentoo-user] Gentoo location for squirrelmail attachments
On Thu, December 8, 2011 8:37 pm, Stroller wrote:

> On 8 December 2011, at 19:17, Grant wrote:
>
>> I ran squirrelmail/configtest.php and realized I don't have an attachment directory set up for Squirrelmail:
>>
>> ERROR: Attachment dir (/var/local/squirrelmail/attach/) does not exist!
>>
>> I don't even have a /var/local/. Would a good Gentoo'er create the directory in that location?
>
> Is this a new installation of Squirrelmail or an existing one?
>
> When you install Squirrelmail you're supposed to (last time I did so, which is admittedly a long time ago) run a setup program (it uses curses / text-menus). That asks what kind of IMAP server you're going to be connecting to (it works with all of them, but optimises itself for different ones), and the naming convention for Trash / Deleted Items, Drafts &c on your server.
>
> I would have thought paths like this would be configured during this setup stage. I'm pretty sure it's safe to rerun this setup program at any time.

Yes, it can be rerun at any time. The script is in the webroot where you installed squirrelmail and is called configure. Simply run that, then select option 4 (General Options). The directories you want to check/change are the first 2.

HTH,

Joost