On 10/07/2014 06:31 AM, Gordan Bobic wrote:
On 2014-10-07 11:23, Robert Moskowitz wrote:
On 10/07/2014 02:26 AM, Gordan Bobic wrote:
On 10/07/2014 12:50 AM, Robert Moskowitz wrote:
I am making progress with postfixadmin. My earlier php problem SEEMed to be because I was running it via http://ipaddr/... Once I set up the dns entry for this server then ran it as http://fqdn/... it worked. To get to an actual setup error:
Error: Smarty template compile directory templates_c is not writable. Please make it writable. If you are using SELinux or AppArmor, you might need to adjust their setup to allow write access.
templates_c is writable:
4 drwxrwxr-x 2 root root 4096 May 6 16:50 templates_c
And no selinux installed at all. So any ideas from the outside looking at this? I asked on the postfixadmin forum, but no answer there. yet.
If this is supposed to run under apache, then as far as the permissions are concerned, everything will run as the apache user and group. So you will either need to chown that directory to apache or make the privileges 777.
I looked at that for 2 hours and I did not see that priv is 775. changed to 777 and got it working. Sheesh, maybe I DO need those new glasses... thanks.
777 permissions are a really bad practice. You should really chown that to the user that needs to have it writable and chmod it to 700.
Yes. I was thinking that; sort of let's first see if this is indeed the issue. But better to do it now and not forget it. Too many things have too open permissions. Part of the reason why I find the shuffling around of what is where going on in F21 interesting.
I have to say I am somewhat surprised that you are running such a web management interface after expressing concern regarding security patches and the lack of working SELinux and. Web based management interfaces like this are one of the most common attack vectors.
I am not a happy camper. Two mitigating factors: Only the virtual roundcubemail is globally accessible. The regular server, which can only do this postfixadmin, is allowed only to the local net. I hardly ever make email account changes, so the plan is this will only be available internally for those infrequent accounting changes. Really only the initial mail setup.
As a counterpoint, you probably already spent longer getting the web administration tool to work than it would have taken you to learn how to configure postfix using its configuration files in /etc/postfix/ ...
Oh, I know how to configure postfix; I actually contributed some to the tools. Well really the requests that were deemed of value by the PTB. Been there got the scars. This is more for the mysql database for the virtual domains and users.
Of course roundcubemail is its own set of problems, but I do have to provide web imap email.
Roundcube isn't really that problematic, I've been running it for years. Having said that, I run it on a dedicated VServer instance, so any scope for damage even if it did turn out to have an exploit is very limited.
And when I was first testing Roundcube about 1.5 years ago, I detected a problem in their conf and recommended:
php_admin_flag session.cookie_secure "1"
and got yelled down! A couple others agreed that this should be the
default. I will have to see if the new build does this.
I generally prefer to use VServer/LXC/OpenVZ to isolate instances if I need to have things running efficiently on a single machine. It mitigates at least some types of possible attack. Of course, those require rebuilding the kernel with suitable patches, if they are not already in the kernel you are using...
I run separate hardware for each purpose; why I am so interested in arm platforms. Then TRY and have as little other stuff as possible. I move SSH to another port, just to keep the riff-raff away. And whatever else I learn.
Always learning more.
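
An added example, not part of the original messages: a small shell model of the Unix permission check discussed in the thread, showing why a 775 root:root templates_c is not writable by the web server, why 777 works only by opening it to every account, and why 700 owned by the web server user is enough. The function names are hypothetical, and the web server is assumed to run as user and group apache, as the thread states.

```shell
#!/bin/sh
# Added example. Assumes the web server runs as user "apache", group "apache".

# write_check MODE OWNER GROUP USER "USER_GROUPS"
# Prints which permission class the kernel applies to USER for a directory
# with the given octal mode and ownership, and whether that class grants write.
# Only the first matching class counts: owner, then group, then other.
# (root is not modelled here; it bypasses these checks.)
write_check() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    class=other
    bits=$(( 0$mode & 7 ))
    if [ "$user" = "$owner" ]; then
        class=owner
        bits=$(( 0$mode >> 6 & 7 ))
    else
        for g in $user_groups; do
            if [ "$g" = "$group" ]; then
                class=group
                bits=$(( 0$mode >> 3 & 7 ))
                break
            fi
        done
    fi
    if [ $(( bits & 2 )) -ne 0 ]; then
        echo "$class yes"
    else
        echo "$class no"
    fi
}

# world_writable MODE: succeeds when the "other" class has the write bit,
# i.e. any local account (or any compromised service) can write there.
world_writable() {
    [ $(( 0$1 & 2 )) -ne 0 ]
}

# Constructed cases taken from the modes and owners named in the thread.
write_check 775 root   root   apache "apache"   # other no  (the Smarty error)
write_check 777 root   root   apache "apache"   # other yes (so can everyone)
write_check 700 apache apache apache "apache"   # owner yes
write_check 700 apache apache nobody "nobody"   # other no
```
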
