Eduardo M. Bragatto wrote:
Rick Widmer wrote:

There are two ways to run the extension that I know of.

o Start a separate instance of Apache on its own port or IP address,
running as the mail user.  This instance should only serve mail related
pages.  This is very easy to do.

o Don't allow any web sites on the mail server.  Only run QmailAdmin and
sqWebmail on the mail server, and don't allow anyone but mail system
administrators to login on the machine.  (This is the one I use.)

Didn't you ever hear about "sudo"?
Using sudo you may allow the apache's user to run commands (that you specify) as the vpopmail's user. I did it once, it isn't hard. I also believe that's more secure, since the vpopmail's user will be used only when necessary (to run some commands) and not all the time (to run apache).

I think you are missing something here. Extensions give PHP _direct_ access to functions provided by a C or C++ library. They are executed _within_ the Apache child process that handles a page request. They don't spawn a new process, so there is no place to use sudo. If you are going to use sudo then you may as well skip extensions and use exec/system/passthru or the streams facility directly from a PHP library.

Another problem, if you allow the www user access to the vpopmail programs - how do you keep every web site on the server from having full access to the mail system? The vpopmail library functions don't provide authentication. (They do provide functions for doing authentication, but the calling program has to manage it.)

