Marcin Soltysiak wrote:

Another problem, if you allow the www user access to the vpopmail
programs - how do you keep every web site on the server from having full
access to mail system?  The vpopmail library functions don't provide
authentication.  (They do provide functions for doing authentication,
but the calling program has to manage it.)

Perhaps it would be nice to have some authorization method like:


The function is already there.

struct vpasswd *vauth_user( char *user, char *domain, char *password );

All it does is return the password file data for the user if the
password is valid, or NULL for an authentication error.  The problem is
you can call vdeldomain() or anything else, even you haven't
authenticated yet.  The only security checks in the vpopmail library are
done at the system level.  Does the user running the process have rights
to change the files it needs to affect?


Reply via email to