-----BEGIN PGP SIGNED MESSAGE-----
Jean Wainer wrote:
>> Thus giving anyone that has web access or is allowed to run PHP
>> scripts on your server the allowance to play with vpopmail as much
>> as they want. If this is just a webmail based server I do think it
>> is okay, but if I were you I would still be worried.
> We are using it on one of our webmail servers, and since we have a
> lot of anti-spam and account management features which depend on the
> vpopmail user to be configured within the webmail, we have chosen to
> do that..
What I would suggest instead is to create a wrapper in C, that is set
setuid to vpopmail instead, that way only vpasswd can be abused if there
is a hole in some PHP script that is run on the server. Worst thing that
can happen then is that your users' passwords are changed, but that is
still a lot of guess work. I personally would prefer to have just one
function, than having Apache be able to access all the vpopmail
functions. I'd rather not be in for a surprise that I am hosting a
random domain without knowing it.
>> Jan-Willem Regeer
> So I'm not the only jw here, eh?
> Jean C. S. Wainer
Sorry :P Indeed you are not.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
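
A sketch of the kind of wrapper suggested above, as an added example that is not code from this thread or from vpopmail. It assumes the binary is owned by vpopmail with the setuid bit set and is executable only by the web server's group; the install path, the length limits, the character sets, and the `vpasswd address password` argument form are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define VPASSWD "/home/vpopmail/bin/vpasswd" /* assumed install path */
#define MAX_ADDR 254                         /* assumed limits */
#define MAX_PASS 128

/* Return 1 only for local@domain built from a conservative character set:
 * exactly one '@', not first or last, and no part that looks like an option. */
int valid_address(const char *s)
{
    size_t len = strlen(s), i, at = 0, count = 0;
    if (len < 3 || len > MAX_ADDR || s[0] == '-')
        return 0; /* a leading '-' would be parsed by vpasswd as an option */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '@') { at = i; count++; }
        else if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0; /* rejects shell metacharacters, spaces, slashes */
    }
    return count == 1 && at > 0 && at < len - 1 && s[at + 1] != '-' && s[at + 1] != '.';
}

/* Return 1 for a non-empty, printable password that cannot be read as an option. */
int valid_password(const char *s)
{
    size_t len = strlen(s), i;
    if (len == 0 || len > MAX_PASS || s[0] == '-')
        return 0;
    for (i = 0; i < len; i++)
        if (!isprint((unsigned char)s[i]))
            return 0;
    return 1;
}

int main(int argc, char **argv)
{
    char pass[MAX_PASS + 2]; /* new password arrives as one line on stdin */
    char *envp[] = { "PATH=/usr/bin:/bin", NULL }; /* caller's environment is dropped */
    if (argc != 2 || !valid_address(argv[1]) || !fgets(pass, sizeof pass, stdin))
        return 2;
    pass[strcspn(pass, "\n")] = '\0';
    if (!valid_password(pass))
        return 2;
    /* Assumed argv form: vpasswd address password (visible in ps while it runs). */
    char *args[] = { VPASSWD, argv[1], pass, NULL };
    execve(VPASSWD, args, envp); /* fixed path, fixed argument layout, no shell */
    return 1; /* only reached if exec failed */
}
```

Because the wrapper execs one fixed program with validated arguments, a compromised PHP script running as the web server user can reach vpasswd through it but none of the other vpopmail tools.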