[dev] help/options links

Roel Gloudemans roel at gloudemans.info
Tue Aug 31 07:57:26 PDT 2004


>> Hmmm, what would be a good way to block access to the options mechanism?
>> I know you can lock the preferences, but if the 'Options' icon is set to
>> 'authenticated users' only a mechanism to block setting options for
>> guests only would be nice.
>
> I guess I just don't see the harm - guest settings won't get saved into the
> backend anyway.

On my system guests are less trusted than users (users have to be entered by
me). Guests cannot exploit potential security bugs in code they cannot execute.
(As I said earlier, I'm a bit over the edge when it comes to security. I'm an
Internet security specialist ;) ) Ah well, if you really want to you can always
block it in the webserver config.

>> I was thinking of another solution. Let the menu detect the permissions on
>> the php files. If permissions are such that the webserver cannot read the
>> files, then don't show the options. In this way you could allow overwriting
>> conf.php from horde and still keep the shells disallowed.
>
> Eh?

e.g. set ownership of cmdshell.php to root:sys and permissions to 500 (or remove
the script altogether). In that case the webserver cannot execute the script.
If we can detect this from the menu script we don't show the link. Now you can
allow uploading a new conf.php from horde without endangering this setting.

Cheers,
Roel.
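
The menu check proposed in the message above, as an added example that is not part of the original post and not Horde's own code: the function name, the menu array and the scratch directory are hypothetical, and `chmod 0000` stands in for the root:sys mode 500 setup. It assumes the process is not running as root, since root can read the file regardless of mode.

```php
<?php
// Added illustration; names are hypothetical, not Horde's menu API.

/**
 * Keep only the menu entries whose target script the current process
 * (the web server user, when run under the web server) can read.
 * The file permission is what blocks the script; this only hides the link.
 */
function filter_menu_by_readability(array $entries, string $baseDir): array
{
    clearstatcache();                        // avoid stale permission results
    $base = realpath($baseDir);
    $visible = [];
    foreach ($entries as $label => $script) {
        $path = realpath($base . DIRECTORY_SEPARATOR . $script);
        // realpath() returns false for a removed script; also refuse
        // anything that resolves outside the base directory.
        if ($path === false
            || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
            continue;
        }
        if (is_file($path) && is_readable($path)) {
            $visible[$label] = $script;
        }
    }
    return $visible;
}

// Constructed demo: a scratch directory standing in for the admin scripts.
$dir = sys_get_temp_dir() . '/menu_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/cmdshell.php", "<?php // placeholder\n");
file_put_contents("$dir/setup.php", "<?php // placeholder\n");
chmod("$dir/cmdshell.php", 0000);            // unreadable to this process

$menu = [
    'Command Shell' => 'cmdshell.php',       // locked down by the admin
    'Setup'         => 'setup.php',          // constructed, still readable
    'Removed Tool'  => 'gone.php',           // script deleted altogether
];
print_r(filter_menu_by_readability($menu, $dir));

// Clean up the scratch directory.
chmod("$dir/cmdshell.php", 0600);
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```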


