[imp] Writing to user's .forward file from IMP
Eric Jon Rostetter
eric.rostetter@physics.utexas.edu
Fri, 20 Jul 2001 10:29:51 -0500 (CDT)
Quoting Christopher Crowley <ccrowley@tulane.edu>:
> The reason I posed the question was that someone else on the list might have
> encountered this same user request previously. Vacation is used here to
> handle automatic responses.
Yes, many of us have. I do .forward and .vacation files on our server.
> I am in the conceptualization phase, working on offering a web interface to
> the vacation program. The user community here doesn't want to telnet to the
> unix system and modify the appropriate files using a text
> editor.
Which results in more mistakes in .forward files, etc. I love my IMP-ified
forward/vacation scripts, because the users no longer mess up their configs
and start bouncing/looping mail...
> The most significant point is that a php script won't have permission to
> modify the contents of the user's home directory.
It will if you run the web server with permission to do so (which I do not
suggest) or run it as a cgi such that it has permissions to do so (which I
do not suggest).
> However, the IMAP server
> writes to the user's home directory on a regular basis for the stored mail
> Folders. I would like to leverage the permission granted to the IMAP session
> to write relevant information into the user's home directory.
It essentially does this via root permissions. That's a bit extreme for a
simple task like this. Depending on your IMAP server's code, this could get
you in trouble (root exploits, etc).
> If anyone on the list has accomplished a similar task, please share the
> caveats and your successful methods. Thank you.
Since IMP/php already have the user's username and password, there are many
ways to do this. Nonetheless, I still have it prompt for the username
and password anyway and compare this to what IMP has, so that if someone leaves
IMP running a second party can't abuse it (as much).
Anyway, I implement it via a local (localhost) ftp feeding in the user's
username and password. This means that all the files I write (.forward, etc)
are created/deleted/etc as the user, not as some other (e.g. root or httpd)
user.
I block all ftp access on the server except for localhost, and the php connects
via localhost. Seems to work fine and provide a more-or-less secure method
(ftp passwords are clear text, but they never hit the network (only loopback
interface) so they *shouldn't* be vulnerable).
If you had to traverse machines, you could always tunnel the ftp session.
> Chris
Eric Jon Rostetter
The Department of Physics
The University of Texas at Austin
Austin, Texas 78712-1081
Office: RLM 7.126
Telephone: 512-471-5821
Email: eric.rostetter@physics.utexas.edu
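
The localhost-FTP approach described in the message above, sketched in PHP as an added example (not code from the original post or from IMP). The function names, the single-address validation policy and the assumption that the FTP login lands in the user's home directory are illustrative.

```php
<?php
// Added example; build_forward() and write_forward() are hypothetical names.

// Build .forward content from one destination address. Accepting only a plain
// mailbox keeps pipes, :include: entries and extra lines out (assumed policy).
function build_forward(string $localUser, string $dest, bool $keepCopy): string
{
    if (!filter_var($dest, FILTER_VALIDATE_EMAIL)) {
        throw new InvalidArgumentException('destination is not a plain e-mail address');
    }
    // "\user" delivers a local copy without re-reading .forward, so no loop.
    return ($keepCopy ? '\\' . $localUser . ', ' : '') . $dest . "\n";
}

function write_forward(string $sessionUser, string $sessionPass,
                       string $formUser, string $formPass, string $content): void
{
    // The re-prompted credentials must match what the webmail session holds.
    // Both comparisons always run, each in constant time.
    $userOk = hash_equals($sessionUser, $formUser);
    $passOk = hash_equals($sessionPass, $formPass);
    if (!($userOk && $passOk)) {
        throw new RuntimeException('credentials do not match the mail session');
    }

    // Loopback only: the clear-text FTP login never leaves the host.
    $ftp = ftp_connect('127.0.0.1', 21, 10);
    if ($ftp === false) {
        throw new RuntimeException('local FTP server not reachable');
    }
    try {
        if (!@ftp_login($ftp, $formUser, $formPass)) {
            throw new RuntimeException('FTP login failed');
        }
        // The FTP daemon creates the file as the logged-in user,
        // not as root or the web server account.
        $tmp = fopen('php://temp', 'r+');
        fwrite($tmp, $content);
        rewind($tmp);
        if (!ftp_fput($ftp, '.forward', $tmp, FTP_BINARY)) {
            throw new RuntimeException('could not write .forward');
        }
        fclose($tmp);
    } finally {
        ftp_close($ftp);
    }
}
```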