[imp] Writing to user's .forward file from IMP

Eric Jon Rostetter eric.rostetter@physics.utexas.edu
Fri, 20 Jul 2001 10:29:51 -0500 (CDT)


Quoting Christopher Crowley <ccrowley@tulane.edu>:
 
> The reason I posed the question was that someone else on the list might have
> encountered this same user request previously.  Vacation is used here to
> handle automatic responses.

Yes, many of us have.  I do .forward and .vacation files on our server.

> I am in the conceptualization phase, working on offering a web interface to
> the vacation program. The user community here doesn't want to telnet to the
> unix system and modify the appropriate files using a text
> editor.

Which results in more mistakes in .forward files, etc.  I love my IMP-ified
forward/vacation scripts, because the users no longer mess up their configs
and start bouncing/looping mail...

> The most significant point is that a php script won't have permission to
> modify the contents of the user's home directory.

It will if you run the web server with permission to do so (which I do not
suggest) or run it as a cgi such that it has permissions to do so (which I
do not suggest).

> However, the IMAP server
> writes to the user's home directory on a regular basis for the stored mail
> folders. I would like to leverage the permission granted to the IMAP session
> to write relevant information into the user's home directory.

It essentially does this via root permissions.  That's a bit extreme for a
simple task like this.  Depending on your IMAP server's code, this could get
you in trouble (root exploits, etc).
 
> If anyone on the list has accomplished a similar task, please share the
> caveats and your successful methods.  Thank you.

Since IMP/php already have the user's username and password, there are many
ways to do this.  Nonetheless, I still have it prompt for the username
and password anyway, compare this to what IMP has, so that if someone leaves
IMP running a second party can't abuse it (as much).

Anyway, I implement it via a local (localhost) ftp feeding in the user's 
username and password.  This means that all the files I write (.forward, etc)
are created/deleted/etc as the user, not as some other (e.g. root or httpd)
user.

I block all ftp access on the server except for localhost, and the php connects
via localhost.  Seems to work fine and provide a more-or-less secure method
(ftp passwords are clear text, but they never hit the network (only loopback
interface) so they *shouldn't* be vulnerable).

If you had to traverse machines, you could always tunnel the ftp session.

> Chris
> 
> 
> -- 
> IMP mailing list: http://horde.org/imp/
> Archive: http://marc.theaimsgroup.com/?l=imp&r=1&w=2
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: imp-unsubscribe@lists.horde.org

Eric Jon Rostetter
The Department of Physics
The University of Texas at Austin
Austin, Texas 78712-1081

Office:    RLM 7.126
Telephone: 512-471-5821
Email:	   eric.rostetter@physics.utexas.edu
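
A sketch of the approach described in the message above, added here as an example; it is not the poster's script or Horde/IMP code. The function names, the address rule, the sendmail-style .forward syntax, and an FTP daemon listening on 127.0.0.1:21 that logs users into their home directory are all assumptions.

```php
<?php
// Added example, not the poster's script. Assumes sendmail-style .forward
// syntax and an FTP daemon on 127.0.0.1:21 that logs users into their home.

// Build the file body from one plain address. Pipes, file paths, :include:
// and embedded newlines never match the pattern, so a typo or pasted junk
// cannot become a program delivery or a bounce.
function build_forward(string $user, string $dest, bool $keepCopy): string
{
    $dest = trim($dest);
    if (!preg_match('/^[a-z_][a-z0-9_-]*$/D', $user)) {
        throw new InvalidArgumentException('unexpected local user name');
    }
    if (!preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/D', $dest)) {
        throw new InvalidArgumentException('not a plain user@domain address');
    }
    // "\user" keeps a local copy without re-reading .forward (no loop).
    $lines = $keepCopy ? ['\\' . $user, $dest] : [$dest];
    return implode("\n", $lines) . "\n";
}

function write_forward(string $user, string $sessionPass, string $typedPass, string $body): void
{
    // The re-typed password must match what the webmail session holds.
    if (!hash_equals($sessionPass, $typedPass)) {
        throw new RuntimeException('password confirmation failed');
    }
    $ftp = ftp_connect('127.0.0.1', 21, 10);   // loopback only
    if ($ftp === false) {
        throw new RuntimeException('local FTP daemon not reachable');
    }
    try {
        if (!@ftp_login($ftp, $user, $typedPass)) {
            throw new RuntimeException('FTP login refused');
        }
        ftp_pasv($ftp, true);
        $tmp = fopen('php://temp', 'r+');       // in-memory stream for the upload
        fwrite($tmp, $body);
        rewind($tmp);
        if (!ftp_fput($ftp, '.forward', $tmp, FTP_ASCII)) {
            throw new RuntimeException('could not store .forward');
        }
        @ftp_chmod($ftp, 0644, '.forward');     // owner-writable only; needs SITE CHMOD
    } finally {
        ftp_close($ftp);
    }
}
```

Because the login uses the user's own credentials, the file is created with that user's ownership, and neither the web server account nor root touches the home directory.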