[imp] Safe Mode

Eric Rostetter eric.rostetter at physics.utexas.edu
Tue Sep 30 15:49:12 PDT 2003


Quoting Caylan Van Larson <caylan at aero.und.edu>:

> We just rolled out a separate web server for student use that services
> horde/imp and ~/<username> requests.

Always a dangerous combination.  Make sure you check everything for
access restrictions, like where you save php session files, php uploaded
files, etc.  I don't allow logins to my Horde server just because of such
reasons.

> I had to turn on safe mode when I
> realized (woke up at 3am sweating) that users could just exec("grep
> password /www/webmail/htdocs/config/horde.conf") and gain access to the
> mysql server.  I turned on safe_mode with uid/gid checking... *safe*

You could just protect the file (horde.conf) and the directory containing
it from access by the users...

See http://cvs.horde.org/co.php/horde/docs/SECURITY?r=1.8

> I know horde is not meant to be run with safe_mode enabled, but I'll go
> out on a limb and see what comes of me attempting to do this.

Some one else on the list has hashed out almost all the issues with doing
so in current code.  I think spell checking was all they got stumped on.

> Here are my current problems:

Most of these answers are in the recent list archives.

While your reason for putting safe_mode on was completely bogus, given your
setup you should probably run safe_mode anyway.  Not to protect horde, but
to protect your users and system in general.

--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!


More information about the imp mailing list