[imp] Safe Mode
Eric Rostetter
eric.rostetter at physics.utexas.edu
Tue Sep 30 15:49:12 PDT 2003
Quoting Caylan Van Larson <caylan at aero.und.edu>:
> We just rolled out a separate web server for student use that services
> horde/imp and ~/<username> requests.
Always a dangerous combination. Make sure you check everything for
access restrictions, like where you save php session files, php uploaded
files, etc. I don't allow logins to my Horde server just because of such
reasons.
> I had to turn on safe mode when I
> realized (woke up at 3am sweating) that users could just exec("grep
> password /www/webmail/htdocs/config/horde.conf") and gain access to the
> mysql server. I turned on safe_mode with uid/gid checking... *safe*
You could just protect the file (horde.conf) and the directory containing
it from access by the users...
See http://cvs.horde.org/co.php/horde/docs/SECURITY?r=1.8
> I know horde is not meant to be run with safe_mode enabled, but I'll go
> out on a limb and see what comes of me attempting to do this.
Someone else on the list has hashed out almost all the issues with doing
so in current code. I think spell checking was all they got stumped on.
> Here are my current problems:
Most of these answers are in the recent list archives.
While your reason for putting safe_mode on was completely bogus, given your
setup you should probably run safe_mode anyway. Not to protect horde, but
to protect your users and system in general.
--
Eric Rostetter
The Department of Physics
The University of Texas at Austin
Why get even? Get odd!