Re: [SM-DEVEL] Squirrelmail & PGP/s-mime

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hello Robin,
On Friday, February 14, 2003, Robin Rainton wrote...

> I read this thread just now and must admit I like the sound of PGP in SM.

> However, what I'm definatly not convinced about is the need for a
> mailbox user to have to be a real system user which is a big no no
> in my book (well, basically because this will never fly for my ISP -
> I have many mail users but only 1 real system user).

No, you're right... there is no need for a mail user to have a valid
system account.

> As for the point on suEXEC... my web server does not run under a
> 'common' web user, but under my one real system user already. This
> does still give anyone who manages to read that user's files the
> private keys though (although at least it means that anyone having a
> web account with my ISP should be out of the picture at first), if
> they are stored by said user on filesystem, or in DB who's details
> can be gained from such.

Okay, so the pgp secret keys are going to have to be readable by that
one user, that the webserver runs as right?

> Anyhow - basically I think I'd be happy to live with private keys in
> a 'chmod 600' file on the server for the above reason. I have SSL
> turned on, so the original loading of the key would be secure.

Now... may I point out the little flaw in this? The file is chmod 600,
which means only the user that the key is owned by may read it. For
the plugin (or whatever) to be able to work, that key must be owned by
whatever user is running the server, be it www, apached or whatever.
Okay, so the web user then has access to the keys right? That is the
problem :P That means that anybody that can do any sort of work on the
server via the webserver *also* has access to those secret keys. That
is where the security issue lays.  Okay, so nobody but the webserver
can read the keys, safe from real users, but not anybody that can do
anything via the web server, like php scripts.  Try this small script
for size:

<?
include('config/config.php');
if (!isset($data_dir)) die('No Data Directory found');
chdir('src');
define('SM_PATH' , '../');
if (stristr( $data_dir , 'SM_PATH' )) {
    $data_dir = str_replace( 'SM_PATH' , SM_PATH , $data_dir );                  
}
echo 'Data: ' . $data_dir . '<br>';
if (is_dir( $data_dir )) {
    $open_dir = opendir($data_dir);
    while($name = readdir($open_dir)) {
        $array[] = $name;
    }
    closedir( $open_dir );
    sort( $array );
    $array_count = count($array);
    for($i = 2; $i < $array_count; $i++) {
        echo $array[$i] . '<br>';
    }
    echo 'Data Directory Listing Done... can read files if you wanted.';
} 
?>

Copy those 23 lines of code into a file called test.php and put it
into your squirrelmail base folder (the one containing src, functions,
config etc)... Then open in your browser. You have a list of all the
files in the data directory (I didn't go recursive, so if you're using
hashed dirs, then the script needs tweaking). But... as PHP can read
the dir, and we can obviously open those files otherwise personal
prefs wouldn't work, it also means that even a file chmod 600 would be
readable too... which was the whole point of suEXEC, as it means the
files are owned by the user who runs the keys, and the only way that
the user can use the keys is to use the 'script'. The above code is
just an example of directory listing, but some small tweaks, you can
certainly make it file reading too. Or am I miss-understanding your
descriptions of the way you were running things?

-- 
Jonathan Angliss
(ja...@ce...)