From: Jonathan A. <ja...@ce...> - 2003-02-14 17:00:51
Hello Robin,

On Friday, February 14, 2003, Robin Rainton wrote...

> I read this thread just now and must admit I like the sound of PGP in SM.
> However, what I'm definitely not convinced about is the need for a
> mailbox user to have to be a real system user which is a big no no
> in my book (well, basically because this will never fly for my ISP -
> I have many mail users but only 1 real system user).

No, you're right... there is no need for a mail user to have a valid system account.

> As for the point on suEXEC... my web server does not run under a
> 'common' web user, but under my one real system user already. This
> does still give anyone who manages to read that user's files the
> private keys though (although at least it means that anyone having a
> web account with my ISP should be out of the picture at first), if
> they are stored by said user on filesystem, or in DB whose details
> can be gained from such.

Okay, so the PGP secret keys are going to have to be readable by that one user, the one that the webserver runs as, right?

> Anyhow - basically I think I'd be happy to live with private keys in
> a 'chmod 600' file on the server for the above reason. I have SSL
> turned on, so the original loading of the key would be secure.

Now... may I point out the little flaw in this? The file is chmod 600, which means only the user that the key is owned by may read it. For the plugin (or whatever) to be able to work, that key must be owned by whatever user is running the server, be it www, apache or whatever. Okay, so the web user then has access to the keys, right? That is the problem :P That means that anybody that can do any sort of work on the server via the webserver *also* has access to those secret keys. That is where the security issue lies. Okay, so nobody but the webserver can read the keys, safe from real users, but not from anybody that can do anything via the web server, like PHP scripts. Try this small script for size:

<?php
include('config/config.php');
if (!isset($data_dir)) die('No Data Directory found');
chdir('src');
define('SM_PATH', '../');   // config.php may use SM_PATH before it exists; resolve it below
if (stristr($data_dir, 'SM_PATH')) {
    $data_dir = str_replace('SM_PATH', SM_PATH, $data_dir);
}
echo 'Data: ' . $data_dir . '<br>';
if (is_dir($data_dir)) {
    $array = array();                                   // was uninitialised; sort() needs an array
    $open_dir = opendir($data_dir);
    while (($name = readdir($open_dir)) !== false) {    // a file named "0" would stop a bare while
        if ($name != '.' && $name != '..') $array[] = $name;   // skip explicitly, not by position
    }
    closedir($open_dir);
    sort($array);
    foreach ($array as $name) {
        echo $name . '<br>';
    }
    echo 'Data Directory Listing Done... can read files if you wanted.';
}
?>

Copy those 23 lines of code into a file called test.php and put it into your SquirrelMail base folder (the one containing src, functions, config etc)... Then open it in your browser. You have a list of all the files in the data directory (I didn't go recursive, so if you're using hashed dirs, then the script needs tweaking). But... as PHP can read the dir, and we can obviously open those files otherwise personal prefs wouldn't work, it also means that even a file chmod 600 would be readable too... which was the whole point of suEXEC, as it means the files are owned by the user who runs the keys, and the only way that the user can use the keys is to use the 'script'. The above code is just an example of directory listing, but with some small tweaks you can certainly make it file reading too. Or am I misunderstanding your descriptions of the way you were running things?

--
Jonathan Angliss (ja...@ce...)
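An audit of the situation Jonathan describes (a mode 600 key file whose owner is the very account the web server runs as), as an added example that is not code from this thread or from SquirrelMail: it applies the POSIX owner/group/other read check to a file and an account, and `demo()` constructs a temporary placeholder file to show that chmod 600 is no barrier to the owning uid while it does stop an unrelated one. The function names and the placeholder file are assumptions; ACLs, MAC policy and capabilities are ignored.

```python
import os
import stat
import tempfile

# Added example (constructed names and file), not from the SquirrelMail thread
# or project: can the account the web server runs as read a "chmod 600" key?
# Plain POSIX mode bits only; ACLs, SELinux/AppArmor and capabilities ignored.

def can_read(mode, file_uid, file_gid, uid, gid, groups):
    """POSIX DAC read check. Exactly one class of bits applies: owner if the
    uid matches, else group if any of the caller's groups match, else other."""
    if uid == 0:                       # root bypasses mode bits entirely
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if gid == file_gid or file_gid in groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def audit_file(path, uid, gid, groups=()):
    """Audit one file against an account (uid, primary gid, supplementary
    gids) and return the verdict together with the facts it rests on."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "path": path,
        "mode": oct(mode),
        "owner_uid": st.st_uid,
        "same_owner": st.st_uid == uid,
        "readable": can_read(mode, st.st_uid, st.st_gid, uid, gid, set(groups)),
    }

def demo():
    """Constructed scenario from the thread: a mode-600 file owned by the
    current user, audited as that same uid (the web server user case) and as
    an unrelated uid. Returns the two readability verdicts: (True, False)."""
    fd, path = tempfile.mkstemp(prefix="secring-placeholder-")
    os.write(fd, b"constructed placeholder, not a real key\n")
    os.close(fd)
    os.chmod(path, 0o600)
    me, my_gid = os.getuid(), os.getgid()
    try:
        as_web_user = audit_file(path, me, my_gid)["readable"]
        as_other = audit_file(path, me + 1, my_gid + 1)["readable"]
    finally:
        os.unlink(path)
    return as_web_user, as_other
```

The fix the thread is circling is the one suEXEC gives: a key whose owner is not the web server's uid, so the `same_owner` field in the audit output is the line item to watch.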