Note about files/* and security (or lack therof)

2024-11-08 00:54:50 +01:00 · 2000-10-11 14:45:37 +00:00 · 2000-10-11 14:45:37 +00:00 · 2b633e055b
commit 2b633e055b
parent 9f0d7b8aa8
1 changed files with 10 additions and 1 deletions
--- a/doc/SECURITY
+++ b/doc/SECURITY
@ -10,9 +10,18 @@ program.  I do not like keeping passwords in any medium that is not encryped.

 The email system stores its file attachments in a temp directory.  For right
 now, you need to watch this directory because it can fill up very quickly.
-If a user does not finsh composing the message (going else where in the program, internet connection dieing, browser crash, etc) the file will sit there until
+If a user does not finsh composing the message (going else where in the program, 
+internet connection dieing, browser crash, etc) the file will sit there until
 it is deleted.  There will be a simple cron program to go through and clean
 things up.  

+The files/users and files/groups directories need to be writable by the UID
+that php runs under (nobody or your apache UID). This is a security risk
+if 3rd parties can place php or cgi scripts on your machine, because they
+will have full read/write access to those directories.
+You should also consider moving the files directory outside of the
+tree your webserver has access to to prevent websurfers from directly accessing
+the files, or add in .htaccess files to restrict access to that tree.
+
 Besides this, there is nothing else that I am aware of.  Let me know if you
 find anything.