egroupware_official/phpgwapi/doc/SECURITY

28 lines
1.5 KiB
Plaintext
Raw Normal View History

2002-05-12 17:09:48 +02:00
First off, I would not recommend using this in any type of environment in which
2000-12-18 21:09:56 +01:00
security is a really big concern. I am *NOT* saying that you shouldn't be
2002-05-12 17:09:48 +02:00
concerned about it. But, until the system is thoroughly tested, I would not
2000-12-18 21:09:56 +01:00
recommend it.
2002-05-12 17:09:48 +02:00
Because of the current methods that the email system uses, it is required
2000-12-18 21:09:56 +01:00
that the users password is in the sessions table. IMAP needs the password
to verify the user. This is one of the main reasons for the stalesessions
2002-05-12 17:09:48 +02:00
program. I do not like keeping passwords in any medium that is not encrypted.
2000-12-18 21:09:56 +01:00
2002-05-12 17:09:48 +02:00
The email system stores its file attachments in a temp directory. For now,
you need to watch this directory because it can fill up very quickly.
If a user does not finish composing the message (going else where in the program,
Internet connection dieing, browser crash, etc) the file will sit there until
2000-12-18 21:09:56 +01:00
it is deleted. There will be a simple cron program to go through and clean
things up.
The files/users and files/groups directories need to be writable by the UID
2002-05-12 17:09:48 +02:00
that php runs under (nobody or your apache UID). This is a security risk
2000-12-18 21:09:56 +01:00
if 3rd parties can place php or cgi scripts on your machine, because they
will have full read/write access to those directories.
You should also consider moving the files directory outside of the
2002-05-12 17:09:48 +02:00
tree your web server has access to to prevent web surfers from directly accessing
2000-12-18 21:09:56 +01:00
the files, or add in .htaccess files to restrict access to that tree.
Besides this, there is nothing else that I am aware of. Let me know if you
find anything.