wolvesb Posted March 20, 2005

Now that I have a little more time to tinker, I'd like to get my personal squirrel mail installation to be a little more secured, so that address books and attachments aren't visible to everyone else on the server.

From what I read on PHP, it usually runs as "nobody", so any files that squirrelmail needs to update must be readable, writeable and visible to anyone.

Thanks to earlier help, I know that I can run PHP as myself using the scgi-bin directory. BUT, this requires that all the files end in .CGI (not .PHP), and they all must start with a "#!/bin/php" line. This is a decent amount of copying & pasting.

What I am looking for is a secure wrapper for a PHP program. Can anyone suggest anything? Warn me of any security risks?

What it would do is, as a PHP .CGI file:

Take a URL as input which should JUST be a relative reference to a PHP file
Sanitize the URL - this has to remove all ".." (anything else)?
#include in the sanitized URL to bring in the PHP file

This should result in squirrel mail running as my user ID, accessing files as myself, while hopefully not being a terrible security risk.

Anything wrong with this idea?

wolvesb Posted March 24, 2005 Author

Well, I finally got things to work well enough with a mucked together script that just fixed the vars that squirrelmail needed. I still am surprised that there isn't a more generic solution.

The basic idea is..

Filter out ..'s from the filename
Append to a private path
Fix up some subset of _GET and HTTP_GET_VARS and PHP self and ... (1)
include the real file

That "subset" is bothersome, since I'll probably have to fix the script again should I want to run anything different under it -- I can't find a way of including as a new request to let PHP do it automatically.
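
The path check that the outline above depends on, as an added example that is not part of the original thread and is not wolvesb's script: it resolves the requested name with realpath() and requires the result to lie under the private directory, instead of filtering ".." out of the string. The function name resolve_target(), the base path and the "page" query parameter are assumptions; the fix-up of _GET and PHP_SELF is not covered.

```php
<?php
// Added example. resolve_target(), $base and the "page" parameter are
// hypothetical names, not taken from SquirrelMail or from the thread.

// Return the absolute path of $requested if it is an existing .php file
// under $base, or null otherwise.
function resolve_target(string $base, string $requested): ?string
{
    // Reject empty names, NUL bytes and absolute paths up front.
    if ($requested === '' || strpos($requested, "\0") !== false
        || $requested[0] === '/') {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, so the comparison below
    // is made on the path that would really be opened. String filtering of
    // ".." is easy to get wrong (nested or encoded sequences).
    $real = realpath($baseReal . '/' . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Require base directory plus separator as the prefix, so a sibling
    // such as ".../private-other" does not count as inside ".../private".
    $prefix = rtrim($baseReal, '/') . '/';
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only hand PHP source files to include.
    if (pathinfo($real, PATHINFO_EXTENSION) !== 'php') {
        return null;
    }
    return $real;
}

$base = '/home/username/private/squirrelmail';      // constructed path
$page = $_GET['page'] ?? '';
$target = is_string($page) ? resolve_target($base, $page) : null;
if ($target === null) {
    http_response_code(404);   // unknown or out-of-tree name
    exit;
}
include $target;
```

Because the check runs on the resolved path, a symlink inside the private directory that points elsewhere is rejected as well.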

TCH-Don Posted March 24, 2005

I suspect there are not too many with their own install of squirrel mail.

Hopefully the security types will comment on this, but glad you are making progress.

kylew Posted April 13, 2005

wolvesb, could you include the script you used? I'm in need of a similar wrapper and it sounds like you had some success.