Now that I have a little more time to tinker, I'd like to get my personal squirrel mail installation to be a little more secured, so that address books and attachments aren't visible to everyone else on the server. <br /><br />From what I read on PHP, it usually runs as "nobody", so any files that squirrelmail needs to update, they must be readable, writeable and visible to anyone. <br /><br />Thanks to earlier help, I know that I can run PHP as myself using the scgi-bin directory. BUT, this requires that all the files end in .CGI (not .PHP), and they all must start with a "#!/bin/php" line. This is a decent amount of copying&pasting.<br /><br />What I am looking for is a secure wrapper for a PHP program. Can anyone suggest anything? Warn me of any security risks?<br /><br />What it would do is, as a PHP .CGI file<br /> Take an URL as input which should JUST be a relative reference to a PHP file<br /> Sanitize the URL - this has to remove all ".." (anything else)?<br /> #include in the sanitized URL to bring in the PHP file<br /><br />This should result in squirrel mail running as my user ID, accessing files as myself, while hopefully not being a terrible security risk.<br /><br />Anything wrong with this idea?<!--content-->
Well, <br />I finally got things to work well enough with a mucked together script that just fixed the vars that squirrelmail needed. <br /><br />I still am surprised that there isn't a more generic solution.<br /><br />The basic idea is..<br /> Filter out ..'s from the filename<br /> Append to a private path<br /> Fix up some subset of _GET and HTTP_GET_VARS and PHP self and ... (1)<br /> include the real file<br /><br />That "subset" is bothersome, since I'll probably have to fix the script again should I want to run anything different under it -- I can't find a way of including as a new request to let PHP do it automatically.<!--content-->
I suspect there are not too many with their own install of squirrel mail<br /><br />Hopefully the security types will comment on this,<br />but glad you are making progress.<!--content-->
wolvesb,<br /><br />could you include the script you used. I'm in need for a similar wrapper and it soounds like you had some success.<!--content-->
Well, <br />I finally got things to work well enough with a mucked together script that just fixed the vars that squirrelmail needed. <br /><br />I still am surprised that there isn't a more generic solution.<br /><br />The basic idea is..<br /> Filter out ..'s from the filename<br /> Append to a private path<br /> Fix up some subset of _GET and HTTP_GET_VARS and PHP self and ... (1)<br /> include the real file<br /><br />That "subset" is bothersome, since I'll probably have to fix the script again should I want to run anything different under it -- I can't find a way of including as a new request to let PHP do it automatically.<!--content-->
I suspect there are not too many with their own install of squirrel mail<br /><br />Hopefully the security types will comment on this,<br />but glad you are making progress.<!--content-->
wolvesb,<br /><br />could you include the script you used. I'm in need for a similar wrapper and it soounds like you had some success.<!--content-->