On 12/09/2011 10:49 AM, Grant wrote:
> There is a Squirrelmail document recommending that the Squirrelmail
> data and attachments directories are established outside of the web
> server's reach. /var is given as an example.

The two aren't mutually exclusive; using the previous example, we have,

  php_admin_value upload_tmp_dir /var/www/example.com/www/tmp
  DocumentRoot /var/www/example.com/www/public

so Apache can't serve up the temporary files. But sticking them both
under /var/www/example.com/www does allow you to use tighter
open_basedir restrictions.

> This is a little disturbing because my Squirrelmail data directory was
> created under the webroot as apache:apache 0755 at some point. Would
> this have been done by Gentoo? Should I file a bug?

I'm not sure. There's probably a policy that says one of two things:

  1. Ebuilds should by default set up everything as securely as
     possible, or
  2. Ebuilds should not mess with upstream

I've honestly never used Gentoo's webapp stuff; it confuses the hell out
of me.
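
A way to check a vhost for the layout discussed in this thread, added here as an example and not part of the original message or of any Gentoo or SquirrelMail tooling. The sample vhost is constructed from the two directives quoted above; the open_basedir line, the VirtualHost wrapper and the function names are assumptions.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the DocumentRoot and upload_tmp_dir lines come from the
# thread; the open_basedir line and the <VirtualHost> wrapper are assumptions.
SAMPLE_VHOST = """\
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example.com/www/public
    php_admin_value upload_tmp_dir /var/www/example.com/www/tmp
    php_admin_value open_basedir /var/www/example.com/www
</VirtualHost>
"""

def parse_vhost(text):
    """Return DocumentRoot, upload_tmp_dir and the open_basedir path list."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE | re.IGNORECASE)
        return m.group(1).strip('"') if m else None
    basedir = grab(r"^\s*php_admin_value\s+open_basedir\s+(\S+)")
    return {
        "docroot": grab(r"^\s*DocumentRoot\s+(\S+)"),
        "tmp": grab(r"^\s*php_admin_value\s+upload_tmp_dir\s+(\S+)"),
        "open_basedir": basedir.split(":") if basedir else [],
    }

def is_within(child, parent):
    """True if child equals parent or lies beneath it, compared per path component."""
    c, p = PurePosixPath(child), PurePosixPath(parent)
    return c == p or p in c.parents

def audit(text, extra_dirs=()):
    """Flag writable dirs that Apache would serve or that PHP could not reach.

    extra_dirs is for application directories not named in the vhost,
    such as a webmail data or attachments directory.
    """
    cfg = parse_vhost(text)
    findings = []
    for d in [cfg["tmp"], *extra_dirs]:
        if d is None:
            continue
        if cfg["docroot"] and is_within(d, cfg["docroot"]):
            findings.append(f"{d}: inside DocumentRoot, web-reachable")
        allowed = cfg["open_basedir"]
        if allowed and not any(is_within(d, b) for b in allowed):
            findings.append(f"{d}: outside open_basedir, PHP cannot use it")
    return findings
```

An empty list from audit() means the directory is both unreachable through Apache and still covered by open_basedir, which is the combination the reply describes.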