Marcin Soltysiak wrote:

Another problem, if you allow the www user access to the vpopmail
programs - how do you keep every web site on the server from having full
access to the mail system?  The vpopmail library functions don't provide
authentication.  (They do provide functions for doing authentication,
but the calling program has to manage it.)


Perhaps it would be nice to have some authorization method like:

$vid=vpopmail_auth_module("vpopmail-user", "vpopmail-pass-perhaps-in-crypted-md5-form");

The function is already there.


struct vpasswd *vauth_user( char *user, char *domain, char *password );

All it does is return the password file data for the user if the
password is valid, or NULL for an authentication error.  The problem is
you can call vdeldomain() or anything else, even if you haven't
authenticated yet.  The only security checks in the vpopmail library are
done at the system level.  Does the user running the process have rights
to change the files it needs to affect?

Rick
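
An added illustration, not part of the original message and not vpopmail code: a caller-side gate that refuses to reach vdeldomain() unless vauth_user() succeeded first. The wrapper name guarded_deldomain, the postmaster-only policy, the accounts and the minimal struct vpasswd are assumptions; vauth_user and vdeldomain here are constructed stand-ins so the code runs without the library.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins so this runs without libvpopmail; in a real build
 * these come from the library (vauth_user as declared in the message). */
struct vpasswd { const char *pw_name; };
static const char *accounts[][3] = {            /* user, domain, password */
    { "postmaster", "example.org", "pm-secret" },
    { "alice",      "example.org", "alice-secret" },
    { "postmaster", "other.test",  "other-secret" },
};
static int domains_deleted = 0;

static struct vpasswd *vauth_user(char *user, char *domain, char *password)
{
    static struct vpasswd pw;
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (!strcmp(user, accounts[i][0]) && !strcmp(domain, accounts[i][1]) &&
            !strcmp(password, accounts[i][2])) {
            pw.pw_name = accounts[i][0];
            return &pw;
        }
    return NULL;                                /* authentication error */
}
static int vdeldomain(char *domain) { (void)domain; domains_deleted++; return 0; }

enum gate { GATE_OK, GATE_BAD_LOGIN, GATE_NOT_ADMIN, GATE_WRONG_DOMAIN, GATE_FAILED };

/* Hypothetical wrapper: the only path by which a front end reaches
 * vdeldomain(). Policy (assumption): only the postmaster of a domain may
 * delete it, and only that same domain. */
enum gate guarded_deldomain(const char *user, const char *auth_domain,
                            const char *password, const char *target_domain)
{
    if (!user || !auth_domain || !password || !target_domain)
        return GATE_BAD_LOGIN;
    struct vpasswd *pw = vauth_user((char *)user, (char *)auth_domain, (char *)password);
    if (pw == NULL)
        return GATE_BAD_LOGIN;                  /* library call is never reached */
    if (strcmp(pw->pw_name, "postmaster") != 0)
        return GATE_NOT_ADMIN;
    if (strcmp(auth_domain, target_domain) != 0)
        return GATE_WRONG_DOMAIN;               /* one site cannot touch another */
    return vdeldomain((char *)target_domain) == 0 ? GATE_OK : GATE_FAILED;
}

int main(void)
{
    printf("%d\n", guarded_deldomain("alice", "example.org", "alice-secret", "example.org"));
    return 0;
}
```

A gate like this only holds if it runs in a process the web sites cannot bypass, since the library itself is limited only by the file permissions of the user running it.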




