> >>Another problem, if you allow the www user access to the vpopmail
> >>programs - how do you keep every web site on the server from having full
> >>access to mail system?  The vpopmail library functions don't provide
> >>authentication.  (They do provide functions for doing authentication,
> >>but the calling program has to manage it.)
> >
> >
> > Perhaps it would be nice to have some authorization method like:
> >
> > $vid=vpopmail_auth_module("vpopmail-user",
> > "vpopmail-pass-perhaps-in-crypted-md5-form");
>
> The function is already there.
>
> struct vpasswd *vauth_user( char *user, char *domain, char *password );
>
> All it does is return the password file data for the user if the
> password is valid, or NULL for an authentication error.  The problem is
> you can call vdeldomain() or anything else, even if you haven't
> authenticated yet.  The only security checks in the vpopmail library are
> done at the system level.  Does the user running the process have rights
> to change the files it needs to affect?

Notice that I called the function .._auth_module(). If you want to separate
websites from accessing vpopmail on your box you need a fundamental
authorization that allows you to perform vdeldomain(). More descriptive
example follows:

    $vid=vpopmail_auth_module("vpopmail-user-like-unix-vpopmail-user-that-can-add-and-delete-and-so-on",
        "vpopmail-pass-perhaps-in-crypted-md5-form");
    if($vid){
        //You're a super admin and can manipulate domains and users
        $rst=vadddomain("myname.tld","postmaster_pass"); //or whatever is the syntax
        if($rst){
            echo "domain created";
        }else{
            echo vpopmail_errstr();
        }
    }else{
        //your regular user that can only auth himself via
        $auth=vauth_user("user","domain","password");
    }

On the vpopmail_auth_module() level there would be something like a "sudo"
mechanism performed so that all functions that require physical access to
the vpopmail dir structure were run as an authorized super user (or any other
user that has some limited permissions).

Personally I feel that could be an extension to vpopmail itself. A module
for PHP operations that would introduce some levels of admins etc...
Imagine that you can assign a user rights to create 5 domains...

Bad thing is I am no coder. All of the above is just my imagination and
theoretical issues. Perhaps one of the vpopmail users is quite a PHP geek
and could verify if it has a chance of success.

Solt
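
The broker idea discussed in this thread, as an added example in C that is not part of the original message or of vpopmail: the role and quota check runs before any privileged call, so an unauthenticated or low-privilege session never reaches it. The roles, accounts, result codes and the broker_*/priv_* functions are hypothetical, and the priv_* stand-ins only count calls. In a real deployment this logic and the session state would live in the separate privileged helper, not in the web process.

```c
#include <string.h>
/* Hypothetical admin levels and result codes for the proposed module. */
enum role { ROLE_NONE, ROLE_USER, ROLE_DOMAIN_ADMIN, ROLE_SUPER };
enum { OK = 0, E_DENIED = -1, E_QUOTA = -2 };
struct session { enum role role; int created; int quota; };

/* Constructed accounts; a real broker would verify a stored password hash. */
static const struct { const char *name, *pass; struct session grant; } accounts[] = {
    { "superadmin", "constructed-pass-1", { ROLE_SUPER, 0, -1 } },
    { "reseller",   "constructed-pass-2", { ROLE_DOMAIN_ADMIN, 0, 5 } },
    { "webuser",    "constructed-pass-3", { ROLE_USER, 0, 0 } },
};

/* Stand-ins for the privileged library calls; they only count invocations. */
static int priv_calls;
static int priv_add_domain(const char *d) { (void)d; priv_calls++; return 0; }
static int priv_del_domain(const char *d) { (void)d; priv_calls++; return 0; }

/* On success copy the account's grant; on failure leave the session at ROLE_NONE. */
int broker_login(struct session *s, const char *name, const char *pass) {
    memset(s, 0, sizeof *s);
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (!strcmp(name, accounts[i].name) && !strcmp(pass, accounts[i].pass)) {
            *s = accounts[i].grant;
            return OK;
        }
    return E_DENIED;
}

/* Domain admins may create domains up to their quota; the super admin is unlimited. */
int broker_add_domain(struct session *s, const char *domain) {
    if (s->role < ROLE_DOMAIN_ADMIN) return E_DENIED;
    if (s->role != ROLE_SUPER && s->created >= s->quota) return E_QUOTA;
    if (priv_add_domain(domain) != 0) return E_DENIED;
    s->created++;
    return OK;
}

/* Deleting a domain is reserved for the super admin. */
int broker_del_domain(const struct session *s, const char *domain) {
    if (s->role != ROLE_SUPER) return E_DENIED;
    return priv_del_domain(domain) == 0 ? OK : E_DENIED;
}
/* Stand-alone check: a regular user must be refused a domain delete. */
int main(void) {
    struct session s;
    broker_login(&s, "webuser", "constructed-pass-3");
    return broker_del_domain(&s, "example.test") == E_DENIED ? 0 : 1;
}
```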