Jean Wainer wrote:
>> Thus giving anyone that has web access or is allowed to run PHP
>> scripts on your server the allowance to play with vpopmail as much
>> as they want. If this is just a webmail-based server I do think it
>> is okay, but if I were you I would still be worried.
>
> We are using it on one of our webmail servers, and since we have a
> lot of anti-spam and account management features which depend on the
> vpopmail user to be configured within the webmail, we have chosen to
> do that.

What I would suggest instead is to create a wrapper in C that is set setuid to vpopmail; that way only vpasswd can be abused if there is a hole in some PHP script that is run on the server. The worst thing that can happen then is that your users' passwords are changed, but that is still a lot of guesswork.

I personally would prefer to have just one function exposed rather than having Apache be able to access all the vpopmail functions. I'd rather not be in for a surprise that I am hosting a random domain without knowing it.

>>> --Jw.
>>
>> Jan-Willem Regeer
>
> So I'm not the only jw here, eh?
>
> Jean C. S. Wainer
>
> --Jw.

Sorry :P Indeed you are not.

Jan-Willem Regeer
X-Istence