>> I ran squirrelmail/configtest.php and realized I don't have an
>> attachment directory set up for Squirrelmail:
>>
>> ERROR: Attachment dir (/var/local/squirrelmail/attach/) does not exist!
>>
>> I don't even have a /var/local/. Would a good Gentoo'er create the
>> directory in that location?
>
>
> If a website needs to write files, let it do so under its own directory
> hierarchy. All of our PHP sites have something equivalent to the following
> in their apache vhost configs:
>
> php_admin_value open_basedir /var/www/example.com/www/
> php_admin_value upload_tmp_dir /var/www/example.com/www/tmp
> php_admin_value session.save_path /var/www/example.com/www/tmp
>
> That way, if www.example.com is compromised, the rest of the machine is
> still safe (barring PHP bugs).

There is a Squirrelmail document recommending that the Squirrelmail
data and attachments directories are established outside of the web
server's reach. /var is given as an example. They also recommend
root:apache 0730 for both directories.

This is a little disturbing because my Squirrelmail data directory was
created under the webroot as apache:apache 0755 at some point. Would
this have been done by Gentoo? Should I file a bug?

"Prepare data and attachment directories"
http://squirrelmail.org/docs/admin/admin-3.html

- Grant
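
An added example, not part of the original message or of the Squirrelmail documentation: a shell function that checks a directory against the recommendation cited above (outside the web root, root:apache, mode 0730). The function name, its arguments and the finding labels are assumptions made for this example; it relies on GNU `stat -c` and is meant to be run as root.

```shell
#!/bin/sh
# Added example: audit a Squirrelmail data or attachment directory.
# 0730 = owner rwx, group -wx, other ---: the web server's group can create
# and open files by name but cannot list the directory contents.
# Usage: audit_sm_dir DIR WEBROOT [OWNER] [GROUP]  (defaults: root, apache)
# Prints one finding per line; returns 0 only when there are no findings.
audit_sm_dir() {
    dir=$1 webroot=$2 want_owner=${3:-root} want_group=${4:-apache}
    findings=0

    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist"
        return 2
    fi

    # Resolve symlinks so a link pointing into the web root is not missed.
    real_dir=$(cd "$dir" && pwd -P) || return 2
    real_root=$(cd "$webroot" && pwd -P) || return 2
    real_root=${real_root%/}

    # Trailing slash on both sides: /var/www2 is not "inside" /var/www.
    case "$real_dir/" in
        "$real_root"/*)
            echo "LOCATION: $real_dir is inside web root $real_root"
            findings=$((findings + 1)) ;;
    esac

    owner=$(stat -c %U "$real_dir")
    group=$(stat -c %G "$real_dir")
    mode=$(stat -c %a "$real_dir")

    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "OWNER: $owner:$group, expected $want_owner:$want_group"
        findings=$((findings + 1))
    fi
    if [ "$mode" != "730" ]; then
        echo "MODE: $mode, expected 730"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
```

A directory like the one described in the message (under the webroot, apache:apache 0755) produces LOCATION, OWNER and MODE findings.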