Posted by Miguel Lopes on 01/04/08 11:52

"Erwin Moller"
<Since_humans_read_this_I_am_spammed_too_much@spamyourself.com> escreveu na
mensagem news:477dfd80$0$85792$e4fe514c@news.xs4all.nl...
> Miguel Lopes wrote:
>> Hello,
>> I need to run a command as root to create users on the system for webmail
>> server.
>>
>> What is the best way to do this?
>>
>> Thanks
>>
>>
>
> Hi,
>
> The easy way, adding user PHP (apache, nobody, www-date, whatever) to
> sudo, is also very unsafe. So that is a no-go I'd say.
>
> I solved this once in a similar situation as described hereunder.
> It is not REAL security, more security-by-obscurity.
>
> 1) Make a directory somewhere that has NO directorylisting (check chmod
> for directories under *nix for details)
> 2) In this directory, make another directory with an impossible-to-guess
> name.
> So you end up with something like this:
> /home/lopes/public_html/nodirlisting/hjuyERWdklkJ754hjk367LpH
> where the directory nodirlisting has no listingrights, so nobody can find
> the name of the hjuyERWdklkJ754hjk367LpH-directory.
> Make hjuyERWdklkJ754hjk367LpH writable for user PHP (eg www-data).
>
>
> 3) When you want to add a new user, write some commands to a file, eg a
> line for each new webmailuser, then username, then password, etc.
> 4) create a cronjob for a user that has access to webmail (I am not sure
> if that needs to be root).
> Let the cronjob run every minute or so, and if something in the file in
> hjuyERWdklkJ754hjk367LpH is found, add that to the webmail.
>
> This is still not 100% safe, since everybody on the machine that can
> access the file (eg other PHP-scripts), but they will have a hard time
> guessing the name of the directory.
>
> Security by obscurity. :-)
>
> Maybe somebody has a REAL solid solution.
> Regards,
> Erwin Moller

I been looking at a suphp has anyone worked with this.

[Back to original message]