Re: [cpx] Hardening directory rights and cpx

[Rus Berrett <rberrett@xxxxxxxxx>]

On Sun, Feb 13, 2005 at 06:02:36PM +0100, ADNET Ghislain wrote:
>
> Subject: [cpx] Hardening directory rights and cpx
>
> Hi Scott,
> 
>  Will CPX (or imanager) suffer if i do some changes on the directory's 
> security settings :
> 
> chmod 751 /home/login   -----------    for the web users
> chmod 750 /home/login   -----------    for the mail users
> 
>  I wondered if imanager or cpx can break because of this ?
> 
> Best regards,
> Ghislain.

Ghislain,

iManager is an suid program that drops privs down to the authenticated 
user level... so iManager won't (or rather, shouldn't) care.

The underlying VSAP modules that perform _most_ of the CPX tasks 
operate in much the same way as iManager; they will run as if they are
the authenticated user (well, except for tasks which are done on files
owned by endusers at the behest of a domain admin).  There are, however,
some tasks which are handled without any other privileges but those that
are given to the apache user/group (www/www).  The ones that I can think
of off the top of my head are upload file (such as a mail attachment)
and download file.  Therefore, a home directory mode of 750 would
probably not be wise for any user that uses CPX, or at least, any user 
that expects CPX to behave and operate normally... 751 should be ok.  

Inside your home directory, you can chmod 700 on any subdirectory with
the exception of ".cpx_tmp".  Your subdirectories such as "Mail" should
already be 700.

hth.

--rus.


========================================================================
Rus Berrett                                                    NTT/Verio
                 See Perl. See Perl Run. Run Perl, Run!

======================================================================
This is <cpx@xxxxxxxxxxxxx>      <http://www.groupmail.org/lists/cpx/>
Before posting a question, please search the archives (see above URL).