[Kolab-devel] Secure handling of Templates.pm

Stuart Bingë list at codefusion.co.za
Tue May 18 14:43:28 CEST 2004


On Tuesday 18 May 2004 12:18, Bernhard Reiter wrote:
> On Thursday 13 May 2004 15:23, Stuart Bingë wrote:
> > On Thursday 13 May 2004 15:11, cvs at intevation.de wrote:
> > > Modified Files:
> > > 	Templates.pm
> > > Log Message:
> > > New file permission handling. This should fix the security
> > > vulnerabilities that we've been experiencing
> >
> > This change allows you to specify the owner and uid/gid of the template
> > file in the metadata header. The new meta variables (mvars) are
> > 'file_perms', 'file_uid' and 'file_gid'. file_perms defaults to 0644,
> > whereas file_uid and file_gid default to the 'kolab' user's uid/gid.
> >
> > I've updated slapd.conf to utilise this new functionality - it now has
> > file_perms set to 0600.
> >
> > I would appreciate it if someone who is familiar with these sorts of
> > security issues would look over my code and check if it's correct. Basically
> > what I do is as follows:
>
> Cannot say much about it without deep analysis.
> Anybody else?
> Did you look at the Erfrakon solution for Kolab 1.0.x?
> How does your solution compare to it?

I wasn't able to compare it against Erfrakon (where does one get the latest 
Erfrakon packages?), however it was basically an extension of the solution we 
implemented in our package.

This doesn't really apply any more though (at least for the foreseeable future) 
as the code in /devel has been abandoned.

-- 
Stuart Bingë
Code Fusion cc.

Office: +27 11 673 0411
Mobile: +27 83 298 9727
Email: s.binge at codefusion.co.za

Tailored email solutions; Kolab specialists.
http://www.codefusion.co.za/
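
The permission handling described in the quoted commit note, shown as an added example that is not part of the original message and is not Kolab's Templates.pm code. It applies `file_perms`, `file_uid` and `file_gid` (with the defaults named in the thread) before any content is written, so a file such as slapd.conf is never readable with looser permissions than requested. The helper names `resolve_mvars` and `write_config`, passing the mvars as a hash with numeric ids, and the temp-file naming are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use POSIX qw(geteuid getegid);
use File::Temp qw(tempdir);

# Defaults from the thread: file_perms 0644, owner/group of the 'kolab' user.
# Assumption: fall back to the current ids when no 'kolab' account exists.
sub resolve_mvars {
    my (%mvars) = @_;
    my @pw    = getpwnam('kolab');
    my $perms = defined $mvars{file_perms} ? $mvars{file_perms} : '0644';
    die "file_perms must be octal: $perms\n" unless $perms =~ /^0?[0-7]{3}$/;
    my $uid = defined $mvars{file_uid} ? $mvars{file_uid} : @pw ? $pw[2] : geteuid();
    my $gid = defined $mvars{file_gid} ? $mvars{file_gid} : @pw ? $pw[3] : getegid();
    return (perms => oct($perms), uid => $uid, gid => $gid);
}

# write_config is a hypothetical helper, not a function of Templates.pm.
sub write_config {
    my ($target, $content, %mvars) = @_;
    my %m   = resolve_mvars(%mvars);
    my $tmp = "$target.tmp.$$";

    # O_EXCL refuses an existing file or symlink; mode 0600 keeps the content
    # private until ownership and the final permissions are in place.
    sysopen(my $fh, $tmp, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "cannot create $tmp: $!\n";
    my $ok = eval {
        chown($m{uid}, $m{gid}, $fh) or die "chown $tmp: $!\n";
        chmod($m{perms}, $fh)        or die "chmod $tmp: $!\n";
        print {$fh} $content         or die "write $tmp: $!\n";
        close($fh)                   or die "close $tmp: $!\n";
        rename($tmp, $target)        or die "rename $tmp: $!\n";
        1;
    };
    unless ($ok) { my $err = $@; unlink $tmp; die $err; }
    return $target;
}

# Constructed demo: a slapd.conf-like file written with file_perms 0600.
my $dir = tempdir(CLEANUP => 1);
my $out = write_config("$dir/slapd.conf", "rootpw placeholder\n",
    file_perms => '0600', file_uid => geteuid(), file_gid => getegid());
printf "%s mode %04o\n", $out, (stat $out)[2] & 07777;
```

Changing the owner to another account requires root, which is why the demo passes the current ids explicitly.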



