
RE: [cobalt-users] OpenWebmail vs Squirrelmail



> OpenWebmail or Squirrelmail???  OpenWebmail has a package for 
> Raq4 at pkgmaster.com however, installation instructions for
> squirrelmail at
> http://www.uk2raq.com/raqfaq/raqfaqshow.php?faq=34 --straight
> forward.

	Openwebmail runs as root. I don't mean to insult anyone here,
particularly the pkgmaster team or the authors of openwebmail, but the
simple truth is that running any world accessible functionality as root
is simply not a wise thing to do. An
exploit (http://online.securityfocus.com/archive/1/303997) which results
in root access exists for Openwebmail 1.71 which was available for
downloading (http://pkgmaster.com/packages/raq/1/#openwebmail) at
pkgmaster.com when I wrote this sentence. The current version appears to
be safe but unless you really understand the ramifications of running
world accessible Perl scripts as root you'd be well advised to go with
some other web mail system.

	Squirrelmail, on the other hand, can and happily runs as a
non-privileged user. Installation is a breeze and it does virtual
hosting quite nicely. While it may not be quite as pretty, it provides
the same functionality as openwebmail does, and since it can run as a
non-privileged user it's a far better choice from a security viewpoint.

	Best Regards,

	Brent

	Brent Sims, Customer Service Manager
	WebOkay Internet Services, LLC
	Phone (719) 595-1427
	http://www.webokay.net/