SquirrelMail  
Donations
News
About
Support
Screen shots
Download
Plugins
Documentation
Sponsors
Bounties













Security Notice
Phishing campain
Version 1.4.15
Security Upgrade

SquirrelMail uses two directories to store the user configuration and the attachments that are about to be sent. The data directory is used for storing user preferences, like their signature, theme, address book (by default), and other information specific to each user. The attachments directory is used for temporarily storing attachments which needs to be cached at the server before being sent. It's preferred, for security reasons, to have these directories outside the web tree.

Some SquirrelMail installations are preconfigured to use the data directory for attachments as well. That works, but it makes maintenance a bit trickier (see "Cleaning the attachments directory" below) so it's recommended to have separate directories for data and attachments.

The benefit of moving these directories outside the web directory tree is security. Everything inside the web directory tree gets an URI and is accessible by browsing to that address. If an attacker knows or guesses a user name, that user’s preferences can be read by the attacker. In SquirrelMail 1.4 and 1.5.0 a directory called data/ is included. Make sure that its contents are moved to the new data directory when creating it. Since SquirrelMail 1.5.1 this isn't needed.

The examples below uses www-data.www-data as the web server user and group IDs, but some web servers are using nobody.nobody, nobody.nogroup, apache.apache, or wwwrun.nobody instead. Check your web server configuration to find out what to use.

As a side note, it's not recommended to run the web servers run as an anonymous user such as nobody.nogroup. It's easier to manage permissions when the web server runs with a unique user and group ID. Create a new group and a new user, and run the web server as that user.

TODO: Add permissions to the examples.

Example

    mkdir -p /var/local/squirrelmail/attach
    mv -i data/ /var/local/squirrelmail/ # Replace "data/" with the path to the original data directory.
    chown -R www-data.www-data /var/local/squirrelmail/attach/ /var/local/squirrelmail/data/
    # On some systems you might have to use the two commands below instead of the "chown" above.
    # chown -R www-data /var/local/squirrelmail/attach/ /var/local/squirrelmail/data/
    # chgrp -R www-data /var/local/squirrelmail/attach/ /var/local/squirrelmail/data/

Example for SquirrelMail 1.5.1.

    mkdir -p /var/local/squirrelmail/attach /var/local/squirrelmail/data
    chown -R www-data.www-data /var/local/squirrelmail/attach/ /var/local/squirrelmail/data/
    # On some systems you might have to use the two commands below instead of the "chown" above.
    # chown -R www-data /var/local/squirrelmail/attach/ /var/local/squirrelmail/data/
    # chgrp -R www-data /var/local/squirrelmail/attach/ /var/local/squirrelmail/data/

The configure variables in config/config.php are $data_dir and $attachment_dir. If using the examples above, they should be set to /var/local/squirrelmail/data/ and /var/local/squirrelmail/attach/ respectively.

The second best solution is to keep the directories within the web tree, and deny access to them for anyone who tries to access them directly. Check your web server documentation to learn how to do that.

Cleaning the attachments directory

Usually SquirrelMail removes the attachments from the attachments directory when sending them, but if a user decides not to send the mail and doesn't remove the attachments manually they will be lying around in the attachments directory forever unless the system administrator removes them. While administrators for smaller systems might remove them by hand, it's easier to schedule the task to be done automatically.

It's tempting to remove all attachments once per day, but that will also delete the attachments for the end users currently writing mails when the scheduled maintenance is taking place. It's possible to list all attachments that haven't been used in two days with the command:

find /var/local/squirrelmail/attach/ -atime +2

The command above can be extended to a script, doing the actual deleting:

find /var/local/squirrelmail/attach/ -atime +2 -print0 | xargs -0 rm -f

Deleting and excluding any files containing a period or underscore is like this:

find /var/local/squirrelmail/attach/ -atime +2 \! -name "*.*" \! -name "*_*" -print0 | xargs -0 rm -f

Note that the above script only is safe if the attachments are in their own directory. If used in a combined data and attachment directory, it will also remove the preferences for users who haven't been logged in during the last two days. There are ways around this by excluding files with a full stop (.) or an underscore (_), characters which are present in the preference files' names but not in the attachments' names, but that might not be true for data stored by plugins. Since having data and attachments in the same directory isn't the recommended solution, and that plugins might have a different syntax for their data files, no example of a script dealing with this situation is provided in this documentation. Make sure that you have backups of the data and test your solution extensively before automating maintenance in a combined data and attachment directory.

Don't use /tmp/ (or a subdirectory thereof) as the attachments directory, even though it might be tempting. It's both safer and easier to use a dedicated directory instead.

Security summary

SquirrelMail will not serve any data on the web without proper authorization. It does, however, rely on your web server not to hand out sensitive data "behind SquirrelMail's back". The most common case would be if your web server indexes your SquirrelMail data directory. As a general rule, you should have auto indexing off on your web server, and turn it on selectively where you need it. For security reasons, it's strongly suggested that you:

  • pick good places outside the web directory tree for the data and attachments to be kept,
  • change the permissions so it is harder for people outside your system to get the files, and
  • read your web server documentation for how to limit/deny access to particular directories.

TODO: Integrate the info below into the text above.


The data directory must be writeable by the web server. Also, the web server needs write and execute permissions on the data and attachment directories. You can do this with:

chmod 300 data
© 1999-2010 by The SquirrelMail Project Team