SECURITY IN VADMIN
-------------------
Security was one of my primary concerns when I was writing
Vadmin. I think I have come up with a pretty decent model, probably
the most one can ask for when password files are to be
readable (and writable) by an apache process.

SECURITY MODEL
--------------
Vadmin stores all its sensitive data in an encrypted format. However,
PHP must be able to decrypt this data in order to be able to operate
vmailmgrd. Here is the solution I have come up with.

We create a special include file for apache, in which we specify the
squirrelmail directory (<Directory> directive). Then we set two
environment variables in that Directory: CRYPTO_HASH_LINE and
MCRYPT_ALGO. The first variable is the symmetric key used by Vadmin
when encrypting and decrypting the stored data, and the second one is
the symmetric MCRYPT encryption algorithm to be used. If it's
"rc4_builtin," then a builtin arc4 implementation will be used.

After we finish with this include file, we set it to be owned by root
and only accessible by root (chmod 0600). When apache starts, it reads this
file before it switches to user apache. After the startup is complete,
this file can no longer be read by any apache process or other process
running as non-root.

The environment variables are only accessible in the squirrelmail
directory, and Vadmin uses them to encrypt data before writing it out
to disk and to decrypt it before using it. All the data saved by Vadmin
at any time is encrypted (with the exception of the picture, but its
md5 is stored in the prefs file, so Vadmin knows when it is replaced
by some other source).

In other words, unless your setup allows arbitrary code to be executed
inside the squirrelmail directory, third parties will not be able to
decrypt or modify the contents of the save files.

[NB: it used to be that only the Vadmin plugin directory itself needed
to be specified, but now it has to be the entire squirrelmail
directory. If that makes you uneasy, make two entries, one pointing to
/usr/share/squirrelmail/src, and another to
/usr/share/squirrelmail/plugins/vadmin. As long as MCRYPT_ALGO and
CRYPTO_HASH_LINE are the same in both <Directory> entries, Vadmin
should work. This significantly limits the amount of code that can
*see* crypto settings, in case there is some overlooked vulnerability
in the squirrelmail code itself, or in one of the plugins that allows
arbitrary PHP execution.]
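An added example of such an include file, using the two-entry layout
from the note above; this is not a file shipped with Vadmin, and the
file path, the SetEnv directive (mod_env) and the key value are
assumptions made here.

```apache
# /etc/httpd/conf.d/vadmin-crypto.conf   (assumed path, pulled in via Include)
#
# chown root:root, chmod 0600: httpd reads this file as root at startup and
# only then switches to the apache user, which can no longer open it.
#
# Both blocks must carry the same two values, as the note above requires.
# The CRYPTO_HASH_LINE value is a constructed placeholder; use a long random
# secret of your own.

<Directory /usr/share/squirrelmail/src>
    SetEnv MCRYPT_ALGO rc4_builtin
    SetEnv CRYPTO_HASH_LINE "REPLACE-WITH-A-LONG-RANDOM-SECRET"
</Directory>

<Directory /usr/share/squirrelmail/plugins/vadmin>
    SetEnv MCRYPT_ALGO rc4_builtin
    SetEnv CRYPTO_HASH_LINE "REPLACE-WITH-A-LONG-RANDOM-SECRET"
</Directory>
```

Any other directory served by the same apache, including the rest of
/usr/share/squirrelmail, sees neither variable.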

SUPERUSER
----------
The superuser is amicably called "elvis". You can configure your
superusers in vadmin.conf. More than one super-user is possible, as
long as you separate them with a comma and a space. E.g.:

[auth]
elvis = albus@hogwarts.jk, minerva@hogwarts.jk

CROSS-ADMINS
-------------
Cross-admins are superusers who can admin more than one domain in a
single login. This is useful for administrators who don't want to
create a login for themselves for every domain they administer.

Cross-admins are stored in an encrypted file cross-admins.v2 in the
root vadmin var directory (/var/lib/vadmin).

Depending on the auth->method defined in vadmin.conf, cross-admins can
either log in using their mailbox password, or with a domain password
for each domain they select. Both methods have their shortcomings and
advantages, so it's up to you which one to choose.
Authentication by mailbox password is more convenient, but is more
easily abused, while authentication by domain password is less
convenient, but limits the "blast area" in case an intruder gets hold
of one of the passwords (however, in return, it provides cross-admins
with system passwords, which is a whole other set of problems).

Elvis can set up cross-admins via the vadmin web interface.
