SECURITY IN VADMIN
-------------------
Security was one of my primary concerns when writing VADMIN. I think
the model below is about as much as one can ask for when password files
have to be readable (and writable) by the apache process.

SECURITY MODEL
--------------
VADMIN stores all of its sensitive data in encrypted form. However, PHP
must be able to decrypt that data in order to operate vmailmgrd. Here is
the solution I have come up with.

We create a special include file for apache containing a <Directory>
block for the directory where the vadmin files are located. Inside that
block we set two environment variables (with SetEnv): CRYPTO_HASH_LINE,
the symmetric key VADMIN uses to encrypt and decrypt the stored data, and
MCRYPT_ALGO, the symmetric MCRYPT cipher it uses to do so.

Once this include file is written, we make it owned by root and
accessible only by root (chmod 0600). Apache reads it at startup, while
the parent process is still root, before it switches to user nobody.
After startup has completed, the file can no longer be read by any
apache process or other process running as non-root. Note what this
protects and what it does not: the key is not on disk where the apache
user can read it, but every apache child inherits it in memory and any
PHP script served from the vadmin directory can read it, so the model
guards against a filesystem read, not against code that already runs
inside apache as nobody.

[If you are extra paranoid, you can keep the file encrypted between
apache restarts and write a script that decrypts it right before apache
starts and re-encrypts it once startup has completed, but that is too
much for me. ;)]

The environment variables are only set for requests into the vadmin
plugin directory. VADMIN uses them to encrypt data before writing it out
to disk and to decrypt it before use. The data it stores is the domain
passwords (in a file under VADMIN_DIR) and the session data, which PHP
keeps in /tmp in clear text by default and which therefore has to be
encrypted so that other local users cannot eavesdrop on it.
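
As an added example (not part of VADMIN's distribution), here is a
script that writes the include file described above and checks its
permissions afterwards. The plugin directory /var/www/html/vadmin, the
output path /etc/httpd/conf/vadmin.conf and the mcrypt cipher name
rijndael-256 are assumptions of mine, as is storing the key as hex.

```sh
#!/bin/sh
# Added example, not part of VADMIN: generate the root-only apache include
# file described above and audit it.  Assumed (my choices, not VADMIN's):
# the plugin lives in /var/www/html/vadmin, the include is written to
# /etc/httpd/conf/vadmin.conf, and "rijndael-256" is the mcrypt cipher
# name given to MCRYPT_ALGO.  Both paths are parameters.

set -e

# gen_key: print a fresh 256-bit key as 64 hex digits.  Hex keeps the
# SetEnv value free of quotes, spaces and newlines that would break the
# apache config parser or silently truncate the key.
gen_key() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_include OUTFILE PLUGIN_DIR KEY ALGO
# Write the <Directory> block with its two SetEnv lines.  The file is
# created under umask 077 so it is never world-readable, not even between
# creation and the chmod.  Run as root so the owner is root: apache's
# parent reads the file while still root, before it drops to nobody.
write_include() {
    out=$1; dir=$2; key=$3; algo=$4
    old_umask=$(umask)
    umask 077
    cat > "$out" <<EOF
<Directory "$dir">
    SetEnv CRYPTO_HASH_LINE "$key"
    SetEnv MCRYPT_ALGO "$algo"
</Directory>
EOF
    umask "$old_umask"
    chmod 0600 "$out"
}

# perm_string PATH: the ls-style mode, e.g. "-rw-------" (works on GNU
# and BSD userlands alike, unlike stat -c).
perm_string() { ls -ld "$1" | cut -c1-10; }

# owner_of PATH: the owning user name.
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# include_mode_ok FILE: 0 iff the mode is exactly 0600.
include_mode_ok() {
    case $(perm_string "$1") in
        ?rw-------) return 0 ;;
        *)          return 1 ;;
    esac
}

# include_value FILE NAME: the value apache will export for SetEnv NAME,
# so you can audit what key is actually being handed to PHP.
include_value() {
    sed -n "s/^[[:space:]]*SetEnv $2 \"\\(.*\\)\"\$/\\1/p" "$1"
}

# check_include FILE: report owner and mode; 0 iff root-owned and 0600.
check_include() {
    f=$1
    echo "$f: owner $(owner_of "$f"), mode $(perm_string "$f")"
    include_mode_ok "$f" || { echo "  mode must be 0600" >&2; return 1; }
    [ "$(owner_of "$f")" = root ] || { echo "  owner must be root" >&2; return 1; }
}

main() {
    out=${1:-/etc/httpd/conf/vadmin.conf}
    dir=${2:-/var/www/html/vadmin}
    write_include "$out" "$dir" "$(gen_key)" rijndael-256
    check_include "$out"
}

# Only touch /etc when invoked with arguments; sourcing the file for
# tests runs nothing.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root (sh vadmin-include.sh OUTFILE [PLUGIN_DIR]), Include the
resulting file from httpd.conf and restart apache. check_include fails
if the file is readable by anyone but root, which is the one property
the model depends on.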

FILE PERMISSIONS
-----------------
As said above, the apache include file is owned by root and readable only
by root. VADMIN uses several other files as well. During setup, a special
directory is created outside the document root (default /var/vadmin).
This directory is owned by root and has this structure:

/var/vadmin (root/root)
 |->domain.com (root/root)
 |   |->admins (root/root)
 |   |->passwd (nobody/nogroup)
 |   |->pic    (nobody/nogroup)
 |   \->prefs  (nobody/nogroup)
 |->domain2.com (root/root)
 |->...
 \->cross-admins (root/root)
     |->admin@domain.com (root/root)
     |->admin2@domain2.com (root/root)
     \->...

All files are readable by apache, but only passwd, pic and prefs are
writable by it. passwd holds the encrypted password of the domain; it is
acceptable for this file to be apache-writable because it is encrypted:
VADMIN checks whether the decrypted value is a valid password and
discards it if it is not, so someone writing as the apache user can
destroy the stored password but cannot forge one without the key. pic
holds a customized login picture and prefs the other customization
preferences.

The admins file lists the user logins allowed to administer that domain
(and only that domain). It is writable only by root, so to manage admins
you use one of the provided shell scripts.
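
An added example, not VADMIN's own setup code: a script that lays out
one domain under /var/vadmin with the ownership shown above and audits
the whole tree for anything that breaks the rules. The document gives
owners but no octal modes; 0755 for directories, 0644 for files and the
PRIV_*/WEB_* variables are my assumptions.

```sh
#!/bin/sh
# Added example, not part of VADMIN: create one domain under the tree
# described above and audit the tree for anything that breaks the
# ownership rules.  The document states only who may read and write each
# file; the octal modes (0755 directories, 0644 files) and the variables
# below are my choices.

set -e

PRIV_USER=${PRIV_USER:-root}        # owns the tree, admins and cross-admins
PRIV_GROUP=${PRIV_GROUP:-root}
WEB_USER=${WEB_USER:-nobody}        # the user apache switches to
WEB_GROUP=${WEB_GROUP:-nogroup}
WEB_WRITABLE="passwd pic prefs"     # the only files apache may write

# add_domain ROOT DOMAIN: create ROOT/DOMAIN with its four files.  Run as
# root so the chowns take effect.  Existing files are left alone so a
# re-run never truncates an admins list or a stored password.
add_domain() {
    root=$1; d=$1/$2
    mkdir -p "$root/cross-admins" "$d"
    chmod 0755 "$root" "$root/cross-admins" "$d"
    [ -f "$d/admins" ] || : > "$d/admins"
    chmod 0644 "$d/admins"
    chown "$PRIV_USER:$PRIV_GROUP" "$root" "$root/cross-admins" "$d" "$d/admins"
    for f in $WEB_WRITABLE; do
        [ -f "$d/$f" ] || : > "$d/$f"
        chmod 0644 "$d/$f"
        chown "$WEB_USER:$WEB_GROUP" "$d/$f"
    done
}

# ls-based helpers, portable to GNU and BSD userlands.
perm_string() { ls -ld "$1" | cut -c1-10; }
owner_of()    { ls -ld "$1" | awk '{print $3}'; }

# expected_owner ROOT PATH: who should own PATH.  Only the three
# apache-writable files inside a domain directory belong to WEB_USER; a
# cross-admin file that happens to be named "passwd" is still root's.
expected_owner() {
    case $2 in
        "$1"/cross-admins/*) echo "$PRIV_USER" ;;
        "$1"/*/passwd|"$1"/*/pic|"$1"/*/prefs) echo "$WEB_USER" ;;
        *) echo "$PRIV_USER" ;;
    esac
}

# audit_tree ROOT: print one line per violation (nothing if the tree is
# clean).  A group- or world-writable admins or cross-admin file would let
# the apache user grant itself administration rights, so writability by
# anyone but the owner is flagged everywhere, and every owner is checked
# against expected_owner.
audit_tree() {
    root=$1
    find "$root" | while read -r p; do
        mode=$(perm_string "$p")
        case $mode in
            ?????w????|????????w?) echo "$p: group- or world-writable ($mode)" ;;
        esac
        want=$(expected_owner "$root" "$p")
        have=$(owner_of "$p")
        [ "$have" = "$want" ] || echo "$p: owned by $have, expected $want"
    done
}

# tree_ok ROOT: 0 iff audit_tree reports nothing.
tree_ok() { [ -z "$(audit_tree "$1")" ]; }

# usage: sh vadmin-tree.sh ROOT DOMAIN...   (then audits ROOT)
if [ $# -gt 0 ]; then
    root=$1; shift
    for dom in "$@"; do add_domain "$root" "$dom"; done
    audit_tree "$root"
fi
```

Running audit_tree from cron is a cheap way to notice when someone has
loosened a mode or chowned a file to fix a "permission denied" in a
hurry, which is the usual way a model like this erodes.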

CROSS-ADMINS
-------------
Cross-admins are superusers who can administer more than one domain in a
single login. This is useful for administrators who do not want to create
a separate login for every domain they administer.

Every cross-admin has a file in the cross-admins directory named after
their login handle. That file lists the domains the cross-admin may
administer, or contains just the single word "elvis" if this is a
super-user who may administer ALL virtual domains.

Depending on $VADMIN_CROSS_ADMINS_AUTH_METHOD in vadmin_config.php,
cross-admins log in either with their mailbox password or with the
domain password of each domain they select. Both methods have their
advantages and shortcomings, so which one to use is up to you.
Authentication by mailbox password is more convenient but more easily
abused; authentication by domain password is less convenient but limits
the blast radius if an intruder gets hold of one of the passwords
(in return, it hands cross-admins the system passwords, which is a whole
other set of problems).

Since it makes sense to require HTTPS when dealing with cross-admins,
this can be turned on in vadmin_config.php (and during the initial
setup). With this flag on, any cross-admin logging in over cleartext
HTTP is denied access.

You can manage cross-admins either by hand or with the simple shell
scripts provided in the "scripts" directory.
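
An added example, not one of the scripts shipped in "scripts": shell
functions that read a cross-admin file as described above and decide
whether a handle may administer a given domain. Two things go beyond the
text and are my assumptions: the file format (one domain per line, blank
lines ignored) and the handle check, which matters because the handle is
used directly as a file name under cross-admins and so must not be able
to name a path outside that directory.

```sh
#!/bin/sh
# Added example, not one of VADMIN's own scripts: read the cross-admins
# files described above and answer "may HANDLE administer DOMAIN?".
# Assumed file format (the text only says "a listing of domains"): one
# domain per line, blank lines ignored, or the single word "elvis" meaning
# every domain.  The handle check is my addition: the login handle becomes
# a file name, so it must not be able to escape the cross-admins directory.

set -e

# valid_handle HANDLE: 0 iff HANDLE is safe to use as a file name under
# cross-admins.  Rejects empty names, anything starting with a dot (".",
# "..", hidden files), anything containing "/", and characters outside
# [A-Za-z0-9._@-].
valid_handle() {
    case $1 in
        ''|.*|*/*|*[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# cross_admin_domains DIR HANDLE: print the handle's domain list, lower
# cased and trimmed, or fail if the handle is invalid or has no file.
cross_admin_domains() {
    valid_handle "$2" || return 1
    f=$1/$2
    [ -f "$f" ] || return 1
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$f" \
        | grep -v '^$' | tr '[:upper:]' '[:lower:]'
}

# cross_admin_may DIR HANDLE DOMAIN: 0 iff HANDLE may administer DOMAIN.
# Only a file consisting of exactly "elvis" grants everything; "elvis"
# mixed in with domain names is treated as a (nonexistent) domain.
cross_admin_may() {
    list=$(cross_admin_domains "$1" "$2") || return 1
    want=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    [ -n "$want" ] || return 1
    [ "$list" = elvis ] && return 0
    printf '%s\n' "$list" | grep -qxF -- "$want"
}

# add_cross_admin DIR HANDLE DOMAIN...: create or extend a cross-admin
# file.  Run as root; the file stays root-owned and 0644 so apache can
# read it but never write it.
add_cross_admin() {
    dir=$1; handle=$2; shift 2
    valid_handle "$handle" || { echo "refusing handle: $handle" >&2; return 1; }
    f=$dir/$handle
    for d in "$@"; do printf '%s\n' "$d"; done >> "$f"
    chmod 0644 "$f"
}

# usage: sh cross-admins.sh DIR HANDLE DOMAIN
if [ $# -eq 3 ]; then
    if cross_admin_may "$1" "$2" "$3"; then
        echo "$2 may administer $3"
    else
        echo "$2 may NOT administer $3"; exit 1
    fi
fi
```

Domain comparison is case-insensitive because DNS names are, which
avoids a cross-admin for Domain.com being refused for domain.com; the
handle itself is compared exactly, since it is a file name.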
