SUPERADMIN.txt:

- replace SQL instructions to create a superadmin with a note about setup.php SECURITY.txt: - add a note about permissions needed by setup.php - add note about templates_c directory git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1157 a1433add-5e2c-0410-b055-b7f2511e0802
14 years ago · 3556e4bfda
parent 0656852d4e
commit 3556e4bfda
2 changed files with 12 additions and 26 deletions
--- a/DOCUMENTS/SECURITY.txt
+++ b/DOCUMENTS/SECURITY.txt
@ -23,6 +23,11 @@ You may wish to consider the following :
    the vacation_notification table (and read alias and vacation).
 3. PostfixAdmin itself needs to be able to READ and WRITE to 
    all the tables.
+ 4. PostfixAdmin's setup.php additionally needs permissions to CREATE
+    and ALTER tables in the PostfixAdmin database. For PostgreSQL, also
+	permissions for CREATE FUNCTION and CREATE TRIGGER are needed.
+	In other words: setup.php needs all permissions on the PostfixAdmin
+	database.

 Using the above, you can improve security by creating separate 
 database user accounts for each of the above roles, and limit 
@ -33,5 +38,7 @@ FILE SYSTEM SECURITY
 --------------------

 PostfixAdmin does not require write support on the underlying 
-filesystem - aside from PHP creating session files.
+filesystem with the following exceptions:
+- the templates_c directory where Smarty caches the templates
+- PHP's session.save_path to store session files

--- a/DOCUMENTS/SUPERADMIN.txt
+++ b/DOCUMENTS/SUPERADMIN.txt
@ -9,29 +9,8 @@ With that login you can create new superadmins (and you should delete or change
 password of  admin@domain.tld). If that user is no longer there or you didn't use
 the .TXT files, you could add another manually from the database. 

-(The example uses MySQL, the syntax will be similar for PostgreSQL)
+In case you forgot your superadmin username or password, you can create a new
+superadmin account using setup.php.

-# mysql 
-Welcome to the MySQL monitor. Commands end with ; or \g. 
-Your MySQL connection id is 8186 to server version: 5.0.27 
- 
-Type 'help;' or '\h' for help. Type '\c' to clear the buffer. 
- 
-mysql> use postfix 
-Reading table information for completion of table and column names 
-You can turn off this feature to get a quicker startup with -A 
- 
-Database changed 
-mysql> INSERT INTO domain_admins (username, domain, active) VALUES ('new@domain.tld','ALL','1'); 
-Query OK, 1 row affected (0.00 sec) 
- 
-mysql> INSERT INTO admin (username, password, active) VALUES ('new@domain.tld','$1$0fec9189$bgI6ncWrldPOsXnkUBIjl1','1'); 
-Query OK, 1 row affected (0.00 sec) 
- 
-mysql> exit 
-Bye 
- 
-Then you can log in as new@domain.tld, password: admin 
-
-
-(The domain 'ALL' should already exist in the domain table; if not you'll need to recreate it)
+If you also have forgotten your setup password, you can use setup.php to configure
+a new setup password.