SECURITY.txt: Adding

git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@329 a1433add-5e2c-0410-b055-b7f2511e0802
18 years ago · 5b2bc3c475
parent 45ee01a551
commit 5b2bc3c475
1 changed files with 37 additions and 0 deletions
--- a/DOCUMENTS/SECURITY.txt
+++ b/DOCUMENTS/SECURITY.txt
@ -0,0 +1,37 @@
+Security and PostfixAdmin
+-------------------------
+
+While the developers of PostfixAdmin believe the software to be 
+secure, there is no guarantee that it will continue to do be so
+in the future - especially as new types of exploit are discovered.
+(After all, this software is without warranty!)
+
+In the event you do discover a vulnerability in this software,
+please report it to the development mailing list, or contact 
+one of the developers directly.
+
+
+
+
+DATABASE USER SECURITY
+----------------------
+
+You may wish to consider the following :
+
+ 1. Postfix only requires READ access to the database tables.
+ 2. The virtual vacation support (if used) only needs to WRITE to 
+    the vacation_notification table (and read alias and vacation).
+ 3. PostfixAdmin itself needs to be able to READ and WRITE to 
+    all the tables.
+
+Using the above, you can improve security by creating separate 
+database user accounts for each of the above roles, and limit 
+the permissions available to them as appropriate.
+
+
+FILE SYSTEM SECURITY
+--------------------
+
+PostfixAdmin does not require write support on the underlying 
+filesystem - aside from PHP creating session files.
+