include note about password security in security doc

author kink <kink@7612ce4b-ef26-0410-bec9-ea0150e637f0>

Thu, 8 Jun 2006 15:53:54 +0000 (15:53 +0000)

committer kink <kink@7612ce4b-ef26-0410-bec9-ea0150e637f0>

Thu, 8 Jun 2006 15:53:54 +0000 (15:53 +0000)
author kink <kink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Thu, 8 Jun 2006 15:53:54 +0000 (15:53 +0000)
committer kink <kink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Thu, 8 Jun 2006 15:53:54 +0000 (15:53 +0000)
diff --git a/doc/security.txt b/doc/security.txt

index fe20e6afd05ef8f6ce3e955bf395e959445984be..e6eff624f67a30a2e70869f04fa50f2c691c1e41 100644 (file)
--- a/doc/security.txt
+++ b/doc/security.txt
@@ -23,6 +23,12 @@ further improve the security of your webmail system.
    IMAP server. Note that this makes no sense if both are on the same machine.
    See doc/authentication.txt for info.
  
+- config.php. Some options in conf.pl / config.php allow for passwords to
+  be set in that file, e.g. the addressbook/preferences DSN, and LDAP
+  addressbooks. When setting a sensitive password, check that config.php
+  is not readable for untrusted system users, and consider the possibility
+  of it being read by other users of the same webserver.
+
  - Subscribe to the squirrelmail-announce mailinglist to be informed about new
    releases which may fix security bugs. If you run SquirrelMail packaged by
    your distribution, make sure to apply their security upgrades.
author	kink <kink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
	Thu, 8 Jun 2006 15:53:54 +0000 (15:53 +0000)
committer	kink <kink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
	Thu, 8 Jun 2006 15:53:54 +0000 (15:53 +0000)