document cve's

[squirrelmail.git] / INSTALL

diff --git a/INSTALL b/INSTALL
index 11b11d78aeb9a6595e99e36028d019681543ca90..d7d1457c7f79f0a652f0bcc38678da19ea9fc20b 100644 (file)
--- a/INSTALL
+++ b/INSTALL
@@ -69,6 +69,10 @@ Each of these steps is covered in detail below.
     Required for Japanese translation. Optional for translations that
     use non-ISO-8859-1 charset
 
     Required for Japanese translation. Optional for translations that
     use non-ISO-8859-1 charset
 

+  It is highly advised to NOT turn on register_globals, as this can lead
+  to security holes. If you must use register_globals for some applications,
+  turn it on locally for only those directories, or turn it off for the
+  SquirrelMail folder.

   If you want your users to attach files to their mails, make sure
   File Uploads in php.ini is set to On.
 
   If you want your users to attach files to their mails, make sure
   File Uploads in php.ini is set to On.
 


@@ -106,13 +110,14 @@ b. Setting up directories
   directories outside of your web tree.
 
   The data directory is used for storing user preferences, like
   directories outside of your web tree.
 
   The data directory is used for storing user preferences, like

-  signature, name and theme. When unpacking the sources this directory
-  is created as data/ in your SquirrelMail directory. This directory
-  must be writable by the webserver. If your webserver is running as
-  the user "nobody" you can fix this by running:
+  signature, name and theme. You need to create this directory yourself.
+  Recommended location is under /var, for example:
+  /var/local/squirrelmail/data
+  This directory must be writable by the webserver. If your webserver is
+  running as the user "nobody" and group "nobody" you can fix this by
+  running:

 
 

-    $ chown -R nobody data
-    $ chgrp -R nobody data
+    $ chown -R nobody:nobody /path/to/your/datadir

 
   Keep in mind that with different installations, the web server could
   typically run as userid/groupid of nobody/nobody, nobody/nogroup,
 
   Keep in mind that with different installations, the web server could
   typically run as userid/groupid of nobody/nobody, nobody/nogroup,


@@ -134,8 +139,8 @@ b. Setting up directories
     $ chmod 730 SomeDirectory
 
   If you trust all the users on you system not to read mail they are
     $ chmod 730 SomeDirectory
 
   If you trust all the users on you system not to read mail they are

-  not supposed to read change the last line to chmod 777 SomeDirectory
-  or simply use /tmp as you attachments directory.
+  not supposed to read, you can simply use /tmp as you attachments
+  directory.

 
   If a user is aborting a mail but has uploaded some attachments to it
   the files will be lying around in this directory forever if you do not
 
   If a user is aborting a mail but has uploaded some attachments to it
   the files will be lying around in this directory forever if you do not


@@ -143,7 +148,7 @@ b. Setting up directories
   deletes everything in the attachment directory.  Something similar
   to the following will be good enough:
 
   deletes everything in the attachment directory.  Something similar
   to the following will be good enough:
 

-    $ cd /var/attach/directory
+    $ cd /var/local/squirrelmail/attach

     $ rm -f *
 
   However, this will delete attachments that are currently in use by people
     $ rm -f *
 
   However, this will delete attachments that are currently in use by people


@@ -157,18 +162,21 @@ b. Setting up directories
   attachment directory is the same as your data directory) might look like
   this:
 
   attachment directory is the same as your data directory) might look like
   this:
 

-    $ rm `find /var/attach/directory -atime +2 | grep -v "\." | grep -v _`
+    $ rm `find /var/local/squirrelmail/attach -atime +2 | grep -v "\." | grep -v _`

 
   Remember to be careful with whatever method you do use, and to test out
   the command before it potentially wipes out everyone's preferences.
 
 c. Setting up SquirrelMail
 
 
   Remember to be careful with whatever method you do use, and to test out
   the command before it potentially wipes out everyone's preferences.
 
 c. Setting up SquirrelMail
 

-  There are two ways to configure SquirrelMail.  In the config/ directory,
+  There are three ways to configure SquirrelMail.  In the config/ directory,

   there is a perl script called conf.pl that will aid you in the
   configuration process.  This is the recommended way of handling
   the config.
 
   there is a perl script called conf.pl that will aid you in the
   configuration process.  This is the recommended way of handling
   the config.
 

+  There's also a plugin called 'administrator' for the webinterface but you'll
+  have to be able to at least log in to SquirrelMail first.
+

   You can also copy the config/config_default.php file to config/config.php
   and edit that manually.
 
   You can also copy the config/config_default.php file to config/config.php
   and edit that manually.
 


@@ -210,11 +218,11 @@ c. Setting up SquirrelMail
 
   Each translation contains an install script that copies the required files
   into their appropriate locations. If you can't run that script, you can
 
   Each translation contains an install script that copies the required files
   into their appropriate locations. If you can't run that script, you can

-  extract the contents of translation packages into your SquirrelMail
+  extract the contents of a translation package into your SquirrelMail

   directory.
 
   NOTE No.1: *-src.tar.gz, *-src.tar.bz2 and *-src.zip archives do not contain
   directory.
 
   NOTE No.1: *-src.tar.gz, *-src.tar.bz2 and *-src.zip archives do not contain

-  compiled translation files. You will need to run the compilelocales script
+  compiled translation files. You will need to run the "compilelocales" script

   in order to get all gettext binary translations.
 
   NOTE No.2: You might need to restart your webserver before using translations.
   in order to get all gettext binary translations.
 
   NOTE No.2: You might need to restart your webserver before using translations.