Addition/Secure.Your.Exist.iRedAdmin
From iRedMail
(→Create a new system account) |
(→Verify it) |
||
| Line 63: | Line 63: | ||
= Verify it = | = Verify it = | ||
| - | + | On Linux/OpenBSD, you can simply use '''top -u iredadmin''' command to verify it. On FreeBSD, please use '''top -Uiredadmin''' instead. | |
{{cmd|<pre> | {{cmd|<pre> | ||
# | # | ||
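Review bot: the sentence added under "= Verify it =" names OpenBSD alongside Linux, but the account-creation and path steps on this page cover only Linux and FreeBSD, so an OpenBSD reader has no matching instructions; either drop OpenBSD from the sentence or add the corresponding steps. The sentence also does not say what a successful check looks like; state that the Apache processes serving iRedAdmin should be listed under the iredadmin user, as in the sample output that follows it.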
Current revision as of 14:26, 19 March 2013
If you already have iRedAdmin installed, either iRedAdmin-Pro or the open source edition, you can secure it by following the tutorial below.
Create a new system account
We will run iRedAdmin under the Apache web server, but as a dedicated low-privilege user, iredadmin, instead of the Apache user.
| Terminal: |
#
# ---- On Linux ----
#
# useradd -s /sbin/nologin -m -d /home/iredadmin iredadmin

#
# ---- On FreeBSD ----
#
# pw useradd -s /sbin/nologin -d /home/iredadmin -m -n iredadmin

Note: Don't forget the -m flag, which creates the home directory; otherwise Apache can't chroot the process to this directory.
Configure Apache
Edit the Apache config file of iRedAdmin so that iRedAdmin runs as user 'iredadmin'. File location on different distributions:
- RHEL/CentOS: /etc/httpd/conf.d/iredadmin.conf
- Debian/Ubuntu: /etc/apache2/conf.d/iredadmin.conf
- FreeBSD: /usr/local/etc/apache22/Includes/iredadmin.conf
| File: iredadmin.conf |
WSGISocketPrefix /var/run/wsgi
WSGIDaemonProcess iredadmin user=iredadmin threads=15
WSGIProcessGroup iredadmin
Change file permissions
Change the current directory to the Apache server root directory:
| Terminal: |
#
# ---- On RHEL/CentOS ----
#
# cd /var/www/

#
# ---- On Debian/Ubuntu ----
#
# cd /usr/share/apache2/

#
# ---- On FreeBSD ----
#
# cd /usr/local/www/
Change file permissions:
| Terminal: |
# chown -R iredadmin:iredadmin iRedAdmin-x.y.z
# chmod -R 0755 iRedAdmin-x.y.z
# chmod 0600 iRedAdmin-x.y.z/settings.ini
Restart Apache
Restart Apache for the changes to take effect.
Verify it
On Linux/OpenBSD, you can use the command top -u iredadmin to verify it. On FreeBSD, use top -Uiredadmin instead.
| Terminal: |
#
# ---- Sample output ----
#
# top -u iredadmin
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 3978 iredadmi  25   0  458m 7052 1028 S  0.0  1.4   0:00.00 httpd
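The top check confirms the process owner; the script below is an added example (not part of the original tutorial or of iRedAdmin) that audits the ownership and modes set in "Change file permissions" using portable find tests. The function name audit_iredadmin and the constructed demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not iRedAdmin code: audit what the tutorial's chown/chmod set.
# audit_iredadmin DIR OWNER prints findings; returns 0 if clean, 1 otherwise.
audit_iredadmin() {
    dir=$1 owner=$2 rc=0
    if [ ! -f "$dir/settings.ini" ]; then
        echo "MISSING: $dir/settings.ini"; return 1
    fi
    # settings.ini must be exactly 0600, as set by the tutorial.
    if [ -z "$(find "$dir/settings.ini" -perm 0600)" ]; then
        echo "MODE: $dir/settings.ini is not 0600"; rc=1
    fi
    # Everything in the tree must belong to the dedicated account.
    # find exits non-zero when OWNER is not a known user name.
    if ! bad=$(find "$dir" ! -user "$owner" 2>/dev/null); then
        echo "ACCOUNT: cannot check owner $owner (no such user?)"; return 1
    fi
    if [ -n "$bad" ]; then
        echo "OWNER: not owned by $owner:"; echo "$bad"; rc=1
    fi
    # After chmod -R 0755 nothing is group- or world-writable.
    bad=$(find "$dir" ! -type l \( -perm -0020 -o -perm -0002 \))
    if [ -n "$bad" ]; then
        echo "WRITABLE: group/world-writable:"; echo "$bad"; rc=1
    fi
    return $rc
}

# Constructed demo tree (stands in for iRedAdmin-x.y.z), owned by the
# numeric uid of whoever runs this script.
demo=$(mktemp -d)
mkdir "$demo/libs"; : > "$demo/settings.ini"; : > "$demo/libs/a.py"
chmod -R 0755 "$demo"; chmod 0644 "$demo/settings.ini"
audit_iredadmin "$demo" "$(id -u)" || echo "=> fix with: chmod 0600 settings.ini"
chmod 0600 "$demo/settings.ini"
audit_iredadmin "$demo" "$(id -u)" && echo "=> clean"
rm -rf "$demo"
```

On a real host, run it as root with the installed directory and the account from this tutorial, for example audit_iredadmin /var/www/iRedAdmin-x.y.z iredadmin on RHEL/CentOS.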
Credits
We'd like to thank supanji12@YouTube for his/her great video tutorial: http://www.youtube.com/watch?v=o285XYJTGQw
