FS#55689 - [roundcubemail] Passwords in config.inc.php are readable by others
Attached to Project:
Community Packages
Opened by Martin Schulze (schulmar) - Wednesday, 20 September 2017, 11:45 GMT
Last edited by Sergej Pupykin (sergej) - Thursday, 19 April 2018, 13:04 GMT
Details
Description:
/etc/webapps/roundcubemail/config/config.inc.php has the owner root:root and permissions rw-rw-r. This file likely contains passwords for database access that should not be readable by unprivileged users.

I propose to change the permissions according to the model of e.g. the nextcloud webapp package: config/ and its contents will be owned by http:http and others will have no (read) permissions on config.inc.php.

Steps to reproduce:
- install the package
Closed by Sergej Pupykin (sergej)
Thursday, 19 April 2018, 13:04 GMT
Reason for closing: Fixed
Additional comments about closing: in svn/trunk only
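
A check for the condition this task reports, as an added example that is not part of the original task or of the package: a POSIX shell function that flags a secrets file accessible to others and, optionally, a group other than the expected one. It assumes GNU `stat`; `check_secret_file` is a hypothetical name and the demo file is constructed.

```shell
#!/bin/sh
# Added example (not from the package). Assumes GNU coreutils `stat -c`.
# check_secret_file is a hypothetical helper name.
#
# Usage: check_secret_file FILE [EXPECTED_GROUP]
#   returns 0 if "others" have no access (and the group matches, if given),
#           1 if a finding was printed, 2 if FILE does not exist.
check_secret_file() {
    file=$1
    want_group=${2:-}
    [ -e "$file" ] || { echo "MISSING $file"; return 2; }

    mode=$(stat -c '%a' "$file")     # octal mode, e.g. 664
    owner=$(stat -c '%U' "$file")
    group=$(stat -c '%G' "$file")
    other=$((mode % 10))             # last octal digit = bits for "others"
    rc=0

    if [ "$other" -ne 0 ]; then
        echo "FAIL $file: mode $mode gives others access (digit $other)"
        rc=1
    fi
    if [ -n "$want_group" ] && [ "$group" != "$want_group" ]; then
        echo "FAIL $file: group is $group, expected $want_group"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK   $file: $mode $owner:$group"; fi
    return "$rc"
}

# Demo on a constructed file; on a real system the call would be e.g.
#   check_secret_file /etc/webapps/roundcubemail/config/config.inc.php http
demo_dir=$(mktemp -d)
demo_file=$demo_dir/config.inc.php
printf '%s\n' "<?php // constructed sample, no real credentials" > "$demo_file"
chmod 664 "$demo_file"; check_secret_file "$demo_file" || true   # flagged
chmod 640 "$demo_file"; check_secret_file "$demo_file" || true   # passes
rm -rf "$demo_dir"
```
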
I'm also unsure why the package ignores the UID/GID database and creates several packaged directories which are later chown'ed to http:http in post_install ...
I am not sure how to proceed here. This file is needed so each user will have to create it.
The owner/group settings prevent it from being directly usable with the default webserver user without setting read access for others or extra permissions via setfacl.