FS#55689 - [roundcubemail] Passwords in config.inc.php are readable by others

Attached to Project: Community Packages
Opened by Martin Schulze (schulmar) - Wednesday, 20 September 2017, 11:45 GMT
Last edited by Sergej Pupykin (sergej) - Thursday, 19 April 2018, 13:04 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Sergej Pupykin (sergej)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
/etc/webapps/roundcubemail/config/config.inc.php has the owner root:root permissions rw-rw-r.
This file likely contains passwords for database access that should not be readable by unprivileged users.
I propose to change the permissions according to the model of e.g. the nextcloud webapp package:
config/ and its contents will be owned by http:http and others will have no (read) permissions on config.inc.php

Steps to reproduce:
- install the package
This task depends upon

Closed by  Sergej Pupykin (sergej)
Thursday, 19 April 2018, 13:04 GMT
Reason for closing:  Fixed
Additional comments about closing:  in svn/trunk only
Comment by Eli Schwartz (eschwartz) - Wednesday, 20 September 2017, 12:55 GMT
That file does not appear to be packaged at all, it is probably just inheriting the default umask when the user creates it, and remains readable because of the directory permissions of /etc/webapps/roundcubemail/.

I'm also unsure why the package ignores the UID/GID database and creates several packaged directories which are later chown'ed to http:http in post_install ...
Comment by Martin Schulze (schulmar) - Wednesday, 20 September 2017, 13:10 GMT
You're right. That file is not in the package. I likely copied it from the sample file, which has the same permissions.
I am not sure how to proceed here. This file is needed so each user will have to create it.
The owner/group settings prevent it from being directly usable with the default webserver user without setting read access for others or extra permissions via setfacl.

Loading...