Community Packages

Please read this before reporting a bug:
http://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#55689 - [roundcubemail] Passwords in config.inc.php are readable by others

Attached to Project: Community Packages
Opened by Martin Schulze (schulmar) - Wednesday, 20 September 2017, 11:45 GMT
Last edited by Eli Schwartz (eschwartz) - Wednesday, 20 September 2017, 12:55 GMT
Task Type Bug Report
Category Security
Status Assigned
Assigned To Sergej Pupykin (sergej)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No

Details

Description:
/etc/webapps/roundcubemail/config/config.inc.php has the owner root:root permissions rw-rw-r.
This file likely contains passwords for database access that should not be readable by unprivileged users.
I propose to change the permissions according to the model of e.g. the nextcloud webapp package:
config/ and its contents will be owned by http:http and others will have no (read) permissions on config.inc.php

Steps to reproduce:
- install the package
This task depends upon

Comment by Eli Schwartz (eschwartz) - Wednesday, 20 September 2017, 12:55 GMT
That file does not appear to be packaged at all, it is probably just inheriting the default umask when the user creates it, and remains readable because of the directory permissions of /etc/webapps/roundcubemail/.

I'm also unsure why the package ignores the UID/GID database and creates several packaged directories which are later chown'ed to http:http in post_install ...
Comment by Martin Schulze (schulmar) - Wednesday, 20 September 2017, 13:10 GMT
You're right. That file is not in the package. I likely copied it from the sample file, which has the same permissions.
I am not sure how to proceed here. This file is needed so each user will have to create it.
The owner/group settings prevent it from being directly usable with the default webserver user without setting read access for others or extra permissions via setfacl.

Loading...