diff options
| author | Jakub Jirutka <jakub@jirutka.cz> | 2018-07-27 14:40:29 +0200 |
|---|---|---|
| committer | Jakub Jirutka <jakub@jirutka.cz> | 2018-07-27 15:30:37 +0200 |
| commit | 1d6c1025d8d5fa9787fa3632bc7bc1fa357e62f1 (patch) | |
| tree | 3cb6b9bc8ade1f3cd6ab68b40772381293480776 /community | |
| parent | 5fe974d357db25cfea207d327fe3ad92dcedaca8 (diff) | |
| download | aports-1d6c1025d8d5fa9787fa3632bc7bc1fa357e62f1.tar.bz2 aports-1d6c1025d8d5fa9787fa3632bc7bc1fa357e62f1.tar.xz | |
community/roundcubemail: more secure privileges, prefer php-fpm
If the user want to run Roundcube with "traditional", quite insecure
and silly method by running PHP apps with web server (e.g. Apache2
mod_php) under web server's user, (s)he still can, but have to change
group of config files or add web server's user to group roundcube.
This is announced by message in post-upgrade script.
The -openrc subpackage is now installed by default when openrc is
installed, which should promote running Roundcube using php-fpm.
Diffstat (limited to 'community')
4 files changed, 22 insertions, 13 deletions
diff --git a/community/roundcubemail/APKBUILD b/community/roundcubemail/APKBUILD index a72dadb73d..618976dc37 100644 --- a/community/roundcubemail/APKBUILD +++ b/community/roundcubemail/APKBUILD @@ -35,8 +35,13 @@ makedepends="$_depends_managesieve" pkgusers="roundcube" pkggroups="$pkgusers" options="!check" # no tests provided -install="$pkgname.pre-install $pkgname.post-install $pkgname.post-upgrade - $pkgname-openrc.post-install $pkgname-pgsql.post-install" +install="$pkgname.pre-install + $pkgname.post-install + $pkgname.post-upgrade + $pkgname-installer.post-install + $pkgname-openrc.post-install + $pkgname-pgsql.post-install + " subpackages="$pkgname-installer $pkgname-openrc $pkgname-doc" source="https://github.com/roundcube/$pkgname/releases/download/$pkgver/$pkgname-$pkgver-complete.tar.gz fix-dirs.patch @@ -115,7 +120,7 @@ package() { mv ./$_destdir/config ./etc/roundcube mkdir ./etc/roundcube/plugins - install -m 644 -o roundcube -g roundcube \ + install -m 640 -g roundcube \ "$srcdir"/config.inc.php ./etc/roundcube/ local file; for file in CHANGELOG INSTALL README.md UPGRADING; do @@ -149,6 +154,7 @@ installer() { } openrc() { + default_openrc pkgdesc="OpenRC init script that runs Roundcube with php-fpm" depends="$pkgname=$pkgver-r$pkgrel $_php-fpm" diff --git a/community/roundcubemail/roundcubemail-installer.post-install b/community/roundcubemail/roundcubemail-installer.post-install new file mode 100644 index 0000000000..8cd22c19e6 --- /dev/null +++ b/community/roundcubemail/roundcubemail-installer.post-install @@ -0,0 +1,6 @@ +#!/bin/sh + +# Allow installer to modify the config. +chown roundcube /etc/roundcube/config.inc.php + +exit 0 diff --git a/community/roundcubemail/roundcubemail-openrc.post-install b/community/roundcubemail/roundcubemail-openrc.post-install index cfce997525..f674611211 100644 --- a/community/roundcubemail/roundcubemail-openrc.post-install +++ b/community/roundcubemail/roundcubemail-openrc.post-install @@ -1,9 +1,5 @@ #!/bin/sh -# When don't need (and should not) to let sensitive files readable by www-data -# group when running with php-fpm. -chown roundcube:roundcube /etc/roundcube/session_key - cat >&2 <<EOF * * Point your web server to /run/roundcube/fastcgi.sock and start Roundcube with diff --git a/community/roundcubemail/roundcubemail.post-install b/community/roundcubemail/roundcubemail.post-install index 1774e77a1a..e5da23494d 100644 --- a/community/roundcubemail/roundcubemail.post-install +++ b/community/roundcubemail/roundcubemail.post-install @@ -7,12 +7,7 @@ if ! [ -e "$keyfile" ]; then { head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24 && echo ''; } > "$keyfile" chmod 440 "$keyfile" - - # This is for silly and insecure type of installation when Roundcube - # is run under Apache with Apache's privileges instead of separate - # user. Just for backward compatibility. - # Ignore if group www-data does not exist. - chgrp www-data "$keyfile" 2>/dev/null || true + chgrp roundcube "$keyfile" fi if [ "${0##*.}" = 'post-upgrade' ]; then @@ -29,6 +24,12 @@ if [ "${0##*.}" = 'post-upgrade' ]; then if [ "$(apk version -t "$ver_old" '1.3.6-r1')" = '<' ]; then cat >&2 <<-EOF * + * If you run Roundcube with web server's privileges, e.g. using Apache2 + * mod_php (which is highly not recommended due to security reasons!), you + * have to change config permissions (or add user apache to group roundcube): + * + * chgrp www-data /etc/roundcube/* + * * Roundcube plugins managesieve and zipdownload has been moved into * subpackages. If you use them, install roundcubemail-<plugin> using apk * (e.g. apk add roundcubemail-zipdownload). |