authorJakub Jirutka <jakub@jirutka.cz>2018-07-27 14:40:29 +0200
committerJakub Jirutka <jakub@jirutka.cz>2018-07-27 15:30:37 +0200
commit1d6c1025d8d5fa9787fa3632bc7bc1fa357e62f1 (patch)
tree3cb6b9bc8ade1f3cd6ab68b40772381293480776 /community
parent5fe974d357db25cfea207d327fe3ad92dcedaca8 (diff)
community/roundcubemail: more secure privileges, prefer php-fpm
If the user wants to run Roundcube in the "traditional", quite insecure and silly way, i.e. running PHP apps inside the web server (e.g. Apache2 mod_php) under the web server's user, (s)he still can, but has to change the group of the config files or add the web server's user to the group roundcube. This is announced by a message in the post-upgrade script. The -openrc subpackage is now installed by default when openrc is installed, which should promote running Roundcube with php-fpm.
Diffstat (limited to 'community')
-rw-r--r--community/roundcubemail/APKBUILD12
-rw-r--r--community/roundcubemail/roundcubemail-installer.post-install6
-rw-r--r--community/roundcubemail/roundcubemail-openrc.post-install4
-rw-r--r--community/roundcubemail/roundcubemail.post-install13
4 files changed, 22 insertions, 13 deletions
diff --git a/community/roundcubemail/APKBUILD b/community/roundcubemail/APKBUILD
index a72dadb73d..618976dc37 100644
--- a/community/roundcubemail/APKBUILD
+++ b/community/roundcubemail/APKBUILD
@@ -35,8 +35,13 @@ makedepends="$_depends_managesieve"
pkgusers="roundcube"
pkggroups="$pkgusers"
options="!check" # no tests provided
-install="$pkgname.pre-install $pkgname.post-install $pkgname.post-upgrade
- $pkgname-openrc.post-install $pkgname-pgsql.post-install"
+install="$pkgname.pre-install
+ $pkgname.post-install
+ $pkgname.post-upgrade
+ $pkgname-installer.post-install
+ $pkgname-openrc.post-install
+ $pkgname-pgsql.post-install
+ "
subpackages="$pkgname-installer $pkgname-openrc $pkgname-doc"
source="https://github.com/roundcube/$pkgname/releases/download/$pkgver/$pkgname-$pkgver-complete.tar.gz
fix-dirs.patch
@@ -115,7 +120,7 @@ package() {
mv ./$_destdir/config ./etc/roundcube
mkdir ./etc/roundcube/plugins
- install -m 644 -o roundcube -g roundcube \
+ install -m 640 -g roundcube \
"$srcdir"/config.inc.php ./etc/roundcube/
local file; for file in CHANGELOG INSTALL README.md UPGRADING; do
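Review bot: The new `install -m 640 -g roundcube` line drops `-o roundcube`, so the owner of config.inc.php becomes whatever the packaging step runs as (presumably root), and a reader of package() has to look at the separate -installer post-install script to understand why owner and mode changed. A one-line comment above the install call would make the intent explicit, e.g. `# root-owned, readable by group roundcube only; the -installer subpackage chowns it to roundcube so the web installer can write it`. package() itself starts before this hunk.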
@@ -149,6 +154,7 @@ installer() {
}
openrc() {
+ default_openrc
pkgdesc="OpenRC init script that runs Roundcube with php-fpm"
depends="$pkgname=$pkgver-r$pkgrel $_php-fpm"
diff --git a/community/roundcubemail/roundcubemail-installer.post-install b/community/roundcubemail/roundcubemail-installer.post-install
new file mode 100644
index 0000000000..8cd22c19e6
--- /dev/null
+++ b/community/roundcubemail/roundcubemail-installer.post-install
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+# Allow installer to modify the config.
+chown roundcube /etc/roundcube/config.inc.php
+
+exit 0
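Review bot: The `chown roundcube /etc/roundcube/config.inc.php` line hands ownership of the configuration to the application user, which undoes the group-readable-only layout the main package now installs, and no script in this commit restores the original owner when the -installer subpackage is removed, so the roundcube user keeps write access to its own config after the installer is gone. A matching `roundcubemail-installer.post-deinstall` running `chown root /etc/roundcube/config.inc.php` (with the owner the main package actually uses, which is not stated in this view) would close that gap, and the comment here should say the change is temporary, e.g. `# Allow installer to modify the config; reverted by post-deinstall.`. The trailing `exit 0` also masks a failed chown; if that is deliberate it deserves a word in the comment.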
diff --git a/community/roundcubemail/roundcubemail-openrc.post-install b/community/roundcubemail/roundcubemail-openrc.post-install
index cfce997525..f674611211 100644
--- a/community/roundcubemail/roundcubemail-openrc.post-install
+++ b/community/roundcubemail/roundcubemail-openrc.post-install
@@ -1,9 +1,5 @@
#!/bin/sh
-# When don't need (and should not) to let sensitive files readable by www-data
-# group when running with php-fpm.
-chown roundcube:roundcube /etc/roundcube/session_key
-
cat >&2 <<EOF
*
* Point your web server to /run/roundcube/fastcgi.sock and start Roundcube with
diff --git a/community/roundcubemail/roundcubemail.post-install b/community/roundcubemail/roundcubemail.post-install
index 1774e77a1a..e5da23494d 100644
--- a/community/roundcubemail/roundcubemail.post-install
+++ b/community/roundcubemail/roundcubemail.post-install
@@ -7,12 +7,7 @@ if ! [ -e "$keyfile" ]; then
{ head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24 && echo ''; } > "$keyfile"
chmod 440 "$keyfile"
-
- # This is for silly and insecure type of installation when Roundcube
- # is run under Apache with Apache's privileges instead of separate
- # user. Just for backward compatibility.
- # Ignore if group www-data does not exist.
- chgrp www-data "$keyfile" 2>/dev/null || true
+ chgrp roundcube "$keyfile"
fi
if [ "${0##*.}" = 'post-upgrade' ]; then
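Review bot: The redirect into `"$keyfile"` at the top of the hunk creates the session key under the shell's default umask and only the following `chmod 440` tightens it, so the freshly generated key can be readable by other local users for the moment between the two commands; writing it under a restrictive umask avoids that window, e.g. `( umask 077; { head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24 && echo ''; } > "$keyfile" )`, after which `chmod 440` and the new `chgrp roundcube "$keyfile"` only adjust an already private file. The replacement `chgrp roundcube` line also turns a tolerated failure (`|| true`) into an unchecked one; whether a missing group makes the script exit non-zero depends on how it ends, which is outside this hunk. The enclosing `if ! [ -e "$keyfile" ]` block begins before the hunk.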
@@ -29,6 +24,12 @@ if [ "${0##*.}" = 'post-upgrade' ]; then
if [ "$(apk version -t "$ver_old" '1.3.6-r1')" = '<' ]; then
cat >&2 <<-EOF
*
+ * If you run Roundcube with web server's privileges, e.g. using Apache2
+ * mod_php (which is highly not recommended due to security reasons!), you
+ * have to change config permissions (or add user apache to group roundcube):
+ *
+ * chgrp www-data /etc/roundcube/*
+ *
* Roundcube plugins managesieve and zipdownload has been moved into
* subpackages. If you use them, install roundcubemail-<plugin> using apk
* (e.g. apk add roundcubemail-zipdownload).
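Review bot: The new permission notice sits inside the pre-existing `apk version -t "$ver_old" '1.3.6-r1'` branch, which only fires when upgrading from a release older than 1.3.6-r1, so anyone upgrading from a newer release is never told that config.inc.php and session_key now belong to group roundcube even though the change affects them just as much (the release that introduces it is not visible in this view). The notice should get its own comparison against the version carrying this change, e.g. `if [ "$(apk version -t "$ver_old" '<version-of-this-change>')" = '<' ]; then`, rather than piggybacking on the plugin-split threshold. The suggested `chgrp www-data /etc/roundcube/*` also changes session_key's group, which is consistent with the mod_php case the message describes but worth saying explicitly so readers do not apply it to only the config file.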