From 1d6c1025d8d5fa9787fa3632bc7bc1fa357e62f1 Mon Sep 17 00:00:00 2001 From: Jakub Jirutka Date: Fri, 27 Jul 2018 14:40:29 +0200 Subject: community/roundcubemail: more secure privileges, prefer php-fpm If the user want to run Roundcube with "traditional", quite insecure and silly method by running PHP apps with web server (e.g. Apache2 mod_php) under web server's user, (s)he still can, but have to change group of config files or add web server's user to group roundcube. This is announced by message in post-upgrade script. The -openrc subpackage is now installed by default when openrc is installed, which should promote running Roundcube using php-fpm. --- community/roundcubemail/APKBUILD | 12 +++++++++--- .../roundcubemail/roundcubemail-installer.post-install | 6 ++++++ community/roundcubemail/roundcubemail-openrc.post-install | 4 ---- community/roundcubemail/roundcubemail.post-install | 13 +++++++------ 4 files changed, 22 insertions(+), 13 deletions(-) create mode 100644 community/roundcubemail/roundcubemail-installer.post-install (limited to 'community') diff --git a/community/roundcubemail/APKBUILD b/community/roundcubemail/APKBUILD index a72dadb73d..618976dc37 100644 --- a/community/roundcubemail/APKBUILD +++ b/community/roundcubemail/APKBUILD @@ -35,8 +35,13 @@ makedepends="$_depends_managesieve" pkgusers="roundcube" pkggroups="$pkgusers" options="!check" # no tests provided -install="$pkgname.pre-install $pkgname.post-install $pkgname.post-upgrade - $pkgname-openrc.post-install $pkgname-pgsql.post-install" +install="$pkgname.pre-install + $pkgname.post-install + $pkgname.post-upgrade + $pkgname-installer.post-install + $pkgname-openrc.post-install + $pkgname-pgsql.post-install + " subpackages="$pkgname-installer $pkgname-openrc $pkgname-doc" source="https://github.com/roundcube/$pkgname/releases/download/$pkgver/$pkgname-$pkgver-complete.tar.gz fix-dirs.patch 
@@ -115,7 +120,7 @@ package() { mv ./$_destdir/config ./etc/roundcube mkdir ./etc/roundcube/plugins - install -m 644 -o roundcube -g roundcube \ + install -m 640 -g roundcube \ "$srcdir"/config.inc.php ./etc/roundcube/ local file; for file in CHANGELOG INSTALL README.md UPGRADING; do @@ -149,6 +154,7 @@ installer() { } openrc() { + default_openrc pkgdesc="OpenRC init script that runs Roundcube with php-fpm" depends="$pkgname=$pkgver-r$pkgrel $_php-fpm" diff --git a/community/roundcubemail/roundcubemail-installer.post-install b/community/roundcubemail/roundcubemail-installer.post-install new file mode 100644 index 0000000000..8cd22c19e6 --- /dev/null +++ b/community/roundcubemail/roundcubemail-installer.post-install @@ -0,0 +1,6 @@ +#!/bin/sh + +# Allow installer to modify the config. +chown roundcube /etc/roundcube/config.inc.php + +exit 0 diff --git a/community/roundcubemail/roundcubemail-openrc.post-install b/community/roundcubemail/roundcubemail-openrc.post-install index cfce997525..f674611211 100644 --- a/community/roundcubemail/roundcubemail-openrc.post-install +++ b/community/roundcubemail/roundcubemail-openrc.post-install @@ -1,9 +1,5 @@ #!/bin/sh -# When don't need (and should not) to let sensitive files readable by www-data -# group when running with php-fpm. -chown roundcube:roundcube /etc/roundcube/session_key - cat >&2 < "$keyfile" chmod 440 "$keyfile" - - # This is for silly and insecure type of installation when Roundcube - # is run under Apache with Apache's privileges instead of separate - # user. Just for backward compatibility. - # Ignore if group www-data does not exist. - chgrp www-data "$keyfile" 2>/dev/null || true + chgrp roundcube "$keyfile" fi if [ "${0##*.}" = 'post-upgrade' ]; then 
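Review bot: The new `install -m 640 -g roundcube` line in package() leaves the owner implicit, so the intended model (root owns the config, group roundcube may only read it) is no longer visible in the recipe; spell it out as `install -m 640 -o root -g roundcube \`, which abuild's fakeroot should accept just as the previous `-o roundcube` was. A one-line why-comment above it would also help, e.g. `# root-owned, group-readable: the app user must not be able to edit its own config`, because the installer subpackage deliberately relaxes this and a reader needs to know which state is the intended steady state. The package() function starts and ends outside this hunk.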
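Review bot: `chown roundcube /etc/roundcube/config.inc.php` in the new installer post-install hands ownership of the main config to the account the web application runs under, and nothing in this commit ever reverts it, so after the installer is removed a compromised Roundcube process can still rewrite its own config (database DSN, plugin list) indefinitely. Since the installer is meant to be a temporary package, pair this with a `roundcubemail-installer.pre-deinstall` that runs `chown root /etc/roundcube/config.inc.php` and list it in the APKBUILD `install=` hunk above, and replace the current comment with one that states the trade-off: `# Grants the app user write access to its own config; remove this package once setup is done.` The script also runs unconditionally, so guard it with `[ -f /etc/roundcube/config.inc.php ] && chown roundcube /etc/roundcube/config.inc.php` to avoid a chown error being printed before the unconditional `exit 0`.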
@@ -29,6 +24,12 @@ if [ "${0##*.}" = 'post-upgrade' ]; then if [ "$(apk version -t "$ver_old" '1.3.6-r1')" = '<' ]; then cat >&2 <<-EOF * + * If you run Roundcube with web server's privileges, e.g. using Apache2 + * mod_php (which is highly not recommended due to security reasons!), you + * have to change config permissions (or add user apache to group roundcube): + * + * chgrp www-data /etc/roundcube/* + * * Roundcube plugins managesieve and zipdownload has been moved into * subpackages. If you use them, install roundcubemail- using apk * (e.g. apk add roundcubemail-zipdownload). -- cgit v1.2.3
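Review bot: The added upgrade notice contradicts itself: the sentence tells the admin to add user apache to group roundcube, but the command it then gives switches the files to group www-data, and `chgrp www-data /etc/roundcube/*` does not descend into /etc/roundcube/plugins, which package() creates alongside the config. Make the two agree and name the group the web server actually uses on this system (Alpine's apache2 runs as user apache, which is presumably not group www-data), e.g. `chgrp -R <webserver-group> /etc/roundcube` or, preferably, `adduser <webserver-user> roundcube`, since the group-membership route leaves the packaged ownership untouched and is likely not undone by later package scripts that reset groups. Wording: `highly not recommended due to security reasons` reads better as `strongly discouraged for security reasons`, and `has been moved` should be `have been moved`. The enclosing post-upgrade `if` block starts in an earlier hunk.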