[Pkg-owncloud-maintainers] Bug#676131: owncloud: generates configuration that is user-readable
Paul van Tilburg
paulvt at debian.org
Mon Jun 4 22:52:21 UTC 2012
Package: owncloud
Version: 4.0.1debian-1
Severity: important
Hi,
When you install owncloud, set up a MySQL/PostgreSQL database and then
visit http://<host>/owncloud/, it generates the configuration file
/etc/owncloud/config.php. However, this file is readable by all users,
which thereby gives them access to the database!
This file should have mode 600 or 640 (given that it's owned by
www-data:www-data).
Cheers,
Paul
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/3 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages owncloud depends on:
ii apache2 2.2.22-5
ii apache2-mpm-prefork [httpd] 2.2.22-5
ii libjs-jquery 1.7.2+debian-1
ii libjs-jquery-jplayer 2.1.0-1
ii libjs-jquery-ui 1.8.ooops.20+dfsg-1
ii libphp-phpmailer 5.1-1
ii owncloud-mysql 4.0.1debian-1
ii php-crypt-blowfish 1.1.0~RC2-1
ii php-getid3 1.9.3-1
ii php-mdb2 2.5.0b3-2
ii php-mdb2-schema 0.8.5-1
ii php-pear 5.4.0-3
ii php-sabredav 1.6.2-1
ii php-xml-parser 1.3.4-4
ii php5 5.4.0-3
ii php5-curl 5.4.0-3
ii php5-gd 5.4.0-3
Versions of packages owncloud recommends:
ii exim4 4.77-1
ii exim4-daemon-light [mail-transport-agent] 4.77-1+b1
owncloud suggests no packages.
-- Configuration Files:
/etc/apache2/conf.d/owncloud.conf changed [not included]
-- no debconf information
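
An added example, not part of the original report or of the owncloud package: a shell check for the condition reported above, flagging a generated config file whose mode grants any access to "other" users and applying the 640 mode the report suggests. The function names are hypothetical, and `stat -c` assumes GNU coreutils as shipped on Debian.

```shell
#!/bin/sh
# Added example: audit a generated config file for access by "other" users.
# Function names are hypothetical; stat -c assumes GNU coreutils (Debian).

# Print the octal permission bits of a file, e.g. 644.
file_mode() {
    stat -c '%a' -- "$1"
}

# 0 = no "other" bits set, 1 = some access granted to others,
# 2 = file missing or not a regular file.
config_is_private() {
    [ -f "$1" ] || return 2
    case "$(file_mode "$1")" in
        *0) return 0 ;;   # last octal digit is the "other" class
        *)  return 1 ;;
    esac
}

# Apply the mode suggested in the report (640: owner rw, group r, other none).
harden_config() {
    chmod 640 -- "$1"
}

# Print a one-line verdict with mode and owner:group; return the check's status.
audit_config() {
    rc=0
    config_is_private "$1" || rc=$?
    case $rc in
        0) echo "OK      $1 ($(stat -c '%a %U:%G' -- "$1"))" ;;
        1) echo "EXPOSED $1 ($(stat -c '%a %U:%G' -- "$1"))" ;;
        *) echo "MISSING $1" ;;
    esac
    return "$rc"
}

# Usage: sh audit.sh /etc/owncloud/config.php
if [ "$#" -gt 0 ]; then
    audit_config "$1"
fi
```

A file written under the common default umask of 022 comes out as 644, which is the state this check reports as EXPOSED.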