[Pkg-roundcube-maintainers] Bug#608976: roundcube-core: /etc/roundcube/debian-db.php is owned by (and writable by) www-data

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jan 5 04:06:59 UTC 2011

Package: roundcube
Version: 0.3.1-6
Severity: normal

I installed roundcube-pgsql and roundcube-core, then ran

  dpkg-reconfigure roundcube-core

and answered a lot of questions.  this resulted in the following files:

dkg at foo:/tmp$ ls -l /etc/roundcube/
total 29
-rw-r--r-- 1 root     root      1116 Sep 27  2009 apache.conf
-rw-r--r-- 1 root     root      2260 Oct 18 17:18 db.inc.php
-rw-rw---- 1 www-data www-data   546 Jan  4 22:37 debian-db.php
-rw-r--r-- 1 root     root       567 Sep 27  2009 lighttpd.conf
-rw-r----- 1 root     www-data 18313 Jan  4 22:37 main.inc.php
-rw-r--r-- 1 root     root      2392 Aug  7  2009 mimetypes.php
dkg at foo:/tmp$ 

Presumably, the package thinks that the www-data user is going to be
running roundcube, which i think is reasonable.

What's not reasonable is www-data owning and having write access to
debian-db.php.  Why should the web server to be able to
overwrite/trash its own config?

Thanks for packaging roundcube for debian!


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages roundcube-core depends on:
ii  dbconfig-common          1.8.46          common framework for packaging dat
ii  debconf [debconf-2.0]    1.5.36          Debian configuration management sy
ii  libjs-jquery             1.4.2-2         JavaScript library for dynamic web
ii  libmagic1                5.04-5          File type determination library us
ii  nginx [httpd]            0.7.67-3        small, but very powerful and effic
ii  php-auth                 1.6.2-1         PHP PEAR modules for creating an a
ii  php-mail-mime            1.8.0-2         PHP PEAR module for creating MIME 
ii  php-mdb2                 2.5.0b2-1       PHP PEAR module to provide a commo
ii  php-net-smtp             1.4.2-3         PHP PEAR module implementing SMTP 
ii  php-net-socket           1.0.9-2         PHP PEAR Network Socket Interface 
ii  php5                     5.3.3-6         server-side, HTML-embedded scripti
ii  php5-gd                  5.3.3-6         GD module for php5
ii  php5-mcrypt              5.3.3-6         MCrypt module for php5
ii  php5-pspell              5.3.3-6         pspell module for php5
ii  roundcube-pgsql          0.3.1-6         metapackage providing PostgreSQL d
ii  tinymce                  3.3.8+dfsg0-0.1 platform independent web based Jav
ii  ucf                      3.0025+nmu1     Update Configuration File: preserv

roundcube-core recommends no packages.

Versions of packages roundcube-core suggests:
ii  php-auth-sasl                 1.0.4-1    Abstraction of various SASL mechan

-- debconf information:
  roundcube/upgrade-error: abort
* roundcube/pgsql/authmethod-user: ident
  roundcube/purge: false
* roundcube/dbconfig-install: true
* roundcube/db/dbname: roundcube
* roundcube/language: en_US
  roundcube/pgsql/changeconf: false
  roundcube/upgrade-backup: true
  roundcube/install-error: abort
  roundcube/mysql/admin-user: root
* roundcube/hosts: localhost
* roundcube/pgsql/authmethod-admin: ident
* roundcube/pgsql/admin-user: postgres
  roundcube/internal/skip-preseed: false
* roundcube/db/app-user: roundcube
  roundcube/dbconfig-reinstall: false
  roundcube/mysql/method: unix socket
  roundcube/remove-error: abort
* roundcube/restart-webserver: false
  roundcube/dbconfig-upgrade: true
* roundcube/pgsql/method: unix socket
  roundcube/internal/reconfiguring: false
* roundcube/reconfigure-webserver:
* roundcube/database-type: pgsql
  roundcube/missing-db-package-error: abort

More information about the Pkg-roundcube-maintainers mailing list