[Pkg-roundcube-maintainers] Bug#608976: roundcube-core: /etc/roundcube/debian-db.php is owned by (and writable by) www-data
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Jan 5 04:06:59 UTC 2011
Package: roundcube
Version: 0.3.1-6
Severity: normal

I installed roundcube-pgsql and roundcube-core, then ran

  dpkg-reconfigure roundcube-core

and answered a lot of questions. this resulted in the following files:

dkg@foo:/tmp$ ls -l /etc/roundcube/
total 29
-rw-r--r-- 1 root root 1116 Sep 27 2009 apache.conf
-rw-r--r-- 1 root root 2260 Oct 18 17:18 db.inc.php
-rw-rw---- 1 www-data www-data 546 Jan 4 22:37 debian-db.php
-rw-r--r-- 1 root root 567 Sep 27 2009 lighttpd.conf
-rw-r----- 1 root www-data 18313 Jan 4 22:37 main.inc.php
-rw-r--r-- 1 root root 2392 Aug 7 2009 mimetypes.php
dkg@foo:/tmp$

Presumably, the package thinks that the www-data user is going to be
running roundcube, which i think is reasonable.

What's not reasonable is www-data owning and having write access to
debian-db.php. Why should the web server be able to
overwrite/trash its own config?

Thanks for packaging roundcube for debian!

--dkg

-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages roundcube-core depends on:
ii dbconfig-common 1.8.46 common framework for packaging dat
ii debconf [debconf-2.0] 1.5.36 Debian configuration management sy
ii libjs-jquery 1.4.2-2 JavaScript library for dynamic web
ii libmagic1 5.04-5 File type determination library us
ii nginx [httpd] 0.7.67-3 small, but very powerful and effic
ii php-auth 1.6.2-1 PHP PEAR modules for creating an a
ii php-mail-mime 1.8.0-2 PHP PEAR module for creating MIME
ii php-mdb2 2.5.0b2-1 PHP PEAR module to provide a commo
ii php-net-smtp 1.4.2-3 PHP PEAR module implementing SMTP
ii php-net-socket 1.0.9-2 PHP PEAR Network Socket Interface
ii php5 5.3.3-6 server-side, HTML-embedded scripti
ii php5-gd 5.3.3-6 GD module for php5
ii php5-mcrypt 5.3.3-6 MCrypt module for php5
ii php5-pspell 5.3.3-6 pspell module for php5
ii roundcube-pgsql 0.3.1-6 metapackage providing PostgreSQL d
ii tinymce 3.3.8+dfsg0-0.1 platform independent web based Jav
ii ucf 3.0025+nmu1 Update Configuration File: preserv
roundcube-core recommends no packages.
Versions of packages roundcube-core suggests:
ii php-auth-sasl 1.0.4-1 Abstraction of various SASL mechan
-- debconf information:
roundcube/upgrade-error: abort
* roundcube/pgsql/authmethod-user: ident
roundcube/purge: false
* roundcube/dbconfig-install: true
* roundcube/db/dbname: roundcube
* roundcube/language: en_US
roundcube/remote/newhost:
roundcube/pgsql/changeconf: false
roundcube/upgrade-backup: true
roundcube/install-error: abort
roundcube/mysql/admin-user: root
* roundcube/hosts: localhost
* roundcube/pgsql/authmethod-admin: ident
roundcube/dbconfig-remove:
* roundcube/pgsql/admin-user: postgres
roundcube/internal/skip-preseed: false
* roundcube/db/app-user: roundcube
roundcube/dbconfig-reinstall: false
roundcube/mysql/method: unix socket
roundcube/remove-error: abort
* roundcube/restart-webserver: false
roundcube/dbconfig-upgrade: true
roundcube/remote/port:
* roundcube/pgsql/method: unix socket
roundcube/pgsql/manualconf:
roundcube/db/basepath:
roundcube/pgsql/no-empty-passwords:
roundcube/passwords-do-not-match:
roundcube/internal/reconfiguring: false
* roundcube/reconfigure-webserver:
* roundcube/database-type: pgsql
roundcube/remote/host:
roundcube/missing-db-package-error: abort
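
The following audit check is an added example, not part of the original report or of the roundcube packaging. It flags configuration files that a service account could modify, reading lines in `stat -c '%U %G %a %n'` format; the function names are hypothetical, the sample lines are constructed from the listing in the report, and www-data is assumed to belong only to the group www-data.

```shell
#!/bin/sh
# Added example: flag config files that a service account can modify.
# Input (stdin): one line per file, as printed by GNU stat:
#     stat -c '%U %G %a %n' /etc/roundcube/*
# Arguments: $1 = service user, $2 = its group (assumed to be its only group).
# Output: "REASON path" per finding; exit status 1 if anything was flagged.
audit_writable() {
    awk -v user="$1" -v group="$2" '
    {
        owner = $1; grp = $2
        # Rebuild the path in case it contains spaces.
        path = $4; for (i = 5; i <= NF; i++) path = path " " $i
        # Pad to four octal digits, then drop the setuid/setgid/sticky digit.
        perm = substr(sprintf("%04d", $3), 2)
        g = substr(perm, 2, 1) + 0
        o = substr(perm, 3, 1) + 0
        reason = ""
        # An owner can always chmod the file, so ownership alone is a finding.
        if (owner == user)                        reason = "OWNED"
        else if (grp == group && int(g / 2) % 2)  reason = "GROUP-WRITABLE"
        else if (int(o / 2) % 2)                  reason = "WORLD-WRITABLE"
        if (reason != "") { print reason, path; bad = 1 }
    }
    END { exit bad + 0 }'
}

# Constructed sample: the listing from the report, rewritten in stat format.
sample_listing() {
    cat <<'EOF'
root root 644 /etc/roundcube/apache.conf
root root 644 /etc/roundcube/db.inc.php
www-data www-data 660 /etc/roundcube/debian-db.php
root root 644 /etc/roundcube/lighttpd.conf
root www-data 640 /etc/roundcube/main.inc.php
root root 644 /etc/roundcube/mimetypes.php
EOF
}

# Run the check on the sample; only debian-db.php is reported.
sample_listing | audit_writable www-data www-data || true
```

main.inc.php passes because www-data can only read it through its group; debian-db.php is reported because www-data owns it.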