[Pkg-roundcube-maintainers] Bug#739592: roundcube-plugins: Config files world readable
Paul Menzel
pm.debian at googlemail.com
Thu Feb 20 08:58:02 UTC 2014
Package: roundcube-plugins
Version: 0.9.5-1~bpo70+1
Severity: important
Dear Debian folks,
it’s not a direct issue, but people copying over the example file get a
world-readable file, which is not a good idea if passwords for
databases are stored in it.
# ls -lh /etc/roundcube/plugins/password/config.inc.php
-rw-r--r-- 1 root root 127 Nov 3 19:28 /etc/roundcube/plugins/password/config.inc.php
# cp -a /usr/share/roundcube/plugins/password/config.inc.php.dist /etc/roundcube/plugins/password/config.inc.php
# ls -lh /etc/roundcube/plugins/password/config.inc.php
-rw-r--r-- 1 root root 14K Oct 21 19:39 /etc/roundcube/plugins/password/config.inc.php
For example, the database password is stored in the variable below.
$rcmail_config['password_db_dsn']
One could argue that the user/administrator should take care of that, but
a note in the empty configuration file would be helpful so that this is
not overlooked. No idea if you can think of other ways.
Thanks,
Paul
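Added example, not part of the original report or of the Debian package: a shell sketch that finds plugin config files which are world-readable and carry the password_db_dsn setting, and installs the .dist template with mode 0640 instead of the 0644 that cp -a preserves. The function names, the temporary demo tree and the www-data group are assumptions.

```shell
#!/bin/sh
# Added example. Function names and the www-data group are assumptions;
# the key name password_db_dsn and the file names come from the report.

# Print every config.inc.php under $1 that is readable by "other"
# and contains the DSN setting.
world_readable_dsn_configs() {
    find "$1" -type f -name 'config.inc.php' -perm -004 \
        -exec grep -qF 'password_db_dsn' {} \; -print
}

# Put a .dist template in place with mode 0640 rather than the 0644
# that `cp -a` carries over from /usr/share.
install_private_config() {
    src=$1 dst=$2 group=${3:-www-data}
    install -m 0640 "$src" "$dst" || return 1
    # The web server still has to read the file: hand it to its group.
    # Needs root and an existing group, so it is skipped otherwise.
    if [ "$(id -u)" -eq 0 ] && getent group "$group" >/dev/null 2>&1; then
        chgrp "$group" "$dst"
    fi
}

# Demo on a constructed tree (not real system paths).
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/share" "$t/etc/plugins/password"
    # Constructed sample content with a placeholder credential.
    printf '%s\n' '<?php' \
        "\$rcmail_config['password_db_dsn'] = 'mysql://u:PLACEHOLDER@localhost/db';" \
        > "$t/share/config.inc.php.dist"
    chmod 0644 "$t/share/config.inc.php.dist"

    cp -a "$t/share/config.inc.php.dist" "$t/etc/plugins/password/config.inc.php"
    echo "after cp -a:"; world_readable_dsn_configs "$t/etc"

    install_private_config "$t/share/config.inc.php.dist" \
        "$t/etc/plugins/password/config.inc.php"
    echo "after install -m 0640:"; world_readable_dsn_configs "$t/etc"
    rm -rf "$t"
}
demo
```

On a real system the audit would be pointed at /etc/roundcube and the group set to whatever account the web server runs as.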