author | Jakub Jirutka <jakub@jirutka.cz> | 2018-07-27 14:40:29 +0200 |
---|---|---|
committer | Jakub Jirutka <jakub@jirutka.cz> | 2018-07-27 15:30:37 +0200 |
commit | 1d6c1025d8d5fa9787fa3632bc7bc1fa357e62f1 (patch) | |
tree | 3cb6b9bc8ade1f3cd6ab68b40772381293480776 /community/roundcubemail/roundcubemail.post-install | |
parent | 5fe974d357db25cfea207d327fe3ad92dcedaca8 (diff) |
community/roundcubemail: more secure privileges, prefer php-fpm
If the user wants to run Roundcube with "traditional", quite insecure
and silly method by running PHP apps with web server (e.g. Apache2
mod_php) under web server's user, (s)he still can, but has to change
group of config files or add web server's user to group roundcube.
This is announced by message in post-upgrade script.
The -openrc subpackage is now installed by default when openrc is
installed, which should promote running Roundcube using php-fpm.
Diffstat (limited to 'community/roundcubemail/roundcubemail.post-install')
-rw-r--r-- | community/roundcubemail/roundcubemail.post-install | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/community/roundcubemail/roundcubemail.post-install b/community/roundcubemail/roundcubemail.post-install index 1774e77a1a6..e5da23494df 100644 --- a/community/roundcubemail/roundcubemail.post-install +++ b/community/roundcubemail/roundcubemail.post-install @@ -7,12 +7,7 @@ if ! [ -e "$keyfile" ]; then { head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24 && echo ''; } > "$keyfile" chmod 440 "$keyfile" - - # This is for silly and insecure type of installation when Roundcube - # is run under Apache with Apache's privileges instead of separate - # user. Just for backward compatibility. - # Ignore if group www-data does not exist. - chgrp www-data "$keyfile" 2>/dev/null || true + chgrp roundcube "$keyfile" fi if [ "${0##*.}" = 'post-upgrade' ]; then @@ -29,6 +24,12 @@ if [ "${0##*.}" = 'post-upgrade' ]; then if [ "$(apk version -t "$ver_old" '1.3.6-r1')" = '<' ]; then cat >&2 <<-EOF * + * If you run Roundcube with web server's privileges, e.g. using Apache2 + * mod_php (which is highly not recommended due to security reasons!), you + * have to change config permissions (or add user apache to group roundcube): + * + * chgrp www-data /etc/roundcube/* + * * Roundcube plugins managesieve and zipdownload has been moved into * subpackages. If you use them, install roundcubemail-<plugin> using apk * (e.g. apk add roundcubemail-zipdownload). |
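Review bot: in the first hunk (the `if ! [ -e "$keyfile" ]` block), the new `chgrp roundcube "$keyfile"` drops the `2>/dev/null || true` guard that the removed `chgrp www-data` line had, so a missing roundcube group now produces an error from the post-install script and leaves the freshly generated key file at mode 440 with its original group. Nothing in this diff shows where the group is created; if another install script guarantees it, a one-line comment saying so would make the dependency explicit, otherwise test for the group first and print a clear message when it is absent.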
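Review bot: in the second hunk (the notice added to the post-upgrade heredoc), the text and the command name different identities: the sentence says "add user apache to group roundcube" while the command shown is `chgrp www-data /etc/roundcube/*`. Please state which user and group are meant, and consider also showing the command for the group-membership alternative, since that option keeps the files in group roundcube as the first hunk now sets the key file. The notice is also only printed on upgrade, so it is worth checking that fresh mod_php installs learn about the requirement somewhere. Minor wording: "highly not recommended due to security reasons" reads better as "strongly discouraged for security reasons".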