community/roundcubemail: more secure privileges, prefer php-fpm

If the user want to run Roundcube with "traditional", quite insecure
and silly method by running PHP apps with web server (e.g. Apache2
mod_php) under web server's user, (s)he still can, but have to change
group of config files or add web server's user to group roundcube.
This is announced by message in post-upgrade script.

The -openrc subpackage is now installed by default when openrc is
installed, which should promote running Roundcube using php-fpm.

1 files changed, 7 insertions, 6 deletions

diff --git a/community/roundcubemail/roundcubemail.post-install b/community/roundcubemail/roundcubemail.post-install
index 1774e77a1a6..e5da23494df 100644
--- a/community/roundcubemail/roundcubemail.post-install
+++ b/community/roundcubemail/roundcubemail.post-install
@@ -7,12 +7,7 @@ if ! [ -e "$keyfile" ]; then
 
 	{ head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24 && echo ''; } > "$keyfile"
 	chmod 440 "$keyfile"
-
-	# This is for silly and insecure type of installation when Roundcube
-	# is run under Apache with Apache's privileges instead of separate
-	# user. Just for backward compatibility.
-	# Ignore if group www-data does not exist.
-	chgrp www-data "$keyfile" 2>/dev/null || true
+	chgrp roundcube "$keyfile"
 fi
 
 if [ "${0##*.}" = 'post-upgrade' ]; then
@@ -29,6 +24,12 @@ if [ "${0##*.}" = 'post-upgrade' ]; then
 	if [ "$(apk version -t "$ver_old" '1.3.6-r1')" = '<' ]; then
 		cat >&2 <<-EOF
 		*
+		* If you run Roundcube with web server's privileges, e.g. using Apache2
+		* mod_php (which is highly not recommended due to security reasons!), you
+		* have to change config permissions (or add user apache to group roundcube):
+		*
+		*   chgrp www-data /etc/roundcube/*
+		*
 		* Roundcube plugins managesieve and zipdownload has been moved into
 		* subpackages. If you use them, install roundcubemail-<plugin> using apk
 		* (e.g. apk add roundcubemail-zipdownload).