Bug 1269155

Summary: Insecure permissions of /var/lib/roundcubemail and /var/log/roundcubemail
Product: Fedora EPEL
Reporter: Robert Vogelgesang <vogel>
Component: roundcubemail
Assignee: Remi Collet <fedora>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: epel7
CC: christoph.wickert, fedora, gwync, mhlavink
Hardware: All
OS: All
Fixed In Version: roundcubemail-1.1.4-2.fc23 roundcubemail-1.1.4-2.fc22 roundcubemail-1.1.4-2.el7 roundcubemail-1.0.8-1.el6
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-01-07 19:56:24 UTC

Description Robert Vogelgesang 2015-10-06 13:17:56 UTC
Description of problem:
Installing roundcubemail creates directories with insecure permissions, granting read-access to sensitive data to anyone on the same host.

Version-Release number of selected component (if applicable):
roundcubemail-1.1.2-1.el7.noarch
roundcubemail-1.1.3-1.el7.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Just install the package using yum.

Actual results:
ls -ld /var/lib/roundcubemail /var/log/roundcubemail
drwxrwxr-x. 2 root apache  6 Sep 22 19:01 /var/lib/roundcubemail
drwxrwxr-x. 2 root apache 51 Oct  5 18:52 /var/log/roundcubemail

Expected results:
drwxr-x---. 2 apache apache  6 Sep 22 19:01 /var/lib/roundcubemail
drwxr-x---. 2 apache apache 51 Oct  5 18:52 /var/log/roundcubemail

Additional info:

The logrotate configuration contains a create option with mask 0660 which fixes a part of the problem; it does not prevent access to files created prior to the first file rotation.  And there are possibly other logs in /var/log/roundcubemail/ which are not covered by the logrotate configuration, and logrotate isn't a feasible solution for /var/lib/roundcubemail/.

Please do not set group write permissions for group apache to allow write access for the webserver process, but do use owner access, instead.

Comment 1 Remi Collet 2015-12-28 08:01:15 UTC
> Please do not set group write permissions for group apache to allow write access for the webserver process, but do use owner access, instead.

I prefer to keep group write access, to allow various users (apache / nginx instances) to use this directory.

But definitely, it should not be world readable.
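
The audit and fix discussed in this thread, as an added example (not code from the bug report or the roundcubemail package): it classifies `ls -ld` lines in the form the reporter posted and applies the mode the maintainer chose in comment 1 (group write kept, every "other" bit removed). The function names and the embedded sample lines are my own construction.

```shell
#!/bin/sh
# Added example, not part of the bug report or the roundcubemail package.
# Audit directory permission strings as `ls -ld` prints them and apply the
# fix from comment 1: keep group rwx for the web server group, drop all
# permission bits for "other".

# Print "world-readable" if the "other" class (characters 8-10 of the mode
# string) has read access, "other-access" if it has any other bit, else "ok".
classify_ls_line() {
    other=$(printf '%s\n' "$1" | cut -c8-10)
    case $other in
        r*)  echo "world-readable" ;;
        ---) echo "ok" ;;
        *)   echo "other-access" ;;
    esac
}

# Count lines of `ls -ld` output (on stdin) that are not "ok".
count_exposed() {
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        [ "$(classify_ls_line "$line")" = "ok" ] || n=$((n + 1))
    done
    echo "$n"
}

# Audit a live directory: exit 0 when "other" has no permission bits.
dir_is_private() {
    [ -d "$1" ] || return 2
    classify_ls_line "$(ls -ld "$1")" | grep -qx ok
}

# The fix from comment 1: 0770 keeps group rwx (apache/nginx members) but
# removes every "other" bit. Changing ownership to apache:apache needs root
# and belongs to the package's file list, so it is not done here.
fix_dir() {
    chmod 0770 "$1"
}

# Constructed sample input: the reporter's "Actual results" lines.
SAMPLE_ACTUAL='drwxrwxr-x. 2 root apache  6 Sep 22 19:01 /var/lib/roundcubemail
drwxrwxr-x. 2 root apache 51 Oct  5 18:52 /var/log/roundcubemail'

# Number of exposed directories in the sample (both are world-readable).
audit_sample() {
    printf '%s\n' "$SAMPLE_ACTUAL" | count_exposed
}
```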

Comment 2 Fedora Update System 2015-12-28 08:34:35 UTC
roundcubemail-1.1.4-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-6e299214b8

Comment 3 Fedora Update System 2015-12-28 08:34:35 UTC
roundcubemail-1.1.4-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-431d39fbff

Comment 4 Fedora Update System 2015-12-28 08:34:46 UTC
roundcubemail-1.1.4-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-5538691958

Comment 5 Fedora Update System 2015-12-28 08:48:54 UTC
roundcubemail-1.0.8-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-d47aefe0b2

Comment 6 Fedora Update System 2015-12-29 00:22:13 UTC
roundcubemail-1.0.8-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-d47aefe0b2

Comment 7 Fedora Update System 2015-12-29 00:25:54 UTC
roundcubemail-1.1.4-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-5538691958

Comment 8 Fedora Update System 2015-12-29 00:54:56 UTC
roundcubemail-1.1.4-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-6e299214b8

Comment 9 Fedora Update System 2015-12-30 20:54:17 UTC
roundcubemail-1.1.4-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-431d39fbff

Comment 10 Fedora Update System 2016-01-07 19:56:17 UTC
roundcubemail-1.1.4-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2016-01-08 03:21:30 UTC
roundcubemail-1.1.4-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2016-01-13 04:26:30 UTC
roundcubemail-1.1.4-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2016-01-13 04:55:45 UTC
roundcubemail-1.0.8-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.