Description of problem:
Installing roundcubemail creates directories with insecure permissions, granting read-access to sensitive data to anyone on the same host.

Version-Release number of selected component (if applicable):
roundcubemail-1.1.2-1.el7.noarch
roundcubemail-1.1.3-1.el7.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Just install the package using yum.

Actual results:
ls -ld /var/lib/roundcubemail /var/log/roundcubemail
drwxrwxr-x. 2 root apache 6 Sep 22 19:01 /var/lib/roundcubemail
drwxrwxr-x. 2 root apache 51 Oct 5 18:52 /var/log/roundcubemail

Expected results:
drwxr-x---. 2 apache apache 6 Sep 22 19:01 /var/lib/roundcubemail
drwxr-x---. 2 apache apache 51 Oct 5 18:52 /var/log/roundcubemail

Additional info:
The logrotate configuration contains a create option with mask 0660 which fixes a part of the problem; it does not prevent access to files created prior to the first file rotation. And there are possibly other logs in /var/log/roundcubemail/ which are not covered by the logrotate configuration, and logrotate isn't a feasible solution for /var/lib/roundcubemail/.

Please do not set group write permissions for group apache to allow write access for the webserver process, but do use owner access, instead.
> Please do not set group write permissions for group apache to allow write access for the webserver process, but do use owner access, instead.

I prefer to keep group write access, to allow various users (apache / nginx instances) to use this directory.
But definitely, it should not be world readable.
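
A check for the condition discussed in the two comments above, as an added example that is not part of the bug report or the roundcubemail package: it lists what users outside the owner and group can reach under a directory, and shows why a logrotate create mask alone leaves older files exposed while the directory itself is mode 0775. The function names, the temporary tree, the file names and the 0644 mode of the pre-rotation file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the roundcubemail package).
# Lists what users outside the owner and group can reach under a directory.

# world_exposed DIR
# Prints DIR if it grants any permission to "other". Descends into DIR only
# when "other" has the search (x) bit on it: without that bit, nothing below
# DIR can be opened by other users, whatever the modes of the files inside.
world_exposed() {
    top=$1
    [ -d "$top" ] || { echo "not a directory: $top" >&2; return 2; }
    if [ -z "$(find "$top" -prune -perm -001)" ]; then
        # No o+x on DIR: only DIR itself can be exposed (o+r lists names).
        find "$top" -prune \( -perm -004 -o -perm -002 \)
        return 0
    fi
    # DIR is searchable by others: report every entry with an "other" bit.
    # Symlinks are skipped because their own mode bits are not enforced.
    find "$top" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \)
}

# demo: builds a constructed tree and prints "<exposed before> <exposed after>".
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/log"
    chmod 0775 "$d/log"                 # mode from "Actual results"
    : > "$d/log/old.log"                # constructed: written before any rotation
    chmod 0644 "$d/log/old.log"         # assumed mode (umask 022)
    : > "$d/log/rotated.log"            # constructed: made by "create 0660"
    chmod 0660 "$d/log/rotated.log"
    before=$(( $(world_exposed "$d/log" | wc -l) ))
    chmod 0770 "$d/log"                 # group write kept, "other" access removed
    after=$(( $(world_exposed "$d/log" | wc -l) ))
    rm -rf "$d"
    echo "$before $after"
}

demo    # prints "2 0"
```

On an installed system, `world_exposed /var/log/roundcubemail` and `world_exposed /var/lib/roundcubemail` should print nothing once the directories no longer grant access to "other".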
roundcubemail-1.1.4-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-6e299214b8
roundcubemail-1.1.4-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-431d39fbff
roundcubemail-1.1.4-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-5538691958
roundcubemail-1.0.8-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-d47aefe0b2
roundcubemail-1.0.8-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-d47aefe0b2
roundcubemail-1.1.4-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-5538691958
roundcubemail-1.1.4-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-6e299214b8
roundcubemail-1.1.4-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-431d39fbff
roundcubemail-1.1.4-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
roundcubemail-1.1.4-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
roundcubemail-1.1.4-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
roundcubemail-1.0.8-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.