Package: roundcube-plugins
Version: 0.9.5-1~bpo70+1
Severity: important

Dear Debian folks,

It's not a direct issue, but people copying over the example file get a
world-readable file, which is not a good idea if passwords for
databases are stored in it.

        # ls -lh /etc/roundcube/plugins/password/config.inc.php
        -rw-r--r-- 1 root root 127 Nov  3 19:28 /etc/roundcube/plugins/password/config.inc.php
        # cp -a /usr/share/roundcube/plugins/password/config.inc.php.dist /etc/roundcube/plugins/password/config.inc.php
        # ls -lh /etc/roundcube/plugins/password/config.inc.php
        -rw-r--r-- 1 root root 14K Oct 21 19:39 /etc/roundcube/plugins/password/config.inc.php

For example the database password is stored in the variable below.

        $rcmail_config['password_db_dsn']

One could argue that the user/administrator should take care of that, but
a note in the empty configuration file would be helpful so that this is
not overlooked. No idea if you can think of other ways.

Thanks,

Paul
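As an added illustration (not part of the report or of the Debian package), the following POSIX shell functions show the two sides of the issue described above: installing the shipped example with a restrictive mode instead of `cp -a`, which preserves the 0644 mode of the .dist file, and auditing a config directory for world-readable files that contain a DSN. The paths and the variable name come from the report; the directory layout used in the comments is assumed.

```shell
#!/bin/sh
# Example helpers (added here, not Roundcube's or Debian's own code).

# Copy SRC to DST with mode 0640 (owner rw, group r, no access for others).
# `cp -a` would keep the source's 0644 bits; install(1) sets the mode
# explicitly. Owner and group are optional because setting them needs root,
# e.g. install_plugin_config .../config.inc.php.dist .../config.inc.php root www-data
install_plugin_config() {
    src=$1
    dst=$2
    if [ "$#" -ge 4 ]; then
        install -o "$3" -g "$4" -m 0640 "$src" "$dst"
    else
        install -m 0640 "$src" "$dst"
    fi
}

# Audit CONFDIR: list regular files readable by "other" (-perm -o=r) that
# contain the password_db_dsn setting. Returns 1 if any were found, else 0,
# so it can be used as a check in a post-install or monitoring script.
find_world_readable_dsn() {
    confdir=$1
    hits=$(find "$confdir" -type f -perm -o=r \
        -exec grep -l 'password_db_dsn' {} + 2>/dev/null)
    if [ -n "$hits" ]; then
        printf 'world-readable config with DSN:\n%s\n' "$hits"
        return 1
    fi
    return 0
}
```

Run the audit against /etc/roundcube/plugins after copying a .dist file to see the problem the report describes, then re-install the file with install_plugin_config and run it again.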
