From 06c0c78956efd18f4cb68724a12b5ae841afb84a Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sun, 13 Nov 2022 13:44:35 +0100
Subject: [PATCH] Hardening: run the http and php as different users

---
 webmails/Dockerfile | 9 +++++----
 webmails/php-webmail.conf | 4 ++--
 webmails/start.py | 3 +--
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/webmails/Dockerfile b/webmails/Dockerfile
index 90d56ad5..34085f4f 100644
--- a/webmails/Dockerfile
+++ b/webmails/Dockerfile
@@ -41,8 +41,9 @@ RUN set -euxo pipefail \
 ; cd roundcube \
 ; rm -rf CHANGELOG.md SECURITY.md INSTALL LICENSE README.md UPGRADING composer.json-dist installer composer.* \
 ; ln -sf index.php /var/www/roundcube/public_html/sso.php \
- ; chmod -R u+w,a+rX /var/www/roundcube \
- ; chown -R nginx:nginx /var/www/roundcube \
+ ; chown -R root:root /var/www/roundcube/ \
+ ; chown -R mailu:mailu /var/www/roundcube/temp /var/www/roundcube/logs \
+ ; chmod -R a+rX /var/www/roundcube \
 ; rm -rf plugins/{autologon,example_addressbook,http_authentication,krb_authentication,new_user_identity,password,redundant_attachments,squirrelmail_usercopy,userinfo,virtuser_file,virtuser_query}
 
 COPY roundcube/config/config.inc.php /conf/
@@ -60,8 +61,8 @@ RUN set -euxo pipefail \
 ; curl -sLo /dev/shm/snappymail.tgz.asc ${SNAPPYMAIL_URL}.asc \
 ; gpg --status-fd 1 --verify /dev/shm/snappymail.tgz.asc \
 ; tar xzf /dev/shm/snappymail.tgz \
- ; chmod -R u+w,a+rX /var/www/snappymail \
- ; chown -R nginx:nginx /var/www/snappymail
+ ; chmod -R a+rX /var/www/snappymail \
+ ; chown -R root:root /var/www/snappymail
 
 # SnappyMail login
 COPY snappymail/login/include.php /var/www/snappymail/
diff --git a/webmails/php-webmail.conf b/webmails/php-webmail.conf
index 47c1f6dd..18a1f66e 100644
--- a/webmails/php-webmail.conf
+++ b/webmails/php-webmail.conf
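Review bot: The new `chown -R root:root` / `chmod -R a+rX` pair in the roundcube hunk only keeps the php-fpm user out of the code tree if the extracted tarball carries no group- or world-writable bits, because `a+rX` adds read/execute but never clears write; adding `; chmod -R go-w /var/www/roundcube \` before the `a+rX` line makes the root-owned, read-only intent explicit instead of inherited from the archive. The same applies to the snappymail hunk below, which has the identical `a+rX` plus `root:root` sequence. Conversely, since `u+w` is no longer forced, the `mailu`-owned temp/ and logs/ directories are writable by php-fpm only if the archive's owner-write bit was already set — worth confirming in the build. The RUN block these lines belong to starts before the hunk.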
@@ -11,8 +11,8 @@ catch_workers_output = 1
 ; Unix user/group of processes
 ; Note: The user is mandatory. If the group is not set, the default user's group
 ; will be used.
-user = nginx
-group = nginx
+user = mailu
+group = mailu
 
 ; The address on which to accept FastCGI requests.
 ; Valid syntaxes are:
diff --git a/webmails/start.py b/webmails/start.py
index c2bd87b7..06b90351 100755
--- a/webmails/start.py
+++ b/webmails/start.py
@@ -110,8 +110,7 @@ conf.jinja("/defaults/application.ini", context, "/data/_data_/_default_/configs
 conf.jinja("/defaults/php.ini", context, "/etc/php81/php.ini")
 
 # setup permissions
-os.system("chown -R nginx:nginx /data /var/www")
-os.system("chmod -R a+rX /var/www/")
+os.system("chown -R mailu:mailu /data")
 
 # Configure nginx
 conf.jinja("/conf/nginx-webmail.conf", context, "/etc/nginx/http.d/webmail.conf")
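Review bot: Switching the pool to `user = mailu` / `group = mailu` while nginx keeps running as its own user means the two sides now only meet through the FastCGI listener configured just below this hunk; if that `listen` is a unix socket, its `listen.owner`, `listen.group` and `listen.mode` (outside the hunk, not visible here) must still let the nginx user connect, or every request will fail after this change. A one-line comment above `user = mailu` recording the intent would help the next reader, e.g. `; php-fpm runs as mailu so that the nginx user cannot write to code or data`.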
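Review bot: The new `os.system("chown -R mailu:mailu /data")` discards the command's exit status, so if the recursive chown fails on the mounted volume the script carries on and php-fpm, now running as `mailu`, silently loses write access to its own data. Running it as `subprocess.run(["chown", "-R", "mailu:mailu", "/data"], check=True)` (with `subprocess` imported alongside `os`; the import block is outside the hunk) fails loudly at startup and avoids the shell string altogether. Since the `chmod -R a+rX /var/www/` line is dropped here, /var/www permissions are now fixed at image build time only, which is consistent with the Dockerfile changes in this commit.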