Hardening: run the http and php as different users

Florent Daigniere 2 years ago
parent d7b80e94a4
commit 06c0c78956

@ -41,8 +41,9 @@ RUN set -euxo pipefail \
; cd roundcube \ ; cd roundcube \
; rm -rf CHANGELOG.md SECURITY.md INSTALL LICENSE README.md UPGRADING composer.json-dist installer composer.* \ ; rm -rf CHANGELOG.md SECURITY.md INSTALL LICENSE README.md UPGRADING composer.json-dist installer composer.* \
; ln -sf index.php /var/www/roundcube/public_html/sso.php \ ; ln -sf index.php /var/www/roundcube/public_html/sso.php \
; chmod -R u+w,a+rX /var/www/roundcube \ ; chown -R root:root /var/www/roundcube/ \
; chown -R nginx:nginx /var/www/roundcube \ ; chown -R mailu:mailu /var/www/roundcube/temp /var/www/roundcube/logs \
; chmod -R a+rX /var/www/roundcube \
; rm -rf plugins/{autologon,example_addressbook,http_authentication,krb_authentication,new_user_identity,password,redundant_attachments,squirrelmail_usercopy,userinfo,virtuser_file,virtuser_query} ; rm -rf plugins/{autologon,example_addressbook,http_authentication,krb_authentication,new_user_identity,password,redundant_attachments,squirrelmail_usercopy,userinfo,virtuser_file,virtuser_query}
COPY roundcube/config/config.inc.php /conf/ COPY roundcube/config/config.inc.php /conf/
@ -60,8 +61,8 @@ RUN set -euxo pipefail \
; curl -sLo /dev/shm/snappymail.tgz.asc ${SNAPPYMAIL_URL}.asc \ ; curl -sLo /dev/shm/snappymail.tgz.asc ${SNAPPYMAIL_URL}.asc \
; gpg --status-fd 1 --verify /dev/shm/snappymail.tgz.asc \ ; gpg --status-fd 1 --verify /dev/shm/snappymail.tgz.asc \
; tar xzf /dev/shm/snappymail.tgz \ ; tar xzf /dev/shm/snappymail.tgz \
; chmod -R u+w,a+rX /var/www/snappymail \ ; chmod -R a+rX /var/www/snappymail \
; chown -R nginx:nginx /var/www/snappymail ; chown -R root:root /var/www/snappymail
# SnappyMail login # SnappyMail login
COPY snappymail/login/include.php /var/www/snappymail/ COPY snappymail/login/include.php /var/www/snappymail/
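Review bot: The new `chmod -R a+rX /var/www/roundcube` in the first hunk also covers `temp` and `logs`, so the directories that php-fpm (now `mailu`) writes its temporary files and logs into are still readable by the `nginx` user, which is the separation this commit sets out to create; dropping the old `u+w` also means their writability now depends on whatever mode bits the tarball shipped. Add `; chmod -R u+rwX,go-rwx /var/www/roundcube/temp /var/www/roundcube/logs \` after the `a+rX` line; the rest of the tree stays root-owned and world-readable, which is all nginx needs for the static assets. In the snappymail hunk, `COPY snappymail/login/include.php` runs after `chmod -R a+rX`, and COPY keeps the source file's mode bits, so a 0600 file in the build context would be unreadable to php-fpm as `mailu`; `COPY --chmod=644` or moving the COPY before the chmod removes that dependency on the checkout. Whether Roundcube is pointed at these `temp`/`logs` paths or at ones under `/data` at runtime is not visible here.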

@ -11,8 +11,8 @@ catch_workers_output = 1
; Unix user/group of processes ; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group ; Note: The user is mandatory. If the group is not set, the default user's group
; will be used. ; will be used.
user = nginx user = mailu
group = nginx group = mailu
; The address on which to accept FastCGI requests. ; The address on which to accept FastCGI requests.
; Valid syntaxes are: ; Valid syntaxes are:
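Review bot: With the pool now running as `mailu`, the `listen` directive that follows this hunk must still be reachable by nginx: if it is a unix socket, the pool creates it and needs `listen.owner = nginx`, `listen.group = nginx` (or a shared group) and `listen.mode = 0660`, otherwise every request fails with permission denied; a TCP `listen = 127.0.0.1:9000` is unaffected but is then reachable by any process in the container. The `listen` line and its ownership settings are outside the hunk, so this cannot be confirmed from here, and the `mailu` account must already exist in the image, which the commit does not show. A comment above `user = mailu` recording the intent would help the next reader, e.g. `; php-fpm runs as mailu so the web tier (nginx) cannot read application data; /var/www is root-owned and read-only for both`.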

@ -110,8 +110,7 @@ conf.jinja("/defaults/application.ini", context, "/data/_data_/_default_/configs
conf.jinja("/defaults/php.ini", context, "/etc/php81/php.ini") conf.jinja("/defaults/php.ini", context, "/etc/php81/php.ini")
# setup permissions # setup permissions
os.system("chown -R nginx:nginx /data /var/www") os.system("chown -R mailu:mailu /data")
os.system("chmod -R a+rX /var/www/")
# Configure nginx # Configure nginx
conf.jinja("/conf/nginx-webmail.conf", context, "/etc/nginx/http.d/webmail.conf") conf.jinja("/conf/nginx-webmail.conf", context, "/etc/nginx/http.d/webmail.conf")
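Review bot: `os.system("chown -R mailu:mailu /data")` discards the exit status, so a failed chown (read-only or foreign-owned volume) lets the container come up with php-fpm, now running as `mailu`, unable to write its own data directory, and the error surfaces later as an opaque PHP failure instead of at startup. Use `subprocess.run(["chown", "-R", "mailu:mailu", "/data"], check=True)` (adding `import subprocess` if the script does not already have it) so the start script fails loudly. A one-line why-comment would also help, e.g. `# /data is a volume; presumably it may have been populated by an older image running as nginx, so hand it to the php-fpm user on every start`. This statement sits at module level of a script that continues outside the hunk.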
