scottk/Mailu-OIDC
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/Mailu-OIDC.git synced 2025-10-31 01:57:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Hardening: run the http and php as different users

Browse Source
This commit is contained in:
Florent Daigniere
2022-11-13 13:44:35 +01:00
parent d7b80e94a4
commit 06c0c78956
3 changed files with 8 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
webmails/Dockerfile
View File

@@ -41,8 +41,9 @@ RUN set -euxo pipefail \
; cd roundcube \ ; cd roundcube \
; rm -rf CHANGELOG.md SECURITY.md INSTALL LICENSE README.md UPGRADING composer.json-dist installer composer.* \ ; rm -rf CHANGELOG.md SECURITY.md INSTALL LICENSE README.md UPGRADING composer.json-dist installer composer.* \
; ln -sf index.php /var/www/roundcube/public_html/sso.php \ ; ln -sf index.php /var/www/roundcube/public_html/sso.php \
; chmod -R u+w,a+rX /var/www/roundcube \ ; chown -R root:root /var/www/roundcube/ \
; chown -R nginx:nginx /var/www/roundcube \ ; chown -R mailu:mailu /var/www/roundcube/temp /var/www/roundcube/logs \
; chmod -R a+rX /var/www/roundcube \
; rm -rf plugins/{autologon,example_addressbook,http_authentication,krb_authentication,new_user_identity,password,redundant_attachments,squirrelmail_usercopy,userinfo,virtuser_file,virtuser_query} ; rm -rf plugins/{autologon,example_addressbook,http_authentication,krb_authentication,new_user_identity,password,redundant_attachments,squirrelmail_usercopy,userinfo,virtuser_file,virtuser_query}
COPY roundcube/config/config.inc.php /conf/ COPY roundcube/config/config.inc.php /conf/
@@ -60,8 +61,8 @@ RUN set -euxo pipefail \
; curl -sLo /dev/shm/snappymail.tgz.asc ${SNAPPYMAIL_URL}.asc \ ; curl -sLo /dev/shm/snappymail.tgz.asc ${SNAPPYMAIL_URL}.asc \
; gpg --status-fd 1 --verify /dev/shm/snappymail.tgz.asc \ ; gpg --status-fd 1 --verify /dev/shm/snappymail.tgz.asc \
; tar xzf /dev/shm/snappymail.tgz \ ; tar xzf /dev/shm/snappymail.tgz \
; chmod -R u+w,a+rX /var/www/snappymail \ ; chmod -R a+rX /var/www/snappymail \
; chown -R nginx:nginx /var/www/snappymail ; chown -R root:root /var/www/snappymail
# SnappyMail login # SnappyMail login
COPY snappymail/login/include.php /var/www/snappymail/ COPY snappymail/login/include.php /var/www/snappymail/

4
webmails/php-webmail.conf
View File

@@ -11,8 +11,8 @@ catch_workers_output = 1
; Unix user/group of processes ; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group ; Note: The user is mandatory. If the group is not set, the default user's group
; will be used. ; will be used.
user = nginx user = mailu
group = nginx group = mailu
; The address on which to accept FastCGI requests. ; The address on which to accept FastCGI requests.
; Valid syntaxes are: ; Valid syntaxes are:

3
webmails/start.py
View File

@@ -110,8 +110,7 @@ conf.jinja("/defaults/application.ini", context, "/data/_data_/_default_/configs
conf.jinja("/defaults/php.ini", context, "/etc/php81/php.ini") conf.jinja("/defaults/php.ini", context, "/etc/php81/php.ini")
# setup permissions # setup permissions
os.system("chown -R nginx:nginx /data /var/www") os.system("chown -R mailu:mailu /data")
os.system("chmod -R a+rX /var/www/")
# Configure nginx # Configure nginx
conf.jinja("/conf/nginx-webmail.conf", context, "/etc/nginx/http.d/webmail.conf") conf.jinja("/conf/nginx-webmail.conf", context, "/etc/nginx/http.d/webmail.conf")