ispconfig3_roundcube security

Discussion in 'General' started by Milos Djakonovic, Feb 18, 2021.

  1. Milos Djakonovic

    Milos Djakonovic New Member

    Is there any additional security advice or guideline for using ispconfig3_roundcube plugin? Should it be used as it is documented?

    I’m asking because it requires a remote user with client functions and server functions which gives user permission to alter core system settings. So, security of a whole system turns not to be better than security of currently running copy of Roundcube webmail. It’s actually even worse, as it’s up to what www-data system user is capable of accessing, given that RC operates under www-data user (which is default). So, outdated or compromised PHP script running under default webserver’s user only needs to know what to look for (ok, and to be able to execute arbitrary code, and not to be chroot-ed somewhere).

    I apologize for probably missing something big but this seems to me like an important subject. I already think about writing script which will be sudo-ed as another user, which will have access to particular dbispconfig tables...
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    No, you pretty well nailed it, pending discussion below. In very recent ISPConfig versions (I think 3.2.2? If not, definitely nightly builds) there is now a permission labeled 'Roundcube plugins functions' which you can assign your remote user and it improves that quite a lot. Ie. you don't need to assign client and server functions, only that single 'Roundcube plugins functions'.

    In a properly configured system, no client sites will run as www-data. But that is prone to user error; you should uninstall all mod_php versions, and ensure every site has suexec enabled. We could/should even improve the ISPConfig ui to make it difficult/impossible to not use suexec (feel free to file an rfe for that in the issue tracker if you wish).

    That leaves non-client sites to consider, which would commonly be roundcube and phpmyadmin, and other local additions. Checking a system here, I think neither site (roundcube or phpmyadmin) will have open_basedir in effect, and neither is chroot, both of which would help. <hint>Definitely room for some improvement if you want to work on that and post in the Tips & Tricks forum.</hint> :)
    Th0m likes this.

Share This Page