Package: roundcube-core
Version: 1.3.13+dfsg.1-1~deb10u1
Severity: important

Hello,

I'm on Debian stable (buster) and using roundcube together with php-fpm (and Debian's unattended-upgrade functionality for the security feed).

This is already the second time an (unattended) upgrade has broken my roundcube setup, resulting in the web interface saying: config.inc.php was not found.

What's happening is that the upgrade - while maybe not entirely overriding (its custom values and credentials are still in place) - is definitely touching the config file located under /etc/roundcube/config.inc.php -- at least changing its permissions.

So, while my config.inc.php is supposed to have the following permissions in order for everything to work:

    -rw-r----- 1 root php-roundcube [..] config.inc.php

it looks like this after the upgrade:

    -rw-r----- 1 root www-data [..] config.inc.php

which makes this file unreadable for the php-fpm process running under the user "php-roundcube".

I kindly ask not to automatically change the config files' permissions during upgrades.

If you think my use case is an edge case or I'm better off with a different solution to my issue, I'm all ears. For the moment, though, I would assume using php-fpm (running under a different user than 'www-data') is quite common, and I think it's sane to expect custom configuration files' permissions not to be changed during updates by default.

Thanks a lot!
mirko
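
Added example, not part of the original report or of the roundcube package: it applies the POSIX owner/group/other class selection to the two `ls -l` lines quoted above to show why the group change alone makes the file unreadable for the pool user. It assumes the user "php-roundcube" belongs only to the group "php-roundcube" (the report does not state group membership) and ignores ACLs; the function names are hypothetical.

```python
# Added example: which permission class applies to a user, and whether it grants read.
# Assumption: "php-roundcube" is a member of the group "php-roundcube" only.
# Simplification: ACLs are ignored and root is treated as always able to read.

# The two listings from the report, with the elided fields left as "[..]".
BEFORE = "-rw-r----- 1 root php-roundcube [..] config.inc.php"
AFTER = "-rw-r----- 1 root www-data [..] config.inc.php"


def parse_ls_line(line):
    """Return (mode string, owner, group) from an `ls -l` style line."""
    fields = line.split()
    if len(fields) < 4 or len(fields[0]) < 10:
        raise ValueError("not an ls -l line: %r" % line)
    return fields[0][:10], fields[2], fields[3]


def can_read(mode, owner, group, user, user_groups):
    """Exactly one class is consulted: owner, else group, else other."""
    if user == "root":
        return True
    if user == owner:
        return mode[1] == "r"   # owner read bit
    if group in user_groups:
        return mode[4] == "r"   # group read bit
    return mode[7] == "r"       # other read bit


def audit(line, user, user_groups):
    """Summarise a listing and whether `user` can read the file."""
    mode, owner, group = parse_ls_line(line)
    return {
        "owner": owner,
        "group": group,
        "mode": mode,
        "readable": can_read(mode, owner, group, user, set(user_groups)),
    }


if __name__ == "__main__":
    for label, line in (("before upgrade", BEFORE), ("after upgrade", AFTER)):
        result = audit(line, "php-roundcube", ["php-roundcube"])
        print(label, result)
```

With mode 0640 the "other" class has no read bit, so once the group no longer matches one of the pool user's groups there is no class left that grants access.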