[RCD] new helper script for more secure password changing with chpasswd

Kay Marquardt kay at rrr.de
Mon Feb 13 17:57:15 CET 2017


Hi all,

I updated roundcube on my new server to 1.3-beta and it worked like a 
charm, thanks for it.

On this new server I tested the password plugin and was not pleased to
allow the webserver to call "sudo chpasswd". After some investigation
and testing I ended up with a new helper script to call change password
via ssh using the provided and excellent expect-passwd method.

Additionally I rewrote the chpasswd driver to provide the old password 
in a compatible way and extended it to pass error messages back to 
roundcube.

Are you interested in my changes, and what's the best way to send them for
review?

From my config.php:

// chpasswd Driver options
// ---------------------
// Command to use (see "Sudo setup" in README)

// 2017-02-13: Remarks by Kay Marquardt kay at rrr.de
// allowing sudo chpasswd directly IMHO opens a security hole!
// any script on the webserver can change password for every user, incl. root
// $config['password_chpasswd_cmd'] = 'sudo /usr/sbin/chpasswd 2>/dev/null';

// try to be more secure and use dovecot or pam methods
// if this is not possible in your setup you can increase security by
// sudo to a wrapper, where you can implement some security measures

//    1. a simple wrapper is provided by this plugin: helpers/chpasswrapper.py
//    2. move wrapper out of default location to a random place
//    3. change permissions of wrapper to root:www 770 to avoid changes by user or webserver
//    4. add some security measures, i.e. limit userids where password can be changed
//    5. allow webserver sudo for wrapper only (see README)
// $config['password_chpasswd_cmd'] = 'sudo /<RANDOMPATH>/roundcube/wrapper/chpass-wrapper.py';

// IMHO the most flexible and secure method for users with interactive shell access is to use ssh with an expect script
// I modified the chpasswd driver to provide the old password needed, additionally it passes the script response in case of error.

//    1. I wrote a wrapper for the nice expect script provided by this plugin: helpers/chpass-wrapper-expect.py
//    2. move wrapper out of default location to a random place
//    3. change permissions of wrapper to root:www 770 to avoid changes by user or webserver
//    4. I add some security measures and password policy, see wrapper for details
//    5. remove sudo rules you may have applied (see README)
$config['password_chpasswd_cmd'] = '/srv/www/database/roundcube/wrapper/chpass-wrapper-expect.py -ssh -host rrr.de';



Kay
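
Added example, not part of the original post and not the plugin's own helper code: a sketch of the kind of check a sudo wrapper in front of chpasswd can apply before passing anything on, in the spirit of "limit userids where password can be changed". The deny list, the UID floor, the username pattern and all function names are assumptions chosen for illustration.

```python
import pwd
import re
import subprocess
import sys
from types import SimpleNamespace

# Assumed policy values for this sketch; adjust to the local system.
DENIED_USERS = {"root", "daemon", "bin", "nobody"}
MIN_UID = 1000  # assumed first regular-user UID
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")

# Constructed sample accounts so the check can be exercised offline.
SAMPLE_UIDS = {"alice": 1001, "www-data": 33}


def sample_lookup(name):
    return SimpleNamespace(pw_uid=SAMPLE_UIDS[name])  # KeyError if unknown


def validate_request(data, lookup=pwd.getpwnam):
    """Return (user, password) from one chpasswd record or raise ValueError."""
    record = data[:-1] if data.endswith("\n") else data
    # chpasswd treats every input line as its own user:password record,
    # so an embedded line break would smuggle in a second account change.
    if "\n" in record or "\r" in record or "\0" in record:
        raise ValueError("multiple records or control characters in input")
    user, sep, password = record.partition(":")
    if not sep or not password:
        raise ValueError("expected 'user:password'")
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("malformed username")
    if user in DENIED_USERS:
        raise ValueError("account is on the deny list")
    try:
        entry = lookup(user)
    except KeyError:
        raise ValueError("unknown user") from None
    if entry.pw_uid < MIN_UID:
        raise ValueError("system account")
    return user, password


if __name__ == "__main__":
    try:
        user, password = validate_request(sys.stdin.read())
    except ValueError as err:
        sys.exit(f"refused: {err}")
    subprocess.run(["/usr/sbin/chpasswd"], input=f"{user}:{password}\n",
                   text=True, check=True)
```

Only the validated record is written to chpasswd, so input that failed a check never reaches the privileged command.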

