Hi all,
I updated roundcube on my new server to 1.3-beta and it worked like a charm, thanks for it.
On this new server I tested the password plugin and was not pleased to allow the webserver to call "sudo chpasswd". After some investigation and testing I ended up with a new helper script to change the password via ssh using the provided and excellent expect-passwd method.
Additionally I rewrote the chpasswd driver to provide the old password in a compatible way and extended it to pass error messages back to roundcube.
Are you interested in my changes and what's the best way to send them for review?
From my config.php:
// chpasswd Driver options
// ---------------------
// Command to use (see "Sudo setup" in README)

// 2017-02-13: Remarks by Kay Marquardt kay@rrr.de
// allowing sudo chpasswd directly IMHO opens a security hole!
// any script on the webserver can change password for every user, incl. root
// $config['password_chpasswd_cmd'] = 'sudo /usr/sbin/chpasswd 2>/dev/null';

// try to be more secure and use dovecot or pam methods
// if this is not possible in your setup you can increase security by
// sudo to a wrapper, where you can implement some security measures
// 1. a simple wrapper is provided by this plugin: helpers/chpasswrapper.py
// 2. move wrapper out of default location to a random place
// 3. change permissions of wrapper to root:www 770 to avoid changes by user or webserver
// 4. add some security measures, i.e. limit userids where password can be changed
// 5. allow webserver sudo for wrapper only (see README)
// $config['password_chpasswd_cmd'] = 'sudo /<RANDOMPATH>/roundcube/wrapper/chpass-wrapper.py';

// IMHO the most flexible and secure method for users with interactive shell access is to use ssh with an expect script
// I modified the chpasswd driver to provide the old password needed; additionally it passes the script response in case of error.
// 1. I wrote a wrapper for the nice expect script provided by this plugin: helpers/chpass-wrapper-expect.py
// 2. move wrapper out of default location to a random place
// 3. change permissions of wrapper to root:www 770 to avoid changes by user or webserver
// 4. I added some security measures and password policy, see wrapper for details
// 5. remove sudo rules you may have applied (see README)
$config['password_chpasswd_cmd'] = '/srv/www/database/roundcube/wrapper/chpass-wrapper-expect.py -ssh -host rrr.de';
Kay
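As an added illustration of the "sudo to a wrapper" approach described in the post (a constructed example, not the plugin's helpers/chpasswrapper.py and not Kay's script), here is a minimal Python wrapper that a sudo rule would point at instead of /usr/sbin/chpasswd: it enforces a UID floor and a password policy before forwarding the request, and rejects embedded control characters so one call cannot smuggle a second "user:password" line to chpasswd. The UID threshold of 1000, the policy values and the chpasswd path are assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical chpasswd wrapper: a sudo rule points here instead of chpasswd,
so the webserver can only change passwords that pass the policy below."""
import pwd
import re
import subprocess
import sys

MIN_UID = 1000            # refuse root and system accounts (assumed threshold)
MIN_PASSWORD_LEN = 10     # assumed policy value
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
CHPASSWD = "/usr/sbin/chpasswd"  # assumed path

def check_request(line, lookup=pwd.getpwnam, min_uid=MIN_UID):
    """Return (user, password, None) if the request passes the policy,
    otherwise (None, None, reason). `lookup` is injectable for testing."""
    line = line.rstrip("\n")
    # An embedded newline would smuggle a second "user:password" line to chpasswd.
    if any(ord(c) < 32 for c in line):
        return None, None, "control character in request"
    user, sep, password = line.partition(":")
    if not sep:
        return None, None, "expected user:password"
    if not USERNAME_RE.match(user):
        return None, None, "malformed user name"
    try:
        uid = lookup(user).pw_uid
    except KeyError:
        return None, None, "unknown user"
    if uid < min_uid:
        return None, None, "system account, refusing"
    if len(password) < MIN_PASSWORD_LEN:
        return None, None, "password too short"
    if user in password.lower():
        return None, None, "password contains user name"
    return user, password, None

def main():
    user, password, err = check_request(sys.stdin.read())
    if err:
        print("rejected: " + err, file=sys.stderr)   # error text the driver can relay
        return 1
    proc = subprocess.run([CHPASSWD], input=f"{user}:{password}\n", text=True, capture_output=True)
    if proc.returncode != 0:
        print(proc.stderr.strip() or "chpasswd failed", file=sys.stderr)
    return proc.returncode

if __name__ == "__main__":
    sys.exit(main())
```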