new helper script for more secure password changing with chpasswd

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

new helper script for more secure password changing with chpasswd

Kay Marquardt
Hi all,

I updated roundcube on my new server to 1.3-beta and it worked like a
charm, thanks for it.

on this new server I tested the password plugin and was not pleased to
allow the webserver to call "sudo chpasswd". After some investigation
and testing I ended up with a new helper script to call change password
via ssh using the provided and excelent expect-passwd method.

Additionally I rewrote the chpasswd driver to provide the old password
in a compatible way and extended it to pass error messages back to
roundcube.

Are you interested in my changes and whats the best way to send them for
review?

 From my config.php:

// chpasswd Driver options
// ---------------------
// Command to use (see "Sudo setup" in README)

// 2017-02-13: Remarks by Kay Marquardt [hidden email]
// allowing sudo chpasswd directly IMHO opens a security hole!
// any script on the webserver can change password for every user, incl.
root
// $config['password_chpasswd_cmd'] = 'sudo /usr/sbin/chpasswd 2>/dev/null';

// try to be more secure and use dovecot or pam methods
// if this is not possible in your setup you can increase security by
// sudo to a wrapper, where you can implement some security meassures

//    1. a simple wraper is provided by this plugin:
helpers/chpasswrapper.py
//    2. move wrapper out of default location to a random place
//    3. change permissons of wrapper to root:www 770 to avoid changes
by user or webserver
//    4. add some security meassures, i.e. limit userids where password
can be changed
//    5. allow webserver sudo for wrapper only (see README)
// $config['password_chpasswd_cmd'] = 'sudo
/<RANDOMPATH>/roundcube/wrapper/chpass-wrapper.py';

// IMHO the most flexible and secure method for users with interactive
shell access is to use ssh with an expect script
// I modifed the chpasss driver to provide the old password needed,
additionally it pass the script response in case of error.

//    1. I wrote a wrapper for the nice expect script provided by this
plugin: helpers/chpass-wrapper-expect.py
//    2. move wrapper out of default location to a random place
//    3. change permissons of wrapper to root:www 770 to avoid changes
by user or webserver
//    4. I add some security meassures and password policy, see wrapper
for details
//    5. remove sudo rules you may have applied (see README)
$config['password_chpasswd_cmd'] =
'/srv/www/database/roundcube/wrapper/chpass-wrapper-expect.py -ssh -host
rrr.de';



Kay
_______________________________________________
Roundcube Development discussion mailing list
[hidden email]
http://lists.roundcube.net/mailman/listinfo/dev