Kay Marquardt
2017-02-13 16:57:15 UTC
Hi all,
I updated roundcube on my new server to 1.3-beta and it worked like a
charm, thanks for it.
on this new server I tested the password plugin and was not pleased to
allow the webserver to call "sudo chpasswd". After some investigation
and testing I ended up with a new helper script to call change password
via ssh using the provided and excellent expect-passwd method.
Additionally I rewrote the chpasswd driver to provide the old password
in a compatible way and extended it to pass error messages back to
Are you interested in my changes and what's the best way to send them for
From my config.php:
// chpasswd Driver options
// ---------------------
// Command to use (see "Sudo setup" in README)
// 2017-02-13: Remarks by Kay Marquardt ***@rrr.de
// allowing sudo chpasswd directly IMHO opens a security hole!
// any script on the webserver can change password for every user, incl.
// $config['password_chpasswd_cmd'] = 'sudo /usr/sbin/chpasswd 2>/dev/null';
// try to be more secure and use dovecot or pam methods
// if this is not possible in your setup you can increase security by
// sudo to a wrapper, where you can implement some security measures
// 1. a simple wrapper is provided by this plugin:
// 2. move wrapper out of default location to a random place
// 3. change permissions of wrapper to root:www 770 to avoid changes by user or webserver
// 4. add some security measures, i.e. limit userids where password can be changed
// 5. allow webserver sudo for wrapper only (see README)
// $config['password_chpasswd_cmd'] = 'sudo
// IMHO the most flexible and secure method for users with interactive shell access is to use ssh with an expect script
// I modified the chpasswd driver to provide the old password needed; additionally it passes the script response in case of error.
// 1. I wrote a wrapper for the nice expect script provided by this plugin: helpers/chpass-wrapper-expect.py
// 2. move wrapper out of default location to a random place
// 3. change permissions of wrapper to root:www 770 to avoid changes by user or webserver
// 4. I added some security measures and password policy, see wrapper for details
// 5. remove sudo rules you may have applied (see README)
$config['password_chpasswd_cmd'] =
'/srv/www/database/roundcube/wrapper/chpass-wrapper-expect.py -ssh -host
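The post argues that letting the webserver run `sudo chpasswd` directly lets any compromised script on that host reset every account, root included, and that a sudo-only wrapper which limits the affected userids and enforces a password policy narrows that. The following is an added illustration of such a wrapper written for this page; it is not the plugin's own `chpass-wrapper-expect.py` or any code from the poster. It reads the same single `user:password` line that `/usr/sbin/chpasswd` takes on stdin, refuses privileged or out-of-range accounts with one uniform error (so the frontend cannot enumerate which names exist), applies a minimal policy, and only then hands the line to the real `chpasswd`. The UID range, the denied-user list, the minimum length and the `/usr/sbin/chpasswd` path are assumptions; the `lookup` and `run` parameters exist so the checks can be exercised without root.

```python
#!/usr/bin/env python3
"""
Hypothetical hardened chpasswd wrapper (illustration only, not the plugin's helper).

Reads one "user:password" line from stdin, exactly like /usr/sbin/chpasswd,
but refuses to act for privileged or out-of-range accounts and enforces a
minimal password policy before handing the line to the real chpasswd.
Meant to be the only command the webserver account may run via sudo.
"""
import pwd
import re
import subprocess
import sys

# Assumed site policy: only ordinary accounts in this UID range may be changed.
MIN_UID = 1000
MAX_UID = 60000
# Accounts never changeable through the web frontend, whatever their UID (hypothetical list).
DENIED_USERS = frozenset({"root", "admin", "www-data"})
MIN_PASSWORD_LEN = 12
# POSIX portable user-name characters; rejects anything chpasswd could misparse.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
CHPASSWD = "/usr/sbin/chpasswd"  # assumed path


def parse_chpasswd_line(line):
    """Split 'user:password' on the first colon only; passwords may contain ':'."""
    line = line.rstrip("\n")
    if "\n" in line or "\r" in line:
        raise ValueError("embedded newline: only one account per invocation")
    user, sep, password = line.partition(":")
    if not sep:
        raise ValueError("expected user:password")
    return user, password


def is_allowed_user(user, lookup=pwd.getpwnam):
    """True only for a safe name that exists, is not denied and has a UID in range."""
    if not USERNAME_RE.match(user) or user in DENIED_USERS:
        return False
    try:
        entry = lookup(user)
    except KeyError:
        return False
    return MIN_UID <= entry.pw_uid <= MAX_UID


def password_policy_errors(user, password):
    """Return a list of policy violations; an empty list means acceptable."""
    errors = []
    if len(password) < MIN_PASSWORD_LEN:
        errors.append("password shorter than %d characters" % MIN_PASSWORD_LEN)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in password):
        errors.append("password contains control characters")
    if user.lower() in password.lower():
        errors.append("password contains the user name")
    return errors


def change_password(user, password, run=subprocess.run):
    """Hand the validated pair to chpasswd; returns (exit status, stderr text)."""
    proc = run([CHPASSWD], input="%s:%s\n" % (user, password),
               capture_output=True, text=True)
    return proc.returncode, proc.stderr.strip()


def main():
    try:
        user, password = parse_chpasswd_line(sys.stdin.readline())
    except ValueError as exc:
        print("wrapper: %s" % exc, file=sys.stderr)
        return 2
    if not is_allowed_user(user):
        # Same message for unknown, denied and out-of-range accounts,
        # so a caller cannot tell which names exist on the host.
        print("wrapper: password change not permitted for this account", file=sys.stderr)
        return 1
    errors = password_policy_errors(user, password)
    if errors:
        print("wrapper: " + "; ".join(errors), file=sys.stderr)
        return 1
    status, stderr = change_password(user, password)
    if status != 0:
        print("wrapper: chpasswd failed: %s" % stderr, file=sys.stderr)
    return status


if __name__ == "__main__":
    sys.exit(main())
```

Deployed as the post suggests, the script lives at a non-default path owned `root:www` mode `770`, and the only sudo rule for the webserver account names that one path (for example `www-data ALL=(root) NOPASSWD: /path/to/wrapper`, with the account name and path adjusted to the site). Because the wrapper writes its refusal to stderr and exits non-zero, a driver that forwards the command's stderr, as the post describes for the modified chpasswd driver, can show the policy reason to the user instead of a bare failure.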