Round Cube change Password - 4 years trying to make it work no go

I followed these howtos
https://www.virtualmin.com/node/23427
http://www.virtualmin.com/files/roundcube_virtualmin_password_change.txt

Although this one seemed to be the big one – but also no go on any of these
https://forum.virtualmin.com/t/roundcube-change-password/52905/4

I have been using Virtualmin since Ubuntu was on Version 12 so probably 2013, I’ve actually installed it on 3 different servers at this point.

Currently I’ve got Ubuntu LTS 18 running on a pretty new ProLiant. I have NEVER gotten the roundcube password changer to work on any of the installs I’ve used.

When I change it I get the error “Cannot Change Password” which is not useful. Can anyone give me any sort of guidance?

I’m running php-FPM as my php mode and I’ve tried the actual user group of the domain idscp and www-data but neither work. Just executing the change password command from the shell works fine but the php script fails and I’m thinking it’s permission based???

chown root.www-data plugins/password/helpers/chgvirtualminpasswd
chown root.idscp plugins/password/helpers/chgvirtualminpasswd

I’ve tried everything I can think of

I did notice the drivers/virtualmin.php has changed quite a bit from the older versions I had to this version

class rcube_virtualmin_password
{
    function save($currpass, $newpass, $username)
    {
        $curdir   = RCUBE_PLUGINS_DIR . 'password/helpers';
        $username = escapeshellarg($username);

        // Get the domain using virtualmin CLI:
        exec("$curdir/chgvirtualminpasswd list-domains --mail-user $username --name-only", $output_domain, $returnvalue);

        if ($returnvalue == 0 && count($output_domain) == 1) {
            $domain = trim($output_domain[0]);
        }
        else {
            rcube::raise_error(array(
                'code' => 600,
                'file' => __FILE__, 'line' => __LINE__,
                'message' => "Password plugin: Unable to execute $curdir/chgvirtualminpasswd or domain for mail-user '$username' not known to Virtualmin"
                ), true, false);

            return PASSWORD_ERROR;
        }

        $domain  = escapeshellarg($domain);
        $newpass = escapeshellarg($newpass);

        exec("$curdir/chgvirtualminpasswd modify-user --domain $domain --user $username --pass $newpass", $output, $returnvalue);

        if ($returnvalue == 0) {
            return PASSWORD_SUCCESS;
        }

        rcube::raise_error(array(
                'code' => 600,
                'file' => __FILE__, 'line' => __LINE__,
                'message' => "Password plugin: Unable to execute $curdir/chgvirtualminpasswd"
            ), true, false);

        return PASSWORD_ERROR;
    }
}

what does roundcube error.log say when you try to change pass?

i thought we had that working for some years now with a small edit, but with the new virtualmin.php in password plugin, that’s changed and it’s not working here either.
our problem in initial setup (years ago), was that virtualmin, was trying to change password for ‘user-domain.tld’ instead of ‘user@domain.tld’ (and that isn’t working), so a small hack in the php file was placed, to do the character replace and make it work… but checked it earlier, and that doesn’t work now…

so maybe an update on virtualmin instructions is needed…

not a php developer, just tried adding these 2 lines to virtualmin.php and it works again :
54a55,56

    $username = str_replace("-$domain", "", $username);
    $username = escapeshellcmd($username);
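
Review bot: the added `escapeshellcmd($username)` line runs on a value that `save()` has already passed through `escapeshellarg()`, so any shell metacharacter in the address gets a backslash inserted inside the single quotes and reaches virtualmin as a literal backslash; drop that call and keep the single `escapeshellarg()`. The `str_replace("-$domain", "", $username)` line only strips the domain suffix if `$domain` is already set at the insertion point; with `$domain` unset the needle is just "-" and every hyphen is removed from the username.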

if someone has a better way of doing this, that’d be great…
we rely heavily on roundcube, since usermin has displaying issues with our native locale.

i’m just puzzled security-wise…
it seems that any roundcube user can run chgvirtualminpasswd (=virtualmin cli) with root permissions (!).
don’t know of a related roundcube exploit, but still makes me think potential issues…

any suggestions from virtualmin staff perhaps? can we limit that “virtualmin-cli” somehow, to only allow changing mail-user pass?

thanks in advance,
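
On the question of limiting the helper to mail-user password changes: the sketch below is an added example, not part of the thread and not the chgvirtualminpasswd source shipped with Roundcube. It assumes the helper is a setuid-root C wrapper that execs /usr/sbin/virtualmin, and it allows only the two command shapes the driver above issues; `safe_name` and `allowed_invocation` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define VIRTUALMIN "/usr/sbin/virtualmin"  /* path from the thread's error output */

/* Conservative charset for user/domain values (an assumption of this example);
 * a leading '-' is refused so a value can never be read as another option. */
static int safe_name(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 255 || s[0] == '-')
        return 0;
    return strspn(s, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "0123456789@._-") == n;
}

/* Return 1 only for the two command shapes the Roundcube driver issues:
 *   list-domains --mail-user USER --name-only
 *   modify-user --domain DOMAIN --user USER --pass PASSWORD */
int allowed_invocation(int argc, char **argv)
{
    if (argc == 5 && !strcmp(argv[1], "list-domains") &&
        !strcmp(argv[2], "--mail-user") && !strcmp(argv[4], "--name-only"))
        return safe_name(argv[3]);
    if (argc == 8 && !strcmp(argv[1], "modify-user") &&
        !strcmp(argv[2], "--domain") && !strcmp(argv[4], "--user") &&
        !strcmp(argv[6], "--pass"))
        return safe_name(argv[3]) && safe_name(argv[5]) && argv[7][0] != '\0';
    return 0;  /* every other virtualmin subcommand is refused */
}

int main(int argc, char **argv)
{
    char *clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

    if (!allowed_invocation(argc, argv)) {
        fprintf(stderr, "chgvirtualminpasswd: command not permitted\n");
        return 1;
    }
    if (setuid(0) != 0) {  /* become fully root; virtualmin refuses otherwise */
        perror("setuid");
        return 1;
    }
    argv[0] = VIRTUALMIN;
    execve(VIRTUALMIN, argv, clean_env);  /* fixed path, scrubbed environment */
    perror("execve");
    return 1;
}
```

The allowlist narrows what a caller can make virtualmin do, but it does not check the current password or which mailbox the caller owns, so execute permission on the binary still needs to be limited to the webmail user's group.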

Thanks for the info, I distinctly remember the old version of this script had lots of case statements that tried to figure out what version format the virtualmin user was in (was it domain.users@tld.com or domainuser@tld.com or domain-user@tld.com etc.), but this 3.0 version of the script doesn’t have it anymore, but even with the old virtualmin.php script I couldn’t get it to work either.

Here was my error from the log:

[19-May-2020 12:32:50 -0400]: <ligq3dle> PHP Error: Password plugin: Unable to execute /home/idscp/public_html/mail/plugins/password/helpers/chgvirtualminpasswd or domain for mail-user ''username@tld.com'' not known to Virtualmin i$

so unfortunately that workaround isn’t fixing me because $username is the correct user I am logged in as and using – weird!


 function save($currpass, $newpass, $username)
    {
        $curdir   = RCUBE_PLUGINS_DIR . 'password/helpers';
        $username = escapeshellarg($username);

        // Get the domain using virtualmin CLI:

         //hack  https://forum.virtualmin.com/t/round-cube-change-password-4-years-trying-to-make-it-work-no-go/105766
        $username = str_replace("-$domain", "", $username);
        $username = escapeshellcmd($username);
        // end hack


        exec("$curdir/chgvirtualminpasswd list-domains --mail-user $username --name-only", $output_domain, $returnvalue);

did you try running it manually from cli ? note, run this as web user with permissions to webmail, eg. :
/path/to/webmail/plugins/password/helpers/chgvirtualminpasswd modify-user --domain $domain --user user@domain.tld --pass $newpass
and see if that works, or possible errors.

User user@tld.com updated successfully and it updated the password

the command ran was:

/home/domainuser/public_html/mail/plugins/password/helpers# ./chgvirtualminpasswd modify-user --domain 'domain.com' --user 'user@domain.com' --pass 'test' 

User user@domain.com updated successfully

Now I will say this syntax is not what the exec (); command is running which is:

 exec("$curdir/chgvirtualminpasswd list-domains --mail-user $username --name-only", $output_domain, $returnvalue);

Is that a factor at all?

this is the command to get the domain, from username. there’s another command for changing password, further down the file…

also make sure chgvirtualminpasswd permissions are according to official instructions…

Yes that runs as it should from the shell and it returns:

Domain Username Description


myactual.com username myactualdomain 2020

the log file shows:

[21-May-2020 16:27:54 -0400]: <e14bfijn> PHP Error: Password plugin: Unable to execute /home/idscp/public_html/mail/plugins/password/helpers/chgvirtualminpasswd or domain for mail-user ''userdomain.com'' not known to Virtualmin in /home/domain/public_html/mail/plugins/password/drivers/virtualmin.php on line 57 (POST /mail/?_task=settings&_action=plugin.password-save)

So I put this into the virtualmin.php


exec("$curdir/chgvirtualminpasswd list-domains --mail-user $username --name-only", $output_domain, $returnvalue);
 

        file_put_contents("/home/mydomain/public_html/mail/plugins/password/drivers/log.txt","$curdir/chgvirtualminpasswd list-domains --mail-user $username --name-only, $output_domain, $returnvalue");
 		
        if ($returnvalue == 0 && count($output_domain) == 1) {
            $domain = trim($output_domain[0]);
        }
        else {
            rcube::raise_error(array(
                'code' => 600,
                'file' => __FILE__, 'line' => __LINE__,
                'message' => "Password plugin: Unable to execute $curdir/chgvirtualminpasswd or domain for mail-user '$username' not known to Virtualmin" .print_r($output,true)
                ), true, false);

            return PASSWORD_ERROR;
        }

this is where processing of the virtualmin.php stops, I get the command into my makeshift log file, and if I run that command at the shell it returns the correct domain but php processing stops on error


[21-May-2020 17:00:01 -0400]: <e14bfijn> PHP Error: Password plugin: Unable to execute /home/idscp/public_html/mail/plugins/password/helpers/chgvirtualminpasswd or domain for mail-user ''user-domain.com'' not known to Virtualmin in /home/idscp/public_html/mail/plugins/password/drivers/virtualmin.php on line 54 (POST /mail/?_task=settings&_action=plugin.password-save)

so if I take out your hack I get user-domain.com can’t be found and if I leave it in I get userdomain.com can’t be found.

Clearly something is not adding up on the user itself I guess.

I’m pretty sure that’s a third party script…so, we don’t really have any insight into why it isn’t working (but it definitely does look like it needs a little tweaking based on your username format config).

If I understand it correctly, chgvirtualminpasswd is, I assume, a setuid wrapper of the virtualmin command (which is alarming).

If RoundCube has a password command that uses the regular passwd (hopefully without needing to setuid on a very dangerously powerful command like virtualmin, and that just asks for the old password to confirm), why not just use that? Virtualmin, by default, uses regular system users for email accounts. Changing passwords with passwd will change it for Usermin, too. This obviously may not apply if you’re doing something complicated, like LDAP or MySQL based users, or something, but most people are not.

Oh, and you can also use Usermin. It has webmail and password change functionality built in, along with a bunch of other (optional) stuff.

yes but regular users don’t want to do that, they just want to change a password within webmail, so if a domain has 100 mail users they should just be able to change it in roundcube is the thought process.

If I should direct these questions elsewhere I definitely don’t mind, I just don’t know where to do it.

I’m using the latest version of everything

So by putting in a makeshift logfile and finding where the code fails and pulling error messages I found this is the line that breaks

 exec("$curdir/chgvirtualminpasswd list-domains --mail-user $username --name-only", $output_domain, $returnvalue); 

which evaluates to:

/home/domain/public_html/mail/plugins/password/helpers/chgvirtualminpasswd list-domains --mail-user 'user-domain.com' --name-only, Array, 2   

so return value is 2 (code needs == 0) which is the error and the actual array contents after print_r are:

/usr/sbin/virtualmin must be run as root

so where should I go from here? Seems I’m back at permissions somehow

Which led me to this old post:
https://virtualmin.com/node/23015

How can this be true, you can’t change the password as a user what? I can’t believe this – still troubleshooting

Got to here:

Then I recompiled and reset permissions on the file and got my return value 0 and count ==1

Problem is solved and plugin is working:

hope this pain point for me helps someone else.

yes, it’s alarming having a setuid virtualmin cli, ran by a web app…
so, tried to switch to chpasswd driver :


with some sudo setup

but only get :
Account [user-domain] password has changed
not user@domain, and noticed smtp/imap/pop3 still use old pass…(!!) so not working…

using the virtualmin driver/wrapper :
Account [user@domain] password has changed
Account [user-domain] password has changed

and everything’s working…
@Joe, if you have any suggestions on this…
