I have been using Virtualmin since Ubuntu was on Version 12 so probably 2013, I’ve actually installed it on 3 different servers at this point.
Currently I’ve got Ubuntu LTS 18 running on a pretty new ProLiant. I have NEVER gotten the Roundcube password changer to work on any of the installs I’ve used.
When I change it I get the error “Cannot Change Password”, which is not useful. Can anyone give me any sort of guidance?
I’m running PHP-FPM as my PHP mode and I’ve tried the actual user group of the domain idscp and www-data but neither work. Just executing the change password command from the shell works fine but the PHP script fails and I’m thinking it’s permission based???
what does roundcube error.log say when you try to change pass?
i thought we had that working for some years now with a small edit, but with the new virtualmin.php in password plugin, that’s changed and it’s not working here either.
our problem in initial setup (years ago), was that virtualmin, was trying to change password for ‘user-domain.tld’ instead of ‘user@domain.tld’ (and that isn’t working), so a small hack in the php file was placed, to do the character replace and make it work… but checked it earlier, and that doesn’t work now…
so maybe an update on virtualmin instructions is needed…
i’m just puzzled security-wise…
it seems that any roundcube user can run chgvirtualminpasswd (=virtualmin cli) with root permissions (!).
don’t know of a related roundcube exploit, but still makes me think potential issues…
any suggestions from virtualmin staff perhaps? can we limit that “virtualmin-cli” somehow, to only allow changing mail-user pass?
Thanks for the info. I distinctly remember the old version of this script had lots of case statements that tried to figure out what version format the Virtualmin user was in (was it domain.users@tld.com or domainuser@tld.com or domain-user@tld.com etc.), but this 3.0 version of the script doesn’t have it anymore. Even with the old virtualmin.php script I couldn’t get it to work either.
Here was my error from the log:
[19-May-2020 12:32:50 -0400]: <ligq3dle> PHP Error: Password plugin: Unable to execute /home/idscp/public_html/mail/plugins/password/helpers/chgvirtualminpasswd or domain for mail-user ''username@tld.com'' not known to Virtualmin i$
so unfortunately that workaround isn’t fixing it for me because $username is the correct user I am logged in as and using – weird!
function save($currpass, $newpass, $username)
{
    $curdir = RCUBE_PLUGINS_DIR . 'password/helpers';
    $username = escapeshellarg($username);
    // Get the domain using virtualmin CLI:
    //hack https://forum.virtualmin.com/t/round-cube-change-password-4-years-trying-to-make-it-work-no-go/105766
    // note: $domain has not been assigned yet at this point in save(), so "-$domain" evaluates to "-"
    $username = str_replace("-$domain", "", $username);
    $username = escapeshellcmd($username);
    // end hack
    exec("$curdir/chgvirtualminpasswd list-domains --mail-user $username --name-only", $output_domain, $returnvalue);
did you try running it manually from cli ? note, run this as web user with permissions to webmail, eg. : /path/to/webmail/plugins/password/helpers/chgvirtualminpasswd modify-user --domain $domain --user user@domain.tld --pass $newpass
and see if that works, or possible errors.
[21-May-2020 16:27:54 -0400]: <e14bfijn> PHP Error: Password plugin: Unable to execute /home/idscp/public_html/mail/plugins/password/helpers/chgvirtualminpasswd or domain for mail-user ''userdomain.com'' not known to Virtualmin in /home/domain/public_html/mail/plugins/password/drivers/virtualmin.php on line 57 (POST /mail/?_task=settings&_action=plugin.password-save)
So i put this into the virtualmin.php
exec("$curdir/chgvirtualminpasswd list-domains --mail-user $username --name-only", $output_domain, $returnvalue);
file_put_contents("/home/mydomain/public_html/mail/plugins/password/drivers/log.txt","$curdir/chgvirtualminpasswd list-domains --mail-user $username --name-only, $output_domain, $returnvalue");
if ($returnvalue == 0 && count($output_domain) == 1) {
    $domain = trim($output_domain[0]);
}
else {
    rcube::raise_error(array(
        'code' => 600,
        'file' => __FILE__, 'line' => __LINE__,
        'message' => "Password plugin: Unable to execute $curdir/chgvirtualminpasswd or domain for mail-user '$username' not known to Virtualmin" .print_r($output,true)
    ), true, false);
    return PASSWORD_ERROR;
}
this is where processing of the virtualmin.php stops, I get the command into my makeshift log file, and if I run that command at the shell it returns the correct domain but PHP processing stops on error
[21-May-2020 17:00:01 -0400]: <e14bfijn> PHP Error: Password plugin: Unable to execute /home/idscp/public_html/mail/plugins/password/helpers/chgvirtualminpasswd or domain for mail-user ''user-domain.com'' not known to Virtualmin in /home/idscp/public_html/mail/plugins/password/drivers/virtualmin.php on line 54 (POST /mail/?_task=settings&_action=plugin.password-save)
so if I take out your hack I get user-domain.com can’t be found and if I leave it in I get userdomain.com can’t be found.
Clearly something is not adding up on the user itself I guess.
I’m pretty sure that’s a third party script…so, we don’t really have any insight into why it isn’t working (but it definitely does look like it needs a little tweaking based on your username format config).
If I understand it correctly, chgvirtualminpasswd is, I assume, a setuid wrapper of the virtualmin command (which is alarming).
If RoundCube has a password command that uses the regular passwd (hopefully without needing to setuid on a very dangerously powerful command like virtualmin, and that just asks for the old password to confirm), why not just use that? Virtualmin, by default, uses regular system users for email accounts. Changing passwords with passwd will change it for Usermin, too. This obviously may not apply if you’re doing something complicated, like LDAP or MySQL based users, or something, but most people are not.
yes but regular users don’t want to do that, they just want to change a password within webmail, so if a domain has 100 mail users they should just be able to change it in Roundcube is the thought process.
If I should direct these questions elsewhere I definitely don’t mind, I just don’t know where to do it.
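On the question raised earlier in the thread about limiting the helper to mail-user password changes: the following is an added example, not Roundcube's or Virtualmin's code, of an argument allow-list that a setuid wrapper could apply before calling the CLI. It accepts only the two command shapes the driver code quoted above issues; the function name `allowed_invocation`, the character policy and the length limits are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed policy for user/domain values: letters, digits and . _ @ - only,
 * non-empty, bounded, and never starting with '-' (so a value cannot be
 * taken for another option). */
static int safe_value(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 255 || s[0] == '-')
        return 0;
    return strspn(s, "abcdefghijklmnopqrstuvwxyz"
                     "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._@-") == n;
}

/* Returns 1 only for the two command shapes the driver issues:
 *   list-domains --mail-user USER --name-only
 *   modify-user --domain DOMAIN --user USER --pass PASSWORD
 * Every other subcommand, option or ordering is refused. */
int allowed_invocation(int argc, char *const argv[])
{
    if (argc == 5)
        return strcmp(argv[1], "list-domains") == 0 &&
               strcmp(argv[2], "--mail-user") == 0 &&
               safe_value(argv[3]) &&
               strcmp(argv[4], "--name-only") == 0;
    if (argc == 8) {
        size_t plen = strlen(argv[7]);
        return strcmp(argv[1], "modify-user") == 0 &&
               strcmp(argv[2], "--domain") == 0 && safe_value(argv[3]) &&
               strcmp(argv[4], "--user") == 0 && safe_value(argv[5]) &&
               strcmp(argv[6], "--pass") == 0 &&
               plen > 0 && plen <= 256; /* password: any bytes, one argv element */
    }
    return 0;
}

int main(int argc, char *argv[])
{
    /* A wrapper would run this check before raising privileges, then pass
     * argv to the CLI with execv() rather than through a shell. */
    if (!allowed_invocation(argc, argv)) {
        fprintf(stderr, "refused: only mail-user password changes are allowed\n");
        return 1;
    }
    puts("ok: arguments match an allowed command shape");
    return 0;
}
```

This check narrows which CLI commands the web user can reach, but it does not prove the caller knows the current password of the mailbox being changed.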