[BlueOnyx:22653] Re: Roundcube question

Michael Stauber mstauber at blueonyx.it
Tue Jan 29 12:25:59 -05 2019


Hi Larry,

>   Thanks,  hmmm, looking at the server, the roundcube install seems
> to have all the pieces for the password plugin, it is just not configured.
> May have to play with this some.

I don't know that plugin, but I wonder if it's wise to use it. Depending
on how a Vsite is configured the PHP on it runs with the UID "apache" or
that of the siteAdmin who owns the /web-root.

That PHP has no privileges to make a system() call to change the
user-password on a system level.

Our RoundCube is configured to use the system-passwords. The IMAP and
SMTP connections it uses to fetch the emails use the login credentials
of the user that he supplied during login to RoundCube and they must
match the system credentials.

So one way or another you perhaps need to elevate RoundCube permissions so
that it can change system passwords and I wonder if that's such a good
idea considering what a feeble and frequently updating mess RoundCube
is. Now *if* there is a vulnerability in RoundCube or that plugin,
someone could use it to change *any* passwords on the box.

-- 
With best regards

Michael Stauber


