Roundcube Community Forum
Third Party Contributions => Old Style Plug-Ins => Topic started by: kali on September 04, 2006, 05:55:00 PM
-
Any interest from the community?
I'm pretty sure I can use the VERY pretty integration already done for IMAP passwd change and use the chpasswd utility for changing system passwords for users (using /etc/passwd or /etc/shadow). Useful if users are local systems users (ie. home directories, samba, uw-imap etc.)
If there is interest - I'll get to this. Seems very straightforward (and secure!) given the work and bug fixes already incorporated into this and squirrel's mod.
-
Kali,
I, for one, am quite interested. We also connect (currently) to a SquirrelMail installation on a redhat server.
Thank you, in advance, for any work that you do in this regard.
bozhe
-
I have looked at the existing scripts (for "pretty" integration into RC) and the pw change scripts (from SM which are very good). Here's my problem - it requires changes to multiple RC files in order to gracefully add this tab to the preferences area, but is pretty doable.
This in turn, however, will require a new .patch for every version to patch. One of the really nice things that Squirrel did was to design a plug-in schema so that core code could change and plugins could stay the same. Early on, some of the plugins for squirrel also required new patch files for each and every version of the app (notably the nice icons patch) and that was just not long-term sustainable.
So - for now, I'm looking at just linking from the login page to a distinct change password page (ssl) or from within RC (add to footers) so that users are already authenticated and can pick up the $user attribute.
-
when u say default value for activation is 1. Do i need to alter something in the script or do u have a mysql code u can send me which i can alter to fit my domain because i can run it directly in phpmyadmin, becaue i think the problem is coming from mysql.
cheers matt
-
Very interesting kali. Do you need support in PHP development? let me know, maybe I can give you a hand. Actually my server store the passwords in shadow files, like you said and I would like to let my users to change their password through RC.
PM me so I can provide you with my MSN or Gtalk.
-
Hi Heritz - very nice offer.
I currently have it running quite successfully as a secure cgi script which just links from RC. Easy- no mod to RC while it's changing so much (other than the link). Would, of course, be "nicer" if it was a tab in preferences.... but unless I'm missing something, that will require a new patch for each released version.
What do you think?
-
Ya well, you will need a "plugin patch" for each release. I am not a CGI expert, but if we can translate the CGI code and apply it to PHP we can create a really nice mod.
I really don't care about making a "patch" for each release, the changes will be minimal and this guys release a new version every 3 months or more, which is not that bad.
Actually there is an excellent patch that modify the password stored in mysql databases. It works if you configure your server to store the passwords in MYSQL DB; in our case, the passwords are stored in shadow files, encrypted with md5crypt which is kinda different.
The patch is already done, with the preferences tab and all that stuff. We can take that patch, use the template files, and work over the "main core" file to make it able to edit the passwords in shadow files.
cPanel has a CGI script that let you edit the password in the e.mail accounts. Are you using that script? I mean, we can use it to start browsing the commands.
-
Changing passwords in MySQL is "easy" - as the PHP script already has defacto access to the database. Reason it is almost always a cgi to change shadow pw's is that you need root access to do so (which the web server, and therefore any PHP script, does not have - or at least should not have). So the cgi for this purpose is typically a setuid program which can then access/modify the shadow pw file.
Password changing itself is fairly trivial, as you can even call the system passwd utility via cgi - but again, you either need that user's credentials or root (the more usual approach).
-
So, the solution for us is to use a CGI script. The thing is, using a CGI script under a secure conection will ask the user again for an username and password.
My question is, how are you validating the access to that script? I mean, if you don't secure it, anyone can access to the script and hack the accounts.
-
So, the solution for us is to use a CGI script. The thing is, using a CGI script under a secure conection will ask the user again for an username and password.
Yes, that is correct. I've not really played with this, BUT - 1. that may not be a bad thing (verify username/pw to proceed) and 2. it would not be hard to pass that value to the script if one wanted.
My question is, how are you validating the access to that script? I mean, if you don't secure it, anyone can access to the script and hack the accounts.
At the moment that too is correct - although allowing access only via referral from RC is possible (I suppose). As to "security" - that is a tricky one. You suggest that allowing global access to the script is not "secure", but I don't see how that is any less secure than allowing global access to the webmail app itself which in turn allows access to the script. In either case - one needs an existing (and valid) id/pw pair to proceed.
The pw change cgi requires input of id - existing pw - and new pw (twice) to proceed. If it fails - it's logged, and takes it's time giving a new screen (to thwart rapid dictionary attacks). Personally - I see this as no different than having an SSH daemon listening and available to "the world".
Perhaps in more practical terms - I only have a reference to the pw change cgi from within rc and then it is a cryptic url (which as a link is easy - but is not easy to guess or scan from outside).
-
Just as follow up - this thread has gotten me more interested in the "feature"!
I now have the "Change Password" nicely incorporated as a tab on the Preferences page. Instead of creating frames and more functionality within RC itself - it just pops up a new window for PW change, then closes (leaving you back within RC). The benefit of this approach is that it is a very simple one-line patch to one RC file (which adds the additional tab which pops up the new pw change window).
I can package this and publish if any are interested....
-
I am insterested, do it now. Need hosting for this man? if you need it, let me know.
-
It's complete.
Heritz - I've mailed to you for any comments etc. you may have.
If others are interested - I'll host a link for download.
This plugin basically allows "local users" (using /etc/passwd or /etc/shadow) to change their passwords. This includes anyone using UW-Imap, or other services (FTP, Samba etc.) where local accounts are needed.
-
I think is many people interested this plugin, then maybe you put link to this plugin on forum :)
-
FIRST RELEASE of Local User Password Change Plug-in
http://www.kalisystems.com/rc-changepw/
-
Plugin is the best, thx :)
-
Plugin is the best, thx :)
Thanks! 8)
Feedback, suggestions welcome. It's working very well for me - and is quite easy. I also intend to keep the cgi current for RC and continue to host it.
-
Well guys,
I just tried the kali's plugin and it didn't work in my cPanel installation. So I decided to make a plugin for my cPanel installation and it's working as hell at this moment. I expect to publish the plugin this weekend so all the cPanel users can have this change password utility.
Its based on CURL. Regards,
-
Heritz -- in all fairness to this plugin, your users are not stored in /etc/passwd or /etc/shadow (see title of thread). Just as this plugin will not work with ldap user databases...
-
Yeah, but I just made a plugin for cPanel installations since cPanel installations store all the passwords in different directories.
-
Yeah, but I just made a plugin for cPanel installations since cPanel installations store all the passwords in different directories.
Are you willing to share to sahre this plugin? There alot of cpanel people outthere that are interested in this.
-
Yes, I will publish the plugin. I am trying to find the best way to make it "easy" to install.
-
Do you guys know how to generate a unix patch file? I mean, those with lots of ++++++++++ and stuff? Would be easier for me to generate a patch file like that.
The cPanel patch is very similar to the "pretty change password" patch published in this forum, there is just a difference in the core files.
-
Do you guys know how to generate a unix patch file? I mean, those with lots of ++++++++++ and stuff? Would be easier for me to generate a patch file like that.
The cPanel patch is very similar to the "pretty change password" patch published in this forum, there is just a difference in the core files.
Personally I think the way go to is provide the modified files plus instructions of where these need to be uploaded to. Or to provide a patched version where user only has to change thier config files. thanks..that my2cents
-
Ok, perfect. Working on it.
-
Ok, perfect. Working on it.
:'( waiting anxiously for this mode..after the remote email account creation mod this is the mod that has been missing in RC
-
Do you have SSH access to your cPanel server? can you please check if you have this file in your server?
/usr/local/cpanel/base/dowebmailpasswd.cgi
This file comes with all the cPanel installations. And its needed to install the plugin. I just want to be sure if you have it as I do.
-
Do you have SSH access to your cPanel server? can you please check if you have this file in your server?
/usr/local/cpanel/base/dowebmailpasswd.cgi
This file comes with all the cPanel installations. And its needed to install the plugin. I just want to be sure if you have it as I do.
I am hosted on site5 with a shared server and I could not find the file in sitemanager or by ftp. I have requested shell access but I have no idea how to use that thing. However I have a piece of code that might be help you write this plugin for even those that do not have shell access.It works by logining into cpanel and then changing password and closing file. It can be amde to redirect to inbox or wherever.
Changepass.php-- just a form.
<?php //changepass.php?>
<style type="text/css">
td
{
color: #014D5F;
}
</style>
<table cellpadding="2" cellspacing="2" border="0" align="center">
<tr><td> Change Password</td></tr>
</table>
<form name="emsignup" method="POST" action="cppass.php" autocomplete="off">
<table cellpadding="5" cellspacing="2" border="0" align="center">
</td>
</tr>
<tr>
<td bgcolor="#DDDDDD">User Name: </td><td bgcolor="#DDDDDD"><input type="text" name="NewEmail"> </td>
</tr>
<tr>
<td bgcolor="#DDDDDD">New Password: </td><td bgcolor="#DDDDDD"><input type="text" name="Password"></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value="Change" class="button"></td>
</tr>
</table>
</form>
The guts:
cppass.php
//cppass.php
// cPanel info
$cpuser = 'username'; // cPanel username
$cppass = 'password'; // cPanel password
$cpdomain = 'domain.com'; // cPanel domain or IP
$cpskin = 'skin'; // cPanel skin. Mostly x or x2, na4 etc
$edomain = 'domain.com'; // email domain (usually same as cPanel domain above)
$euser = $_POST['NewEmail'];
$epass = $_POST['Password'];
if ( $euser == "" OR $epass == "" ) {
$ermsg = "All fields of the form must be completed.";
}
###############################################################
# END OF SETTINGS
###############################################################
// change password of entered email account
$f = fopen ("http://$cpuser:$cppass@$cpdomain:2082/frontend/$cpskin/mail/poppasswordchanged.html?email=$euser&domain=$edomain&password=$epass", "r");
// note the 'poppasswordchanged.html' changes depending on your cp version
if (!$f) {
die('Cannot change password. Possible reasons: "fopen" function allowed on your server, PHP is running in SAFE mode');
}
// Check result
while (!feof ($f)) {
$line = fgets ($f, 1024);
if (ereg ("already exists!", $line, $out)) {
die('Such email account already exists.');
}
}
fclose($f);
echo "Password for $euser@$edomain has been changed to $epass.";
?>
I think finding a way to include this in RC will make it much easier tha SSH or telnet. On the pretty password change they have a file called password.inc in program/steps/settings/passwd.inc , where I think you can incorprate this code. Just get username and domain from RC and have user enter new password log them into cp and change their password and redirect to inbox or back to settings.
::) Now if only I coud do that
-
Yes bro, actually my patch does what you said, but mine doesn't use the poppasswordchanged.html. Mine use a CGI script that all the cPanel installations have.
I made it using CURL and it works basically like you said. I took the program/steps/settings/passwd.inc and I changed it to make it work using the CGI script.
You wont need SSH access or something to use this patch. Its completely friendly and there is no "avanced" knowledge requirements.
I am creating a package for this. I will make a new thread as soon as I have everything set up.
-
Yes bro, actually my patch does what you said, but mine doesn't use the poppasswordchanged.html. Mine use a CGI script that all the cPanel installations have.
I made it using CURL and it works basically like you said. I took the program/steps/settings/passwd.inc and I changed it to make it work using the CGI script.
You wont need SSH access or something to use this patch. Its completely friendly and there is no "avanced" knowledge requirements.
I am creating a package for this. I will make a new thread as soon as I have everything set up.
oh ok thanks will be anxiously waiting for this mod
-
Ok the patch for cPanel is on:
http://roundcubeforum.net/forum/index.php?topic=711.0
Enjoy!
-
Hi I'm using RC on Ubuntu 6.06 server with ISPConfig, I applied the patch an everything was done with success, but when I try to change a password allways receive the warning: You are not authorized to change password
I've checked syslog and it have this error: chetcpasswd.cgi: You are not authorized to change password, IPAddress 192.168.5.10
It seems that my IP is not allowed but I've the /etc/chetcpasswd.allow file with 0.0.0.0 that shouldn't hapend!
Any ideas?!
Thanks.
MF
-
I receive this erron in my cpanel instalation.
When i click on any tab (My Email, Adress Book, Personal Settings) after i installed this plugin.
The erro is:
Not Found
The server was not able to find the document (/roundcube/) you requested
Please check the url and try again. You might also want to report
this error to your webhost.
Im search files for this problem but i wont get it.
-
Hi there,
I'm using Debian Sarge, and installed the plugin. But no luck. I get the error: 'Not authorized to change password.'
Any ideas? I really want this to work.
TNX
Mando....
-
What version of "change password" are you running? Heritz version for cpanel or my version for local users? They are quite different - and change pw's in very different locations under different permissions.
-
What version of "change password" are you running? Heritz version for cpanel or my version for local users? They are quite different - and change pw's in very different locations under different permissions.
I'm using the version for local users. I'm not using cpanel.
Just a clean install of Debian en the plugin.
TNX,
Mando
-
In which case.... please check to be sure of following:
You put chetcpasswd.allow in /etc with allowed ip (eg 0.0.0.0 for all)
The install was run such that the cgi script has correct permissions.
-
In which case.... please check to be sure of following:
You put chetcpasswd.allow in /etc with allowed ip (eg 0.0.0.0 for all)
The install was run such that the cgi script has correct permissions.
I've done all that. The readme file is very clear. Permissins are good. Mayby it has something to do with Debian it self?
Mando...
-
Check /etc/passwd and /etc/shadow --- are the local users you are trying to change located there as line items? ie - these are not virtual mail users of some sort?
-
I receive this erron in my cpanel instalation.
When i click on any tab (My Email, Adress Book, Personal Settings) after i installed this plugin.
The erro is:
Not Found
The server was not able to find the document (/roundcube/) you requested
Please check the url and try again. You might also want to report
this error to your webhost.
Im search files for this problem but i wont get it.
No one knows what are make this error?
-
Check /etc/passwd and /etc/shadow --- are the local users you are trying to change located there as line items? ie - these are not virtual mail users of some sort?
/etc/passwd and /etc/shadow are okay. No virtual mail users. I use Exim and Courier-imap. I created the file: /etc/courier/userdb and chmod this to 600. I also created the files: /etc/courier/userdb.dat and /etc/courier/userdbshadow.dat.
Could this be the problem? I don't know. I followed the steps from the Linux Bible.
TNX
Mando
-
Hey, couple things, RC is kick ass! Next, this mod is going to be kick ass when I can get it working ;-)
I've done the install in the README, created the /etc/chetcpasswd.allow file with 0.0.0.0 (I've even tried my local IP of 10.10.10.97, no go). When I try to access the Password tab I get:
Authorization file not found. Please README
So I've double checked everything and it all goes through (pretty simple to setup, I thought so ;-) ). Any help here would be awesome.
Thanks.
-
Hi Joshenry,
I need to update the README. The new version creates a separate directory called /etc/chetcpasswd and two files are located there. The .allow file and the .conf file. That is where the .allow needs to be!
Sorry - please try that and let me know.
-
Sweet, works no problem now! Nice app, great job and THanks! :-D
-
Sweet, works no problem now! Nice app, great job and THanks! :-D
Glad it worked! I am updating the code for a non-critical security fix and will update the README as well. Thanks for that catch!
-
Where can I download the latest update for cpanel. Sounds like it could be very useful.
Thanks in advance.
-
Where can I download the latest update for cpanel. Sounds like it could be very useful.
Thanks in advance.
Hi jpweb,
For cpanel - you need to look at Heritz's thread with a plug-in that works for that environment.
-
Thanks ill try to find it.
-
Just a note here to try an pretty this up. Is there a way you can make the window without menus, fit to size of the text, have a close button when finished? Just to sexy it up a bit.
-
Hey Josh,
Opening a new window with no menus is "easy". Just edit the link (part of the patch) to include the call menubar = no and it will work. The "Cancel" button already has the function to close the window. I could rename the button "Close" I suppose.........
-
Hey Josh,
Opening a new window with no menus is "easy". Just edit the link (part of the patch) to include the call menubar = no and it will work. The "Cancel" button already has the function to close the window. I could rename the button "Close" I suppose.........
Alright. But for the Close button I was thinking once the password has been changed it brings you to a plain window that says the password has been changed then you go to the X to close the window. Can a close button be thrown onto that screen?
What file will that be in for that code or will I have to re-apply the patch?
Thanks again for a sweet mod.
-
I think the window that confirms success is only there for 5 seconds - then returns to the change password window. This is because if there is a fail - it returns for another try. Once back to the change pw screen, the Cancel button will close the window and return you to RC.
Like I said - I should rename that button "Close".
-
Heh, I never waited that long for the window to refresh itself. In my opinion (take it or leave it, doesn't matter) It would be good to have that information that the password has been changed on the same window or if it needs to go into a separate window then make that window say "Success, Password has been change" with a close button on that window.
The Cancel button on the first window is just fine the way it is, but I noticed that the cancel button doesn't close the window, just gets rid of the app. I just misunderstood how everything worked together.
-
Will this patch work with the SVN?
I'm trying to follow the install instructions but nothing seems to be working. I'm not too sure if I'm doing it right. My site is hosted on a shared server with bluehost. If I log into SSH/Shell access my file directory system is as follows:
/home/myBHusername/www/cgi-bin
When I follow the instructions am I right in assuming I just need to put all the above in, i.e. like this:
./configure --enable-cgidir=/home/myBHusername/www/cgi-bin
or just use usr/www/cgi-bin?
when I try any of the above I get all the "checking.... yes" output, but then can't seem to find the file in the cgi-bin directory and when I then try "make" I get all sorts of errors including:
(http://img120.imageshack.us/img120/6910/untitledlk2.th.jpg) (http://img120.imageshack.us/my.php?image=untitledlk2.jpg)
Any help anyone?
-
Do you have root access to the server? The "permission denied" part of the screenshot indicates that you do not have permission to access the right header files.
If this is a shared server - then do you actually have "root" access? A change password program needs root access to change system users' passwords.
-
How would I tell? (be nice, I'm still learning!) I can cd .. all the way back to /root, how do I tell if I have read/write access?
-
I guess this output means no root access?
touch /root/test.html
touch: cannot touch '/root/test.html': Permission denied
Does this mean this plug-in is no good for me?
-
I guess this output means no root access?
touch /root/test.html
touch: cannot touch '/root/test.html': Permission denied
Does this mean this plug-in is no good for me?
The short answer is "yes", you probably cannot use this plug-in. What IMAP server is running? That might make a difference (some imap servers store user info in other files rather than system user).
-
The IMAP server is Courier.
In the /home/myBHusername/ directory there is an etc/ folder that contains the shadow and shadow,v files. Aren't these the ones that contain the imap passwords?
In the same /home/myBHusername/ directory there is a mail folder with all the courier files.
I guess I have write access to /home/, just not /root/
-
Just another thought. Could this be integrated into the tab rather then a popup? I've just been playing with it and I think it would look uber sexy just integrated directly into the tab rather then what I mentioned before.
-
Just another thought. Could this be integrated into the tab rather then a popup? I've just been playing with it and I think it would look uber sexy just integrated directly into the tab rather then what I mentioned before.
I completely agree. However, and this is a big deal, integrating into the tab requires changes to several of the RC files which generate that tab - and therefore could change with each SVN release. My view was to try to avoid having to do anything more than add the "link" which is an extremely simple patch. There is another plug-in which does exactly that - and the required patching/modifications to RC files restricts it to specific versions (or endless version specific updates - which I'm not willing to do).
If you search on this subject - you'll see how much has to be done to RC to make it "sexy" within the tab. It is definitely not trivial.
Having said that - if you are offering to write the patches, I'll gladly add it to the site!! 8)
-
haha. if you want the product to work you don't want me writing patches ;-)
That sucks it's going to be a pain. Maybe they'll include it in one of the future patches cause this is a sweet addon.
-
In the table users there is no password field. I installed the freemail addon i found on this forum and nou i have a useraccounts table that has both password and username fields. The problem is that i get this error:
[Thu Mar 29 12:45:49 2007] [error] PHP Notice: DB Error: no such field Query: UPDATE useraccounts SET password = ('XXXXl') WHERE username='xxx@xxx.xx' OR (username='xxx@xxx.xx' AND domain_name = '') [nativecode=1054 ** Unknown column 'domain_name' in 'where clause'] in /home/xxxxxx/public_html/imail/program/include/bugs.inc on line 80
And if i put the users table:
[Thu Mar 29 12:58:44 2007] [error] PHP Notice: DB Error: no such field Query: UPDATE users SET password = ('xxxx') WHERE username='xxxx@xxxxx.xx' OR (username='xxxx@xxxxx.xxx' AND domain_name = '') [nativecode=1054 ** Unknown column 'domain_name' in 'where clause'] in /home/xxxxx/public_html/imail/program/include/bugs.inc on line 80
I use the roundcube I got on the author's site, Installed and works. When I change the password I get the succesful message but the password as you can see, doesn't change. Any help will be grately appriciated! ???
-
Thank you very mucho for this great plugin :) ;)
-
Thank you very mucho for this great plugin :) ;)
You're welcome! I have not updated in a long while - although I use it myself for my clients. I'll check if there is a good update to this and post if there is a change of code.
-
Yes, you can update the skin and make it more like the default skin of roundcube so that is integrates better, the last release is working excellent for a big client I have,again, thanks a lot ;D. I'll be waiting for an update... :P
-
Any interest from the community?
I'm pretty sure I can use the VERY pretty integration already done for IMAP passwd change and use the chpasswd utility for changing system passwords for users (using /etc/passwd or /etc/shadow). Useful if users are local systems users (ie. home directories, samba, uw-imap etc.)
If there is interest - I'll get to this. Seems very straightforward (and secure!) given the work and bug fixes already incorporated into this and squirrel's mod.
Hi, kali
Pls, recommend me about roundcube+localuser/passwd