Roundcube Community Forum

 

Password Plugin for Virtualmin (Fixed/Solved)

Started by leewells, April 22, 2015, 03:53:34 AM

leewells

I'm not sure where this "should" go.  But at any rate, I'm a Webmin fan and some of my users' biggest complaints about Roundcube was that it did not allow virtualmin/webmin users to change their passwords from within the client.

I did some research and found that it wasn't quite the case; I found that inside the password plugin there is some... strange support for it that requires compiling a binary and then running said binary as root (oh, heck no).  I wanted a simpler solution that was secure (without publishing a rooted binary or having to use a privileged login) and came up with a method that doesn't reinvent the wheel; it is just forced to do more.

So I came up with this replacement file for the /plugins/password/drivers/virtualmin.php file:


<?php

/**
 * Virtualmin Password Driver Fixed
 *
 *
 * Adapted and fixed by LeeWells
 *
 * This script can run the server from ANY host, just replace localhost with the remote host
 * that virtualmin runs on.
 *
 * @version 1.0
 * @author LeeWells
 *
 * Copyright (C) 2005-2013, LeeWells
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see http://www.gnu.org/licenses/.
 */

class rcube_virtualmin_password
{
    function save($currpass, $newpass)
    {
        $rcmail   = rcmail::get_instance();
        $format   = $rcmail->config->get('password_virtualmin_format', 0);
        $username = $_SESSION['username'];
        $curdir   = RCUBE_PLUGINS_DIR . 'password/helpers';

        // Cookie jar that carries the Usermin session from the login to the change request
        $cook       = md5($username);
        $cookiefile = 'usermin.' . $cook . '.txt';
        $agent      = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0';

        // Step 1: log in to Usermin with the Roundcube user's own credentials.
        // The values travel in a URL, so they are URL-encoded rather than shell-escaped.
        $login       = http_build_query(array('user' => $username, 'pass' => $currpass));
        $curl_handle = curl_init("https://localhost:20000/session_login.cgi?$login");

        curl_setopt($curl_handle, CURLOPT_COOKIEJAR, $cookiefile);
        curl_setopt($curl_handle, CURLOPT_COOKIEFILE, $cookiefile);
        curl_setopt($curl_handle, CURLOPT_USERAGENT, $agent);
        curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl_handle, CURLOPT_HEADER, 1);
        curl_setopt($curl_handle, CURLOPT_STDERR, fopen('php://stdout', 'w'));
        curl_setopt($curl_handle, CURLOPT_FOLLOWLOCATION, 1);
        $output = curl_exec($curl_handle);
        curl_close($curl_handle);

        // Step 2: submit the change through Usermin's own change-password form.
        // http_build_query() keeps characters such as & and = inside the password intact.
        $post_array2 = array('old' => $currpass, 'new1' => $newpass, 'new2' => $newpass);
        $curl_handle = curl_init("https://localhost:20000/changepass/changepass.cgi");
        curl_setopt($curl_handle, CURLOPT_POST, 1);
        curl_setopt($curl_handle, CURLOPT_POSTFIELDS, http_build_query($post_array2));
        curl_setopt($curl_handle, CURLOPT_COOKIEJAR, $cookiefile);
        curl_setopt($curl_handle, CURLOPT_COOKIEFILE, $cookiefile);
        curl_setopt($curl_handle, CURLOPT_USERAGENT, $agent);
        curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl_handle, CURLOPT_REFERER, 'https://localhost:20000/changepass/');
        curl_setopt($curl_handle, CURLOPT_HEADER, 1);

        $content = curl_exec($curl_handle);
        curl_close($curl_handle);

        // Success is detected from the text that follows the first </tt> in the reply;
        // anything else is logged and reported as an error.
        $newcontent = explode('</tt>', (string) $content);
        $success    = explode('.', isset($newcontent[1]) ? $newcontent[1] : '');
        if ($success[0] == ' has been changed successfully') {
            return PASSWORD_SUCCESS;
        } else {
            rcube::raise_error(array(
                'code' => 600,
                'type' => 'php',
                'file' => __FILE__, 'line' => __LINE__,
                'message' => $success[0]
                ), true, false);
            return PASSWORD_ERROR;
        }
    }
}


No domain variables, or configuration is needed. Notice in the code what happens here.  Firstly, we're using the logged in user's credentials to login to usermin using curl, and then request the new password there, grabbing any errors and returning that instead of using a rooted binary.

Hopefully that helps anyone out there looking to have password changing abilities for Roundcube without publishing a rooted binary to your web folder :)
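
The driver above sends the username and both passwords as URL and form fields. The following is an added example (not part of the original post or of the Roundcube plugin) comparing what a form parser decodes when the new password is shell-escaped with escapeshellcmd() and concatenated into the body, versus encoded with http_build_query(). The sample passwords are constructed, and parse_str() is assumed as a stand-in for the server's form parser.

```php
<?php
// Added example, not the original driver. All passwords below are constructed samples.

// Stand-in for the server's form parser (assumption): split on '&', percent-decode values.
function decode_form($body)
{
    parse_str($body, $fields);
    return $fields;
}

// Body built by string concatenation after escapeshellcmd(), i.e. shell escaping
// applied to data that is sent over HTTP rather than passed to a shell.
function body_shell_escaped($old, $new)
{
    $new = escapeshellcmd($new);
    return 'old=' . $old . '&new1=' . $new . '&new2=' . $new;
}

// Body built with http_build_query(), which percent-encodes every key and value.
function body_url_encoded($old, $new)
{
    return http_build_query(array('old' => $old, 'new1' => $new, 'new2' => $new));
}

// True when the server would store exactly the password the user typed.
function survives($body, $typed)
{
    $f = decode_form($body);
    return isset($f['new1'], $f['new2']) && $f['new1'] === $typed && $f['new2'] === $typed;
}

$samples = array('Tr0ub4dor3', 'p&ss=w0rd', 'a+b c#1', '100%safe;ok');
foreach ($samples as $typed) {
    $shell = decode_form(body_shell_escaped('oldpw', $typed));
    printf(
        "%-12s shell-escaped stores %-16s [%s]  url-encoded [%s]\n",
        $typed,
        var_export($shell['new1'], true),
        survives(body_shell_escaped('oldpw', $typed), $typed) ? 'intact' : 'ALTERED',
        survives(body_url_encoded('oldpw', $typed), $typed) ? 'intact' : 'ALTERED'
    );
}
```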

luizlopes85

This works! Is super easy. No need to access the CLI or chown, chmod nothing.

Just copy the content on the virtualmin.php file and replace the 'localhost' with the 'yourdomain.com'. That's it.

Thank you so much.

luizlopes85

This works, but you need to install an SSL cert. If you don't have it, the curl is not going to be able to access the url:2000.

jacdevph

I tried this on my Virtualmin, and I've already replaced the domain, but it's not working.