Roundcube Password plugin: Unable to execute

Hello, I am getting the error below while changing the password from Roundcube. Please see the log below:

[15-Apr-2021 17:46:12 +0530]: PHP Error: Password plugin: Unable to execute /home/abc/public_html/roundcube/plugins/password/helpers/chgvirtualminpasswd or domain for mail-user ‘alok.s@abc.in’ not known to Virtualmin in /home/abc/public_html/roundcube/plugins/password/drivers/virtualmin.php on line 50 (POST /?_task=settings&_action=plugin.password-save)

But the user is found in my Virtualmin. I don’t know what the issue is; it occurs with all the users.

Check attachment also.

Status: Needs review
Virtualmin version: 6.16
Webmin version: 1.973

Comments

Submitted by Ilia on Fri, 04/16/2021 - 15:18

Hello,

First, you would need to compile the chgvirtualminpasswd.c source into an executable and change permissions as described inside the file. Considering that you run PHP under a specific user and not the Apache user, as in the case of mod_php, the correct permissions would be root.username rather than root.apache.

However, we strongly discourage using such an implementation, as this is equivalent to creating a root-capable exploit, as the virtualmin command is meant to be run by the root user only.

I suggest finding a better way of changing user passwords.

The other workaround would be to hardcode the command virtualmin modify-user --domain $domain --user $username --pass $newpass, found in the password driver virtualmin.php, into chgvirtualminpasswd.c and pass the params to the binary later in the PHP script -- then it would be safer. Even with the implementation mentioned above, though, it would still be possible to change other users' passwords. Not acceptable either. The right way would be to check in the C script for the current Unix user and make sure that it equals the passed --user param.

Otherwise a domain owner (unprivileged user) with such an exploit will be able to execute a command to delete all domains on your server, and/or do things a domain owner is not meant to do. This is not something you would want!

I filed a request on the Roundcube issue tracker, roundcube/roundcubemail/issues/8007, asking them to fix this.
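The check described in the comment above, as an added example (not part of the thread and not Roundcube's own helper): a wrapper that hardcodes the modify-user command, rejects unsafe values, and proceeds only when the invoking Unix account equals the --user value. The /usr/sbin/virtualmin path, the names safe_token and build_argv, and the three-argument calling convention (domain, user, new password) are assumptions.

```c
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define VIRTUALMIN "/usr/sbin/virtualmin" /* assumed install path */

/* Hypothetical helper: names are [A-Za-z0-9._@-] only, no leading '-'
 * so a value can never be parsed as another option. */
static int safe_token(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 255 || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && !strchr("._@-", s[i]))
            return 0;
    return 1;
}

/* Build the single fixed command; 0 on success, -1 if a check fails. */
static int build_argv(const char *caller, const char *domain,
                      const char *user, const char *pass, char *out[9])
{
    if (!safe_token(domain) || !safe_token(user))
        return -1;
    if (strcmp(caller, user) != 0)      /* only the caller's own account */
        return -1;
    if (pass[0] == '\0' || strlen(pass) > 255)
        return -1;
    char *fixed[9] = { "virtualmin", "modify-user", "--domain", (char *)domain,
                       "--user", (char *)user, "--pass", (char *)pass, NULL };
    memcpy(out, fixed, sizeof fixed);
    return 0;
}

int main(int argc, char **argv)
{
    char *cmd[9];
    char *envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    struct passwd *pw = getpwuid(getuid()); /* real uid: who invoked us */
    if (argc != 4 || pw == NULL ||
        build_argv(pw->pw_name, argv[1], argv[2], argv[3], cmd) != 0 ||
        setuid(0) != 0) {               /* escalate only after all checks */
        fprintf(stderr, "refused\n");
        return 1;
    }
    execve(VIRTUALMIN, cmd, envp);       /* no shell, fixed environment */
    perror("execve");
    return 1;
}
```

The new password still travels on the command line, as it does in the command from virtualmin.php, so it is visible in the process list while virtualmin runs.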

-r-sr-x--- 1 root apache 6256 Apr 19 11:34 chgvirtualminpasswd

-r-sr-x--- 1 root apache 6256 Mar 24 17:37 chgsaslpasswd

-r-sr-x--- 1 root apache 6256 Mar 24 17:37 chgdbmailusers

I have put this line "exec("$curdir/chgvirtualminpasswd modify-user --domain $domain --user $username --pass $newpass", $output, $returnvalue);"

in virtualmin.php but I am still getting:

[19-Apr-2021 11:40:49 +0530]: <2jd2p7nv> PHP Error: Password plugin: Unable to execute /home/abc/public_html/roundcube/plugins/password/helpers/chgvirtualminpasswd or domain for mail-user 'alok@abc' not known to Virtualmin in /home/abc/public_html/roundcube/plugins/password/drivers/virtualmin.php on line 49 (POST /?_task=settings&_action=plugin.password-save)