Submitted by Hal9000 on Sat, 02/08/2014 - 10:32
I am using Roundcube webmail and, in order to allow users to change their password from within the webmail, I use the included password plugin, which has a virtualmin driver. However, all this does is pass the commands on to the main virtualmin binary running as root.
This could have security implications since if someone manages to alter the PHP code he can execute virtually any virtualmin command.
So wouldn't it be nice if there was a binary just for changing user passwords, which also doesn't need to be run as root?
Something like this:
/usr/sbin/virtualmin-passwd --user myusername --password currentpassword --newpassword mynewpassword
Status:
Closed (works as designed)
Comments
Submitted by JamieCameron on Sat, 02/08/2014 - 12:05 Comment #1
That isn't possible, sorry ... Virtualmin scripts need to be run as root in order to have permissions to update files like /etc/shadow. Instead the plugin should use the Virtualmin HTTP API to do the password change, which does not require running PHP as root.
Submitted by Hal9000 on Sat, 02/08/2014 - 12:35 Comment #2
Ok, thanks! I will modify the plugin and submit it to the Roundcube devs.
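
The approach from comment #1, as an added example that is not part of the thread or of the Roundcube plugin: the web process sends one fixed command to the Virtualmin HTTP API over TLS instead of invoking a root binary. Assumptions: the `remote.cgi` endpoint on port 10000, the `modify-user` parameters and the `json=1` reply shape follow Virtualmin's remote API documentation; the host, the API account and `SAFE_NAME` are hypothetical.

```python
import base64
import json
import re
import urllib.parse
import urllib.request

# Assumed endpoint (host and port are illustrative, not from the thread).
API_URL = "https://localhost:10000/virtual-server/remote.cgi"
# Hypothetical allow-list for domain and mailbox names.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def build_request(domain, user, new_password, api_user, api_pass):
    """Build the POST request for modify-user; nothing reaches a shell."""
    if not SAFE_NAME.match(domain) or not SAFE_NAME.match(user):
        raise ValueError("unexpected characters in domain or user")
    if not new_password or "\n" in new_password or "\r" in new_password:
        raise ValueError("invalid password")
    # The program name is a constant, so callers cannot pick another command.
    body = urllib.parse.urlencode({
        "program": "modify-user", "domain": domain, "user": user,
        "pass": new_password, "json": "1",
    }).encode()
    token = base64.b64encode(f"{api_user}:{api_pass}".encode()).decode()
    req = urllib.request.Request(API_URL, data=body, method="POST")
    req.add_header("Authorization", "Basic " + token)
    return req


def parse_result(raw):
    """Return (ok, error); any reply that is not a clear success is a failure."""
    try:
        reply = json.loads(raw)
    except ValueError:
        return False, "unparseable reply"
    if not isinstance(reply, dict):
        return False, "unknown"
    if reply.get("status") == "success":
        return True, None
    return False, str(reply.get("error", "unknown"))


def change_password(domain, user, new_password, api_user, api_pass):
    req = build_request(domain, user, new_password, api_user, api_pass)
    # urllib verifies the server certificate by default for https URLs.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_result(resp.read().decode("utf-8", "replace"))
```

The API credentials sit in the plugin's configuration, so that file should be readable only by the web server user.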