On 11/15/06, Mathias Block <mathias@...> wrote:
> On Wed, Nov 15, 2006 at 02:27:34AM -0800, Paul Lesniewski wrote:
> > > > > I mean, root shouldn't be able to log in to Squirrelmail.
> > > > Plugins: Lockout
> > > Lockout plugs in after logging into the imap system, so a root login
> > > is actually performed before root is "locked out" by the plugin by
> > > sending the session to the lockout page.
> > 2) if you are so security conscious about root access, why are you
> > trying to solve this problem in the mail client?
> We do. Our imap client does not allow root access. It reacts with an
> error, however, which is subsequently displayed by squirrelmail.
> Sadly, this error is different from the "wrong password" message.
> This might be the fault of the imap server, or a misconfiguration, and
> I will look into this when time allows, but this seems to be the case
> in several systems I've seen. This explains my assertion below.
> > > Therefore, you can check the root password against the
> > > imap-server, squirrelmail will tell you if the password was wrong
> > > and only lock you out if it was correct.
> > No, this is not correct. There is no way to check the root password;
> > please note that the plugin will give the same error as if the pwd was
> > wrong, and even simulates the login delay as such.
> You are (mostly) right if the imap client reacts with a simple
> "password wrong" message or allows root in.
> However, the plugin does not redirect to the "wrong password" page but
> to a "must be logged in" page.
I see, this is an excellent observation. You can solve it by
duplicating the HTML source of the "wrong password" page and using the
plugin's $reverseLockout config setting to point to your copy of that
page (although the resultant uri might give it away). In the next
release I will provide a way to use the bad password text instead of
the "must be logged in" text. (You can also change this in the code
yourself in line 178 of functions.php)
> - sqimap_login redirects with the message _("Unknown user or password
> - lockout redirects with the message _("You must be logged in to
> access this page.")
> Every user logging in with the correct password gets the last message
> whereas by trying with the wrong password you get the first error.
> As I explained above, our configuration resulted in imap returning an
> error when root successfully logged in, so theoretically you could
> check if you had the correct password. This seems to be the case in
> some standard out-of-the-box installations. I should not have assumed
> this is standard behaviour. Thanks for correcting me here.
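The oracle discussed in this thread, as an added illustration that is not part of the original mail and not SquirrelMail or Lockout plugin code: a constructed Python model of the login flow, with a stand-in for sqimap_login backed by a fake in-memory account table. The "vulnerable" handler performs the IMAP login first and only then redirects a locked-out user to a different page with a different message, as the thread describes; the "hardened" handler is an assumed fix in which the lockout decision is taken before IMAP is contacted and the locked-out case returns exactly the bad-password page and text. The page URIs, account table and helper names are assumptions for the demonstration.

```python
"""Constructed model of the SquirrelMail login + Lockout plugin oracle.

Not SquirrelMail or Lockout code: the account table, URIs and handler
names below are assumptions made for this added example.
"""

import hmac
from dataclasses import dataclass

# Constructed stand-in for the IMAP server's credential store (assumption).
FAKE_IMAP_ACCOUNTS = {"root": "toor", "alice": "wonderland"}
# Users the Lockout plugin is configured to refuse (assumption).
LOCKED_OUT_USERS = {"root"}

BAD_PASSWORD = "Unknown user or password incorrect."
MUST_LOGIN = "You must be logged in to access this page."


@dataclass(frozen=True)
class Response:
    """What the browser sees after the login POST: redirect target + text."""
    uri: str
    message: str


def imap_login(user: str, password: str) -> bool:
    """Stand-in for sqimap_login(): True iff the IMAP server accepts the creds."""
    expected = FAKE_IMAP_ACCOUNTS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def login_vulnerable(user: str, password: str) -> Response:
    """Flow as described in the thread: IMAP login first, lockout afterwards."""
    # A real IMAP authentication for root happens before lockout is checked.
    if not imap_login(user, password):
        return Response("/src/login.php", BAD_PASSWORD)
    # Only now does the plugin notice the user is locked out, and it sends the
    # session to its own page with its own message. Both the URI and the text
    # differ from the bad-password case, which is what leaks the result.
    if user in LOCKED_OUT_USERS:
        return Response("/plugins/lockout/lockout.php", MUST_LOGIN)
    return Response("/src/webmail.php", "")


def login_hardened(user: str, password: str) -> Response:
    """Assumed fix: decide lockout before touching IMAP, answer identically."""
    # A locked-out user never reaches the IMAP server, so no root login is
    # performed at all, and the response is byte-for-byte the bad-password one
    # (same URI, same text). A fixed delay should also be applied here so the
    # timing of the two paths does not differ; omitted for brevity.
    if user in LOCKED_OUT_USERS or not imap_login(user, password):
        return Response("/src/login.php", BAD_PASSWORD)
    return Response("/src/webmail.php", "")


def password_oracle(handler, user: str, candidates: list[str]) -> list[str]:
    """Attacker's view of a login handler.

    Records the response to a password that is certainly wrong, then returns
    every candidate whose response differs from that baseline. For a locked-out
    account, any difference confirms the candidate is the real password.
    """
    baseline = handler(user, "\x00certainly-not-the-password")
    return [pw for pw in candidates if handler(user, pw) != baseline]


if __name__ == "__main__":
    guesses = ["admin", "toor", "password"]
    print("vulnerable:", password_oracle(login_vulnerable, "root", guesses))
    print("hardened:  ", password_oracle(login_hardened, "root", guesses))
```

The oracle function compares whole responses, so it catches the redirect URI difference Paul mentions as well as the message text; changing only the wording of the lockout page, while leaving it at a distinct URI, would still be detected.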