From: Paul L. <pa...@sq...> - 2006-11-15 12:36:53
On 11/15/06, Mathias Block <ma...@ww...> wrote:
> On Wed, Nov 15, 2006 at 02:27:34AM -0800, Paul Lesniewski wrote:
> > > > > I mean, root shouldn't be able to login into Squirrelmail.
> > > > Plugins: Lockout
> > > Lockout plugs in after logging into the imap system, so a root login
> > > is actually performed before root is "locked out" by the plugin by
> > > sending the session to the lockout page.
> > 2) if you are so security conscious about root access, why are you
> > trying to solve this problem in the mail client?
> We do. Our imap client does not allow root access. It reacts with an
> error, however, which is subsequently displayed by squirrelmail.
> Sadly, this error is different from the "wrong password" message.
> This might be the fault of the imap server, or a misconfiguration, and
> I will look into this when time allows, but this seems to be the case
> in several systems I've seen. This explains my assertion below.
>
> > > Therefore, you can check the root password against the
> > > imap-server, squirrelmail will tell you if the password was wrong
> > > and only lock you out if it was correct.
> > No, this is not correct. There is no way to check the root password;
> > please note that the plugin will give the same error as if the pwd was
> > wrong, and even simulates the login delay as such.
> You are (mostly) right if the imap client reacts with a simple
> "password wrong" message or allows root in.
> However, the plugin does not redirect to the "wrong password" page but
> to a "must be logged in" page.

I see, this is an excellent observation. You can solve it by duplicating the HTML source of the "wrong password" page and using the plugin's $reverseLockout config setting to point to your copy of that page (although the resultant uri might give it away). In the next release I will provide a way to use the bad password text instead of the "must be logged in" text.
(You can also change this in the code yourself in line 178 of functions.php)

> - sqimap_login redirects with the message _("Unknown user or password
> incorrect.")
> - lockout redirects with the message _("You must be logged in to
> access this page.")
> Every user logging in with the correct password gets the last message
> whereas by trying with the wrong password you get the first error.
>
> As I explained above, our configuration resulted in imap returning an
> error when root successfully logged in, so theoretically you could
> check if you had the correct password. This seems to be the case in
> some standard out-of-the-box installations. I should not have assumed
> this is standard behaviour. Thanks for correcting me here.
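The point the thread turns on is that the two refusals end on different pages, so the response itself tells the caller which path was taken. As an added illustration, not SquirrelMail's or the Lockout plugin's own code, here is a hypothetical login handler in which the lockout decision is taken before the IMAP server is contacted and both refusals go through a single response routine; the redirect targets, the delay and the `$imap_auth` callable are assumptions.

```php
<?php
// Added illustration, not SquirrelMail's or the Lockout plugin's code.
// A locked-out account and a wrong password must yield the same observable
// result (message, redirect target, delay), and the lockout decision is
// taken before the IMAP server is ever asked to authenticate.

const LOGIN_FAIL_MESSAGE = 'Unknown user or password incorrect.';
const LOGIN_FAIL_TARGET  = 'src/login.php';  // assumed: where sqimap_login sends failures
const LOGIN_FAIL_DELAY   = 1;                 // seconds; assumed to match sqimap_login's sleep

// One failure path for every reason, so callers cannot diverge by accident.
function uniform_login_failure(): array {
    sleep(LOGIN_FAIL_DELAY);
    return ['ok' => false, 'message' => LOGIN_FAIL_MESSAGE, 'redirect' => LOGIN_FAIL_TARGET];
}

function is_locked_out(string $username, array $locked_users): bool {
    $needle = strtolower(trim($username));
    foreach ($locked_users as $u) {
        if (strtolower($u) === $needle) {
            return true;
        }
    }
    return false;
}

// $imap_auth is a hypothetical callable returning true on a successful IMAP
// LOGIN; it stands in for sqimap_login() here.
function handle_login(string $username, string $password, array $locked_users, callable $imap_auth): array {
    if (is_locked_out($username, $locked_users)) {
        // Refuse without contacting IMAP: the password is never tested, so
        // nothing about its correctness can leak via message, URI or timing.
        return uniform_login_failure();
    }
    if (!$imap_auth($username, $password)) {
        return uniform_login_failure();
    }
    return ['ok' => true, 'message' => '', 'redirect' => 'src/webmail.php'];  // assumed landing page
}

// Constructed check: the two failure cases are byte-for-byte identical and
// the locked-out attempt never reaches the IMAP authenticator.
$locked       = ['root'];
$never_called = function (string $u, string $p): bool {
    throw new LogicException('IMAP must not be contacted for locked-out users');
};
$wrong_pw     = function (string $u, string $p): bool { return false; };

$a = handle_login('root', 'whatever', $locked, $never_called);
$b = handle_login('alice', 'wrong', $locked, $wrong_pw);
assert($a === $b);
```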