From: <sm...@gu...> - 2010-09-10 12:09:23

> sm-19 wrote:
>>
>> I'm making a strong assumption this issue with compiling 'chpasswd' from a tar -xvzf change_passwd-4.3beta7-1.2.8.tar.gz file may be specific to FreeBSD; again I'm no way a programmer; here we go ...
>>
> Use change_pass plugin. It is safer.

I did look for your suggestion, but there doesn't seem to be a plugin by the exact name you provided. We've traveled too far to just drop this and start over. I have learned and discovered a few things about this existing plugin that may help me in the future with SquirrelMail.

From: <sm...@gu...> - 2010-09-11 11:38:04

> sm-19 wrote:
>> As it is now, using just the one (1) plugin with its config.php directive that uses the systems' 'pw' owned by 'root' and using the web-server 'group', I hope we're pretty safe until SM-1.5 is ported to FreeBSD which, as you pointed out, has the 'change_password' plugin merged.
>> Is my thinking not sane to this point?
> SquirrelMail 1.5 includes change_password plugin, but this plugin is not based on change_passwd plugin. change_password plugin is completely different and it does not support features provided by change_passwd plugin.

Perhaps I wasn't clear. I was not saying that "change_password" within SM-1.5 is compatible with "chpasswd". I did say that we will continue to use chpasswd in the existing install of SM until which time SM-1.5 is ported to FreeBSD. We don't need the dependency that's required by "chasspassword", hence if it's not in the base FBSD system/SM we aren't interested at this point in time.

Please don't misunderstand and take this as "we aren't open to your suggestion(s) or recommendation(s)"; we currently have 'chpasswd' working in a secure enough manner and will continue with it until the above takes place (SM-1.5 is ported to FreeBSD).

P.S. If chpasswd was so unsafe, admittedly it comes with a warning, would the authors and/or dev team continue and allow it to be downloaded and installed?

> Your thinking is not sane. People are saying that your password changing method is very unsafe and you continue to ignore it.

I've always been certifiable so... As far as "people are saying" there have been only two (2) people during this discussion who have, in your words "saying that your password changing method is very unsafe" (Tomas and Reko Turja), but I haven't seen any current/recent evidence where the 'chpasswd' plugin and any mechanism it uses, for the lack of a better term on my part, has been compromised, circumvented or otherwise been trashed.

If anyone can point me/us to such a document, we would be more than happy to stop and read it thoroughly. What do you think folks?

> --
> Tomas

From: Paul L. <pa...@sq...> - 2010-09-11 18:48:16

On Sat, Sep 11, 2010 at 4:37 AM, <sm...@gu...> wrote:
>> sm-19 wrote:
>>> As it is now, using just the one (1) plugin with its config.php directive that uses the systems' 'pw' owned by 'root' and using the web-server 'group', I hope we're pretty safe until SM-1.5 is ported to FreeBSD which, as you pointed out, has the 'change_password' plugin merged.
>>> Is my thinking not sane to this point?
>> SquirrelMail 1.5 includes change_password plugin, but this plugin is not based on change_passwd plugin. change_password plugin is completely different and it does not support features provided by change_passwd plugin.
>
> Perhaps I wasn't clear. I was not saying that "change_password" within SM-1.5 is compatible with "chpasswd". I did say that we will continue to use chpasswd in the existing install of SM until which time SM-1.5 is ported to FreeBSD. We don't need the dependency that's required by "chasspassword", hence if it's not in the base FBSD system/SM we aren't interested at this point in time.
>
> Please don't misunderstand and take this as "we aren't open to your suggestion(s) or recommendation(s)"; we currently have 'chpasswd' working in a secure enough manner and will continue with it until the above takes place (SM-1.5 is ported to FreeBSD).
>
> P.S. If chpasswd was so unsafe, admittedly it comes with a warning, would the authors and/or dev team continue and allow it to be downloaded and installed?
>
>> Your thinking is not sane. People are saying that your password changing method is very unsafe and you continue to ignore it.
>
> I've always been certifiable so... As far as "people are saying" there have been only two (2) people during this discussion who have, in your words "saying that your password changing method is very unsafe" (Tomas and Reko Turja)

Wrong. Three. You forgot me.

> , but I haven't seen any current/recent evidence where the 'chpasswd' plugin and any mechanism it uses, for the lack of a better term on my part, has been compromised, circumvented or otherwise been trashed.

It doesn't have to be compromised to be unsafe. You obviously didn't read the plugin documentation before you started.

> If anyone can point me/us to such a document, we would be more than happy to stop and read it thoroughly. What do you think folks?

You didn't read the documentation thoroughly to begin with.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

From: <sm...@gu...> - 2010-09-11 22:26:01

>> If anyone can point me/us to such a document, we would be more than happy to stop and read it thoroughly. What do you think folks?
>
> You didn't read the documentation thoroughly to begin with.

Didn't think it was necessary once I got to the part about --using the default configuration--. I just expected it to work. I'm not the only one who is/was having the same issue with this very same plugin. How is anyone to know this was written for and/or only tested on a linux box?

Currently this will do (for us).

From: Felix C. <fe...@ac...> - 2010-09-12 07:30:32

Apparently it is the administrator's discretion to jeopardise his users. The chpasswd-based plugin has not been secure to begin with; Paul, would you consider moving it to the "Obsolete" category? Perhaps that would discourage some not-so-bright admins...

Thank you for the excellent work.

Felix

----- Original Message -----
From: <sm...@gu...>
To: "Squirrelmail Plugins Mailing List" <squ...@li...>
Sent: Sunday, September 12, 2010 01:25
Subject: Re: [SM-PLUGINS] Re search -- change_passwd-4.3beta7-1.2.8.tar.gz-- FreeBSD-7.1-RELEASE

>> If anyone can point me/us to such a document, we would be more than happy to stop and read it thoroughly. What do you think folks?
>
> You didn't read the documentation thoroughly to begin with.

Didn't think it was necessary once I got to the part about --using the default configuration--. I just expected it to work. I'm not the only one who is/was having the same issue with this very same plugin. How is anyone to know this was written for and/or only tested on a linux box?

Currently this will do (for us).

From: Paul L. <pa...@sq...> - 2010-09-12 08:15:34

Please do not top-post. Please review the posting guidelines if in doubt.

>>>> If anyone can point me/us to such a document, we would be more than happy to stop and read it thoroughly. What do you think folks?
>>>
>>> You didn't read the documentation thoroughly to begin with.
>>
>> Didn't think it was necessary once I got to the part about --using the default configuration--. I just expected it to work. I'm not the only one who is/was having the same issue with this very same plugin. How is anyone to know this was written for and/or only tested on a linux box?
>>
>> Currently this will do (for us).
>
> Apparently it is the administrator's discretion to jeopardise his users.
> The chpasswd-based plugin has not been secure to begin with;

Security is always relative. The plugin can safely be used in some environments.

> Paul, would you consider moving it to the "Obsolete" category? Perhaps that would discourage some not-so-bright admins...

No, sorry. It still has its use.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

From: <sm...@gu...> - 2010-09-12 16:41:18

>> Paul, would you consider moving it to the "Obsolete" category? Perhaps that would discourage some not-so-bright admins...
>
> No, sorry. It still has its use.

I've already confessed to not being a programmer, however my common sense says, that if a code is insecure, warning or not --admin's discretion or not, don't provide or otherwise offer it for use.

Paul has stated he would not move it to the obsolete category; his choice. However, the item that's in the subject line was not available from the plugin page; I requested it because the version offered from within the plugin list was not compatible with the installed compat~ plugin. At the time of the request, not knowing that the version Paul supplied was going to be 'beta'. In addition, as previously stated, Paul never posted this (chpasswd plugin) was written for linux (chpasswd).

Enough of this; if it's not secure remove it. If you choose not to remove it, I only see a damaged history for SquirrelMail and/or its plugins. We will continue to use SM until something drastic takes place that points to code or erratic/incomplete instructions.

Bottom line:

1) The chpasswd binary, in its native form, currently does not work on FreeBSD-7.3-RELEASE.

-- Using the next item, as of this writing, appears to be the easiest way for a novice to get this plugin to work on/with FreeBSD-7.3-release. Going with any other method involves more configuration and dependencies; that I've seen thus far.

2) Using "$pathToPw = " in the /change_passwd/config.php file is currently the fastest and easiest way to get this plugin working on the FreeBSD version above. I'm not about to check other FBSD versions to find out.

We are currently set with -- "$pathToPw = ".

From: Reko T. <rek...@li...> - 2010-09-10 14:30:16

--------------------------------------------------
From: <sm...@gu...>
Sent: Friday, September 10, 2010 3:09 PM
To: "Squirrelmail Plugins Mailing List" <squ...@li...>
Subject: Re: [SM-PLUGINS] Re search -- change_passwd-4.3beta7-1.2.8.tar.gz-- FreeBSD-7.1-RELEASE

> I did look for your suggestion, but there doesn't seem to be a plugin by the exact name you provided. We've traveled too far to just drop this and start over. I have learned and discovered a few things about this existing plugin that may help me in the future with SquirrelMail.

I've been running Squirrel on FreeBSD from about 2003 onwards (4.x->8.x) and I can recommend change_pass plugin as well. Poppassd needed for installation can easily be installed from the ports and the rest is painless. Of course I recommend running the daemon from inetd and then firewalling the port from everywhere but localhost, keeping it out of reach of kiddies.

-Reko

From: Reko T. <rek...@li...> - 2010-09-10 14:35:14

--------------------------------------------------
From: <sm...@gu...>
Sent: Friday, September 10, 2010 3:09 PM
To: "Squirrelmail Plugins Mailing List" <squ...@li...>
Subject: Re: [SM-PLUGINS] Re search -- change_passwd-4.3beta7-1.2.8.tar.gz-- FreeBSD-7.1-RELEASE

Forgot the link to the plugin in question, sorry...

http://www.squirrelmail.org/plugin_view.php?id=21

-Reko

From: Tomas K. <to...@us...> - 2010-09-10 16:20:40

2010.09.10 15:09 sm...@gu... wrote:
>> sm-19 wrote:
>>>
>>> I'm making a strong assumption this issue with compiling 'chpasswd' from a tar -xvzf change_passwd-4.3beta7-1.2.8.tar.gz file may be specific to FreeBSD; again I'm no way a programmer; here we go ...
>>>
>> Use change_pass plugin. It is safer.
>
> I did look for your suggestion, but there doesn't seem to be a plugin by the exact name you provided. We've traveled too far to just drop this and start over. I have learned and discovered a few things about this existing plugin that may help me in the future with SquirrelMail.

SquirrelMail plugins page lists seven password plugins. Could you check filenames of those plugins?
http://www.squirrelmail.org/plugin_view.php?id=21

You do understand that change_passwd plugin on FreeBSD uses password changing utility with admin privileges and without password verification. Even if you manage to compile chpasswd it does not mean a thing. How do you know that it will handle FreeBSD password hashes correctly?

change_pass plugin does not use program execution functions in PHP and uses password changing service included in FreeBSD ports repository. It is safer than suexec program called in PHP. poppass service in FreeBSD repository should know FreeBSD password format and should be able to handle it. Password changing is the only function of poppass service. If it does not work, then there is no point of including it in FreeBSD ports repository.

--
Tomas

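The design point in the message above, as an added example that is not part of the original thread and is not code from poppassd or either plugin: a simplified model of a poppassd-style `user` / `pass` / `newpass` dialogue in which the service itself verifies the current password before it accepts a new one. The `PasswordStore` class, the reply wording, the 8-character minimum and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class PasswordStore:
    """In-memory stand-in for the system password database (constructed)."""

    def __init__(self):
        self._db = {}

    def set(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._db[user] = (salt, _digest(password, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, stored = self._db.get(user, (b"\0" * 16, b""))
        # Hash even for unknown users so both paths do the same work.
        return hmac.compare_digest(stored, _digest(password, salt))


class PasswordChangeSession:
    """One connection to a poppassd-style service (simplified model)."""

    GREETING = "200 hello, who are you?"

    def __init__(self, store: PasswordStore):
        self.store = store
        self.user = None
        self.verified = False

    def handle(self, line: str) -> str:
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        verb = verb.lower()
        if verb == "user" and arg:
            self.user, self.verified = arg, False
            return "200 your password please"
        if verb == "pass" and self.user:
            # The service, not the web front end, checks the current password.
            self.verified = self.store.verify(self.user, arg)
            return ("200 your new password please" if self.verified
                    else "500 old password is incorrect")
        if verb == "newpass":
            if not self.verified:
                return "500 send user and pass first"
            if len(arg) < 8:  # assumed minimum length, for illustration
                return "500 new password too short"
            self.store.set(self.user, arg)
            self.verified = False  # one change per successful verification
            return "200 password changed"
        if verb == "quit":
            return "200 bye"
        return "500 unknown command"


def run_dialogue(store: PasswordStore, lines: list) -> list:
    """Feed client lines to a fresh session and collect the replies."""
    session = PasswordChangeSession(store)
    return [session.handle(line) for line in lines]
```
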
From: <sm...@gu...> - 2010-09-11 02:20:23

This is in response to both Reko Turja and Tomas Kuliavas.

Thank you for your input. I will continue to use the change_passwd-4.3beta7 and its config.php directive that employs the use of the system's 'pw'. Simply because I don't have to keep installing stuff in support of (dependencies). Using your suggestion located @ http://www.squirrelmail.org/plugin_view.php?id=21 calls for the installation of another port. While I understand it's a painless install, I think about what happens when it's time to upgrade and something breaks; it has happened before. If that takes place (an upgrade breaking something), instead of just needing to troubleshoot one (1) plugin, I may have to troubleshoot the initial plugin in addition to its required port.

As it is now, using just the one (1) plugin with its config.php directive that uses the systems' 'pw' owned by 'root' and using the web-server 'group', I hope we're pretty safe until SM-1.5 is ported to FreeBSD which, as you pointed out, has the 'change_password' plugin merged.

Is my thinking not sane to this point?

I'm still not sure why change_passwd-4.3beta7 doesn't work Out-Of_The_Box (OOB) within FreeBSD-7.3-RELEASE --that may be a horse better left for riding another day. I truly hope php doesn't develop any security issues that will affect the use of this plugin until which time SM-1.5 is ported.

Thanks again folks.

> 2010.09.10 15:09 sm...@gu... wrote:
>>> sm-19 wrote:
>>>> I'm making a strong assumption this issue with compiling 'chpasswd' from a tar -xvzf change_passwd-4.3beta7-1.2.8.tar.gz file may be specific to FreeBSD; again I'm no way a programmer; here we go ...
>>> Use change_pass plugin. It is safer.
>> I did look for your suggestion, but there doesn't seem to be a plugin by the exact name you provided. We've traveled too far to just drop this and start over. I have learned and discovered a few things about this existing plugin that may help me in the future with SquirrelMail.
> SquirrelMail plugins page lists seven password plugins. Could you check filenames of those plugins?
> http://www.squirrelmail.org/plugin_view.php?id=21
> You do understand that change_passwd plugin on FreeBSD uses password changing utility with admin privileges and without password verification.
> Even if you manage to compile chpasswd it does not mean a thing. How do you know that it will handle FreeBSD password hashes correctly?
> change_pass plugin does not use program execution functions in PHP and uses password changing service included in FreeBSD ports repository. It is safer than suexec program called in PHP. poppass service in FreeBSD repository should know FreeBSD password format and should be able to handle it. Password changing is the only function of poppass service. If it does not work, then there is no point of including it in FreeBSD ports repository.
> --
> Tomas

From: Tomas K. <to...@us...> - 2010-09-11 09:34:54

sm-19 wrote:
>
> As it is now, using just the one (1) plugin with its config.php directive that uses the systems' 'pw' owned by 'root' and using the web-server 'group', I hope we're pretty safe until SM-1.5 is ported to FreeBSD which, as you pointed out, has the 'change_password' plugin merged.
>
> Is my thinking not sane to this point?
>

SquirrelMail 1.5 includes change_password plugin, but this plugin is not based on change_passwd plugin. change_password plugin is completely different and it does not support features provided by change_passwd plugin.

Your thinking is not sane. People are saying that your password changing method is very unsafe and you continue to ignore it.

--
Tomas