IMP: User password changes with Cyrus SASL

Marc Giannoni marc@archela.com
Fri, 27 Oct 2000 20:13:28 +0000 (GMT)


Date: Fri, 27 Oct 2000 20:02:29 +0000 (GMT)
From: Marc Giannoni <marc@archela.com>
Reply-To: Marc Giannoni <marc@archela.com>
Subject: IMP: User password changes with Cyrus SASL
To: imp@lists.horde.org

How to enable user password changes when using Cyrus SASL and "sasldb".
======================================================================

Cyrus SASL database ("sasldb") authentication allows your Cyrus/IMP installation
to host mail users without requiring a Unix shell account!

NOTE:
This "patch" only covers the "sasldb" case when using Cyrus SASL.  Kerberos
and PAM authentication mechanisms will require other techniques to enable
user password manipulations.

Cyrus SASL includes a shell utility called "saslpasswd" for manipulating
user passwords in the "sasldb" database.  This patch attempts to use
this utility to perform the password manipulations required by your IMP
users without any administrative interaction.  Unfortunately, this
scheme requires that the "saslpasswd" utility be run as the "cyrus"
user - a horrible security problem, since I've chosen to SUID a small
script which will allow this to happen.


The Cyrus SASL implementation includes an API that would allow
this kind of database manipulation to be scripted entirely within PHP,
a much more secure implementation.  Anybody interested in implementing
this method merely needs to replace the "sasl_chpass.sh" shell script
with the appropriate SASL API calls, and ensure that it links with
the SASL library.  Other techniques that improve security are welcome!


New File: imp/templates/passwd/saslpassd_input.inc
==================================================

# diff poppassd_input.inc saslpassd_input.inc
17c17
< <form action="<?php $sess->purl($default->root_url . '/poppassd.php3') ?>"
method="post">
---
> <form action="<?php $sess->purl($default->root_url . '/saslpassd.php3') ?>"
method="post">

New File: imp/saslpassd.php3
============================

# diff poppassd.php3 saslpassd.php3
94,145c94
<
<               /* OK, the input data seems to be OK, connect */
<               $passd = fsockopen($poppassd_server, $poppassd_port, &$errno,
&$errstr);
<               if (!$passd){
<                       $errortype = "Password Server: $errno($errstr)";
<                       include
"$default->include_dir/passwd/poppassd_error.inc";
<               } else {
<                       $input = fgets($passd, 128);
<                       if (!(substr($input, 0, 3) == 200)) {
<                               fclose($passd);
<                               $errortype = 'no_connect';
<                               include
"$default->include_dir/passwd/poppassd_error.inc" ;
<                       }
<                       $output = 'user ' . $imp->user . "\n";
<                       fputs($passd,$output);
<
<                       $input = fgets($passd, 128);
<                       if (!(substr($input, 0, 3) == 200)) {
<                               fclose($passd);
<                               $errortype = $input;
<                       }
<                       $output = "pass " . $imp->pass . "\n";
<                       fputs($passd,$output);
<   
<                       $input = fgets($passd, 128);
<                       if (!(substr($input, 0, 3) == 200)) {
<                               fclose($passd);
<                               $errortype = $input;
<                               include
"$default->include_dir/passwd/poppassd_error.inc";
<                       }
<                       $output = "newpass $new_pass\n";
<                       fputs($passd,$output);
<   
<                       $input = fgets($passd, 128);
<                       if (!(substr($input, 0, 3) == 200)) {
<                               fclose($passd);
<                               $errortype = $input;
<                               include
"$default->include_dir/passwd/poppassd_error.inc";
<                       $output = "quit\n";
<                       fputs($passd, $output);
<   
<   
<                       $input = fgets($passd, 128);
<                       if (!(substr($input, 0, 3) == 200)) {
<                               fclose($passd);
<                               $errortype = $input;
<                               include
"$default->include_dir/passwd/poppassd_error.inc";
<                       }
<                       fclose($passd);
<   
---

---
>               system(escapeshellcmd("./config/sasl_chpass.sh $username
$new_pass"));
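Review bot: the replacement line puts the new password on the helper's command line (`./config/sasl_chpass.sh $username $new_pass`), where every local user can read it from `ps` output for as long as the script runs; pass it on the helper's stdin instead (for example via `popen()` in write mode) and keep only the username as an argument. Three further points in this hunk: `$username` does not appear in the removed code, which used `$imp->user`, so confirm it is actually set before this line; `escapeshellcmd()` over the whole string neutralises shell metacharacters but does not keep a password containing whitespace together as a single argument, so the helper's `$2` would receive only its first word, and the username should be checked against a strict allowlist (letters, digits, `.`, `_`, `-`) before it is interpolated at all; and the return value of `system()` is never examined, so the error handling the removed block had (including `poppassd_error.inc` on failure, and confirming the current password with the `pass` step before sending `newpass`) is gone, which means a failed `saslpasswd` run is shown to the user as success.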
155c104
<               include "$default->include_dir/passwd/poppassd_input.inc";
---
>               include "$default->include_dir/passwd/saslpassd_input.inc";
158c107
<   include "$default->include_dir/passwd/poppassd_input.inc";
---
>   include "$default->include_dir/passwd/saslpassd_input.inc";
#

New File: imp/config/sasl_chpass.sh:
====================================

#!/bin/sh
# $1 = username, $2 = new password (both arrive on the command line from saslpassd.php3); quoted so each is passed as a single argument.
/usr/local/sbin/saslpasswd -d "$1"                          # drop the user's existing sasldb entry
printf '%s\n' "$2" | /usr/local/sbin/saslpasswd -p -c "$1"  # recreate it (-c) with the password read from stdin (-p)
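The wrapper above takes the password from argv and trusts whatever username PHP hands it. A hardened variant, added here as an example rather than the patch's own script, keeps the same two saslpasswd calls but validates the username against a strict allowlist, reads the new password from stdin so it never appears in `ps` output, and reports saslpasswd's exit status instead of ignoring it. The `SASLPASSWD` override variable is an assumption introduced here so the script can be exercised against a stub; it defaults to the path the page uses.

```shell
#!/bin/sh
# Hardened stand-in for imp/config/sasl_chpass.sh (added example, not part of
# the original patch).  Same job as the page's wrapper, with three changes:
#   - the username is checked against a strict allowlist before it reaches
#     saslpasswd, so shell metacharacters and option-like values ("-d") are
#     rejected;
#   - the new password is read from stdin instead of argv, so it never shows
#     up in `ps` output;
#   - exit statuses are checked and reported instead of ignored.
# SASLPASSWD is an assumed override hook (not in the original) so the wrapper
# can be exercised against a stub; it defaults to the path the page uses.
SASLPASSWD="${SASLPASSWD:-/usr/local/sbin/saslpasswd}"

# valid_username NAME: succeed only for 1..64 characters from [A-Za-z0-9._-]
# that do not start with '-' (which saslpasswd would parse as an option).
valid_username() {
    case "$1" in
        '' | -*)            return 1 ;;   # empty or option-like
        *[!A-Za-z0-9._-]*)  return 1 ;;   # anything outside the allowlist
    esac
    [ "${#1}" -le 64 ]
}

# sasl_chpass NAME   (new password, one line, on stdin)
# Returns 0 on success, 2 for a bad username, 3 for an empty password,
# otherwise saslpasswd's own exit status.
sasl_chpass() {
    user="$1"
    if ! valid_username "$user"; then
        echo "sasl_chpass: invalid username" >&2
        return 2
    fi
    newpass=
    # A missing trailing newline is not an error; emptiness is checked next.
    IFS= read -r newpass || :
    if [ -z "$newpass" ]; then
        echo "sasl_chpass: empty password" >&2
        return 3
    fi
    # Drop any existing entry first, as the page's script does.  The entry may
    # not exist yet, so this status is deliberately not fatal.
    "$SASLPASSWD" -d "$user" 2>/dev/null || :
    # Recreate it (-c) with the password supplied on the pipe (-p).  The
    # pipeline's status is saslpasswd's exit status, which becomes ours.
    printf '%s\n' "$newpass" | "$SASLPASSWD" -p -c "$user"
}

# When run directly:  printf '%s\n' "$new_pass" | ./sasl_chpass.sh alice
if [ "$#" -eq 1 ]; then
    sasl_chpass "$1"
    exit $?
fi
```

From PHP the caller would pass only the username as an argument and write the password into the script's stdin (for example with `popen()` in write mode), then check the exit status and show the error template on failure. Note also that Linux ignores the setuid bit on interpreted scripts, so the `chmod 4550` step below only has an effect on systems that honour setuid scripts; elsewhere the wrapper needs a compiled setuid launcher or an equivalent mechanism restricted to this single command.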


Do not forget to: 
=================
      "chown cyrus:nobody config/sasl_chpass.sh"
      "chmod 4550 config/sasl_chpass.sh"

<<<<<<<<<<<<<<<<< YIKES, that's the Nasty One!>>>>>>>>>>>>>>>>>>>>>>>



-------------------------------------------------
This mail sent through IMP: archela.com