Monday, January 5, 2015

How to use the Roundcube password plugin (chpasswd driver)

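This is essentially based on the following post:
http://www.roundcubeforum.net/index.php?topic=21861.0
When I implemented this earlier, password changes kept failing, and the log did not explain why; all it showed was "Unable to execute sudo". It turns out that sudoers has the "Defaults    requiretty" setting by default, and PHP has no console when it runs chpasswd, so the command cannot run. Making the changes described in that post fixes it.
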
1) enable password function

vi /var/www/html/roundcube/config/config.inc.php

- alter the following line as follows:

$config['plugins'] = array('password');

2) enable the password plugin

cd /var/www/html/roundcube/plugins/password
cp config.inc.php.dist config.inc.php

vi config.inc.php

- alter the following as follows:

$config['password_driver'] = 'chpasswd';

3) allow apache to run the script

visudo

- add to bottom

Defaults:apache !requiretty
apache ALL=(root) NOPASSWD: /usr/sbin/chpass-wrapper.py

4) add blacklisted users and minimum UID below

vi /var/www/html/roundcube/plugins/password/helpers/chpass-wrapper.py

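BLACKLIST = (
    # add blacklisted users here, comma separated
    # (keep the trailing comma: ('root') alone is a string, not a tuple)
    'root',
)

# refuse to change the password of any account below the minimum UID
if user.pw_uid < 494:
    sys.exit('Changing the password for user id < 494 is forbidden')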

5) copy the helper to an executable directory and make it executable
   
cp /var/www/html/roundcube/plugins/password/helpers/chpass-wrapper.py /usr/sbin
chmod 755 /usr/sbin/chpass-wrapper.py

6) alter the driver to run the helper which in turn runs the driver (wraps it)

vi /var/www/html/roundcube/plugins/password/config.inc.php

old:
$config['password_chpasswd_cmd'] = 'sudo /usr/sbin/chpasswd 2> /dev/null';
new:
$config['password_chpasswd_cmd'] = 'sudo /usr/sbin/chpass-wrapper.py 2> /dev/null';
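Because sudo now lets apache run the wrapper as root without a password, the wrapper's checks are the only thing limiting which accounts the webmail can touch. The block below is an added example, not code from the original post or from the Roundcube helper. It shows those checks with the blacklist and the 494 threshold from step 4; `check_request`, `Rejected`, `SAMPLE` and `REQUESTS` are hypothetical names, and the accounts and inputs are constructed.

```python
MIN_UID = 494            # threshold from step 4 of this page
BLACKLIST = ('root',)    # trailing comma makes this a tuple, not a str

class Rejected(Exception):
    """A request that must not be passed on to chpasswd."""

def check_request(raw, get_uid=None, blacklist=BLACKLIST, min_uid=MIN_UID):
    """Validate one 'user:password' line; return the line to feed chpasswd."""
    if isinstance(blacklist, str):
        # ('root') without a comma is a str, so `in` would match substrings
        raise TypeError('blacklist must be a tuple, list or set')
    if get_uid is None:
        import pwd  # real lookup; Unix only
        get_uid = lambda name: pwd.getpwnam(name).pw_uid
    line = raw.rstrip('\n')
    # chpasswd accepts one user:password pair per line, so an embedded
    # newline would smuggle in a second pair for a different account.
    if '\n' in line or '\r' in line:
        raise Rejected('multi-line input')
    username, sep, password = line.partition(':')
    if not (sep and username and password):
        raise Rejected('malformed input')
    if username in blacklist:
        raise Rejected('user is blacklisted')
    try:
        uid = get_uid(username)
    except KeyError:
        raise Rejected('no such user')
    if uid < min_uid:
        raise Rejected('uid below %d' % min_uid)
    return '%s:%s\n' % (username, password)

SAMPLE = {'root': 0, 'apache': 48, 'alice': 1001}  # constructed name -> uid
REQUESTS = ('alice:N3w-pass\n', 'root:x\n', 'apache:x\n',
            'alice:x\nroot:y\n', 'ghost:x\n')  # constructed inputs

def demo():
    """Map each constructed request to the accepted line or the refusal."""
    out = {}
    for raw in REQUESTS:
        try:
            out[raw] = check_request(raw, SAMPLE.__getitem__)
        except Rejected as exc:
            out[raw] = 'rejected: %s' % exc
    return out

if __name__ == '__main__':
    for raw, outcome in demo().items():
        print('%r -> %r' % (raw, outcome))
```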