Squirrel Mail ~ Change Password Plugins Fails

While working with SquirrelMail on the UMK mail server, I encountered a strange problem. When I installed the change_password plugin, it failed to operate. A user could not change his password even though the current password he entered was correct. Even worse, when I disabled $confirmNewPass and $confirmOldPass in the config.php file, the same error kept haunting my users.

The plugin worked when run from a bash shell, but not from the website. Quite an interesting situation.

[Image: chpasswd_error]

Further investigation showed that something goes wrong when the script is run from the website. SELinux is preventing the plugin from running correctly. The output of dmesg looks like this:

audit(1184206216.485:2): avc: denied { execute } for pid=3140 comm="chpasswd" name="ld.so.cache" dev=hda4 ino=457427 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:ld_so_cache_t tclass=file

audit(1184206216.486:3): avc: denied { setuid } for pid=3140 comm="chpasswd" capability=7 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=capability

audit(1184206228.873:4): avc: denied { execute } for pid=3142 comm="chpasswd" name="ld.so.cache" dev=hda4 ino=457427 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:ld_so_cache_t tclass=file

audit(1184206228.874:5): avc: denied { setuid } for pid=3142 comm="chpasswd" capability=7 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=capability

At first, I was not sure what was going on, but some security prevention was involved. Later, after I did some googling, I realized that SELinux was the cause of the problem. This is the SELinux status on the machine:

[root@mail ~]# getenforce
Enforcing

[root@mail change_passwd]# getsebool -a
allow_syslog_to_console --> inactive
allow_ypbind --> inactive
dhcpd_disable_trans --> inactive
httpd_builtin_scripting --> active
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_tty_comm --> inactive
httpd_unified --> active
mysqld_disable_trans --> inactive
named_disable_trans --> inactive
named_write_master_zones --> inactive
nscd_disable_trans --> inactive
ntpd_disable_trans --> inactive
pegasus_disable_trans --> inactive
portmap_disable_trans --> inactive
postgresql_disable_trans --> inactive
snmpd_disable_trans --> inactive
squid_disable_trans --> inactive
syslogd_disable_trans --> inactive
use_nfs_home_dirs --> inactive
use_samba_home_dirs --> inactive
use_syslogng --> inactive
winbind_disable_trans --> inactive
ypbind_disable_trans --> inactive

Now I have to disable the appropriate SELinux boolean. But… which is the correct one? Hmm… Well, I think it is better to just disable SELinux first and figure out the boolean later.

I disabled SELinux using this command:

[root@mail change_passwd]# setenforce 0
[root@mail change_passwd]# getenforce
Permissive

And wow… the new plugin ran smoothly after that.

[Image: chpasswd_corrected]
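
The denials in the dmesg output above can be reduced to the source type, target type, class and permission each one names, which is what has to be known before choosing a boolean or a narrow policy change for httpd_sys_script_t rather than leaving the whole host permissive. The Python below is an added example, not part of the original post and not the audit2allow tool; the function names parse_avc and summarize are hypothetical, and the sample input is the four audit lines from the post with straight quotes.

```python
import re
from collections import defaultdict

# The four AVC records from the dmesg output in the post, quotes normalised.
SAMPLE = """\
audit(1184206216.485:2): avc: denied { execute } for pid=3140 comm="chpasswd" name="ld.so.cache" dev=hda4 ino=457427 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:ld_so_cache_t tclass=file
audit(1184206216.486:3): avc: denied { setuid } for pid=3140 comm="chpasswd" capability=7 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=capability
audit(1184206228.873:4): avc: denied { execute } for pid=3142 comm="chpasswd" name="ld.so.cache" dev=hda4 ino=457427 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:ld_so_cache_t tclass=file
audit(1184206228.874:5): avc: denied { setuid } for pid=3142 comm="chpasswd" capability=7 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=capability
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other line."""
    # Blog and mail software often turns " into typographic quotes; undo that.
    line = line.replace("\u201c", '"').replace("\u201d", '"')
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: not enough to name a rule
    return {
        "perms": match.group(1).split(),
        "comm": fields.get("comm", "?"),
        # An SELinux context is user:role:type[:level]; the type is field 3.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def summarize(log_text):
    """Collapse repeated denials into one allow-style line per access vector."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc:
            grouped[(avc["source"], avc["target"], avc["tclass"])].update(avc["perms"])
    rules = []
    for (source, target, tclass), perms in sorted(grouped.items()):
        target = "self" if target == source else target
        rules.append(f"allow {source} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

The four records collapse to two access vectors: execute on ld_so_cache_t files and the setuid capability, both requested by chpasswd while running as httpd_sys_script_t.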
