Rspamd web interface asks for password from Applications section only

carsten · 2019-04-24 16:50:33 UTC

I cannot open the rspam interface from the applications menu in the cockpit any more. Neither with root nor with admin as the user. It asks for a password. When I enter admin and the admin password it works, however it used to work without entering a password.

How to fix this?

EDIT 04/25/19: Result from discussion
From the email section the rspamd-website opens without asking for a password. The same should be from the Applications section, so the current behaviour is a bug which should be fixed.

pike · 2019-04-24 17:40:51 UTC

No fix because (IMVHO) this is a good way to acces.

danb35 · 2019-04-24 17:46:25 UTC

Why? If you’re already logged in as the system administrator, why should you have to re-authenticate to another web application linked from the same interface? The prior behavior was more appropriate.

carsten · 2019-04-24 18:46:00 UTC

No, the other applications like evebox also open without asking for a password again, if you were already logged in. They only ask for password, if you have not logged in the management interface.

This should always the behaviour. Single-Sign-On. No-one likes to type in the password multiple times, when we wants to navigate to some view in the management interface.

This also WAS the behaviour, but somehow got broken. So please fix it.

stephdl · 2019-04-24 18:47:04 UTC

Not in front of a computer, so all is from memory, you can either login with the admin user or with the rspamd user, the password is stored in /var/lib/nethserver/secret/rspamd

There is no ssso we only give the user/password in the url

pike · 2019-04-24 20:03:13 UTC

The URL is random but… sometimes could be got. Therefore, user request will save the issue for attack the setup.

danb35 · 2019-04-24 20:17:26 UTC

Shouldn’t the user authentication to the server manager be able to carry over to another application on the same server? Why would it depend on secrecy of the URL?

fasttech · 2019-04-24 22:56:43 UTC

What’s silly is that from Applications, login is demanded… but from the Email - Filter - Rspamd link credentials are just passed, then you can use the link in Applications which no longer demands the pwd and just opens the page… because the browser has the login. I noticed this long ago.

carsten · 2019-04-25 04:50:46 UTC

That’s interesting. I can confirm, that from the Email section the rspamd-website opens without asking for a password. The same should be from the Applications section. Maybe I am wrong, but I think at some time it worked also from applications without a password. In any case, it is a bug, which should be fixed.

How to file a bug? Should I open one github? I changed the category to “Bug”.

stephdl · 2019-04-25 07:13:19 UTC

Confirmed, the password is not prompted in the applications link

github.com

NethServer/nethserver-mail/blob/master/filter/usr/share/nethesis/NethServer/Module/Dashboard/Applications/Rspamd.php

<?php
namespace NethServer\Module\Dashboard\Applications;

/*
 * Copyright (C) 2017 Nethesis S.r.l.
 *
 * This script is part of NethServer.
 *
 * NethServer is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * NethServer is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with NethServer.  If not, see <http://www.gnu.org/licenses/>.

This file has been truncated. show original

This how to give the password/url

github.com

NethServer/nethserver-mail/blob/master/filter/usr/share/nethesis/NethServer/Template/Mail/Filter.php

<?php

/* @var $view Nethgui\Renderer\Xhtml */

$virusCheckbox = $view->checkBox('VirusCheckStatus', 'enabled')
    ->setAttribute('uncheckedValue', 'disabled');

// send some translated strings to the javascript context:
$view->includeTranslations(array(
    'New SB',
    'New RW',
    'New SW',
    'Delete',
    'Done',
    'Update',
    'allow To',
    'allow From',
    'deny To',
    'deny From',
));

This file has been truncated. show original

You could open a bug, but the effort are going now to cockpit

carsten · 2019-04-25 09:40:52 UTC

Will it be fixed in the next update?

davidep · 2019-04-26 07:50:08 UTC

Do you mean this?

It is so since the first release of Rspamd in NS7, probably because the Applications section can be accessed by non-admins users: we cannot grant them access to Rspamd admin interface from there.

Instead we are sure the Email > Filter page can be accessed by admins only. Furthermore, as root credentials cannot be used by the Apache PAM helper, we added a special “rspamd” login for those installations without accounts provider.

I’m sorry but I don’t think this can be considered a bug. It works in this way for the reason above.

In the Cockpit App it is implemented in a similar way.

fasttech · 2019-04-26 16:59:29 UTC

Sounds fair to me.