Rspamd web interface asks for password from Applications section only

rspamd

(Carsten Härle) #1

I cannot open the Rspamd interface from the applications menu in the cockpit any more, neither with root nor with admin as the user. It asks for a password. When I enter admin and the admin password it works; however, it used to work without entering a password.

How to fix this?

EDIT 04/25/19: Result from discussion
From the email section the rspamd-website opens without asking for a password. The same should be from the Applications section, so the current behaviour is a bug which should be fixed.


(Michael Kicks) #2

No fix because (IMVHO) this is a good way to access.


(Dan) #3

Why? If you’re already logged in as the system administrator, why should you have to re-authenticate to another web application linked from the same interface? The prior behavior was more appropriate.


(Carsten Härle) #4

No, the other applications like evebox also open without asking for a password again if you were already logged in. They only ask for a password if you have not logged in to the management interface.

This should always be the behaviour. Single sign-on. No one likes to type in the password multiple times when one wants to navigate to some view in the management interface.

This also WAS the behaviour, but somehow got broken. So please fix it.


(Stéphane de Labrusse) #5

Not in front of a computer, so all is from memory: you can either log in with the admin user or with the rspamd user; the password is stored in /var/lib/nethserver/secret/rspamd

There is no SSO; we only give the user/password in the URL.


(Michael Kicks) #6

The URL is random but… sometimes could be got. Therefore, user request will save the issue for attack the setup.


(Dan) #7

Shouldn’t the user authentication to the server manager be able to carry over to another application on the same server? Why would it depend on secrecy of the URL?


#8

What’s silly is that from Applications, login is demanded… but from the Email - Filter - Rspamd link credentials are just passed, then you can use the link in Applications which no longer demands the pwd and just opens the page… because the browser has the login. I noticed this long ago.


(Carsten Härle) #9

That’s interesting. I can confirm that from the Email section the rspamd-website opens without asking for a password. The same should be true from the Applications section. Maybe I am wrong, but I think at some time it also worked from Applications without a password. In any case, it is a bug which should be fixed.

How to file a bug? Should I open one on GitHub? I changed the category to “Bug”.


(Stéphane de Labrusse) #10

Confirmed, the password is not prompted in the applications link.

This is how to give the password/URL.

You could open a bug, but the efforts are now going to Cockpit.


(Carsten Härle) #11

Will it be fixed in the next update?


(Davide Principi) #12

Do you mean this?

[image]

It has been so since the first release of Rspamd in NS7, probably because the Applications section can be accessed by non-admin users: we cannot grant them access to the Rspamd admin interface from there.

Instead, we are sure the Email > Filter page can be accessed by admins only. Furthermore, as root credentials cannot be used by the Apache PAM helper, we added a special “rspamd” login for those installations without an accounts provider.

I’m sorry but I don’t think this can be considered a bug. It works in this way for the reason above.

In the Cockpit App it is implemented in a similar way.


#13

Sounds fair to me.