[Kolab-devel] Crucial: roundcubemail always writes debug logs!
Henning
henne.gwath at gmx.de
Thu May 29 21:50:21 CEST 2014
Hi!
I found the root of the problem in the file
/usr/share/roundcubemail/plugins/kolab_auth/kolab_auth.php, there it reads:

    // Enable debug logs per-user, this enables logging only after
    // user has logged in
    if (!empty($_SESSION['username']) &&
        $rcmail->config->get('kolab_auth_auditlog')) {
        $rcmail->config->set('debug_level', 1);
        $rcmail->config->set('devel_mode', true);
        $rcmail->config->set('smtp_log', true);
        $rcmail->config->set('log_logins', true);
        $rcmail->config->set('log_session', true);
        $rcmail->config->set('memcache_debug', true);
        $rcmail->config->set('imap_debug', true);
        $rcmail->config->set('ldap_debug', true);
        $rcmail->config->set('smtp_debug', true);
        $rcmail->config->set('sql_debug', true);
        // SQL debug need to be set directly on DB object
        // setting config variable will not work here because
        // the object is already initialized/configured
        if ($db = $rcmail->get_dbh()) {
            $db->set_debug(true);
        }
    }

The option kolab_auth_auditlog is enabled by default. According to the
comment line it seems to be reasonable...
(/etc/roundcubemail/kolab_auth.inc.php):

    // Enable audit logging for abuse of administrative privileges.
    $rcmail_config['kolab_auth_auditlog'] = true;

Why does kolab_auth_auditlog have to enable debugging for all users,
always? There are plaintext passwords logged verbosely, although
disabled by global roundcube settings! Is this intended?
For the moment, I just commented out the whole PHP code block posted above.
regards,
Henning
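
Added example, not part of the original message and not Kolab or Roundcube code: a Python check that reads the main and plugin config text and lists the debug options the quoted block forces on regardless of the global settings. The sample config text is constructed; the assignment syntax it matches and the treatment of a missing kolab_auth_auditlog key as off are assumptions.

```python
import re

# Options the quoted kolab_auth block forces on for a logged-in user when
# kolab_auth_auditlog is true (names and values copied from the post).
FORCED = {
    "debug_level": 1, "devel_mode": True, "smtp_log": True, "log_logins": True,
    "log_session": True, "memcache_debug": True, "imap_debug": True,
    "ldap_debug": True, "smtp_debug": True, "sql_debug": True,
}

# Assumption: options are plain scalar assignments, one per line, in the form
# $rcmail_config['name'] = value; or $config['name'] = value;
ASSIGN = re.compile(
    r"""^[ \t]*\$(?:rcmail_)?config\[\s*['"](\w+)['"]\s*\]\s*=\s*(true|false|\d+)\s*;""",
    re.IGNORECASE | re.MULTILINE)

def parse_config(text):
    """Return {option: bool|int}; commented-out lines are skipped, last wins."""
    out = {}
    for key, raw in ASSIGN.findall(text):
        out[key] = int(raw) if raw.isdigit() else raw.lower() == "true"
    return out

def overridden_options(main_text, plugin_text):
    """List (option, configured, forced) where the plugin overrides the admin."""
    main, plugin = parse_config(main_text), parse_config(plugin_text)
    # Assumption: a missing kolab_auth_auditlog key counts as off.
    if not plugin.get("kolab_auth_auditlog", False):
        return []
    return [(k, main.get(k), v) for k, v in FORCED.items() if main.get(k) != v]

# Constructed sample input, not taken from a real installation.
SAMPLE_MAIN = """
$rcmail_config['debug_level'] = 0;
$rcmail_config['imap_debug'] = false;
$rcmail_config['smtp_debug'] = false;
$rcmail_config['log_logins'] = true;
"""
SAMPLE_PLUGIN = """
// Enable audit logging for abuse of administrative privileges.
$rcmail_config['kolab_auth_auditlog'] = true;
"""

if __name__ == "__main__":
    for name, configured, forced in overridden_options(SAMPLE_MAIN, SAMPLE_PLUGIN):
        print(f"{name}: configured={configured!r} -> forced to {forced!r}")
```

A `configured` value of `None` means the option was not set in the main config text at all.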