Crucial: roundcubemail always writes debug logs!

Henning henne.gwath at gmx.de
Thu May 29 21:49:59 CEST 2014


Hi!

I found the root of the problem in the file
/usr/share/roundcubemail/plugins/kolab_auth/kolab_auth.php, there it reads:

        // Enable debug logs per-user, this enables logging only after
        // user has logged in
        if (!empty($_SESSION['username']) &&
            $rcmail->config->get('kolab_auth_auditlog')) {
            $rcmail->config->set('debug_level', 1);
            $rcmail->config->set('devel_mode', true);
            $rcmail->config->set('smtp_log', true);
            $rcmail->config->set('log_logins', true);
            $rcmail->config->set('log_session', true);
            $rcmail->config->set('memcache_debug', true);
            $rcmail->config->set('imap_debug', true);
            $rcmail->config->set('ldap_debug', true);
            $rcmail->config->set('smtp_debug', true);
            $rcmail->config->set('sql_debug', true);

            // SQL debug needs to be set directly on the DB object;
            // setting the config variable will not work here because
            // the object is already initialized/configured
            if ($db = $rcmail->get_dbh()) {
                $db->set_debug(true);
            }
        }

The option kolab_auth_auditlog is enabled by default. According to the
comment line it seems to be reasonable...
(/etc/roundcubemail/kolab_auth.inc.php):

// Enable audit logging for abuse of administrative privileges.
$rcmail_config['kolab_auth_auditlog'] = true;

Why does kolab_auth_auditlog have to enable debugging for all users,
always? Plaintext passwords are logged verbosely, although this is
disabled by the global Roundcube settings! Is this intended?

For the moment, I just commented out the whole PHP code block posted above.

regards,
Henning


On 29.05.2014 18:07, Henning wrote:
> No, it can't be disabled! Setting logging to syslog and disabling it from
> there.
> 
> On 29.05.2014 17:59, Henning wrote:
>> Hi,
>>
>> I just noticed that, although I set
>>
>> $config['debug_level'] = 1;
>> $config['ldap_debug'] = false;
>>
>> roundcubemail is logging verbose (including plaintext passwords!).
>>
>> This can be only disabled by setting
>>
>> $config['debug_level'] = 0;
>>
>> Is this intended? Logging enabled means password logging? Couldn't!
>>
>> Henning
>>
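Added example (not from this thread and not Roundcube or Kolab project code): once imap_debug, ldap_debug and smtp_debug have been forced on as described above, the protocol transcripts already written to the log carry credentials, so an administrator needs a way to find those lines and to mask them before the logs are archived or shared. The script below scans log lines, counts how many carry a credential, and rewrites them with the secret replaced. The line layouts it matches (IMAP LOGIN, LDAP bind with a password= field, SMTP AUTH PLAIN, key=value fields) and the sample lines in SAMPLE_LOG are constructed for the example and are an assumption about the log format, not Roundcube's verified output.

```python
import re

REDACTED = "[REDACTED]"

# Credential-bearing shapes in protocol debug output. Each pattern has a
# 'prefix' group (kept) and a 'secret' group (masked). The shapes are
# ASSUMED for this example; they follow the wire commands, not a verified
# Roundcube log layout.
CREDENTIAL_PATTERNS = [
    # IMAP: <tag> LOGIN "user" "secret"   or   <tag> LOGIN user secret
    re.compile(r'(?P<prefix>\b[A-Za-z0-9]+\s+LOGIN\s+"?[^"\s]+"?\s+)'
               r'(?P<secret>"[^"]*"|\S+)', re.IGNORECASE),
    # SMTP: AUTH PLAIN <base64 of \0user\0password>
    re.compile(r'(?P<prefix>\bAUTH\s+PLAIN\s+)(?P<secret>\S+)', re.IGNORECASE),
    # key=value style fields, e.g. an LDAP bind logged as password=...
    re.compile(r'(?P<prefix>\b(?:password|passwd|pass|pw)\s*[=:]\s*)'
               r'(?P<secret>"[^"]*"|\S+)', re.IGNORECASE),
]

# Constructed sample lines resembling one Roundcube login with the plugin's
# forced debug settings active; the timestamps and layout are made up.
SAMPLE_LOG = [
    '[29-May-2014 21:40:12 +0200]: [IMAP] C: A0001 LOGIN "alice" "hunter2"',
    '[29-May-2014 21:40:12 +0200]: [IMAP] S: A0001 OK LOGIN completed',
    '[29-May-2014 21:40:13 +0200]: [LDAP] bind dn=uid=alice,ou=people,dc=example,dc=org password=hunter2',
    '[29-May-2014 21:40:13 +0200]: [SMTP] C: AUTH PLAIN AGFsaWNlAGh1bnRlcjI=',
    '[29-May-2014 21:40:14 +0200]: [SQL] SELECT * FROM users WHERE username = "alice"',
]


def redact_line(line):
    """Return (redacted_line, found); found is True if a secret was masked."""
    found = False
    for pattern in CREDENTIAL_PATTERNS:
        def _mask(match):
            nonlocal found
            found = True
            secret = match.group('secret')
            # keep the quoting so the line still reads as the original command
            if len(secret) >= 2 and secret[0] == '"' and secret[-1] == '"':
                return match.group('prefix') + '"' + REDACTED + '"'
            return match.group('prefix') + REDACTED
        line = pattern.sub(_mask, line)
    return line, found


def scan_log(lines):
    """Redact every line; return (redacted_lines, number_of_lines_with_a_secret)."""
    redacted, leaks = [], 0
    for raw in lines:
        clean, found = redact_line(raw.rstrip("\n"))
        redacted.append(clean)
        leaks += int(found)
    return redacted, leaks


if __name__ == "__main__":
    cleaned, count = scan_log(SAMPLE_LOG)
    print("lines carrying a credential:", count)
    for entry in cleaned:
        print(entry)
```

On the constructed sample, three of the five lines carry a credential (the IMAP LOGIN, the LDAP bind and the SMTP AUTH PLAIN blob); the server reply and the SQL statement pass through unchanged. Run it over a real log with `scan_log(open(path))`; a non-zero count is the signal that the debug override was active for that login and that the file needs the same treatment wherever it has been copied (backups, syslog relays, log shipping). SMTP AUTH LOGIN, which sends the password as a base64 line of its own, is not covered by these patterns.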
