Crucial: roundcubemail always writes debug logs!
Henning
henne.gwath at gmx.de
Thu May 29 21:49:59 CEST 2014
Hi!
I found the root of the problem in the file
/usr/share/roundcubemail/plugins/kolab_auth/kolab_auth.php, there it reads:
    // Enable debug logs per-user, this enables logging only after
    // user has logged in
    if (!empty($_SESSION['username']) &&
        $rcmail->config->get('kolab_auth_auditlog')) {
        $rcmail->config->set('debug_level', 1);
        $rcmail->config->set('devel_mode', true);
        $rcmail->config->set('smtp_log', true);
        $rcmail->config->set('log_logins', true);
        $rcmail->config->set('log_session', true);
        $rcmail->config->set('memcache_debug', true);
        $rcmail->config->set('imap_debug', true);
        $rcmail->config->set('ldap_debug', true);
        $rcmail->config->set('smtp_debug', true);
        $rcmail->config->set('sql_debug', true);
        // SQL debug need to be set directly on DB object
        // setting config variable will not work here because
        // the object is already initialized/configured
        if ($db = $rcmail->get_dbh()) {
            $db->set_debug(true);
        }
    }
The option kolab_auth_auditlog is enabled by default. According to the
comment line it seems to be reasonable...
(/etc/roundcubemail/kolab_auth.inc.php):
    // Enable audit logging for abuse of administrative privileges.
    $rcmail_config['kolab_auth_auditlog'] = true;
Why does kolab_auth_auditlog have to enable debugging for all users,
always? There are plaintext passwords logged verbosely, although
disabled by global roundcube settings! Is this intended?
For the moment, I just commented out the whole PHP code block posted above.
regards,
Henning
On 29.05.2014 18:07, Henning wrote:
> No, it can't be disabled! Setting logging to syslog and disable it from
> there.
>
> On 29.05.2014 17:59, Henning wrote:
>> Hi,
>>
>> I just noticed, that, although set
>>
>> $config['debug_level'] = 1;
>> $config['ldap_debug'] = false;
>>
>> roundcubemail is logging verbose (including plaintext passwords!).
>>
>> This can be only disabled by setting
>>
>> $config['debug_level'] = 0;
>>
>> Is this intended? Logging enabled means password logging? Couldn't!
>>
>> Henning
>>
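
As an added example (not part of the original post, and not Kolab or Roundcube code), the following Python script models the kolab_auth block quoted above to show which configured debug settings it overrides for a logged-in session. The function names, the regex-based parser and the plain merge of the two config files are assumptions made for illustration; the sample input is constructed from the settings quoted in this thread.

```python
import re

# Settings the kolab_auth block quoted above forces for a logged-in user
# when kolab_auth_auditlog is true (values copied from that block).
FORCED = {
    "debug_level": 1, "devel_mode": True, "smtp_log": True,
    "log_logins": True, "log_session": True, "memcache_debug": True,
    "imap_debug": True, "ldap_debug": True, "smtp_debug": True,
    "sql_debug": True,
}

# Simple scalar assignments such as $config['x'] = false; at line start,
# so lines commented out with // or # are skipped.
ASSIGN = re.compile(
    r"""^\s*\$(?:rcmail_)?config\[\s*['"](\w+)['"]\s*\]\s*=\s*(true|false|-?\d+)\s*;""",
    re.IGNORECASE | re.MULTILINE,
)

def parse_config(php_text):
    """Return {key: value} for boolean/integer assignments; later lines win."""
    found = {}
    for key, raw in ASSIGN.findall(php_text):
        raw = raw.lower()
        found[key] = (raw == "true") if raw in ("true", "false") else int(raw)
    return found

def effective_debug(main_cfg, plugin_cfg, logged_in):
    """Model the quoted block: return (effective settings, overridden keys)."""
    cfg = {**main_cfg, **plugin_cfg}  # assumption: plain merge of both files
    if not (logged_in and cfg.get("kolab_auth_auditlog")):
        return cfg, {}
    # key -> (value the admin configured or None, value the plugin forces)
    overridden = {k: (cfg.get(k), v) for k, v in FORCED.items() if cfg.get(k) != v}
    cfg.update(FORCED)
    return cfg, overridden

# Constructed sample input, built from the settings quoted in this thread.
MAIN = "$config['debug_level'] = 1;\n$config['ldap_debug'] = false;\n"
PLUGIN = "$rcmail_config['kolab_auth_auditlog'] = true;\n"

if __name__ == "__main__":
    _, over = effective_debug(parse_config(MAIN), parse_config(PLUGIN), True)
    for key, (configured, forced) in sorted(over.items()):
        print(f"{key}: configured={configured!r} forced={forced!r}")
```

The parser only recognises boolean and integer assignments on their own line and does not handle /* ... */ block comments.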