
Feature Proposal: Sending password by mail is ugly

News

As an additional thought on the topic of avoiding password mail: there is InstallPasswordAddOn for DakarRelease which, with some minor changes, re-implements Cairo's InstallPassword function. There has been no discussion either here or there, so this feature proposal should be considered irrelevant.

Motivation

Many TWiki sites don't really need a feature where unauthenticated users can reset passwords. This feature creates security hazards (the reset mail goes to whatever address is recorded for the user, and that address lives on the user's home page), which practically forces sites to write-protect users' home pages.

I concede that sites like http://twiki.org with gazillions of users might impose too much work on an admin if he had to reset the passwords of all forgetful users himself. But in a corporate intranet the situation is different:

  • There might be fewer users than on http://twiki.org
  • These users might use their TWiki often enough so that they don't forget their passwords
  • Or they are using external authentication anyway.

Description

We could, at least as a configuration option, restrict ResetPassword to the TWikiAdminGroup.

-- HaraldJoerg - 03 Nov 2005

Impact and Available Solutions

I've attached a patch against DakarRelease Revision 7286. This patch does not amend the ugly "Note to administrator" in ResetPassword.txt.

Documentation

A new configuration variable, $TWiki::cfg{PasswordResetByAdmin}, controls whether anyone can reset user passwords. I'll simply quote the relevant part from the diff, the change in TWiki.cfg:

+# **BOOLEAN**
+# Users who forgot their passwords can have it reset to a random password which
+# is mailed to them.  This can be a security problem if user's mail addresses
+# are writeable by all users.  If you set {PasswordResetByAdmin} to a true value
+# then only members of the administrator group can initiate password reset.
+$cfg{PasswordResetByAdmin} = $FALSE;

Implementation

Index: lib/TWiki.cfg
===================================================================
--- lib/TWiki.cfg   (Revision 7286)
+++ lib/TWiki.cfg   (Arbeitskopie)
@@ -234,6 +234,13 @@
 # passwords.
 $cfg{PasswordManager} = 'TWiki::Users::HtPasswdUser';
 
+# **BOOLEAN**
+# Users who forgot their passwords can have it reset to a random password which
+# is mailed to them.  This can be a security problem if user's mail addresses
+# are writeable by all users.  If you set {PasswordResetByAdmin} to a true value
+# then only members of the administrator group can initiate password reset.
+$cfg{PasswordResetByAdmin} = $FALSE;
+
 # **PATH**
 # Path to the file that stores passwords, for the TWiki::Users::HtPasswdUser
 # password manager. You can use the <tt>htpasswd</tt> Apache program to create a new
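Review bot: the new comment block in lib/TWiki.cfg says "only members of the administrator group", but the check this option drives in Register.pm is $session->{user}->isAdmin(), which is tied to {SuperAdminGroup}; name that setting in the comment so an administrator knows which group membership unlocks password reset. Two smaller wording points in the same block: "can have it reset" should read "can have them reset", and "user's mail addresses" should read "users' mail addresses".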
Index: lib/TWiki/UI/Register.pm
===================================================================
--- lib/TWiki/UI/Register.pm   (Revision 7286)
+++ lib/TWiki/UI/Register.pm   (Arbeitskopie)
@@ -457,7 +457,16 @@
                 params => $TWiki::cfg{UsersWebName}.'.'.
                 $TWiki::cfg{SuperAdminGroup} );
         }
-    } else {
+    } elsif ( $TWiki::cfg{PasswordResetByAdmin}  and
+              not ($session->{user}->isAdmin()) ) {
+        # Single user, but password reset has been restricted
+        throw TWiki::OopsException
+            ( 'accessdenied', def => 'only_group',
+              web => $web, topic => $topic,
+              params => $TWiki::cfg{UsersWebName}.'.'.
+              $TWiki::cfg{SuperAdminGroup} );
+    }
+    else {
         # Anyone can reset a single password - important because by definition
         # the user cannot authenticate
         # Note that the passwd script must NOT authenticate!
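Review bot: the new elsif branch refuses the reset to any caller for whom $session->{user}->isAdmin() is false, yet the unchanged comment right below it ("Note that the passwd script must NOT authenticate!") now only describes the {PasswordResetByAdmin} = $FALSE case; with the option enabled, the administrator must already hold an authenticated session, otherwise the request runs as the guest user and is denied. Extend the "Single user, but password reset has been restricted" comment to say that the admin has to be logged in for this branch to pass. Style: the surrounding code keeps `} else {` on one line, while the patch splits it into `}` and `else {`.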


Discussion:

Topic attachments

  • diff_RestrictResetPasswordToAdmin (r1, 1.7 K, 2005-11-03 23:10, HaraldJoerg): diff against Dakar revision 7286
Topic revision: r2 - 2006-01-09 - HaraldJoerg