Opened 2 years ago

Closed 21 months ago

#11299 closed Bug/Something is broken (fixed)

Roundcube exposes previous account user's basic information

Reported by: https://id.mayfirst.org/veggie Owned by: https://id.mayfirst.org/jamie
Priority: Urgent Component: Tech
Keywords: roundcube Cc: https://id.mayfirst.org/srevilak, https://id.mayfirst.org/jaimev
Sensitive: no

Description

Hello,

When I logged into an account's e-mail using Roundcube, it asked me to enter the name and email address to set up the initial identity (later also configurable through Settings/Identities). However, it already pre-populated this with a name and email address, seemingly from a previous user of the account. There were no email or contacts visible.

When a user/administrator deletes a user account through Mayfirst, it should make future accounts of the same name not have access to old data. (Where is the information on Roundcube identities, or the data that autopopulates them, stored -- in a database within Roundcube or in a separate database in May First?)

I can correspond privately (by e-mail or a separate private ticket) if you need information on the specific account I found the bug in.

Thank you.

Change History (26)

comment:1 Changed 2 years ago by https://id.mayfirst.org/veggie

  • Summary changed from Roundcube exposes previous account user's baic information to Roundcube exposes previous account user's basic information

comment:2 Changed 2 years ago by https://id.mayfirst.org/jaimev

  • Cc https://id.mayfirst.org/srevilak added
  • Owner set to https://id.mayfirst.org/jaimev
  • Sensitive set
  • Status changed from new to assigned
  • Summary changed from Roundcube exposes previous account user's basic information to Roundcube exposes previous account user's baic information

Hi, thanks for the ticket,

What you describe should not happen. It is normal behaviour for roundcube to provide a default identity based on your username and the initial domain associated with your hosting order (that may not be the same domain you use for your e-mail address if a new domain was added to a hosting order later). User accounts are not re-used by mfpl in any way unless a member chooses to do so with the accounts within their own hosting order.

I only mention the above to discard either of those possibilities but you do seem to be describing a distinct bug. I will attempt to reproduce this.

If you give me the username for the account and the default identity that appeared for you here I can investigate. I will mark this ticket as sensitive now so that only you and other support team members can review the details.

comment:3 Changed 2 years ago by https://id.mayfirst.org/veggie

Hi,

Thanks. The user name is

tara

and the default identity was

Name: xxxxxxxx Email: tara @ xxxxxxxx

Last edited 2 years ago by https://id.mayfirst.org/veggie

comment:4 Changed 2 years ago by https://id.mayfirst.org/jaimev

  • Cc https://id.mayfirst.org/jamie https://id.mayfirst.org/jaimev added; https://id.mayfirst.org/srevilak removed
  • Keywords roundcube added
  • Owner changed from https://id.mayfirst.org/jaimev to https://id.mayfirst.org/srevilak
  • Priority changed from Medium to Urgent

It looks like veggie has found a real bug I was able to reproduce. I logged into roundcube as user example from my own hosting order in floriberto and made changes to identity settings. I logged out, deleted that user and e-mail from my hosting order and created another user example and e-mail within the mayfirst hosting order in octavia. Logging in I saw my previous identity settings preserved. I added a contact address and changed language settings and logged out, deleted user example from mayfirst hosting order and then recreated that user again from within my own hosting order. All data was preserved.

I don't believe this bug would allow any user to see another user's e-mail as roundcube is only a proxy to that data elsewhere which is definitely isolated in separate accounts but all data that is associated with a user within roundcube's own database on stallman is not being properly deleted when a user is deleted. This is a privacy risk as addressbooks, filters, and other roundcube preferences are stored there.

I am escalating the priority of this ticket. I'm assigning to srevilak for now who can tell us more about how to clear out those db entries on stallman and also cc'ing jamie who will know how to make changes to control panel code to trigger those changes.

thank you for reporting this!

comment:5 Changed 2 years ago by https://id.mayfirst.org/veggie

Thanks for looking into this more thoroughly, and especially seeing that addressbooks are maintained in Roundcube after an account is deleted.

In addition to fixing the problem for the future, can the databases be scrubbed of data for users whose accounts have been deleted? (Possibly after generating a backup -- below I ask about how to figure out who to notify about possible compromises to their data, and a specific user may want to gauge if they had left any sensitive data that might have later been accessed.)

And are there records that can be programmatically scanned to check what id's have been used 2+ times in the past (at least since Roundcube was introduced -- when was that?) as members deleted/created users in their hosting order and through the control panel? And to check if anyone is currently using a user id that had been used before them? Depending on the scope of how much these have happened, there'd be different steps to take. Hopefully nobody's data was actually seen by anyone else and the number of people potentially affected is small.

If someone is using an id that was used before them, there's some thought needed to how to remove any previous user's information, while also taking care not to snoop into their current private Roundcube addressbooks and settings. Maybe Roundcube datestamps when addressbooks and settings change. (If there's lots of duplicate id's, this is more complicated to manage, but if it's only 0 or a handful, then it's less difficult.)

If a user id that was previously deactivated was used by a new user later, then there may be work to notify people of a possible security breach, letting them know that if they used Roundcube then future users of the same name may have seen that data. It may have never happened, but it seems right to make sure people are informed so that they can be fully aware of any risks to their data -- especially given how politically active people and groups are who use May First/People Link, and how important protecting their data may be.

These are all thoughts that come to mind for what makes sense. If there's protocols within May First/People Link for possible security breaches of data -- responding, fixing, reporting, investigating, auditing, preserving data for future analysis of the security breach, getting third-party support to look at the data -- which might mean there's more to do. A lot of activity has happened around not complying with illegal and unjust government actions and orders (one of the reasons I joined, for example, was hearing some of the internal and public response to the server seizure and Athens IMC subpoena and gag order), but that might be a different type of situation. I also don't know if there's legal responsibilities for the organization to consider the way Target, Home Depot, or T-Mobile/Experian might have to when data may have been compromised (in different ways).

Again, hopefully nobody's data was actually accessed incorrectly, but it seems important to be thorough.

Thanks again for your attention to this.

comment:6 Changed 2 years ago by https://id.mayfirst.org/srevilak

Tara,

Thank you for reporting this.

The MF/PL control panel manipulates user accounts at the operating system level. When you create a user, they get an operating system username, a password, membership in some groups, a home directory, and a mail folder. When you delete a user, all that stuff gets removed. For example, deleting a user deletes their home directory, and their home directory contains any email or filtering they've set up. In other words, deleting a user has the side effect of deleting any mail they might have had.

Roundcube is basically an IMAP client, like (say) Thunderbird. But there are a few differences. Thunderbird is a program that's run on your own computer, and is really intended for use by one person. Roundcube is a web application that's run on a server, and is intended for many people.

Because it's a hosted, multi-user application, roundcube needs someplace to store things like user preferences, address books, and the like. Roundcube has its own private database for that information, and it's separate from operating system accounts, and separate from the MF/PL control panel. From roundcube's perspective, there's no way to tell that a username has been recycled.

I agree with Jaime: this is definitely a problem we need to address (and again, thanks for bringing it to our attention). Deleting a user through the control panel should also remove any hosted application data that was tied to that user account.

Roundcube is one example. I presume the same applies to horde, and any .dev instances of these applications we have.

Roundcube has a script to delete users. It works like this:

# Using development roundcube instance for demonstration.
0 roundcube-dev@stallman:/srv/roundcube-dev$ ./bin/deluser.sh mapp-crew
Successfully deleted user 60

comment:7 Changed 2 years ago by https://id.mayfirst.org/jaimev

  • Cc https://id.mayfirst.org/srevilak added; https://id.mayfirst.org/jamie removed
  • Owner changed from https://id.mayfirst.org/srevilak to https://id.mayfirst.org/jamie

Thanks for that info steve. I'm assigning to jamie now to see how we can trigger those deletions from the control panel.

comment:8 Changed 2 years ago by https://id.mayfirst.org/jamie

Hi all - thanks folks for the work on this ticket.

Fortunately, we discovered this problem a while ago (see #1532). We have cron jobs on both stallman (roundcube) and cero (horde) that purge all users that are deleted once a day.

However, I think it's important to revisit the issue to address some problems:

  • No logging. I took this opportunity to determine whether this script was working or not and had no real way to do it. So I've improved the scripts to provide more verbose logging (you can grep for "purge" in /var/log/syslog to see the results).
  • I then tested. It worked fine for horde (script reported finding the proper user to delete and purged it properly). However, with roundcube, the script found and deleted the user, however, after I logged in, my test address book entry was still there. I reviewed the command to purge the user, which was:
    # According to http://trac.roundcube.net/wiki/Howto_Config
    # deleting a user from the users table will delete them
    # from all tables due to cascading deletes
    su -c "psql -q -c \"DELETE FROM users WHERE username = '$safe_user'\"" roundcube
    

I tried running Steve's better alternative:

0 stallman:~# su -c "/srv/roundcube/bin/deluser.sh jamie-test" roundcube
Successfully deleted user 1840
0 stallman:~#

However, upon logging in as the same user - I am prompted to reset my from address, but my address book entry is still there. This is an outstanding issue that needs to be resolved.

  • Only runs once a day. I see no reason why we couldn't run this more often - like once an hour or every 15 minutes. Thoughts? Unfortunately it is non-trivial to get the control panel to trigger a deletion or I would go for that option.
  • What about other services? In particular I realize that ownCloud is quite important and could be more complicated to avoid deleting files that might be shared. Also, what about our XMPP server? Is data left-over there? Any other services?

comment:9 Changed 2 years ago by https://id.mayfirst.org/jaimev

Ticket #11737 is another instance of this "bug" in the wild. The identity configuration of the previous sara user appeared in the new sara user's interface which was a serious problem as in this case the previous user had defined an alternate reply to address and carbon copy address.

I was also able to check what happens in the horde interface for a recycled user this time. When attempting to login as sara I received the following error.

A fatal error has occurred
Horde_Prefs_Scope::serialize() must return a string or NULL
Details have been logged for the administrator.

Reloading the page allowed me to see the horde portal interface but the mail application was not available.

Last edited 2 years ago by https://id.mayfirst.org/jaimev

comment:10 follow-up: Changed 2 years ago by https://id.mayfirst.org/dkg

seems to me like in addition to ensuring that default addressbooks/etc are all removed on account purge, we might want a "cooling off" period for a user account, or at the very least for a mailbox. This is because a given account isn't just about the data that exists on mf/pl systems -- it's also about the way that other people use it.

For example, if my e-mail address foo@mayfirst.org, is in someone else's addressbook, they might be sending me mail regularly. If the account is deleted, and then someone else suddenly grabs the name, those messages will go to them, rather than bouncing.

Many other systems (e.g. riseup, yahoo) have a roughly 6 month window between when an account is deactivated and when the name can be reclaimed by others.

this window would also give us more than enough time to run the cleanup scripts on all the relevant hosted services.

comment:11 Changed 2 years ago by https://id.mayfirst.org/jaimev

  • Sensitive unset

comment:12 Changed 2 years ago by https://id.mayfirst.org/jaimev

Another twist, in #11737 we discovered that after the new user attempted to change the roundcube preferences and save their changes, the old preferences returned on the next login.

comment:13 in reply to: ↑ 10 Changed 2 years ago by https://id.mayfirst.org/srevilak

Replying to https://id.mayfirst.org/dkg:

seems to me like in addition to ensuring that default addressbooks/etc are all removed on account purge, we might want a "cooling off" period for a user account

I agree with dkg -- a cooling off period would be useful.

comment:14 Changed 2 years ago by https://id.mayfirst.org/jamie

The fundamental problem seems to be the one I identified in 8 above: the script to purge data from roundcube is simply not working.

This bug seems pretty crucial. I am traveling this week and will try to address it if I have Internet on my flight. If anyone else starts on it please update the ticket to let me know so we don't duplicate efforts.

comment:15 Changed 2 years ago by https://id.mayfirst.org/jamie

Woops - I didn't read this ticket carefully enough. I just tested the roundcube user purge code and it seemed to work (specifically, I logged in to the dev instance, created a contact, then ran the /usr/local/sbin/mf-roundcube-purge-dev-user script and the contact was deleted).

However, the latest problem is specifically with horde - and is not about a contact that remains, but about the identity code that remains.

comment:16 Changed 2 years ago by https://id.mayfirst.org/jaimev

We did see problems with both horde and roundcube.

comment:17 follow-up: Changed 2 years ago by https://id.mayfirst.org/jamie

I checked the database of deleted users in the control panel and it seems very likely that the user with the old data was deleted many years ago and that the new user was created shortly after the old user was deleted. Both happened before this fix was in place, which explains why it has popped up. The fix we have in place carefully compares a list of all active users right now with a list of users in the webmail program and deletes any users in the webmail program that are not currently active.

As for the cooling off period - I agree that we should put one in place for user accounts (I think one or two days would be enough to ensure this script runs and would take care of the problem of a user being deleted by one member and then created by another on the same day).

However, I'm not sure it's a good idea for email addresses. You can only make an email address if you own the domain (you can't even make a @mayfirst.org address unless you have admin privileges).

I think people who own their own domain should have the ability to redirect email messages from one address to another (e.g. if they delete an email address for a staff person who left and then realize they need to redirect that email to their replacement). I think a cooling off period for email addresses would be frustrating without much security benefit.

I think this ticket should stay open to implement the user account cooling off period.

That leaves two remaining issues identified which I think should get their own tickets if we can replicate them:

  • Changing roundcube identity doesn't stick (12): I can't replicate this issue. I logged in, clicked the configuration icon, clicked identities, and changed to something else. Logged out and logged in and they were still changed.
  • Horde throws error when logging in as a user that has not been properly cleared out (9). I couldn't replicate this one either. I logged in to https://webmail.mayfirst.org/. Then logged out. Then ran mf-horde-purge-user on cero.mayfirst.org and logged in again without getting an error.

I hate to attribute too much to the uniqueness of #11737 - especially if there are bugs that need to be fixed, but I'm not sure how to replicate :(

comment:18 in reply to: ↑ 17 Changed 2 years ago by https://id.mayfirst.org/srevilak

Replying to https://id.mayfirst.org/jamie:

As for the cooling off period - I agree that we should put one in place for user accounts ... However, I'm not sure it's a good idea for email addresses.

I agree. To be more specific, I think the cooling off period should apply to linux user accounts (which have things like Maildirs and webmail logins).

After giving this some more thought, I think there are some edge cases to the cooling off period. I think the issue really boils down to a single username being recycled across different hosting orders. That's what leads to surprises. On the other hand, it's probably not necessary to impose a waiting period if a user account is deleted from a hosting order, then recreated in that same hosting order. Though I suspect that doesn't happen very often.

  • Changing roundcube identity doesn't stick (12): I can't replicate this issue. I logged in, clicked the configuration icon, clicked identities, and changed to something else. Logged out and logged in and they were still changed.

I'll open a ticket for this. Hopefully I'll have time to do some debugging this weekend.

Steve

comment:19 Changed 2 years ago by https://id.mayfirst.org/srevilak

Opened ticket:11750, to look into the issue of roundcube preferences/identity changes not sticking.

comment:20 Changed 22 months ago by https://id.mayfirst.org/jaimev

Another instance of this happening in ticket:11894

Last edited 22 months ago by https://id.mayfirst.org/jaimev

comment:21 follow-up: Changed 22 months ago by https://id.mayfirst.org/jamie

At last I have gotten to the bottom of this. It's the import_horde_contacts and import_horde_identities plugins in roundcube. We are properly purging data when a contact is deleted.... and then putting it right back if a user logs in with a user account that was present in horde.

These plugins were added when we first introduced roundcube to ease with a transition from horde to roundcube.

This explains why it was so hard to replicate - it only works if you login with a previously deleted user that had data in horde.

I disabled these two plugins via /srv/roundcube/config/config.inc.php

Steve - would you mind double checking my work and perhaps purging those plugins from our roundcube git repo?

I also re-tested after removing the plugins and the data does not re-appear.
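The two mechanisms this thread converges on are worth seeing side by side: the purge that compares the webmail program's user table against the list of currently active system accounts and deletes the rest (comment:6, comment:8, comment:17), and the legacy import-on-login behaviour that quietly undid that purge for any recycled username that still had horde data (comment:21). The following is an added example, not May First's scripts or roundcube's code. It uses an in-memory SQLite database as a stand-in for roundcube's PostgreSQL database; the table and column names, the `LEGACY_HORDE` data, and the `login`/`purge_inactive_users` functions are simplified assumptions made for the illustration, and the constructed scenario follows the ticket: an old `tara` is deleted, the purge runs, then an unrelated new `tara` logs in.

```python
"""Model of the roundcube-side purge and the horde re-import discussed in
ticket 11299. Added example; the schema below is a simplified assumption,
not roundcube's actual schema."""
import sqlite3

SCHEMA = """
CREATE TABLE users (
    user_id  INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE
);
CREATE TABLE identities (
    identity_id INTEGER PRIMARY KEY,
    user_id  INTEGER NOT NULL REFERENCES users(user_id) ON DELETE CASCADE,
    name TEXT, email TEXT, reply_to TEXT, bcc TEXT
);
CREATE TABLE contacts (
    contact_id INTEGER PRIMARY KEY,
    user_id  INTEGER NOT NULL REFERENCES users(user_id) ON DELETE CASCADE,
    email    TEXT
);
"""

# Constructed stand-in for the legacy horde store the import plugins read.
LEGACY_HORDE = {
    "tara": {"name": "Old Tara", "email": "tara@old.example",
             "reply_to": "boss@old.example", "bcc": "copy@old.example"},
}


def open_db():
    conn = sqlite3.connect(":memory:")
    # SQLite ignores ON DELETE CASCADE unless foreign keys are switched on;
    # this must run before the schema and outside a transaction.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def login(conn, username, import_from_horde):
    """Simulate a webmail login. The user row is created on first login.
    With the (hypothetical) horde import enabled, a user with no roundcube
    row yet gets legacy identity data copied in - so a purged user's old
    identity comes back the moment a recycled username logs in."""
    row = conn.execute("SELECT user_id FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row:
        return row[0]
    user_id = conn.execute("INSERT INTO users (username) VALUES (?)",
                           (username,)).lastrowid
    legacy = LEGACY_HORDE.get(username) if import_from_horde else None
    if legacy:
        conn.execute("INSERT INTO identities (user_id, name, email, reply_to, bcc)"
                     " VALUES (?, ?, ?, ?, ?)",
                     (user_id, legacy["name"], legacy["email"],
                      legacy["reply_to"], legacy["bcc"]))
    else:
        # Default identity built from the username (the expected behaviour)
        conn.execute("INSERT INTO identities (user_id, name, email) VALUES (?, ?, ?)",
                     (user_id, username, f"{username}@example.invalid"))
    conn.commit()
    return user_id


def purge_inactive_users(conn, active_usernames):
    """Delete every webmail user absent from the current system account list.
    Parameterized queries, not shell-interpolated strings; cascades remove
    identities and contacts. Returns the purged usernames, sorted."""
    active = set(active_usernames)
    stale = [u for (u,) in conn.execute("SELECT username FROM users") if u not in active]
    for u in stale:
        conn.execute("DELETE FROM users WHERE username = ?", (u,))
    conn.commit()
    return sorted(stale)


def identity_for(conn, username):
    return conn.execute(
        "SELECT i.name, i.email, i.reply_to, i.bcc FROM identities i"
        " JOIN users u ON u.user_id = i.user_id WHERE u.username = ?",
        (username,)).fetchall()


def count_rows(conn, table):
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def scenario(import_from_horde):
    """Old 'tara' logs in and adds a contact; the account is deleted and the
    purge runs; a new, unrelated 'tara' logs in. Returns what each step saw."""
    conn = open_db()
    old_uid = login(conn, "tara", import_from_horde)
    conn.execute("INSERT INTO contacts (user_id, email) VALUES (?, ?)",
                 (old_uid, "friend@old.example"))
    conn.commit()
    contacts_before = count_rows(conn, "contacts")
    # Control panel removed 'tara'; only these system accounts exist now.
    purged = purge_inactive_users(conn, {"alice", "bob"})
    contacts_after = count_rows(conn, "contacts")
    login(conn, "tara", import_from_horde)  # the new member's first login
    return {"purged": purged, "contacts_before": contacts_before,
            "contacts_after": contacts_after,
            "identity_seen_by_new_user": identity_for(conn, "tara")}
```

With `scenario(True)` the purge reports `tara` deleted and the contact is gone, yet the new user's identity carries the old reply-to and bcc addresses, which is exactly the symptom in #11737; with `scenario(False)` the new user sees only the default identity derived from the username. The point for anyone running a shared webmail instance in front of recycled accounts: a purge is only as good as the list of everything that can repopulate a user row on login.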

comment:22 Changed 22 months ago by https://id.mayfirst.org/jaimev

Great catch jamie!

comment:23 in reply to: ↑ 21 Changed 22 months ago by https://id.mayfirst.org/srevilak

Replying to https://id.mayfirst.org/jamie:

At last I have gotten to the bottom of this. It's the import_horde_contacts and import_horde_identities plugins in roundcube.

Jamie -- great catch!

Steve - would you mind double checking my work and perhaps purging those plugins from our roundcube git repo?

I will do that this weekend.

Steve

comment:24 Changed 21 months ago by https://id.mayfirst.org/srevilak

Code prep

I removed import_horde_contacts and import_horde_identities from $config['plugins'] in roundcube-dev/config/config.inc.php.

Then purged the horde plugins:

128 sunny:plugins$ git rm -r import_horde_contacts/
rm 'plugins/import_horde_contacts/import_horde_contacts.php'
0 sunny:plugins$ git rm -r import_horde_identities/
rm 'plugins/import_horde_identities/import_horde_identities.php'
0 sunny:plugins$

New tag

$ git tag -s roundcube-1.1.5-mfpl2

push

0 sunny:plugins$ git push gmo mfpl-release-1.1
Counting objects: 3, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 341 bytes | 0 bytes/s, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: -------------------- Monkeysphere warning -------------------
remote: Monkeysphere found OpenPGP keys for this hostname, but none had full validity.
remote: An OpenPGP key matching the ssh key offered by the host was found:
remote: 
remote: pub   2048R/0x7289694B648C92DA 2010-09-10
remote: uid                 [ unknown] ssh://moses.mayfirst.org
remote: sig!3        0x7289694B648C92DA 2010-09-10  ssh://moses.mayfirst.org
remote: sig!      X  0xCCD2ED94D21739E9 2010-11-13  Daniel Kahn Gillmor <dkg@fifthhorseman.net>
remote: sig!      X  0xCCD2ED94D21739E9 2012-09-21  Daniel Kahn Gillmor <dkg@fifthhorseman.net>
remote: sig!         0xA014C05A607B7535 2014-01-09  James McClelland <jamie@mayfirst.org>
remote: sig!      X  0xCCD2ED94D21739E9 2014-09-24  Daniel Kahn Gillmor <dkg@fifthhorseman.net>
remote: RSA key fingerprint is 58:c3:18:4b:11:e2:ab:17:e0:34:66:b5:f6:7a:81:4a.
remote: 
remote: -------------------- ssh continues below --------------------
remote: Host key verification failed.
remote: fatal: The remote end hung up unexpectedly

^CKilled by signal 2.

130 sunny:plugins$ git push gmo --tags
Counting objects: 1, done.
Writing objects: 100% (1/1), 836 bytes | 0 bytes/s, done.
Total 1 (delta 0), reused 0 (delta 0)
remote: -------------------- Monkeysphere warning -------------------
remote: Monkeysphere found OpenPGP keys for this hostname, but none had full validity.
remote: An OpenPGP key matching the ssh key offered by the host was found:
remote: 
remote: pub   2048R/0x7289694B648C92DA 2010-09-10
remote: uid                 [ unknown] ssh://moses.mayfirst.org
remote: sig!3        0x7289694B648C92DA 2010-09-10  ssh://moses.mayfirst.org
remote: sig!      X  0xCCD2ED94D21739E9 2010-11-13  Daniel Kahn Gillmor <dkg@fifthhorseman.net>
remote: sig!      X  0xCCD2ED94D21739E9 2012-09-21  Daniel Kahn Gillmor <dkg@fifthhorseman.net>
remote: sig!         0xA014C05A607B7535 2014-01-09  James McClelland <jamie@mayfirst.org>
remote: sig!      X  0xCCD2ED94D21739E9 2014-09-24  Daniel Kahn Gillmor <dkg@fifthhorseman.net>
remote: RSA key fingerprint is 58:c3:18:4b:11:e2:ab:17:e0:34:66:b5:f6:7a:81:4a.
remote: 
remote: -------------------- ssh continues below --------------------
remote: Host key verification failed.
remote: fatal: The remote end hung up unexpectedly

roundcube.dev.mayfirst.org

0 roundcube-code@stallman:/srv/roundcube-dev$ git fetch gmo
remote: Counting objects: 6, done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 4 (delta 2), reused 0 (delta 0)
Unpacking objects: 100% (4/4), done.
From git://git.mayfirst.org/mfpl/roundcube
   9a9b4a0..1301f37  mfpl-release-1.1 -> gmo/mfpl-release-1.1
 * [new tag]         roundcube-1.1.5-mfpl2 -> roundcube-1.1.5-mfpl2
0 roundcube-code@stallman:/srv/roundcube-dev$ git tag -v roundcube-1.1.5-mfpl2
object 1301f37a684e67b08830dfb033c167e11331a654
type commit
tag roundcube-1.1.5-mfpl2
tagger Steve Revilak <steve@> 1469061313 -0400

Tagging for https://support.mayfirst.org/ticket/11299
gpg: Signature made Wed 20 Jul 2016 08:35:38 PM EDT
gpg:                using RSA key 0x3EB22DE4E594DCF2
gpg: Good signature from "Steve Revilak <steve@>"
gpg:                 aka "Steve Revilak <srevilak@>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6F09 15FF 59CE E093 56F4  BEEC E772 7C56 28C2 A300
     Subkey fingerprint: B482 D402 5CEF 25D1 C64C  3229 3EB2 2DE4 E594 DCF2

I suppose I should create a pgp key for roundcube-code, so that roundcube-code can sign my public key.

0 roundcube-code@stallman:/srv/roundcube-dev$ git checkout roundcube-1.1.5-mfpl2
Previous HEAD position was 9a9b4a0... Merge tag '1.1.5' into mfpl-release-1.1
HEAD is now at 1301f37... removed no-longer-needed horde plugins https://support.mayfirst.org/ticket/11299

roundcube.mayfirst.org

0 roundcube-code@stallman:/srv/roundcube$ git fetch gmo
remote: Counting objects: 6, done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 4 (delta 2), reused 0 (delta 0)
Unpacking objects: 100% (4/4), done.
From git://git.mayfirst.org/mfpl/roundcube
   9a9b4a0..1301f37  mfpl-release-1.1 -> gmo/mfpl-release-1.1
 * [new tag]         roundcube-1.1.5-mfpl2 -> roundcube-1.1.5-mfpl2
0 roundcube-code@stallman:/srv/roundcube$ git tag -v roundcube-1.1.5-mfpl2
object 1301f37a684e67b08830dfb033c167e11331a654
type commit
tag roundcube-1.1.5-mfpl2
tagger Steve Revilak <steve@> 1469061313 -0400

Tagging for https://support.mayfirst.org/ticket/11299
gpg: Signature made Wed 20 Jul 2016 08:35:38 PM EDT
gpg:                using RSA key 0x3EB22DE4E594DCF2
gpg: Good signature from "Steve Revilak <steve@>"
gpg:                 aka "Steve Revilak <srevilak@>"
...

0 roundcube-code@stallman:/srv/roundcube$ git checkout roundcube-1.1.5-mfpl2
Previous HEAD position was 9a9b4a0... Merge tag '1.1.5' into mfpl-release-1.1
HEAD is now at 1301f37... removed no-longer-needed horde plugins https://support.mayfirst.org/ticket/11299

comment:25 Changed 21 months ago by https://id.mayfirst.org/srevilak

  • Resolution set to fixed
  • Status changed from assigned to feedback

I think all the work for this ticket is done. Moving to feedback.

comment:26 Changed 21 months ago by automatic

  • Status changed from feedback to closed

No news is good news (we hope)! Given the lack of feedback, we think this ticket can be closed.
