RestrictResetPasswordToAdmin
r2 - 09 Jan 2006 - 21:11:15 - HaraldJoerg

Feature Proposal: Sending password by mail is ugly

News

As an additional thought on the topic of avoiding password mail, there's InstallPasswordAddOn for DakarRelease which, with some minor changes, re-implements Cairo's InstallPassword function. There has been no discussion neither here nor there, so this feature proposal should be considered irrelevant.

Motivation

Many TWiki sites don't really need a feature that lets unauthenticated users reset passwords. This feature creates security hazards (the new password is mailed to whatever address the user's home page lists) which practically force sites to write-protect users' home pages.

I concede that sites like http://twiki.org with gazillions of users might impose too much work for an admin if he has to reset the passwords of all forgetful users himself. But in a corporate intranet the situation is different:

  • There might be fewer users than on http://twiki.org
  • These users might use their TWiki often enough so that they don't forget their passwords
  • Or they are using external authentication anyway.

Description

We could, at least as a configuration option, restrict ResetPassword to the TWikiAdminGroup.

-- HaraldJoerg - 03 Nov 2005

Impact and Available Solutions

I've attached a patch against DakarRelease Revision 7286. This patch does not amend the ugly "Note to administrator" in ResetPassword.txt.

Documentation

A new configuration variable, $TWiki::cfg{PasswordResetByAdmin} controls whether anyone can reset user passwords. I'll simply quote the relevant part from the diff, the change in TWiki.cfg:

+# **BOOLEAN**
+# Users who forgot their passwords can have it reset to a random password which
+# is mailed to them.  This can be a security problem if user's mail addresses
+# are writeable by all users.  If you set {PasswordResetByAdmin} to a true value
+# then only members of the administrator group can initiate password reset.
+$cfg{PasswordResetByAdmin} = $FALSE;

Implementation

Index: lib/TWiki.cfg
===================================================================
--- lib/TWiki.cfg   (Revision 7286)
+++ lib/TWiki.cfg   (Arbeitskopie)
@@ -234,6 +234,13 @@
 # passwords.
 $cfg{PasswordManager} = 'TWiki::Users::HtPasswdUser';
 
+# **BOOLEAN**
+# Users who forgot their passwords can have it reset to a random password which
+# is mailed to them.  This can be a security problem if user's mail addresses
+# are writeable by all users.  If you set {PasswordResetByAdmin} to a true value
+# then only members of the administrator group can initiate password reset.
+$cfg{PasswordResetByAdmin} = $FALSE;
+
 # **PATH**
 # Path to the file that stores passwords, for the TWiki::Users::HtPasswdUser
 # password manager. You can use the <tt>htpasswd</tt> Apache program to create a new
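Review bot: the new comment says "members of the administrator group", but the Register.pm check reports `$TWiki::cfg{SuperAdminGroup}` in its oops message; name that group explicitly here ("then only members of {SuperAdminGroup} can initiate password reset") so an administrator reading TWiki.cfg knows which group is meant. While editing, also fix the grammar in the comment: "can have it reset" should be "can have them reset", and "user's mail addresses" should be "users' mail addresses". It would help to state that the default $FALSE keeps the existing behaviour where anyone may trigger a reset.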
Index: lib/TWiki/UI/Register.pm
===================================================================
--- lib/TWiki/UI/Register.pm   (Revision 7286)
+++ lib/TWiki/UI/Register.pm   (Arbeitskopie)
@@ -457,7 +457,16 @@
                 params => $TWiki::cfg{UsersWebName}.'.'.
                 $TWiki::cfg{SuperAdminGroup} );
         }
-    } else {
+    } elsif ( $TWiki::cfg{PasswordResetByAdmin}  and
+              not ($session->{user}->isAdmin()) ) {
+        # Single user, but password reset has been restricted
+        throw TWiki::OopsException
+            ( 'accessdenied', def => 'only_group',
+              web => $web, topic => $topic,
+              params => $TWiki::cfg{UsersWebName}.'.'.
+              $TWiki::cfg{SuperAdminGroup} );
+    }
+    else {
         # Anyone can reset a single password - important because by definition
         # the user cannot authenticate
         # Note that the passwd script must NOT authenticate!
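Review bot: since the passwd script does not authenticate (see the comment at the end of this hunk), `$session->{user}->isAdmin()` only succeeds for an admin who already holds a login session obtained through another script; an admin who reaches passwd without one is refused exactly like any other user, so the cfg comment or the oops text should say that the admin must log in first. The branch also reuses `def => 'only_group'` from the multi-user case above, which tells a non-admin they are not in the group when the actual reason is the {PasswordResetByAdmin} setting; a dedicated oops definition would make the message accurate. Minor style point: `}` followed by `else {` on its own line departs from the cuddled `} else {` used in the code just above.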


Discussion:

 
Topic attachments
diff_RestrictResetPasswordToAdmin (1.7 K, 03 Nov 2005 - 23:10, HaraldJoerg): diff against Dakar revision 7286