Horde: Unable to get webmail password!

When accessing the Horde webmail page, we got a popup with the following text:

Unable to get webmail password!

And the login page was not displayed.

This error message comes from /usr/share/psa-horde/config/conf.php:

if (!($fd = fopen('/etc/psa-webmail/horde/.horde.shadow', 'r'))) {
  echo "<script>alert('Unable to get webmail password!')</script>";
  exit();
}

So it failed while trying to read the password for the horde used from /etc/psa-webmail/horde/.horde.shadow.

If you look it up in Google, you’ll find a few pages suggesting one of these:

chmod 755 /etc /etc/psa-webmail /etc/psa-webmail/horde
chown root:apache /etc/psa-webmail/horde/.horde.shadow
chmod 640 /etc/psa-webmail/horde/.horde.shadow

or

chmod 755 /etc /etc/psa-webmail /etc/psa-webmail/horde
chown www-data:www-data /etc/psa-webmail/horde/.horde.shadow
chmod 640 /etc/psa-webmail/horde/.horde.shadow

Since our server runs Debian I went for the second one but it still didn’t work.
As the contents of the file seemed to be ok it was obviously a permission problem (as also pointed by those web pages). But the permissions set above didn’t work.
So my first solution was to change the permission on the .horde.shadow file as follows:

chmod 644 /etc/psa-webmail/horde/.horde.shadow

It then worked. Since the only difference is that I gave all users read access rights to the file. This is obviously not a very good solution. If I need to give access to other users, it means I have the wrong owner for the file.

Since I didn’t know which user horde was using (I had assumed it was using the apache user), I searched in the /etc/password file:

# cat /etc/passwd | grep horde
horde_sysuser:x:2523:2521:horde webmail user:/usr/share/psa-horde:/bin/false

OK, so the user is called horde_sysuser. I also found out it belongs to the group called horde_sysgroup (just lookup horde_sysuser in Google and you’ll find the right group or just check the /etc/group file).

So I changed the owner of the file:

chown horde_sysuser:horde_sysgroup /etc/psa-webmail/horde/.horde.shadow

And set back more restrictive permissions:

chmod 640 /etc/psa-webmail/horde/.horde.shadow

And it was still working !

Now the only remaining problem is that Plesk seems to change the permission of the file when applying some updates. So I’ll have to setup a cron job to change the owner and permissions just after a Plesk update until I’ve figured out how to teach Plesk not to mess with the file owner and permissions.

Leave a Reply

Your email address will not be published. Required fields are marked *