Automated installation / autofill / php issues / apache config

Hi there -

thank you very much for passbolt - it is nice to see a capable open source password manager :smiley:

While playing around with the passbolt package for Debian 12, I came across a few issues - it would be really great to get some feedback on this!

1.) Is it possible to install passbolt without user intervention, i.e. without clicking through the web installer? After preseeding the dpkg, getting the keyring ready and templating passbolt.php, passbolt rightly complains about an empty database. Would it help to populate the db with a post-installation dump?

2.) Is it right that the browser extensions provide an autofill-/autosave feature in the pro version that works more or less reliably with Firefox and browsers based on blink? Searching through the forum, I got conflicting information on this :slight_smile:

3.) A biggie: it doesn’t seem possible to run passbolt with a dedicated php account (i.e. not as www-data) - doing so is a good thing in shared hosting environments. Trying to get it to work requires fixing permissions via POSIX ACLs in a few places, and it breaks sending out emails after self-registration with messages like this:
“error: [Cake\Http\Exception\InternalErrorException] The OpenPGP server key defined in the config cannot be used to decrypt. The key $redacted cannot be used to decrypt. get_key failed in /usr/share/php/passbolt/plugins/PassboltCe/SmtpSettings/src/Service/SmtpSettingsGetSettingsInDbService.php on line 117” in cron-error.log.

This can be fixed by changing the ownership of /var/lib/passbolt/.gnupg/ and below to www-data. However, this completely breaks authorisation in the web interface and needs to be reverted to the php account passbolt is running as to make the web interface work again. Please note that both www-data and the php account have read access to the gpg keyring - I remember dimly that gpg is rather picky about this and refuses to work if reading_account != owner_of_the_keyring.

Would it be possible to have the cron-stuff running as the php user as well?

Thank you very much for your answers,
Thoralf.

1 Like
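For point 3 above, an added example (not part of the thread and not passbolt's own tooling): a small audit that lists every file under a GnuPG home directory that is not owned by the given account or that is open to group/other. The function name `check_keyring` is hypothetical, and GNU `stat` as shipped with Debian is assumed.

```shell
#!/bin/sh
# Added example: audit a GnuPG home directory for a single service account.
# Usage: check_keyring <gnupg_home> <expected_owner>
# Prints one line per finding.
# Returns 0 if clean, 1 if there are findings, 2 on bad input.
check_keyring() {
    home=$1
    want=$2
    if [ ! -d "$home" ]; then
        echo "not a directory: $home" >&2
        return 2
    fi
    if [ -z "$want" ]; then
        echo "no account name given" >&2
        return 2
    fi
    findings=$(
        # %U = owner name, %a = octal mode, %n = path (last, so spaces survive)
        find "$home" -exec stat -c '%U %a %n' {} + |
        while read -r owner mode path; do
            if [ "$owner" != "$want" ]; then
                echo "OWNER $path is owned by $owner, not $want"
            fi
            # The last two octal digits are the group and other permissions.
            case $mode in
                0|*00) ;;
                *) echo "MODE $path is $mode (group/other access)" ;;
            esac
        done
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Command-line use: sh check_keyring.sh /var/lib/passbolt/.gnupg <account>
if [ "$#" -eq 2 ]; then
    check_keyring "$1" "$2"
fi
```

Running it once with the PHP account and once with www-data against /var/lib/passbolt/.gnupg shows which of the two the keyring is currently set up for.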

I forgot to mention that in order to make passbolt play along nicely with apache, the following rewrite rule:

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]

… needs somehow to be applied to the passbolt vhost.

There are a few mentions in the forum of putting it in a /usr/share/php/passbolt/webroot/.htaccess file, which works. Adding it to the Apache configuration like this:

    <Directory "/usr/share/php/passbolt/webroot">
        Options FollowSymLinks
        DirectoryIndex index.php
        RewriteEngine On
        # Route every request that is not an existing file to index.php
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^ index.php [L]
    </Directory>

is another (and more performant) option.

1 Like

Hello @thoralf ,

  1. Yes, the team is working on an Ansible playbook that could facilitate the automatic deployment, if that is an option.
  2. The autofill/save feature is part of the CE and PRO versions. Based on which URL you are on, if there is a corresponding URI, passbolt will be able to autofill credentials.
  3. It is difficult to answer that question without knowing a bit more about your installation, like what your distro is and what procedure you followed to set up your instance. In general we do advise having only passbolt installed on your VM.
  4. Yes, I suppose it can.

May I ask why you have this kind of setup? The maintenance and finding the source of potential issues will be (and is already) quite hard.

Max

2 Likes