Recovering Lost Passwords

Hello friends,

I inherited a Passbolt instance set up for my organization. Unfortunately, I made some (obviously wrong) assumptions of how the system works. Wanting to reorganize the users and groups, I removed a couple of inactive users, and I deleted every existing group.

The problem is that, as I deleted the groups, suddenly my list of visible passwords went from about 200 to a mere 8, and the other users cannot see a single one. I don’t know whether the passwords are still somewhere in the database, just invisible to me, or whether they are actually lost. The system is new to me, as is the hosting solution, so it’s been a slow process figuring out how it all fits together.

Our Passbolt instance is self-hosted in Amazon EC2. If there’s a database I couldn’t find it, and neither could I find the install directory when I logged in via SSH. There don’t seem to have been any automatic snapshots taken, either, so I cannot just roll back my instance or volume.

Would anybody have any suggestions of how to proceed, or any insights I could use into how Passbolt works and where it went wrong?

Thank you kindly,
vayu

hey @vayu welcome to the forum!

Since you aren’t familiar with this install you’ll probably need to poke around a bit to see where everything is. Typically the database will be running on the same server but it isn’t a requirement. Could you check if you have the following directory?
/etc/passbolt

If you do then you’ll have the package install and not the from source install. In /etc/passbolt there should be a passbolt.php file and this will have more information about your configuration options. Let me know if that exists and if there is a section with your database connection information in there and I can get you some queries to check if you still have the resources in the database or if they are gone.

Hello @clayton !

Thank you for the welcome, and for your quick and kind reply :slight_smile:

I do have the /etc/passbolt directory. I found passbolt.php, got my database location (localhost) and credentials, so I could access it and poke around. I found the table “resources”, which looks like it is the one I’m looking for, and it seems to have all of the passwords in it still!

I guess now what I need to know is what command to run to reassign them. Do they attach to a particular user or to a group? I wasn’t clear on that. Would you mind helping me with this? :slight_smile:

Thank you again,
vayu

Well the resources being in the database is a great start!

We do have a page on roles and permissions that you’ll want to take a look at as it’ll help understanding who can do what in regards to resources.

In short passwords are encrypted individually for users and only users with the owner permission can share them with other users or groups. When you deleted the groups you likely removed access to a lot of these and they should be sitting in individual users’ accounts now. I do have a query that can be useful here so you know who to go to so that you can get these passwords shared:

select count(resources.id), 
       users.username 
from secrets 
inner join users on users.id=secrets.user_id 
inner join resources on resources.id=secrets.resource_id 
where resources.id in (select secrets.resource_id 
                       from secrets 
                       inner join users on users.id=secrets.user_id 
                       group by secrets.resource_id 
                       having count(users.username) = 1 
                       )
group by users.username;

This will give you a count of passwords for each user where that user is the only one with access.

Additionally, here is another query:

select resources.name, 
       users.username 
from secrets 
inner join users on users.id=secrets.user_id 
inner join resources on resources.id=secrets.resource_id 
where resources.id in (select secrets.resource_id 
                       from secrets 
                       inner join users on users.id=secrets.user_id 
                       group by secrets.resource_id 
                       having count(users.username) = 1 
                       )
order by users.username; 

This will give you the name of the resource and the sole owner of it instead of a count.

With those two you’ll have a good idea of which team members have access to the passwords you most need to share.

Thank you! That resource you shared about roles and permissions is exactly what I needed to understand how the system works.

I ran both SQL queries, and from the looks of it, the vast majority (about 180) of the passwords in the “resources” database seem to be ownerless. I suppose they must have been shared by the person who set up the system, who is no longer working with us and so I removed his account.

I don’t know if this is relevant or not, but I see that most of the rows in the “resources” table have the flag “deleted” set to 1.

Can those missing passwords be somehow recovered? I guess that also tells a cautionary tale for me: since all of these are organizational passwords, they shouldn’t be tied to any individual, and I should create a new username on an organizational level to hold ownership over all of them, so that we don’t lose them as people come and go. Is that right?

Thank you again,
vayu

If those are deleted and were all assigned to the one who left/was deleted then those aren’t going to be recoverable in the system. If you have that user’s recovery kit, passbolt passphrase, and access to all of their old emails you might have a chance at manually decrypting the content from the emails (if that setting was turned on) but that is probably not going to be a viable option here. I’d do another check for any backups or snapshots that you can find here as rolling back will be the best option.

As for sharing and who should own resources typically I recommend using groups for that. It makes it easier to share with people as you can just add them to the proper group and remove them when needed. This also is a safeguard against having a single user be the only one with ownership. This also makes sure that you can track who is doing what as an admin account tied to a general email address like it@yourdomain.tld would mean it could be a few different people doing an action with that address assuming you’ve shared access.
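An added example (not part of the original posts and not Passbolt's own code): the sole-holder check from this thread, extended to also surface resources flagged deleted and resources with no remaining holder, so single points of failure can be found before a user is removed. It runs against a constructed in-memory SQLite stand-in that uses only the table and column names mentioned in the thread; the sample rows and the status labels are assumptions.

```python
import sqlite3

# Constructed, reduced stand-in for the tables and columns named in this thread
# (users, resources with its "deleted" flag, secrets); not Passbolt's full schema.
SCHEMA = """
CREATE TABLE users     (id TEXT PRIMARY KEY, username TEXT);
CREATE TABLE resources (id TEXT PRIMARY KEY, name TEXT, deleted INTEGER);
CREATE TABLE secrets   (resource_id TEXT, user_id TEXT);
"""

# One row per resource with the number of existing users holding a secret for it.
# LEFT JOINs keep resources that have no holder left; inner joins would hide them.
AUDIT = """
SELECT r.name, r.deleted, COUNT(u.id) AS holders, MIN(u.username) AS a_holder
FROM resources r
LEFT JOIN secrets s ON s.resource_id = r.id
LEFT JOIN users   u ON u.id = s.user_id
GROUP BY r.id, r.name, r.deleted
ORDER BY r.name;
"""

def sample_db():
    """Build constructed sample data (hypothetical users and resources)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("u1", "ada@example.org"), ("u2", "bob@example.org")])
    conn.executemany("INSERT INTO resources VALUES (?, ?, ?)",
                     [("r1", "wiki", 0), ("r2", "dns", 0),
                      ("r3", "old-ftp", 1), ("r4", "router", 0)])
    conn.executemany("INSERT INTO secrets VALUES (?, ?)",
                     [("r1", "u1"), ("r1", "u2"), ("r2", "u1")])
    return conn

def audit(conn):
    """Map each resource name to a status describing who can still decrypt it."""
    report = {}
    for name, deleted, holders, a_holder in conn.execute(AUDIT):
        if deleted:
            status = "deleted"                      # flagged deleted = 1
        elif holders == 0:
            status = "no-holder"                    # nobody left with a secret
        elif holders == 1:
            status = "single-holder:" + a_holder    # lost if this user is removed
        else:
            status = "shared"
        report[name] = status
    return report

if __name__ == "__main__":
    print(audit(sample_db()))
```

The `AUDIT` statement uses only standard SQL, so the same query text can be adapted to the live database once the column names are confirmed there.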

Alright. Thank you very much for all your help! :slight_smile: If nothing else, I learned better how the system works and what mistakes to avoid.

There’s only one doubt I have: suppose that “Prakash” joins the team and he adds a couple of passwords, shares them with the group “Web Development.” Now suppose that Prakash leaves and hence we remove his user from Passbolt. Will the passwords that he shared with “Web Development” stay? Who owns those now?

Hi @vayu ,

You can have a look at this FAQ page: Passbolt Help | Roles and permissions FAQ

Cheers,

Thank you both :slight_smile: I think I have it now.