Submitted by utweb-systems on Tue, 05/20/2014 - 09:22
Is there a way to prevent the free text modification of the Apache virtual host config in Virtualmin? We are observing a behavior from our security testing that they are entering invalid Apache configuration and it is impacting our ability to restart Apache.
Obviously this is a risk to the stability of the web service if any site owner can effectively prevent Apache from starting.
Thanks,
-Alex
Status: Closed (fixed)
Comments
Submitted by JamieCameron on Tue, 05/20/2014 - 13:42 Comment #1
Is this being done by the root user, or as a domain owner? Owners of domains (and resellers) shouldn't have the permissions to edit the Apache config manually.
Submitted by utweb-systems on Tue, 05/20/2014 - 17:05 Comment #2
Jamie,
It was a domain owner. I double-checked (by impersonating their account) and was able to confirm they aren't manually editing the configs. However, the problem we are seeing is shown in this excerpt (3rd item is what causes Apache to fail to start):
Thanks,
-Alex
Submitted by JamieCameron on Tue, 05/20/2014 - 19:25 Comment #3
That config looks bad - how exactly did they get created?
Submitted by utweb-systems on Thu, 05/22/2014 - 09:38 Comment #4
Jamie,
It was all done as a virtual server owner using the Apache module (on the Webmin side) with no additional permissions.
Thanks,
-Alex
Submitted by JamieCameron on Thu, 05/22/2014 - 12:45 Comment #5
The simplest fix is to prevent domain owners from being able to access the Apache module - this can be done at System Settings -> Server Templates -> Default settings -> Administrator's Webmin modules.
Submitted by utweb-systems on Thu, 05/29/2014 - 12:01 Comment #6
Jamie,
Thanks for the feedback. That is our plan (as that module gives more access than we really want to grant our users anyway).
Thanks,
-Alex