Admin user on Ubuntu can be broken by assigning a domain to that user

A user in the forums found a new way to trigger the old bug that allows root to be set as the owner of a domain.

http://www.virtualmin.com/node/36495#comment-146134

I think we protect users from doing that with the root user, but on Ubuntu (and I guess other systems with sudo ALL users) it's possible to break the administrative user this way.

Seems like permissions ought to be merged, anyway, rather than replacing them. But that might be tricky with the special users like this.

Status: Closed (fixed)

Comments

I don't quite follow here ... did he restore a domain with the same admin username as the user with sudo capabilities used for logging in as root?

That's correct, the user had a Master Admin user set up with the username "example".

Upon restoring a Virtual Server that also contained a user named "example", the original user was no longer a Master Admin.

Ok, I see the bug here - there's no clash checking against existing users in that case. I will update this ticket when it's fixed (by blocking the restore of such domains).

This breakage will be impossible in the next Virtualmin release.

Automatically closed -- issue fixed for 2 weeks with no activity.
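
The kind of clash check discussed in this ticket, as an added example (not Virtualmin's code and not taken from the thread): before a fresh restore, refuse when the backup's admin username matches an existing local account, and report when that account is sudo-capable. The passwd and group contents are constructed samples, and the function names and the privileged group list are assumptions.

```python
# Added example: pre-restore username clash check. Not Virtualmin code.
# PASSWD and GROUP are constructed sample file contents.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
example:x:1000:1000:Example Admin:/home/example:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
sudo:x:27:example
admin:x:110:
example:x:1000:
"""
# Assumption: groups granted full sudo; confirm against the local sudoers.
PRIVILEGED_GROUPS = {"sudo", "admin", "wheel"}


def parse_passwd(text):
    """Map username -> (uid, primary gid) from passwd-format text."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and not line.startswith("#"):
            users[f[0]] = (int(f[2]), int(f[3]))
    return users


def privileged_members(group_text, users):
    """Usernames in a privileged group, by member list or primary gid."""
    result = set()
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] in PRIVILEGED_GROUPS:
            result.update(m for m in f[3].split(",") if m)
            result.update(u for u, (_, gid) in users.items() if str(gid) == f[2])
    return result


def check_restore(admin_user, passwd_text=PASSWD, group_text=GROUP):
    """Return (allowed, reason) for restoring a domain owned by admin_user."""
    users = parse_passwd(passwd_text)
    if admin_user not in users:
        return True, "no clash"
    if users[admin_user][0] == 0:
        return False, "clashes with a uid 0 account"
    if admin_user in privileged_members(group_text, users):
        return False, "clashes with a sudo-capable account"
    return False, "clashes with an existing account"
```

On a live host the same check would read `/etc/passwd` and `/etc/group` (or use `getent`) instead of the embedded samples.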