Anyone can become root... whoever logs in, then all users have the rights of that user

I submitted this through email but I'm beginning to not trust email as much as I used to with spam and overzealous admins against spam out there.

For all I know you responded and I didn't receive it, so I'm going to just keep an eye on this ticket thread.

Anyway I thought it would be better to do this through the ticket system because I already thought of some notes I should add to this.

This seems to be related only to the Virtualmin and Usermin web interface.

People who log in through Outlook or Thunderbird don't cause all users to get access to the logged-in person's mail.

I can be fooling around as the root user and if someone logs into the Usermin or Webmin interface, all of a sudden I lose all rights because I'm all of a sudden that other user.

Also if a normal user is using their Virtualmin or Usermin web interface and I happen to log in as root, then they will all of a sudden become root.

A malicious user could at that point change my root password if they wanted to, but I have no users like this on my system, so my worry is what damage they may do inadvertently to the system.

Here is a repost of the email.

I usually run Firefox and IE side by side because they don't share sessions. Firefox is logged in as the root user and IE is logged in as the user of a virtual server so I can see what the non-root user is seeing.

I noticed in the past couple of days that if I log in as a regular user in IE and then log in as root under Firefox, when I return to IE where the non-root user is logged in I find that they are magically root.

So I log that user out of the magic root session and log back in as the non-root user, and then my Firefox session is now converted to the non-root user I just logged into with IE.

So this happens in reverse too.

I thought it may be a browser issue sharing sessions between unlike browsers on the same computer, so I tried this with 2 different computers. Same thing happens.

I also noticed this while in a support session with one of my clients over a VNC session across the state. I noticed his non-root Virtualmin session had become root out of nowhere because I re-logged in as root on my machine after being converted to non-root by his logging in as non-root from hundreds of miles away.

Fortunately this is a private server so I have few worries about my users; however, I don't need them to make any mistakes and delete a bunch of stuff.

I checked for rootkits and that came up negative.

I rebooted the server and my local computer.

My server is hosted on vpslink.com, which is based on OpenVZ.

CentOS/Virtualmin Pro setup.

I'm in the Midwest, the server's data center is in Seattle, Washington, and the support session was in Canada I think. The guy is a pilot and was in a hotel room at the time of the support call.

So it appears whatever is going on is server side, since it's not confined to my computer or LAN.

The 2 significant things that have happened recently are a yum update which brought in a couple of minor Virtualmin Pro updates, and also vpslink upgraded the hardware my OpenVZ VPS server is hosted on.

Any ideas as to what I should look for?

Thanks ahead,
John

Status: Closed (fixed)