Newly created user can use PERL script to read root files

#1 Thu, 01/24/2013 - 13:40
Ilia

Dear friends, hi!

I just created a new user with Virtualmin.

  1. I can log in as this user via ssh. Is there a way to disable this?
  2. I can easily read and list all server data just by:

         #!/bin/bash
         echo "Content-Type: text/plain"
         echo ""
         cat /etc/passwd
         ls -ls /

Is there a way to prevent it?

Any help would be very much appreciated!

Thanks!

Thu, 01/24/2013 - 14:16
andreychek

Howdy,

Users can log into SSH by default... any user with a valid shell can do that. If you wish to prevent that, you can change the user's shell to something else... using "/bin/false" will make it so that they can only log into FTP, and not SSH.

Users can read any file that's world-readable, such as the /etc/passwd file.

There are some more details on that here in the security documentation:

http://www.virtualmin.com/documentation/security/faq

Fri, 01/25/2013 - 02:28
Ilia

Now I got it, just edited /etc/passwd, found the referring user and changed it to "/bin/false".

But what do you mean that reading world files is not dangerous? What about DBs, where are they stored, on var? Couldn't find it. Will other users be able to access them too? Or are they created with a certain grp and own, with only owner permission to access it?

One more question (a little bit off the topic). Webmin->Servers->Apache Webserver - there I have my domains and also:

  1. Type: Virtual Server and Document Root: /var/www/html.
  2. Type: Default Server and Document Root: /var/www/html.

My question: can I delete these and the directory /var/www? What are these entries for?

Thanks!

Ilia

Fri, 01/25/2013 - 08:51
andreychek

> But what do you mean that reading world files is not dangerous? What about DBs, where are they stored, on var? Couldn't find it. Will other users be able to access them too? Or are they created with a certain grp and own, with only owner permission to access it?

You're correct, we certainly wouldn't want all users to be able to read the config files belonging to a given user, especially if they contain a database password.

Files in /home, by default, aren't visible to all users... only users belonging to that particular Virtual Server.

The permissions on the home directory, /home/USERNAME, prevent other users from being able to see files under that directory.

> Type: Virtual Server and Document Root: /var/www/html. 2. Type: Default Server and Document Root: /var/www/html. My question: can I delete these and the directory /var/www? What are these entries for?

Sounds like you're seeing the default domain added by your distro, which exists before Virtualmin is installed. You should be able to remove that if you want, though they aren't likely to hurt anything.

-Eric
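
The following audit sketch is an added example, not part of any post in this thread and not Virtualmin's own code. It checks the two points discussed above: which accounts still have a login shell, and which home directories or files grant access to "other". The function names are hypothetical, and the script assumes a passwd-format file and a /home-style layout.

```sh
#!/bin/sh
# Added example: audit helpers for the issues raised in this thread.
# All function names are hypothetical; nothing here is Virtualmin code.

# Print accounts whose shell field allows an interactive login.
# $1: passwd-format file (defaults to /etc/passwd).
# Shells ending in /false or /nologin are treated as non-login; an empty
# shell field is reported because it normally defaults to /bin/sh.
login_capable_users() {
    awk -F: '$7 !~ /\/(false|nologin)$/ { print $1 }' "${1:-/etc/passwd}"
}

# Print home directories directly under $1 that grant read, write or
# search permission to "other" (any of the last three mode bits).
open_home_dirs() {
    for d in "$1"/*/; do
        d=${d%/}
        # Skip non-directories and symlinks (a symlink's own mode is not meaningful).
        if [ ! -d "$d" ] || [ -L "$d" ]; then continue; fi
        find "$d" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print
    done
}

# Print regular files under $1 that are world-readable, for example
# application config files that contain a database password.
world_readable_files() {
    find "$1" -type f -perm -004 -print
}

# Run the full audit only when asked: sh audit.sh --audit [home-root]
if [ "${1:-}" = "--audit" ]; then
    root=${2:-/home}
    echo "Accounts with a login shell:";        login_capable_users
    echo "Home directories open to other:";     open_home_dirs "$root"
    echo "World-readable files under $root:";   world_readable_files "$root"
fi
```

A world-readable file inside a home directory that denies "other" is still protected by the directory, so read the second and third lists together.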
