How many "Master admin" users can I have?

#1 Sat, 01/28/2017 - 18:56
gr8kodr


Am in the process of learning Virtualmin/Webmin after many frustrating years with cPanel,
so I apologise in advance if my queries are covered elsewhere.
I do search, but don't always find a result.

I have just spun up a self-managed VPS, so I have no "host-side" support to speak of -
this is a good thing as it forces me to become more aware of my system

First steps after spinning up the (Ubuntu 16.04) server:

  1. run apt-get update to find any applicable updates
  2. add the ppa repository and install latest available Git (I will be using this later)
  3. install Virtualmin Pro via the link in my customer area

at this stage I do not have any user accounts on the system (other than root)
once Virtualmin install has completed...

  • login to my.machine.name:10000 as root, authenticating with root password

    not ideal on a production server, but is the only option I have at this stage
    because this is the first login after install, root automatically receives "Master admin" privs

  • complete post-install script (I just used defaults because I have no clue what I'm doing)
  • apply any applicable updates via Webmin
  • reboot the machine (as requested) to finish applying updates

As stated above, accessing anything on a production (publicly accessible) server is not good security practice
for that matter, logging into ANY system regularly as root should be avoided if at all possible

so (finally) my question is .... How do I add my machine owner account to the "Master admin" list?

Sat, 01/28/2017 - 19:09
gr8kodr

I forgot to mention ... my.machine.name:10000 shows as not secured in the browser

I assume this is because I haven't imported the machine's default SSL to Webmin, so I'm not overly concerned at this point

Sat, 01/28/2017 - 21:56
Joe

Virtualmin and Webmin have quite fine-grained ACLs. This is an area that can be intimidating for someone coming from a system that's somewhat more fixed in how it works (e.g., there's no direct comparison to WHM and cPanel in Virtualmin...everyone logs into Webmin, and it's ACLs that determine which users can do what...some folks want to compare Usermin to cPanel and Webmin to WHM, but that's not accurate, and misrepresents how the pieces fit together). So, bear with me, as there's a number of answers to your question.

There is no limit to the number of master administrative users. Any user can be granted root level access to Webmin. There are a number of ways to do that. One would be to give the user "ALL" privileges in the sudoers file. Every user that can do everything under suexec will also be given full access in Webmin. In short: a root user in Webmin will automatically be a master administrator in Virtualmin. This is the simplest way to give a system user administrative access to Webmin/Virtualmin.

The other way is to grant a Webmin user full access to Virtualmin in the Webmin Users module (Webmin->Webmin->Webmin Users->Username->Servers->Virtualmin Virtual Servers). A Virtualmin created user cannot become a master administrator, as it'll get overwritten when making changes within Virtualmin to that user...so create a user just for this purpose in the Webmin Users module (it can be the same username and login as an existing system user). This method is more fine-grained. It is still not necessarily safe from privilege escalation concerns...it would be possible to grant a user access to features that could be used to either gain root or perform limited tasks as root.

But, it sounds like you want something a bit more restricted for your day-to-day Virtualmin usage, which is also possible. Because you have Virtualmin Pro, you've got reseller accounts, which can "own" many domain accounts and can switch to them and perform some management tasks on their behalf. That'd be the way to use Virtualmin without root-level access while still being able to manage many domains. By default, a reseller account will not be able to escalate to root. But, they will also be pretty limited in how they can interact with the system...maybe more than you want. That's customizable, but it is by necessity not a root-level user, and has many limits.

Or, you can create one "main" domain, and create the rest of your domains as sub-servers, and log in as the domain owner user.

In either the reseller or domain owner user account case, your user would not have root privileges, and in the general case could not be used to escalate to root privileges (at least not in a default configuration...some Webmin modules can be used in dangerous ways, but the ones that are designed for working with Virtualmin, like File Manager, can be safely granted to users).

If you're doing this based on security concerns, you may also want to enable two-factor authentication (we support Google Authenticator and Authy as the token generator). There are other options for locking things down, but 2FA seems the best, to me.

The way I use Virtualmin is this:

I have a root level account, which I use for creating my domains, and setting up backups. I rarely login with this user.

I then have a domain, and optionally sub-servers that are related to the parent domain, under an account, which I use to manage that site and its sub-servers. For each "set" of sites I have a login. This workflow developed before the reseller accounts in Virtualmin got as flexible as they've become over the past few years...so this is probably not what I'd do today. But, it works, and isn't terribly inconvenient (and would work the same for GPL or Pro users). You probably want to find your way around the reseller account type, as it's pretty flexible and pretty safe, and doesn't usually require you to know too much about how Virtualmin users work.

As for the SSL warning, yes, you'd just want to create a new domain, set up a Let's Encrypt certificate for it (just a couple of clicks in Virtualmin), and then choose to use that certificate for Webmin, Usermin, and all of the other services Virtualmin manages. That's also just a couple of clicks to do.

If you run into problems with any of this, you can open up tickets in the support tracker, and usually get a response the same day (sometimes we get behind on the forums, as we're a small team with a huge user base).

--

Check out the forum guidelines!
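
Added example, not part of Joe's reply and not Virtualmin or Webmin code: since the reply says a system user with "ALL" privileges in the sudoers file ends up with full access in Webmin, this sketch lists which users and groups a sudoers file grants that to. The sample file contents and the function name `full_sudo_principals` are constructed for illustration; it reads one file's text, does not follow include directives, and ignores host lists containing spaces and `#uid` entries.

```python
import re

# Constructed sample sudoers content (not taken from the thread).
SAMPLE = """\
# constructed example
Defaults env_reset
User_Alias ADMINS = alice, bob
Cmnd_Alias WEB = /usr/sbin/service apache2 *
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ADMINS  ALL=(ALL) NOPASSWD: \\
        ALL
deploy  ALL=(root) WEB
carol   ALL=(www-data) ALL
"""

# who  host = (runas) commands ; the runas list is optional
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")  # e.g. "NOPASSWD: " before a command

def full_sudo_principals(text):
    """Return sorted users/%groups allowed to run ALL commands as root."""
    text = re.sub(r"\\\n", " ", text)  # join backslash-continued lines
    aliases, found = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@", "Defaults")):
            continue  # comments, include directives, Defaults
        m = re.match(r"^User_Alias\s+(\w+)\s*=\s*(.+)$", line)
        if m:
            aliases[m.group(1)] = [u.strip() for u in m.group(2).split(",")]
            continue
        if re.match(r"^(Runas|Host|Cmnd)_Alias\b", line):
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, runas, cmds = m.groups()
        # No runas list means root; otherwise check the user part before ':'.
        runas_users = {r.strip() for r in (runas or "root").split(":")[0].split(",")}
        commands = [TAG.sub("", c.strip()) for c in cmds.split(",")]
        if runas_users & {"root", "ALL"} and "ALL" in commands:
            found.update(aliases.get(who, [who]))  # expand User_Alias names
    return sorted(found)

if __name__ == "__main__":
    print(full_sudo_principals(SAMPLE))
```

Names beginning with `%` are Unix groups, so every member of that group is covered by the rule.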

Sun, 01/29/2017 - 13:32
gr8kodr

Thanks Joe

That did clear some of my confusions up

What I'm looking at doing next:

  • Log into the machine via SSH and create a sudo User (so I can stop using root)
  • Create a second "Super" User in Webmin and give them Reseller privs - this will be the equivalent of my cPanel/WHM master account
  • Switch to "super" account in Webmin and remove "root" account - just to prevent Webmin using the machine's "God" account by default

This leads me to a followup question ...
Does my new Reseller account in Virtualmin also need to be added to the Machine's sudoers group?

Topic locked