I see "server administrators" is used in the UI, but since it's ambiguous (are we talking about the main server as the system or the virtual server as a website?) and to be on the same page with you guys, what I am going to talk about is not the superadmin or reseller, but the website owner who has Webmin login enabled.
We give such users the possibility to launch custom commands, for example, to restart a custom service through the Webmin > Others > Custom Commands page. Luckily we can compose lots of various useful commands or file editors on this page, so everything works just OK except for one important security breach point: users can compose any custom commands and execute them as the root user. And that's actually quite a serious vulnerability, because you never know how much the end-user (with Admin login enabled) is inexperienced but curious, or, in an even worse scenario, how much he is in fact experienced and malicious enough to break the whole system.
So my request is to leave the:
- Create a new custom command
- Create a new file editor
- Create a new SQL command
- Edit
buttons to SuperAdmins and reseller account owners, but to remove all of them from regular Webmin users' access, so they could use the custom command and editor buttons composed for them, but could not compose new ones.
Thanks for your consideration.
Comments
There are already ACLs for this, but I guess they default to more open than you want. You can edit the user in "Webmin Users", and then click through the warning about it being managed by Virtualmin, and in the Available Webmin Modules click on "Custom Commands". There you can turn off the ability to create and edit commands.
I'm not sure if we have a way to set ACLs for Webmin modules for Virtualmin users. I'll have to poke around.
There's probably a way to use Webmin groups to achieve what you're after, but I'll need to poke around a bit to figure out how.
Actually, groups probably introduce too much complexity here. So, forget that path.
Submitted by yngens on Tue, 10/16/2018 - 00:29 Comment #4
After I tuned up settings per https://www.virtualmin.com/node/59123 the loose permissions are somehow gone, so I deem this one addressed. Thanks!
Submitted by yngens on Tue, 10/16/2018 - 00:29 Comment #5