Prevent regular webmin users from creating new custom commands

I see that "server administrators" is used in the UI, but since it's ambiguous (are we talking about the main server as the system, or a virtual server as a website?) and to be on the same page with you guys, what I am going to talk about is not the superadmin or reseller, but the website owner who has Webmin login enabled.

We give such users the possibility to launch custom commands, for example, to restart a custom service through the Webmin > Others > Custom Commands page. Luckily we can compose lots of various useful commands or file editors on this page, so everything works just OK except for one important security breach point: users can compose any custom commands and execute them as the root user. And that's actually quite a serious vulnerability, because you never know how inexperienced but curious the end-user (with Admin login enabled) is, or, in an even worse scenario, how experienced and malicious he in fact is and willing to break the whole system.

So my request is to leave the:

  • Create a new custom command
  • Create a new file editor
  • Create a new SQL command
  • Edit

buttons to SuperAdmins and reseller account owners, but to remove all of them from regular Webmin users' access, so they could use the custom command and editor buttons composed for them, but could not compose new ones.

Thanks for your consideration.

Status: Closed (works as designed)

Comments

Submitted by Joe on Mon, 10/15/2018 - 21:19 Pro Licensee

There are already ACLs for this, but I guess they default to more open than you want. You can edit the user in "Webmin Users", and then click through the warning about it being managed by Virtualmin, and in the Available Webmin Modules click on "Custom Commands". There you can turn off the ability to create and edit commands.

I'm not sure if we have a way to set ACLs for Webmin modules for Virtualmin users. I'll have to poke around.

Submitted by Joe on Mon, 10/15/2018 - 21:23 Pro Licensee

There's probably a way to use Webmin groups to achieve what you're after, but I'll need to poke around a bit to figure out how.

Submitted by Joe on Mon, 10/15/2018 - 21:26 Pro Licensee

Actually, groups probably introduce too much complexity here. So, forget that path.

Status: Active » Closed (works as designed)