Virtualmin/Webmin Security

#1 Sat, 03/15/2008 - 00:20
ishobr@ladangnet.com

Virtualmin/Webmin Security

I have been using Webmin+Virtualmin for about 2 years now and Virtualmin Pro since last week :)

I think security still gets very little attention from the Virtualmin/Webmin developers.

For example: When I install Virtualmin on CentOS, any user can read some of the config and ACL files (file mode 0644, folder mode 0755) in /etc/webmin. Some config files contain user passwords and MySQL access passwords.

Another concern: it would be better if Webmin/Virtualmin had a security hardening module by default to improve OS security in general.


Sat, 03/15/2008 - 01:05
Joe

<div class='quote'>For example:
When I install Virtualmin on CentOS, any user can read some of the config and ACL files (file mode 0644, folder mode 0755) in /etc/webmin. Some config files contain user passwords and MySQL access passwords.</div>

What file can a non-root user read that contains passwords? That'd be a bug. I'm unaware of any that meet that description.

<div class='quote'>Another concern: it would be better if Webmin/Virtualmin had a security hardening module by default to improve OS security in general.</div>

If you're aware of a security issue, let us know and we'll fix it quick. As I mentioned, I'm unaware of any at this time.

--

Check out the forum guidelines!

Sat, 03/15/2008 - 02:53 (Reply to #2)
ishobr@ladangnet.com

Ok.
All of the domain-name.acl files in /etc/webmin/mysql are world readable. There are a password and a DB user in there. For a standard Virtualmin domain the dbuser and dbpasswd are exactly the same as the Virtualmin user and password.

I think /etc/webmin should be at least 0750, or 0700 if no non-root user needs read access to the directory.

Something like the Bastille Linux hardening script should also be integrated as a Webmin module.

Sat, 03/15/2008 - 10:50 (Reply to #3)
Joe

<div class='quote'>All of the domain-name.acl files in /etc/webmin/mysql are world readable. There are a password and a DB user in there. For a standard Virtualmin domain the dbuser and dbpasswd are exactly the same as the Virtualmin user and password.</div>

Those files are not accessible to non-root users on any of my systems. Are you sure these files are actually reachable by non-root users on your system? Just because they have the read bit set, doesn't mean that a user can see them--the directory also needs to have rx permissions.

For example:

-bash-3.00$ less /etc/webmin/mysql/virtualmin.acl
/etc/webmin/mysql/virtualmin.acl: Permission denied

If they are actually accessible on your system, something is wrong, as that is not the default.

<div class='quote'>Something like the Bastille Linux hardening script should also be integrated as a Webmin module.</div>

I would disagree with this. I've talked about Bastille and similar projects in the past. I believe they provide a false sense of security, distract administrators from more effective security practices (strong passwords, keeping software up to date, don't run unnecessary services), and often break conventions that cause mysterious failures. I can't stop anyone from implementing a Bastille Linux module, but I certainly won't be pushing for it.

Again, if there are security issues in Webmin or Usermin or Virtualmin, we want to know about it, and we want to fix it.

--

Check out the forum guidelines!

Sat, 03/15/2008 - 15:21 (Reply to #4)
ishobr@ladangnet.com

<div class='quote'>Those files are not accessible to non-root users on any of my systems. Are you sure these files are actually reachable by non-root users on your system? Just because they have the read bit set, doesn't mean that a user can see them--the directory also needs to have rx permissions.

For example:

-bash-3.00$ less /etc/webmin/mysql/virtualmin.acl

/etc/webmin/mysql/virtualmin.acl: Permission denied

If they are actually accessible on your system, something is wrong, as that is not the default.</div>

Yes, I am sure about it.
I can reproduce this on Fedora 8, installing Webmin/Virtualmin GPL manually using the RPM packages from webmin.com.
I can also reproduce this on CentOS 4/5 in an OpenVZ VE using the install script install.sh.

This is a screenshot from one of my OpenVZ VEs:

[root@server ~]# ls -ltr /etc/ | grep webmin
drwxr-xr-x 121 root root 3072 Mar 16 07:10 webmin

[root@server etc]# ls -ltr /etc/webmin/
total 134
-rw-r--r-- 1 root root 12 Mar 16 07:06 var-path
-rwxr-xr-x 1 root root 159 Mar 16 07:06 stop
-rwxr-xr-x 1 root root 237 Mar 16 07:06 start
drwxr-xr-x 2 root root 1024 Mar 16 07:06 spam
drwxr-xr-x 2 root root 1024 Mar 16 07:06 software
drwxr-xr-x 2 root root 1024 Mar 16 07:06 smf
drwxr-xr-x 2 root root 1024 Mar 16 07:06 smart-status
drwxr-xr-x 2 root root 1024 Mar 16 07:06 shorewall
drwxr-xr-x 2 root root 1024 Mar 16 07:06 shell
drwxr-xr-x 2 root root 1024 Mar 16 07:06 servers
drwxr-xr-x 2 root root 1024 Mar 16 07:06 sentry
drwxr-xr-x 2 root root 1024 Mar 16 07:06 sendmail
drwxr-xr-x 2 root root 1024 Mar 16 07:06 sarg
drwxr-xr-x 2 root root 1024 Mar 16 07:06 samba
-rwxr-xr-x 1 root root 48 Mar 16 07:06 restart
-rwxr-xr-x 1 root root 166 Mar 16 07:06 reload
drwxr-xr-x 2 root root 1024 Mar 16 07:06 raid
drwxr-xr-x 2 root root 1024 Mar 16 07:06 quota
drwxr-xr-x 2 root root 1024 Mar 16 07:06 qmailadmin
drwxr-xr-x 2 root root 1024 Mar 16 07:06 pserver
drwxr-xr-x 2 root root 1024 Mar 16 07:06 proftpd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 procmail
drwxr-xr-x 2 root root 1024 Mar 16 07:06 proc
drwxr-xr-x 2 root root 1024 Mar 16 07:06 pptp-server
drwxr-xr-x 2 root root 1024 Mar 16 07:06 pptp-client
drwxr-xr-x 2 root root 1024 Mar 16 07:06 ppp-client
drwxr-xr-x 2 root root 1024 Mar 16 07:06 phpini
-rw-r--r-- 1 root root 14 Mar 16 07:06 perl-path
drwxr-xr-x 2 root root 1024 Mar 16 07:06 passwd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 pap
drwxr-xr-x 2 root root 1024 Mar 16 07:06 pam
drwxr-xr-x 2 root root 1024 Mar 16 07:06 openslp
drwxr-xr-x 2 root root 1024 Mar 16 07:06 nis
drwxr-xr-x 2 root root 1024 Mar 16 07:06 net
drwxr-xr-x 2 root root 1024 Mar 16 07:06 mount
drwxr-xr-x 2 root root 1024 Mar 16 07:06 mon
-rw------- 1 root bin 9 Mar 16 07:06 miniserv.users
-rw------- 1 root bin 1437 Mar 16 07:06 miniserv.pem
drwxr-xr-x 2 root root 1024 Mar 16 07:06 man
drwxr-xr-x 2 root root 1024 Mar 16 07:06 majordomo
drwxr-xr-x 2 root root 1024 Mar 16 07:06 mailcap
drwxr-xr-x 2 root root 1024 Mar 16 07:06 lvm
drwxr-xr-x 2 root root 1024 Mar 16 07:06 lpadmin
drwxr-xr-x 2 root root 1024 Mar 16 07:06 logrotate
drwxr-xr-x 2 root root 1024 Mar 16 07:06 lilo
drwxr-xr-x 2 root root 1024 Mar 16 07:06 ldap-server
drwxr-xr-x 2 root root 1024 Mar 16 07:06 ldap-client
drwxr-xr-x 2 root root 1024 Mar 16 07:06 krb5
drwxr-xr-x 2 root root 1024 Mar 16 07:06 jabber
drwxr-xr-x 2 root root 1024 Mar 16 07:06 ipsec
drwxr-xr-x 2 root root 1024 Mar 16 07:06 ipfw
drwxr-xr-x 2 root root 1024 Mar 16 07:06 ipfilter
drwxr-xr-x 2 root root 1024 Mar 16 07:06 inittab
drwxr-xr-x 2 root root 1024 Mar 16 07:06 inetd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 idmapd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 htaccess-htpasswd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 heartbeat
drwxr-xr-x 2 root root 1024 Mar 16 07:06 grub
drwxr-xr-x 2 root root 1024 Mar 16 07:06 fsdump
drwxr-xr-x 2 root root 1024 Mar 16 07:06 frox
drwxr-xr-x 2 root root 1024 Mar 16 07:06 firewall
drwxr-xr-x 2 root root 1024 Mar 16 07:06 filter
drwxr-xr-x 2 root root 1024 Mar 16 07:06 file
drwxr-xr-x 2 root root 1024 Mar 16 07:06 fetchmail
drwxr-xr-x 2 root root 1024 Mar 16 07:06 fdisk
drwxr-xr-x 2 root root 1024 Mar 16 07:06 exports
drwxr-xr-x 2 root root 1024 Mar 16 07:06 dovecot
drwxr-xr-x 2 root root 1024 Mar 16 07:06 dnsadmin
drwxr-xr-x 2 root root 1024 Mar 16 07:06 dhcpd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 dfsadmin
drwxr-xr-x 2 root root 1024 Mar 16 07:06 custom
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cluster-webmin
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cluster-usermin
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cluster-useradmin
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cluster-software
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cluster-shell
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cluster-passwd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cluster-cron
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cluster-copy
drwxr-xr-x 2 root root 1024 Mar 16 07:06 change-user
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cfengine
drwxr-xr-x 2 root root 1024 Mar 16 07:06 burner
drwxr-xr-x 2 root root 1024 Mar 16 07:06 bandwidth
drwxr-xr-x 2 root root 1024 Mar 16 07:06 bacula-backup
drwxr-xr-x 2 root root 1024 Mar 16 07:06 backup-config
drwxr-xr-x 2 root root 1024 Mar 16 07:06 at
drwxr-xr-x 2 root root 1024 Mar 16 07:06 adsl-client
drwxr-xr-x 2 root root 1024 Mar 16 07:06 acl
drwxr-xr-x 2 root root 1024 Mar 16 07:06 xinetd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 wuftpd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 webminlog
drwxr-xr-x 2 root root 1024 Mar 16 07:06 webmin
drwxr-xr-x 2 root root 1024 Mar 16 07:06 webalizer
drwxr-xr-x 2 root root 1024 Mar 16 07:06 vgetty
-rw-r--r-- 1 root root 6 Mar 16 07:06 version
drwxr-xr-x 2 root root 1024 Mar 16 07:06 usermin
drwxr-xr-x 2 root root 1024 Mar 16 07:06 updown
drwxr-xr-x 2 root root 1024 Mar 16 07:06 tunnel
drwxr-xr-x 2 root root 1024 Mar 16 07:06 time
drwxr-xr-x 2 root root 1024 Mar 16 07:06 telnet
drwxr-xr-x 2 root root 1024 Mar 16 07:06 syslog-ng
drwxr-xr-x 2 root root 1024 Mar 16 07:06 syslog
drwxr-xr-x 2 root root 1024 Mar 16 07:06 stunnel
drwxr-xr-x 2 root root 1024 Mar 16 07:06 status
drwxr-xr-x 2 root root 1024 Mar 16 07:06 sshd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 squid
drwxr-xr-x 2 root root 1024 Mar 16 07:06 init
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cpan
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cron
-rwxr-xr-x 1 root root 196 Mar 16 07:06 uninstall.sh
drwxr-xr-x 2 root root 1024 Mar 16 07:06 ldap-useradmin
drwxr-xr-x 2 root root 1024 Mar 16 07:08 virtualmin-mailman
drwxr-xr-x 2 root root 1024 Mar 16 07:08 virtualmin-dav
drwxr-xr-x 2 root root 1024 Mar 16 07:08 virtualmin-registrar
drwxr-xr-x 2 root root 1024 Mar 16 07:08 virtualmin-svn
drwxr-xr-x 2 root root 1024 Mar 16 07:08 security-updates
drwxr-xr-x 2 root root 1024 Mar 16 07:08 php-pear
drwxr-xr-x 2 root root 1024 Mar 16 07:08 virtualmin-awstats
drwxr-xr-x 2 root root 1024 Mar 16 07:08 virtualmin-htpasswd
drwxr-xr-x 2 root root 1024 Mar 16 07:09 ruby-gems
-rw------- 1 root root 1059 Mar 16 07:09 webmin.acl
drwxr-xr-x 2 root root 1024 Mar 16 07:09 virtualmin-init
-rw------- 1 root bin 823 Mar 16 07:10 miniserv.conf
-rw-r--r-- 1 root root 452 Mar 16 07:10 config
drwxr-xr-x 2 root root 1024 Mar 16 07:10 postfix
drwxr-xr-x 2 root root 1024 Mar 16 07:10 virtual-server
drwxr-xr-x 2 root root 1024 Mar 16 07:10 useradmin
drwxr-xr-x 2 root root 1024 Mar 16 07:10 postgresql
drwxr-xr-x 2 root root 1024 Mar 16 07:10 mysql
drwxr-xr-x 2 root root 1024 Mar 16 07:10 mailboxes
drwxr-xr-x 2 root root 1024 Mar 16 07:10 bind8
drwxr-xr-x 2 root root 1024 Mar 16 07:11 apache

Sat, 03/15/2008 - 15:43 (Reply to #5)
ishobr@ladangnet.com

Additional screenshot after adding new domain in virtualmin:

[admin@server ~]$ ls -l /etc/webmin/mysql/
total 2
-rw-r--r-- 1 root root 391 Mar 16 07:10 config
-rw-r--r-- 1 root root 140 Mar 16 07:37 mytestdomain.acl
[admin@server ~]$ cat /etc/webmin/mysql/mytestdomain.acl
create=0
noconfig=1
pass=test08 <-----
stop=0
dbs=mytestdomain mytestdomain
buser=mytestdomain
edonly=0
bpath=/
delete=0
user=mytestdomain <-----
perms=0

Mon, 04/07/2008 - 01:22 (Reply to #6)
trex

Indeed, he does have a point .. tested on CentOS.

-sh-3.1$ cat /etc/webmin/mysql/domain.acl
create=0
noconfig=1
pass=12345 *******
stop=0
dbs=domain domain1
buser=domain
edonly=0
bpath=/
delete=0
user=domain *******
perms=0

--------------------------------

this was from a normal user created with virtualmin..

Mon, 04/07/2008 - 01:24 (Reply to #7)
trex

Although on my end ls -l /etc/webmin/mysql/ does not work:

-sh-3.1$ ls -l /etc/webmin/mysql/
ls: /etc/webmin/mysql/: Permission denied
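The thread turns on a permission rule that is easy to get wrong: a 0644 file is only reachable by other users if every directory on the path grants them the search (x) bit, and listing a directory (ls) needs its read bit, which is separate from search. That is why trex can cat the .acl but not ls the directory. The script below, written for this thread and not part of Webmin or Virtualmin, models the three situations posters describe using constructed mode tables (no real filesystem is touched) and reports which .acl fields a world-readable copy would expose.

```python
import stat

# Constructed mode tables modelled on the listings quoted in this thread; nothing is
# read from a real filesystem, so the script runs as any user on any machine.
ACL = "/etc/webmin/mysql/mytestdomain.acl"
REPORTER_MODES = {"/": 0o755, "/etc": 0o755, "/etc/webmin": 0o755,
                  "/etc/webmin/mysql": 0o755, ACL: 0o644}   # ishobr's OpenVZ box
# trex: cat succeeds but ls -l on the directory is denied -> x without r on mysql/
TREX_MODES = {**REPORTER_MODES, "/etc/webmin/mysql": 0o711}
# Joe: 'Permission denied' on the file itself -> parent not searchable by others
JOE_MODES = {**REPORTER_MODES, "/etc/webmin/mysql": 0o700}

# Constructed sample with the same key=value layout as the .acl shown above.
SAMPLE_ACL = "create=0\nnoconfig=1\npass=test08\nstop=0\nuser=mytestdomain\nperms=0\n"

def ancestors(path):
    """Directories that must be traversed to reach path, root first."""
    parts = path.strip("/").split("/")
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]

def other_access(modes, path):
    """What a user who is neither owner nor group member can do with path.

    Every ancestor directory needs the search (x) bit for 'other' before the
    file's own read bit matters; listing the parent needs its read (r) bit.
    """
    dirs = ancestors(path)
    for d in dirs:
        if not modes[d] & stat.S_IXOTH:
            return {"read": False, "list_parent": False, "blocked_at": d}
    return {"read": bool(modes[path] & stat.S_IROTH),
            "list_parent": bool(modes[dirs[-1]] & stat.S_IROTH),
            "blocked_at": None}

def leaked_fields(acl_text, sensitive=("user", "pass")):
    """Fields a world-readable Webmin .acl file exposes (key=value, one per line)."""
    found = {}
    for line in acl_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in sensitive:
            found[key.strip()] = value.strip()
    return found

def exposure_report(modes, path, acl_text):
    """Combine the path check with the field scan: nothing leaks unless 'other' can read."""
    access = other_access(modes, path)
    return {**access, "leaked": leaked_fields(acl_text) if access["read"] else {}}

if __name__ == "__main__":
    for name, m in (("reporter", REPORTER_MODES), ("trex", TREX_MODES), ("joe", JOE_MODES)):
        print(name, exposure_report(m, ACL, SAMPLE_ACL))
```

On a live system the same check is `find /etc/webmin -type f -perm -o=r` run alongside a look at the directory modes on the path, since the file bits alone do not decide exposure.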
