----- Original Message -----
From: Joe Cooper <joe@...>
Sent: Friday, September 27, 2002 2:00 PM
Subject: Re: user starting webmin
> That's all well and good, but Webmin can't do that right now. Webmin
> can only do what its permissions say it can do, and so won't do
> anything as a non-root user.
> Also, I would argue that the reason ssh had such troubles was because C
> code is never guaranteed to be free from overflow bugs and other
> exploitable quirks. Webmin, being written in a higher level language,
> is immune to most such overflow problems. The only flaws that can be
> exploited are design flaws--not off-by-one or 'forgot to do bounds
> checking' errors. Webmin isn't the /most/ secure choice out there, but
> it is historically more secure than OpenSSH.
> I believe you are underestimating (even by saying it would be a 'pain')
> the problems that would have to be solved to have Webmin drop privileges.
> If, for example, we had a root parent process that spawned a
> non-privileged child process (running as 'nobody' or 'webmin'), Webmin
> would then have the choice of passing everything up to the root process
> for actual work (and thus we're in the same boat we're in now except
> with one more layer in which exploitable bugs can appear), or choosing
> the 'correct' permissions for any given task. Have you thought about
> how many different users and groups Webmin would have to know about and
> shift into in order to do the things it does?
> For example, reading logs. This /surely/ doesn't require root
> permission! Yet, it would require a su to some user for logs that are
> not world readable (and a lot of them aren't). Reading mail...have to
> su to the user who owns the box. Restarting system services...have to
> be root for that. Etc. etc. The clever ways to get around this problem
> take us back to 'always running as root' since the cleverness would
> require Webmin to choose the right user intelligently, and thus could
> possibly be manipulated into running as any user if there were bugs in
> the code. Anyway, being able to su to any user requires root so we're
> back to hitting the root Webmin for everything--so just adding another
> layer that might be exploited.
> Usermin, on the other hand, could and probably should spawn a new child
> process that drops to user privs whenever a user logs in. I don't know
> how to do it though--HTTP is stateless...Every page view is a new login,
> so how does one safely and efficiently spawn a new non-privileged child
> on every request. Again we're back to the root Usermin doing the
> administration of an army of non-privileged children. Every request
> will still hit the root Webmin before the child is spawned.
> If you can think of a way to do this via a stateless protocol like HTTP,
> I would /love/ to hear it. I can't think of any reasonable way to
> implement it that would actually work. But then, I might be missing
> james.oden@... wrote:
> > Actually, Joe, that is a major, major problem in webmin's architecture
> > from a security standpoint.
> > Yes, there are many things where root privileges are necessary, but there
> > are just as many where they are not. This was what the big ruckus over in
> > the OpenSSH camp was a couple months ago, in that having sshd run as root
> > for all of its code causes lots and lots of problems and opens so many
> > ways to do the wrong thing (from a code standpoint). The model they came
> > up with was to essentially run sshd as two processes. One was a small
> > little tiny program that provided all root functionality, and the other
> > ran as a non-privileged user. Most of the code ran in a non-privileged
> > state, thus there was less chance of problems. Would it be a pain to
> > impose such a model, or any other that allowed webmin to be in
> > non-privileged mode while it could be? Absolutely. I have seen the
> > and the thought makes me shudder. Should it be looked at long term? Yes
> > it should. Will it be looked at? I won't even try to answer that.
> > Cheers...james
> > Joe Cooper <joe@... on 09/27/2002
> > AM
> > Please respond to webadmin-list@...
> > Sent by: webadmin-list-admin@...
> > To: webadmin-list@...
> > cc:
> > Subject: Re: user starting webmin
> > What could possibly be accomplished by this?
> > Think about what tasks Webmin performs...Could it do the vast majority
> > of them without having root privileges?
> > Stephan Goeldi wrote:
> >>Isn't it a good idea to start webmin not as root but as a user with
> > limited
> >>If yes, which command is needed to tell /etc/init.d, that the service
> > should
> >>be started by a different user?
> > --
> > Joe Cooper <joe@...>
> > Web caching appliances and support.
> > http://www.swelltech.com
> Joe Cooper <joe@...>
> Web caching appliances and support.
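
A minimal sketch of the two-process model discussed in this thread, added here as an illustration and not code from Webmin, Usermin or OpenSSH: a privileged monitor serves a fixed table of operations to a worker that has dropped to an unprivileged user, so the worker can name an entry but never choose a user, path or command. The `LOGS` table, the `tail_log` operation name and the JSON-lines framing over a socket pair are assumptions made for the example.

```python
import json, os, pwd, socket

# Constructed table: the worker names an entry, never a path, user or command.
LOGS = {"auth": "/var/log/auth.log", "mail": "/var/log/mail.log"}

def monitor_handle(line, logs=LOGS):
    """Privileged side: validate one JSON request, then act on it."""
    try:
        req = json.loads(line)
        op, name = req["op"], req["name"]
    except (ValueError, KeyError, TypeError):
        return {"ok": False, "err": "malformed"}
    if op != "tail_log" or not isinstance(name, str) or name not in logs:
        return {"ok": False, "err": "denied"}
    try:
        with open(logs[name], "rb") as f:
            data = f.read()[-4096:]
    except OSError as e:
        return {"ok": False, "err": e.strerror}
    return {"ok": True, "data": data.decode("utf-8", "replace")}

def drop_privileges(user):
    """Irreversibly become `user` (skipped if user is None or not root)."""
    if user is not None and os.geteuid() == 0:
        pw = pwd.getpwnam(user)
        os.setgroups([])      # supplementary groups first
        os.setgid(pw.pw_gid)
        os.setuid(pw.pw_uid)  # last: root cannot be regained after this

def run(requests, logs=LOGS, user="nobody"):
    """Fork a worker that drops privileges; the parent serves its requests."""
    mon, wrk = socket.socketpair()
    if (pid := os.fork()) == 0:        # worker: bulk of the application code
        try:
            mon.close()
            drop_privileges(user)
            ch = wrk.makefile("rwb")
            for r in requests:
                ch.write(json.dumps(r).encode() + b"\n"); ch.flush()
                ch.readline()          # reply from the monitor
        finally:
            os._exit(0)
    wrk.close()
    ch, replies = mon.makefile("rwb"), []
    while (line := ch.readline(65536)):    # b"" means the worker has exited
        replies.append(monitor_handle(line, logs))
        ch.write(json.dumps(replies[-1]).encode() + b"\n"); ch.flush()
    os.waitpid(pid, 0)
    return replies
```

Every request still crosses the privileged process, as the thread points out, but that process is reduced to `monitor_handle`, which is small enough to audit and rejects anything outside its table.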