#4271 Feature: make default module ownership/permissions configurable

All
closed-fixed
nobody
None
5
2013-07-21
2013-07-17
Danny Sauer
No

I'm running Webmin suid under Apache, which I know already makes my situation a bit of an oddity. When I install a module, the install_webmin_module function does this:

foreach my $m (@permmods) {
        system("chown -R root $config_directory/$m");
        system("chgrp -R bin $config_directory/$m");
        system("chmod -R og-rw $config_directory/$m");
        }
}

While I'd philosophically prefer that to be pure Perl, the thing that actually bugs me is that I need the ownership to be root:apache with regular files 0640, directories 0750, and anything executable 1750. Technically I can do this with a postinstall script, but it'd be handy if I could simply make the group configurable. Maybe, as long as I'm dreaming, there could be something like this in the config:

module_group=apache
suid_root_modules=1

which causes the permissions to instead do "chmod -R g=u,g-w,o-rw" and then an "if executable add suid bit" "find | chmod" kind of thing.

Discussion

  • Jamie Cameron
    2013-07-19

    How about if the permissions were copied from an existing script in the Webmin root directory? That would preserve consistency with whatever you've set up manually.

    BTW, I recommend against running Webmin under Apache unless you have very very specialized requirements (like a low-memory embedded system). If you just want to share port 80, it is better to use proxying.

     
  • Danny Sauer
    2013-07-20

    Yes, using a --reference in chown/chmod would be fine too, and wouldn't require a config file change.

    I'm running under Apache, FWIW, mostly to get Kerberos authentication via negotiate. It also makes tying into my failover system slightly easier, as there's only one daemon to monitor and fewer logs to manage - but mostly GSSAPI negotiate is what I needed. If this bug is resolved by implementing that auth mechanism, that's cool too. :)

     
  • Jamie Cameron
    2013-07-21

    • status: open --> closed-fixed
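
The reference-file approach discussed in this ticket, as an added sketch that is not Webmin's code and was not written by either participant: ownership is copied from an existing file and modes are set to the 0750/0640 values the request mentions. The function name `apply_reference_perms` is hypothetical, GNU `chown` is assumed for `--reference`, and no setuid or sticky bits are set.

```shell
#!/bin/sh
# Added example; apply_reference_perms is a hypothetical helper, not Webmin code.
# Usage: apply_reference_perms REFERENCE_FILE MODULE_CONFIG_DIR
apply_reference_perms() {
    ref=$1
    dir=$2
    # Refuse to run without a real reference file and a real directory.
    [ -e "$ref" ] && [ -d "$dir" ] || return 1

    # Copy owner and group from the reference file (GNU chown option).
    # -h changes a symlink itself instead of the file it points to, so a
    # link inside the tree cannot redirect the ownership change elsewhere.
    chown -R -h --reference="$ref" -- "$dir" || return 1

    # find does not follow symlinks by default, so only real directories
    # and regular files inside the tree get new modes.
    find "$dir" -type d -exec chmod 0750 {} + || return 1
    # Files the owner can execute keep an execute bit for owner and group.
    find "$dir" -type f -perm -100 -exec chmod 0750 {} + || return 1
    # Everything else: owner read/write, group read-only, nothing for others.
    find "$dir" -type f ! -perm -100 -exec chmod 0640 {} + || return 1
}
```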