
#4271 Feature: make default module ownership/permissions configurable

All
closed-fixed
nobody
None
5
2013-07-21
2013-07-17
Danny Sauer
No

I'm running Webmin suid under Apache, which I know already makes my situation a bit of an oddity. When I install a module, the install_webmin_module function does this:

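:::perl
# Excerpt from install_webmin_module: for each newly installed module,
# reset ownership and strip group/other read-write on its config directory
foreach my $m (@permmods) {
        system("chown -R root $config_directory/$m");
        system("chgrp -R bin $config_directory/$m");
        system("chmod -R og-rw $config_directory/$m");
        }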

While I'd philosophically prefer that to be pure perl, the thing that actually bugs me is that I need the ownership to be root:apache with regular files 0640, directories 0750, and anything executable 1750. Technically I can do this with a postinstall script, but it'd be handy if I could simply make the group configurable. Maybe, as long as I'm dreaming, there could be something like this in the config:

module_group=apache
suid_root_modules=1

which causes the permissions to instead do "chmod -R g=u,g-w,o-rw" and then an "if executable add suid bit" "find | chmod" kind of thing.

Discussion

  • Jamie Cameron

    Jamie Cameron - 2013-07-19

    How about if the permissions were copied from an existing script in Webmin root directory? That would preserve consistency with whatever you've set up manually.

    BTW, I recommend against running Webmin under Apache unless you have very very specialized requirements (like a low-memory embedded system). If you just want to share port 80, it is better to use proxying.

     
  • Danny Sauer

    Danny Sauer - 2013-07-20

    Yes, using a --reference in chown/chmod would be fine too, and wouldn't require a config file change.

    I'm running under Apache, FWIW, mostly to get Kerberos authentication via negotiate. It also makes tying into my failover system slightly easier, as there's only one daemon to monitor and fewer logs to manage - but mostly GSSAPI negotiate is what I needed. If this bug is resolved by implementing that auth mechanism, that's cool too. :)

     
  • Jamie Cameron

    Jamie Cameron - 2013-07-21
    • status: open --> closed-fixed
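
A pure-Perl take on the reference-file approach discussed in this ticket, added here as an illustration; it is not Webmin's code or the change that closed this ticket. The helper name `apply_reference_perms` and its arguments are assumptions, modes follow the 0640/0750 split from the request, and no setuid or sticky bit is set.

```perl
#!/usr/bin/perl
# Added example: copy owner/group from a reference file onto a module's
# config tree and set restrictive modes, without spawning a shell.
use strict;
use warnings;
use File::Find;

# Hypothetical helper (name and arguments are assumptions for this example).
#   $reference: existing file whose owner and group are copied
#   $dir:       module config directory to fix up
# Returns a list of error strings (empty on success).
sub apply_reference_perms {
    my ($reference, $dir) = @_;

    # lstat, so a symlinked reference is detected instead of followed
    my @ref = lstat($reference) or die "lstat $reference: $!\n";
    die "$reference is a symlink, refusing to use it\n" if -l _;
    my ($uid, $gid) = @ref[4, 5];

    my @errors;
    find({
        no_chdir => 1,    # File::Find does not follow symlinks by default
        wanted   => sub {
            my $path = $File::Find::name;
            my @st = lstat($path)
                or do { push @errors, "lstat $path: $!"; return };
            # chown/chmod act on a symlink's target, so a link planted in
            # the tree could redirect a root-run fix-up elsewhere: skip it.
            return if -l _;
            # Directories and executables get 0750, plain files 0640
            my $mode = (-d _ || ($st[2] & 0111)) ? 0750 : 0640;
            # chown first: changing ownership can clear special mode bits
            chown($uid, $gid, $path) == 1 or push @errors, "chown $path: $!";
            chmod($mode, $path) == 1      or push @errors, "chmod $path: $!";
        },
    }, $dir);
    return @errors;
}

# Command-line use: script.pl <reference-file> <config-dir>
unless (caller) {
    @ARGV == 2 or die "usage: $0 <reference-file> <config-dir>\n";
    my @errors = apply_reference_perms(@ARGV);
    print STDERR "$_\n" for @errors;
    exit(@errors ? 1 : 0);
}
```

The lstat and chown/chmod calls on each path are not atomic, so the tree should not be writable by untrusted users while this runs as root.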
     
