Menu

#4518 No privilege drop when creating virtual hosts

1.720
closed-fixed
nobody
drop root privs (1)
5
2014-12-10
2014-12-10
kurczaq
No

Hi

when creating a virtual host with webmin apache module, webmin will create a root-owned directory, when the document root does not exist.

To reproduce: use unpriv webmin user and create a virtual host, result:

drwxr-sr-x+ 2 root root 4096 Dec 10 01:04 www.usertest.com/

I'm afraid this can be eventually escalated further...

Discussion

  • kurczaq

    kurczaq - 2014-12-10

    to be complete:

    I have the "admin" user setup in the webmin users module as:

    Browse files as Unix user: vhost
Users visible in user chooser: wwwrun vhost
Groups visible in group chooser: www

    I ASSUMED this will effectively limit the user admin permissions in webmin! However is not the case for creating virtual hosts - does mkdir as root!

     

  • Jamie Cameron

    Jamie Cameron - 2014-12-10
    • status: open --> closed-fixed
     

  • Jamie Cameron

    Jamie Cameron - 2014-12-10

    Thanks for pointing this out - this will be fixed in the next Webmin release.

     

Log in to post a comment.