From: Russ F. <ru...@to...> - 2006-08-25 11:51:41
On 25 Aug 2006, at 11:59, Munzir Taha (منذر طه) wrote:

> On Friday 25 August 2006 08:47, Jamie Cameron wrote:
>> On 24/Aug/2006 22:30 Munzir Taha wrote ..
>>
>>> On Thursday 24 August 2006 18:38, Jamie Cameron wrote:
>>>> On 24/Aug/2006 05:07 Munzir Taha wrote ..
>>>>
>>
>>> The real problem is having the root password in this file:
>>> /etc/webmin/servers/1108941386.serv
>>> Maybe this is because I am monitoring another server from webmin.
>>
>> That's right .. the master Webmin needs to store the password of the
>> other server.
>>
>>>> And the files are only readable by root, so
>>>> there is no security risk from normal users..
>>>
>>> As I read it, the vulnerability discovered in webmin 1.29- would allow any
>>> anonymous user to read any system file whatever the permissions are. In
>>> such cases the administrator needs some time to apply the patch.
>>> After all, this is why the system root password is not only kept in
>>> a shadow file that is not readable by everyone but also kept encrypted.
>>
>> Keeping it one-way encrypted like in the shadow file is OK for validating
>> users, but not for automatically logging into other systems like Webmin
>> does..
>
> I don't know how webmin works, but isn't there any way to encrypt it
> while not losing webmin features?

It could at least be encrypted with a private key and then decrypted
inside Webmin to pass to the other systems. This would add to the
inconvenience of abusing the password, should it be viewed, but any
impression of this being a secure solution is an illusion.

Even using asymmetric keys, as in ssh, Webmin would still hold some
credential which could be copied and abused.

It's an intractable problem.

--r

Russ Ferriday - Topia Systems - multilingual content management
contact: ru...@to... - (+44) (0)2076 1777588 - skype: ferriday
a member of the evenios group
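As an added example, not part of the original thread and not Webmin's own code: the Python below plays out the point Russ makes. A master stores the root password of a managed server, first in clear and then encrypted with a key that has to live on the same host (a daemon that logs in unattended cannot wait for a human to type a passphrase), and a read-any-file primitive of the kind Munzir describes for Webmin 1.29 recovers the password in both cases, because it reads the key file as easily as it reads the record. The `.serv` record layout, the `servers.key` location and the `arbitrary_file_read()` oracle are assumptions; the HMAC-based stream construction is used only to keep the example to the standard library.

```python
"""Added example, not Webmin's code: a stored remote-login password
encrypted with a key kept on the same host falls to the same
arbitrary-file-read bug as a cleartext one.

Hypothetical pieces: the .serv record layout, the servers.key location
and the arbitrary_file_read() oracle standing in for the Webmin 1.29 flaw.
"""
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path
from typing import Dict, Optional

SERV_NAME = "1108941386.serv"   # record name taken from the thread


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF-based keystream: block i = HMAC-SHA256(key, nonce || i).
    # Stdlib-only so the example runs anywhere; a deployment would use an
    # AEAD from a vetted library instead.
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """64-byte key: first half encrypts, second half authenticates. Output: nonce || ct || tag."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def write_server_record(etc_webmin: Path, host: str, password: str,
                        key: Optional[bytes]) -> Path:
    """Write the master's record for a managed server (hypothetical layout).

    key=None stores the password in clear, as the thread describes.
    Otherwise the password is encrypted and the key is written next to it:
    a daemon that logs in unattended must be able to read its own key, so
    the key sits on the same disk under the same root-only mode bits.
    """
    servers = etc_webmin / "servers"
    servers.mkdir(parents=True, exist_ok=True)
    record = servers / SERV_NAME
    if key is None:
        record.write_text(f"host={host}\npass={password}\n")
    else:
        record.write_text(f"host={host}\npass_enc={encrypt(key, password.encode()).hex()}\n")
        key_file = etc_webmin / "servers.key"
        key_file.write_bytes(key)
        key_file.chmod(0o600)
    record.chmod(0o600)   # mode 0600: an ordinary local user cannot open it
    return record


def arbitrary_file_read(path: Path) -> bytes:
    # Stand-in for the flaw described in the thread: the Webmin CGI runs as
    # root, so a file it can be tricked into opening comes back regardless
    # of its mode bits. The 0600 above is no obstacle here.
    return path.read_bytes()


def recover_password(etc_webmin: Path) -> str:
    """What an attacker holding the read primitive gets: the remote root
    password, whether the record was cleartext or encrypted with a co-located key."""
    raw = arbitrary_file_read(etc_webmin / "servers" / SERV_NAME).decode()
    fields = dict(line.split("=", 1) for line in raw.splitlines())
    if "pass" in fields:
        return fields["pass"]
    key = arbitrary_file_read(etc_webmin / "servers.key")   # one more read, same primitive
    return decrypt(key, bytes.fromhex(fields["pass_enc"])).decode()


def demo(password: str = "r00t-pass") -> Dict[str, str]:
    """Store the password both ways and recover it both ways."""
    results = {}
    for label, key in (("cleartext", None),
                       ("encrypted_with_local_key", secrets.token_bytes(64))):
        with tempfile.TemporaryDirectory() as tmp:
            etc_webmin = Path(tmp) / "etc" / "webmin"   # sandboxed stand-in, not the real path
            write_server_record(etc_webmin, "backup.example.net", password, key)
            results[label] = recover_password(etc_webmin)
    return results


if __name__ == "__main__":
    for label, recovered in demo().items():
        print(f"{label:26s} -> recovered {recovered!r}")
```

The same two reads defeat the ssh-style variant Russ mentions: a private key file is just another secret the master must be able to open, so it is copied the same way. Encryption at rest only buys something when the key is not reachable by the primitive the attacker has (a passphrase typed at startup, a hardware token), and the remaining practical levers are on the remote side: give the master a narrowly privileged account rather than root, and make the stored credential cheap to rotate once a read bug is known.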