From: Jamie C. <jca...@we...> - 2002-06-25 01:27:17

jam...@te... wrote:
> Hi All,
>
> I noticed a behaviour of webmin that at first look seems most troubling. Here is the scenario:
>
> 1) Add a user.
> 2) Add a module to the user.
> 3) Configure the module for the user.
> 4) At some later point remove the module from the user list of modules.
>
> After step 3 is completed an acl in file called:
>
> /etc/webmin/mod_name/user.acl
>
> will be created. When you do step 4, remove the module, the acl hangs around (i.e. it does not get deleted). I am not sure if this could be exploited or even lends itself to a writer of a module shooting themselves in the foot and allowing what was not intended to be allowed. Even still I don't think it's the right thing to do. Is this seen as a problem by any others?

That is actually a feature, so that if you give the module back to the user in future he will have the same access control settings as before.

 - Jamie
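
An audit for the behaviour discussed in this thread, as an added example that is not part of the original messages or of Webmin's own code: it lists per-user ACL files still present under a module's config directory after the module was removed from that user. It assumes the grant list is a file named `webmin.acl` in the config directory with lines of the form `user: mod1 mod2`; `build_sample_tree` and its users and modules are constructed sample data.

```python
import os
import tempfile

def parse_grants(path):
    """Parse 'user: mod1 mod2' lines (assumed format) into {user: {modules}}."""
    grants = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or ":" not in line:
                continue
            user, mods = line.split(":", 1)
            grants[user.strip()] = set(mods.split())
    return grants

def find_leftover_acls(config_dir, grants_file="webmin.acl"):
    """Return (module, user, path) for each <module>/<user>.acl whose module
    is no longer granted to that user, or whose user no longer exists."""
    grants = parse_grants(os.path.join(config_dir, grants_file))
    leftovers = []
    for module in sorted(os.listdir(config_dir)):
        mod_dir = os.path.join(config_dir, module)
        if not os.path.isdir(mod_dir):
            continue  # skips webmin.acl itself and other top-level files
        for name in sorted(os.listdir(mod_dir)):
            if not name.endswith(".acl"):
                continue
            user = name[: -len(".acl")]
            if module not in grants.get(user, set()):
                leftovers.append((module, user, os.path.join(mod_dir, name)))
    return leftovers

def build_sample_tree(root):
    """Constructed sample data: alice lost 'useradmin', bob was deleted."""
    with open(os.path.join(root, "webmin.acl"), "w") as fh:
        fh.write("root: useradmin apache\nalice: apache\n")
    for module, user in [("apache", "alice"), ("apache", "root"),
                         ("useradmin", "alice"), ("useradmin", "bob")]:
        os.makedirs(os.path.join(root, module), exist_ok=True)
        with open(os.path.join(root, module, user + ".acl"), "w") as fh:
            fh.write("constructed=1\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for module, user, path in find_leftover_acls(tmp):
            print(f"leftover ACL: module={module} user={user} file={path}")
```

Reviewing the listed files before a module is handed back to a user shows which saved settings would come back into effect with it.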