From: Waleed A. <w....@gm...> - 2017-04-23 19:32:45
The problem is that we are managing a server which runs behind a proxy. Some users set their proxy authentication in the http_proxy variable. Unfortunately, users with sudo access can get the setting of the environment variables of the other users through this unlimited access!

On Sun, Apr 23, 2017 at 3:57 PM, Yehuda Katz <ye...@ym...> wrote:

> This isn't a security issue in Webmin.
>
> When you give a user sudo access, they can access any other user's home
> directory without Webmin. The whole purpose of sudo is to allow users to
> have root privileges.
> You probably want to manage your users directly in Webmin.
> First, you need to disable the option "Allow users who can run all
> commands via sudo to login as root". This option is in Webmin on
> /acl/edit_unix.cgi
> Then you need to configure Webmin with how to synchronize users with
> Ubuntu.
> See the documentation: http://doxfer.webmin.com/Webmin/Webmin_Users
>
> - Y
>
>
> On Sun, Apr 23, 2017 at 8:14 AM, Waleed Alsanie <w....@gm...> wrote:
>
>> Hello all,
>>
>> I have just found a security issue in Webmin working under Ubuntu. People
>> with sudo access can access Webmin and then can view all the users' home
>> directories with their files. Even if the files are protected, they still
>> can be viewed by users with sudo access through webmin!
>>
>> Is there any solution to this?
>>
>> Regards,
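
An audit for the condition discussed in this thread, proxy passwords stored in http_proxy-style variables where any root-equivalent account can read them. This Python code is an added example, not part of the original messages or of Webmin; it scans shell profile text and reports which variables embed a password without copying the password into the report. The function name, sample hosts and sample accounts are constructed for illustration.

```python
import re
import sys
from urllib.parse import urlsplit

# Matches e.g.:  export http_proxy="http://user:pass@proxy:3128"
# Commented-out lines do not match because '#' cannot precede the name.
PROXY_ASSIGN = re.compile(
    r"""^\s*(?:export\s+)?((?:https?|ftp|all)_proxy)\s*=\s*['"]?([^'"\s]+)""",
    re.IGNORECASE,
)

# Constructed sample of a user's ~/.profile (hosts, names, passwords invented).
SAMPLE_PROFILE = """\
# proxy settings
export http_proxy="http://alice:S3cret@proxy.example.internal:3128"
HTTPS_PROXY=http://proxy.example.internal:3128
export ftp_proxy='bob:hunter2@proxy.example.internal:3128'
# export all_proxy=http://carol:old@proxy.example.internal:3128
"""


def find_proxy_credentials(text, source="<input>"):
    """Return findings for proxy variables that embed a password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = PROXY_ASSIGN.match(line)
        if not match:
            continue
        name, value = match.groups()
        # urlsplit only parses user:pass@host when a scheme is present.
        url = urlsplit(value if "://" in value else "http://" + value)
        if url.password is None:
            continue
        # The password is deliberately left out of the finding.
        findings.append({"source": source, "line": lineno, "variable": name,
                         "user": url.username, "proxy_host": url.hostname})
    return findings


if __name__ == "__main__":
    # No arguments: scan the constructed sample; otherwise scan the given files.
    results = []
    if len(sys.argv) == 1:
        results = find_proxy_credentials(SAMPLE_PROFILE, "sample")
    for path in sys.argv[1:]:
        with open(path, errors="replace") as handle:
            results += find_proxy_credentials(handle.read(), path)
    for item in results:
        print("{source}:{line}: {variable} embeds a password for user "
              "{user!r} at {proxy_host}".format(**item))
```

Run it against the profile files of accounts on the server (for example `.profile` and `.bashrc`) to find users who should move their proxy credentials out of environment variables.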