From: Jamie C. <jca...@we...> - 2017-04-23 19:52:22
Sudo-capable users having full root access in Webmin is expected .. because they can run any command as root when logging in via SSH, there's no security risk to them having root access in Webmin as well.

On 23/Apr/2017 12:32 Waleed Alsanie <w....@gm...> wrote ..
> The problem is that we are managing a server which runs behind a proxy.
> Some users set their proxy authentication in the http_proxy variable.
> Unfortunately, users with sudo access can get the setting of the
> environment variables of the other users through this unlimited access!
>
> On Sun, Apr 23, 2017 at 3:57 PM, Yehuda Katz <ye...@ym...> wrote:
>
> > This isn't a security issue in Webmin.
> >
> > When you give a user sudo access, they can access any other user's home
> > directory without Webmin. The whole purpose of sudo is to allow users to
> > have root privileges.
> > You probably want to manage your users directly in Webmin.
> > First, you need to disable the option "Allow users who can run all
> > commands via sudo to login as root". This option is in Webmin on
> > /acl/edit_unix.cgi
> > Then you need to configure Webmin with how to synchronize users with
> > Ubuntu.
> > See the documentation: http://doxfer.webmin.com/Webmin/Webmin_Users
> >
> > - Y
> >
> >
> > On Sun, Apr 23, 2017 at 8:14 AM, Waleed Alsanie <w....@gm...> wrote:
> >
> >> Hello all,
> >>
> >> I have just found a security issue in Webmin working under Ubuntu. People
> >> with sudo access can access Webmin and then can view all the users' home
> >> directories with their files. Even if the files are protected, they still
> >> can be viewed by users with sudo access through Webmin!
> >>
> >> Is there any solution to this?
> >>
> >> Regards,
> >>
> >> ------------------------------------------------------------------------------
> >> Check out the vibrant tech community on one of the world's most
> >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> >> -
> >> Forwarded by the Webmin mailing list at web...@li...urceforge.net
> >> To remove yourself from this list, go to
> >> http://lists.sourceforge.net/lists/listinfo/webadmin-list
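The thread turns on which accounts can run every command as root through sudo. The following is an added example, not part of the thread and not Webmin's own logic, that lists those accounts from a sudoers file so an administrator can see who effectively has root. The function name, the simplified parsing rules and the sample file are assumptions made for illustration.

```python
import re

# Constructed sample sudoers content, not taken from the thread.
SAMPLE_SUDOERS = """\
Defaults env_reset
User_Alias ADMINS = carol, dave
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ADMINS  ALL=(ALL) NOPASSWD: ALL
bob     ALL=(root) /usr/bin/systemctl restart nginx
erin    ALL=(www-data) ALL
"""

# Right-hand side of a rule: optional (runas), optional tags, command list.
RHS = re.compile(r"\s*(?:\(([^)]*)\))?\s*(?:[A-Z_]+:\s*)*(.*)")

def full_root_principals(sudoers_text):
    """Return users/%groups granted every command as root.

    Simplified: one rule per line, no line continuations, no #include files,
    no Runas/Cmnd aliases. Review anything it skips by hand.
    """
    aliases, found = {}, set()
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if line.startswith("User_Alias"):
            name, members = line[len("User_Alias"):].split("=", 1)
            aliases[name.strip()] = [m.strip() for m in members.split(",")]
            continue
        if "=" not in line or line.split()[0].endswith("_Alias"):
            continue
        left, right = line.split("=", 1)
        parts = left.split()
        if len(parts) < 2:
            continue
        runas, cmds = RHS.match(right).groups()
        # No runas list means the command runs as root.
        targets = ["root"] if runas is None else [u.strip() for u in runas.split(":")[0].split(",")]
        as_root = any(u in ("ALL", "root") for u in targets)
        all_cmds = "ALL" in [c.strip() for c in cmds.split(",")]
        if as_root and all_cmds:
            for who in parts[0].split(","):
                found.update(aliases.get(who, [who]))
    return sorted(found)

if __name__ == "__main__":
    print("\n".join(full_root_principals(SAMPLE_SUDOERS)))
```

Entries beginning with `%` are groups, so their members need to be resolved separately, and the authoritative view for a single account remains `sudo -l -U <user>`.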