webadmin-devel

[webmin-devel] A litle security fix

[Hernando F. <hf...@in...>]

Hi Jamie,

I was a problem when using "Webmin Servers Index" with many remote
servers with same IP address and diferent users ACLs.

Default ACLs uses the IP addresses to Index Servers and to check users
permissions. IE: You have "root" and "admin" users. You want to give
access to 192.168.0.27 to root but not admin. You set ACLs to root and
not admin but admin gains access because permissions are checked against
the server IP address. I changed this to check by ID that found in
servers index (I think it is a time perl function) and I solved this
issue.

Look the files yourself.

Best regards,

-- 
Hernando Furlan   -  [ i n t r a R e d e s   s r l ]
Piedras 264 - 2 A (C1070AAF) - Buenos Aires - ARGENTINA
Te.: (54 11) 4342-0049   -   http://www.intraredes.com/
mailto:her...@in...

Re: [webmin-devel] A litle security fix

[Jamie C. <jca...@we...>]

Thanks for the fix - I'm not sure why I didn't implement it this way in
the first place! I have incorporated it into the main Webmin codebase,
but with a small change to add backwards compatability so that existing
host-based ACLs still work.

 - Jamie

On Thu, 2004-05-13 at 07:16, Hernando Furlan wrote:
> Hi Jamie,
> 
> I was a problem when using "Webmin Servers Index" with many remote
> servers with same IP address and diferent users ACLs.
> 
> Default ACLs uses the IP addresses to Index Servers and to check users
> permissions. IE: You have "root" and "admin" users. You want to give
> access to 192.168.0.27 to root but not admin. You set ACLs to root and
> not admin but admin gains access because permissions are checked against
> the server IP address. I changed this to check by ID that found in
> servers index (I think it is a time perl function) and I solved this
> issue.
> 
> Look the files yourself.
> 
> Best regards,