From: <jam...@te...> - 2002-06-24 20:51:01
Hi All,

I noticed a behaviour of webmin that at first look seems most troubling. Here is the scenario:

1) Add a user.
2) Add a module to the user.
3) Configure the module for the user.
4) At some later point remove the module from the user list of modules.

After step 3 is completed an acl in file called:

/etc/webmin/mod_name/user.acl

will be created. When you do step 4, remove the module, the acl hangs around (i.e. it does not get deleted). I am not sure if this could be exploited or even lends itself to a writer of a module shooting themselves in the foot and allowing what was not intended to be allowed. Even still I don't think it's the right thing to do. Is this seen as a problem by any others?

Cheers...james

From: <ra...@si...> - 2002-06-24 21:18:34
Has there ever been a consideration of releasing Webmin updates as a patch for sites where Webmin was installed as a package? Using the "Update" selection effectively installs a new tarball, and then transfers the older configuration to the new, leaving around the old installation (unless, of course, they choose to remove the old version, but that could make havoc of the installed package).

rf

From: Jamie C. <jca...@we...> - 2002-06-25 00:43:31
ra...@si... wrote:
>
> Has there ever been a consideration of releasing Webmin updates as a
> patch for sites where Webmin was installed as a package? Using the
> "Update" selection effectively installs a new tarball, and then transfers
> the older configuration to the new, leaving around the old installation
> (unless, of course, they choose to remove the old version, but that could
> make havoc of the installed package).

Someone else suggested that to me recently as well - instead of upgrading your entire webmin install, you could just install updates to bring your install up to the most recent version. Sort of like how Debian does things in a way ..

Currently this isn't possible because updates can only affect modules, not the core code. Also, there would have to be two sets of updates - one for bug fixes and one for new features, just like Debian's 'stable' and 'unstable' branches.

However, I might implement it for some future versions of webmin ..

- Jamie

From: Jamie C. <jca...@we...> - 2002-06-25 01:27:17
jam...@te... wrote:
> Hi All,
>
> I noticed a behaviour of webmin that at first look seems most troubling.
> Here is the
> scenario:
>
> 1) Add a user.
> 2) Add a module to the user.
> 3) Configure the module for the user.
> 4) At some later point remove the module from the user list of
> modules.
>
> After step 3 is completed an acl in file called:
>
> /etc/webmin/mod_name/user.acl
>
> will be created. When you do step 4, remove the module, the acl hangs
> around (i.e. it does
> not get deleted). I am not sure if this could be exploited or even lends
> itself to a
> writer of a module shooting themselves in the foot and allowing what was
> not intended
> to be allowed. Even still I don't think it's the right thing to do. Is
> this seen as a
> problem by any others?

That is actually a feature, so that if you give the module back to the user in future he will have the same access control settings as before.

- Jamie
