From: Waleed A. <w....@gm...> - 2017-04-23 12:14:12
Hello all,

I have just found a security issue in Webmin working under Ubuntu. People with sudo access can access Webmin and then can view all the users' home directories with their files. Even if the files are protected, they still can be viewed by users with sudo access through Webmin!

Is there any solution to this?

Regards,
From: Yehuda K. <ye...@ym...> - 2017-04-23 12:58:27
This isn't a security issue in Webmin. When you give a user sudo access, they can access any other user's home directory without Webmin. The whole purpose of sudo is to allow users to have root privileges.

You probably want to manage your users directly in Webmin. First, you need to disable the option "Allow users who can run all commands via sudo to login as root". This option is in Webmin on /acl/edit_unix.cgi. Then you need to configure Webmin with how to synchronize users with Ubuntu. See the documentation: http://doxfer.webmin.com/Webmin/Webmin_Users

- Y
From: Waleed A. <w....@gm...> - 2017-04-23 19:21:51
Thanks Yehuda,
From: Waleed A. <w....@gm...> - 2017-04-23 19:32:45
The problem is that we are managing a server which runs behind a proxy. Some users set their proxy authentication in the http_proxy variable. Unfortunately, users with sudo access can get the settings of the environment variables of the other users through this unlimited access!
From: Jamie C. <jca...@we...> - 2017-04-23 19:52:22
Sudo-capable users having full root access in Webmin is expected .. because they can run any command as root when logging in via SSH, there's no security risk to them having root access in Webmin as well.
From: Andrey R. <anr...@ya...> - 2017-04-23 20:05:11
Greetings, Waleed Alsanie!

> Unfortunately, users with sudo access can get the setting of the environment
> variables of the other users through this unlimited access!

The first question is WHY these users have sudo access in the first place?

--
With best regards,
Andrey Repin
Sunday, April 23, 2017 22:52:12

Sorry for my terrible English...
From: Waleed A. <w....@gm...> - 2017-04-23 21:16:47
> Sudo-capable users having full root access in Webmin is expected ..
> because they can run any command as root when logging in via SSH,
> there's no security risk to them having root access in Webmin as well.

Thanks Jamie, but they do not log in via SSH. We installed Webmin to allow them to use it instead of SSH.

> The first question is WHY these users have sudo access in first place?

We want them to manage some activities in the server (starting up, shutdown, some files in the /var/www dir ... etc). However, the risk is that they have full access to the users' command history and they can view their proxy credentials in the settings of the environment variables!

Regards,
From: Andrey R. <anr...@ya...> - 2017-04-23 22:35:12
Greetings, Waleed Alsanie!

>> Sudo-capable users having full root access in Webmin is expected ..
>> because they can run any command as root when logging in via SSH,
>> there's no security risk to them having root access in Webmin as well.

> Thanks Jamie,
> But they do not login via SSH.

Doesn't matter.

> We installed Webmin to allow them to use it instead of ssh.

Then let them use it. Why are you using the wrong tools and demanding that they work in the "right way"?

>> The first question is WHY these users have sudo access in first place?

> We want them to manage some activities in the server

So, DO THAT. Don't substitute one (system sudo) for another (Webmin permissions).

--
With best regards,
Andrey Repin
Monday, April 24, 2017 01:25:13

Sorry for my terrible English...
From: Waleed A. <w....@gm...> - 2017-04-24 11:09:15
I deleted the users from the sudoers group. I granted them access to the File Manager module in Webmin, and the surprise is that they still can access other users' files, including .profile and everything which they cannot access through SSH!
From: Michael H. <mi...@hu...> - 2017-04-24 17:54:41
Waleed -

Under Webmin .. Webmin Users, select one of your users and then go back to "Available Webmin Modules".

Find Filemanager; you'll see it is a clickable link. Click it - in there you can restrict access to particular folders, "Allow access to directories".

Also change "Can Edit Configuration Module?" to No. Scroll down near the bottom to "Access Files As Unix User". The default may be root. Choose either the Webmin User, or a Unix user you want.

You may need to go into "Permissions For All Modules" to further restrict access to user/group selection, etc.

Cheers!

mph
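A defender-side check for the settings discussed in this thread, added here as an illustration and not code from the thread or from Webmin: it parses key=value files of the kind Webmin keeps under /etc/webmin/&lt;module&gt;/&lt;user&gt;.acl and in /etc/webmin/miniserv.conf, and flags File Manager grants that still access files as root or have no directory restriction (Michael's settings), plus the sudo-to-root login setting Yehuda named. The key names work_as_root, work_as_user, allowed_paths and sudo are assumptions about Webmin's file format, and the sample files are constructed.

```python
"""Audit Webmin File Manager (filemin) ACLs for grants that still act as root.
Added illustration, not Webmin's own code. Webmin keeps per-user module ACLs as
key=value files under /etc/webmin/<module>/<user>.acl and server settings in
/etc/webmin/miniserv.conf; the key names checked below are ASSUMED, not verified."""
import glob
import os

def parse_kv(text):
    """Parse Webmin-style key=value lines into a dict; blank and '#' lines skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value.strip()
    return out

def audit_filemin_acl(user, acl):
    """Findings for one user's File Manager ACL; as Michael notes, the default
    identity for file access may be root, so a missing key is treated as root."""
    findings = []
    if acl.get("work_as_root", "1") == "1":
        findings.append(f"{user}: File Manager accesses files as root")
    elif not acl.get("work_as_user"):
        findings.append(f"{user}: no Unix user set for file access")
    paths = acl.get("allowed_paths", "").split()
    if not paths or "/" in paths:
        findings.append(f"{user}: no directory restriction (whole filesystem)")
    return findings

def audit_miniserv(conf):
    """Yehuda's point: sudo-capable Unix users logging in as root is a global setting."""
    if conf.get("sudo") == "1":
        return ["miniserv: sudo-capable Unix users may log in as root"]
    return []

def load_acl_dir(directory):
    """Read every <user>.acl in a module's config directory into {user: text}."""
    acls = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.acl"))):
        with open(path, encoding="utf-8", errors="replace") as fh:
            acls[os.path.basename(path)[:-4]] = fh.read()
    return acls

# Constructed sample inputs (not real files): alice keeps the risky defaults,
# bob has the settings the thread recommends.
SAMPLE_ACLS = {
    "alice": "work_as_root=1\nallowed_paths=/\n",
    "bob": "work_as_root=0\nwork_as_user=bob\nallowed_paths=/var/www /home/bob\n",
}
SAMPLE_MINISERV = "port=10000\nssl=1\nsudo=1\n"

def audit_all(acls=SAMPLE_ACLS, miniserv=SAMPLE_MINISERV):
    """Run both audits; returns finding strings (empty when clean). On a live host
    pass load_acl_dir("/etc/webmin/filemin") and the miniserv.conf text instead."""
    findings = audit_miniserv(parse_kv(miniserv))
    for user, text in acls.items():
        findings += audit_filemin_acl(user, parse_kv(text))
    return findings
```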
From: Waleed A. <w....@gm...> - 2017-04-25 08:46:27
Thank you very much Michael! It works.

It is still strange that Webmin allows users to access folders which they should access through their system login privileges.

Regards,
Waleed