Restrict Virtual Server List to owned servers

#1 Fri, 01/28/2011 - 03:50
KaSt

Good day to all.

Recently installed Virtualmin GPL on a VPS for me and my friends to have a self-managed web server. I also use Plesk on another server for other websites. Wanted to give a try to Virtualmin and installed it.

The possibilities look very, very nice! Compliments to the coders! Still, I have a little question to which I can't seem to find an answer.

I imagined that a virtual server owner wouldn't see other users' servers, but they do appear in his/her list when connected. Not only that, let's say I have created user wwwA and WWWb, both can see the other user's virtual server and change properties of it. This is not exactly what I'd be looking for in terms of security.

I did untick and disable any option that could tell Virtualmin to allow users to create servers on other's domain and so on, but still they do appear listed there and anybody can manage anything (except the physical server itself).

Did I miss something? Is this normal in the GPL version and maybe different in the Pro version?

Thanks, Ka.

Fri, 01/28/2011 - 08:33
andreychek

Howdy,

A Virtual Server owner should only see domains that are part of their own account.

One thing to remember is that a user who has "sudo" access to the server is considered not just a Virtual Server owner, but a Master Admin -- who would have rights to see all accounts and all domains.

Are these particular users by chance users with sudo access?

-Eric

Fri, 01/28/2011 - 08:54 (Reply to #2)
KaSt

First of all, thanks for your reply. I didn't tick any option to give these users sudo access, actually they are in "email only" for the shell part. I might have missed something here or there but first created two "virtual servers / users" with the default settings, noticed that the first could see the servers of the other (and the second the first) so tried to play with the settings and created a third one, a fourth one. No matter what I do, all have access to all the servers.

When I log in with the "non master admin" user, the others are shown as "server owner". Not administrator or anything related. I installed the latest GPL on Debian 5, with the latest patches as well.

Thanks again, Ka.

Fri, 01/28/2011 - 09:05
andreychek

Howdy,

Yeah, adding a user to the sudoers file would typically be something done from the command line.

You had mentioned your server was for you and your friends -- I had just wondered if perhaps your friends all had sudo access already on the system. But that doesn't appear to be the case :-)

If those users did have sudo access, they would say "Master Admin" on the left, under their login name. It sounds like you're seeing "Server Owner" and not Master Admin, so that part is good.

Is there any chance you could post a screenshot or two of what you're seeing as a Virtual Server owner? That might help in diagnosing what's going on there.

Thanks!

-Eric

Fri, 01/28/2011 - 09:10
KaSt

I can easily limit the "features" available and restrict them to what I actually want people to be able to do. I left normal and easy administration. They are friends and I trust them but they are not familiar with hosting and so on, fewer options is safer than all of them.

The issue I have is not with the features they have then, only that in the list of virtual servers they can administer, the full list of virtual servers on the physical server shows up. Also virtual servers belonging to the other owners. And not only they appear there but they can modify them (tried to change a description and other stuff and it worked).

While they are friends and I'm pretty sure nobody would mess with somebody else's server, leaving the possibility is not nice. I would have assumed that by default (default plan, account) that wouldn't have been possible. Maybe a bug of this release that wasn't showing up before? Or something wrong in my setup? Very strange as I used the defaults.

Thanks, Ka.

Fri, 01/28/2011 - 09:15
andreychek

> While they are friends and I'm pretty sure nobody would mess with somebody else's server, leaving the possibility is not nice

Yup, I agree!

I wasn't trying to suggest we shouldn't get this all figured out, I was purely explaining my thought process in the questions I was asking :-)

If you happen to have a screenshot or two of what the Virtual Server owner accounts are seeing, that would be helpful.

What you're seeing definitely sounds unusual, one Virtual Server owner shouldn't be able to see another's domains :-)

-Eric

Fri, 01/28/2011 - 10:09
KaSt

Don't worry, never got wrong what you said/typed. I'm more than grateful for your offer to help. Please don't get me wrong.

I'd love to put screenshots but that would mean publishing their domain names and I'd prefer not. It's not only my stuff there.

I could try to describe it but really it is as simple as (left sidebar):

Virtualmin / Webmin link-button
Login: theirlogin
Server Owner
Dropdown list with the virtual servers.

Create Virtual Server
Edit Virtual Server
Server Configuration
Logs and Reports
Administration Options
Services
Webmin Modules
Add Servers
List Virtual Servers
System Information
Logout

Nothing wrong there that I can see, except that the dropdown list lists all the servers on the machine, even the ones they don't own. And that they can modify any they want.

Thanks again, Ka.

Fri, 01/28/2011 - 10:27
andreychek

Howdy,

Well, what you're describing is so unusual, that I'm interested in any clues that may appear somewhere in the user interface.

I understand that you don't wish to publicly show your domains -- is there any chance you could email me a few screenshots? Once I see them, we can continue our discussion here and try to figure out what's going on :-)

If that's okay, you can email those to me at eric@virtualmin.com.

Thanks!

-Eric

Topic locked