admin id stepped on during restore

9 posts / 0 new
Last post
#1 Tue, 03/10/2015 - 18:54
midol

admin id stepped on during restore

I recently set up a new server using Ubuntu 14.04 and installed Virtualmin GPL.

I made myself the admin user during installation.

I restored a site and found that I could no longer log in to virtualmin as thge admin user. I think this is because I had made myself an admin user in the restored domain in order to perform some site maintenance in the past. I speculate that when restoring the site my master admin privileges were nuked and I now have no master login available.

I use the same login credentials I was using a half hour ago and get different results, so I think the restrore must have been the problem.

Is there any history on the issue? or suggestions?

Dave

Tue, 03/10/2015 - 22:07
andreychek

Howdy,

When you say you made yourself an admin user during installation -- how did you go about doing that?

I'm just trying to see what your setup was so I can try and determine what might have broke.

-Eric

Wed, 03/11/2015 - 10:34
midol

I installed Ubuntu and had to create an admin user. That name was the same as a name in the restored domain. There was a permission error when restoring the domain while logged in as the domain owner so I logged out of VM then in again as the master admin. The restore went smoothly but the mailman lists feature needed to ber enabled and I found I was now logged in as an extra admin on the domain account. Since the user name is the same as the master admin name I can't log in as the master admin to turn on the feature, and in fact don't see any way to log in as master admin at all.

Dave

Wed, 03/11/2015 - 21:48
Joe
Joe's picture

Yep, Virtualmin will protect you from doing that with the root user, but I guess it doesn't check other user names. It should probably do a merge of permissions rather than resetting them...but, admin users on systems that don't usually have root access won't actually have a permissions list. They get special cased by Webmin.

In short: This is really old bug, but a very new form of it, that we didn't think of when solving it in the past.

Also, don't do that! Admin/root user has all rights to all domains, so there would never be a reason to make them the admin of anything, as they are the admin of everything. I think there can also be interesting side effects in terms of permissions for that domain.

To fix this: Edit the /etc/webmin/webmin.acl file, and modify the user in question to look like this (it'll be "username: " instead of "root: "):

root: backup-config change-user webmincron usermin webminlog webmin servers acl bacula-backup init passwd quota mount fsdump inittab ldap-client ldap-useradmin logrotate mailcap mon pam proc at cron sentry package-updates software man syslog syslog-ng system-status useradmin virtualmin-init security-updates etcd virtualmin-awstats apache bind8 bloctweet pserver dhcpd dovecot exim fetchmail frox jabber ldap-server majordomo mysql virtualmin-nginx nginx-webmin openslp postfix postgresql proftpd procmail qmailadmin mailboxes sshd samba sendmail spam squid sarg virtualmin-git virtualmin-mailman virtualmin-sqlite virtualmin-svn virtual-server wuftpd webalizer any-ini adsl-client bandwidth fail2ban ipsec krb5 firewall exports nis net xinetd inetd pap ppp-client pptp-client pptp-server stunnel shorewall shorewall6 tcpwrappers virtualmin-registrar idmapd filter burner grub lilo raid lvm fdisk lpadmin smart-status time vgetty iscsi-client iscsi-server iscsi-tgtd iscsi-target cluster-passwd cluster-copy cluster-cron cluster-shell cluster-software cluster-usermin cluster-useradmin cluster-webmin cfengine heartbeat history shell custom file tunnel phpini php-pear cpan htaccess-htpasswd ruby-gems telnet status ajaxterm updown virtualmin-dav virtualmin-htpasswd virtualmin-slavedns dfsadmin dnsadmin ipfilter ipfw smf authentic-theme

Then restart Webmin. This will re-grant you access to all the modules. You may still need to go into the Webmin->Webmin->Webmin Users->username page and click through to the Virtualmin module for this user and grant access to all domains.

You could also set a password for the "root" user on the system, and login to Webmin with that. It will automatically already have full privileges. That root user could then fix all of the problems with your admin user account in the Webmin Users module.

I'm trying to figure out how we could make this impossible (we've tried several times to make it an impossible mistake to make, but folks always seem to find new ways to accomplish it). ;-)

--

Check out the forum guidelines!

Wed, 03/11/2015 - 21:58
midol

Won't have access until tomorrow but will let you know!

Thu, 03/12/2015 - 18:05 (Reply to #5)
midol
root@bulkley:/etc/webmin# nano webmin.acl
root@bulkley:/etc/webmin# cp webmin.acl webmin.acl.old
root@bulkley:/etc/webmin# nano webmin.acl
root@bulkley:/etc/webmin# nano webmin.acl
root@bulkley:/etc/webmin# service webmin restart
Stopping Webmin server in /usr/share/webmin
Starting Webmin server in /usr/share/webmin
Pre-loaded virtual-server/virtual-server-lib-funcs.pl in virtual_server
Pre-loaded virtual-server/feature-unix.pl in virtual_server
Pre-loaded virtual-server/feature-dir.pl in virtual_server
Pre-loaded virtual-server/feature-dns.pl in virtual_server
Pre-loaded virtual-server/feature-mail.pl in virtual_server
Pre-loaded virtual-server/feature-web.pl in virtual_server
Pre-loaded virtual-server/feature-webalizer.pl in virtual_server
Pre-loaded virtual-server/feature-ssl.pl in virtual_server
Pre-loaded virtual-server/feature-logrotate.pl in virtual_server
Pre-loaded virtual-server/feature-mysql.pl in virtual_server
Pre-loaded virtual-server/feature-postgres.pl in virtual_server
Pre-loaded virtual-server/feature-ftp.pl in virtual_server
Pre-loaded virtual-server/feature-spam.pl in virtual_server
Pre-loaded virtual-server/feature-virus.pl in virtual_server
Pre-loaded virtual-server/feature-webmin.pl in virtual_server
Pre-loaded virtual-server/feature-virt.pl in virtual_server
Pre-loaded virtual-server/feature-virt6.pl in virtual_server
Pre-loaded WebminCore

so I started nano twice because I made a typo and exited without saving, second edit I replaced what was on the appropriate line after my user name with the text you supplied. After the restart I still get to be the extra admin on the domain rather that the master admin.

D

Thu, 03/12/2015 - 18:19 (Reply to #6)
midol

Sorry Eric,

I jumped the gun, after following your suggestion about a root password I now have master admin access and will sort out the rest. Many thanks for your help.

Dave

Thu, 03/12/2015 - 22:23 (Reply to #7)
andreychek

We're looking into this in the ticket Joe mentioned.

However, you do have the option to use the root user as you've done.

You can also create a new user, and give it sudo rights. With sudo rights, a normal user can be given Master User access.

-Eric

Wed, 03/11/2015 - 22:02
Joe
Joe's picture

I filed a ticket about this issue. I'm guessing Jamie can make it impossible to do this.

https://www.virtualmin.com/node/36510

--

Check out the forum guidelines!

Topic locked