User can browse through the whole filesystem, HELP!!!

#1 Thu, 07/09/2009 - 04:36
xoa

With the integrated FileBrowser in Virtualmin/Webmin and via FTP all works perfectly. The user can see only his folder. But what happens if a user uploads via FTP a PHP file browser, his own file browser or something like this? In my case he can browse through the whole filesystem and can see passwords etc.

That's horrible. How can I avoid this?

Thu, 07/09/2009 - 11:15
andreychek

The user can't see any passwords :-)

They only have what permissions are granted to them by the Linux permissions scheme, which certainly isn't going to allow them to view passwords (unless the passwords are stored in a world readable file, which is not the default).

Sensitive information should not be world readable. If in looking around, you feel otherwise, you're certainly able to tweak the permissions on the various files.

By default, though, files that shouldn't be readable by everyone aren't set to be world readable.

-Eric
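
The check Eric describes above, written up as an added example that is not part of the thread: a small POSIX shell audit helper that lists world-readable files under a directory and reports mode, owner and group for a given file, so an admin can confirm that sensitive files are not readable by every local account (the paths in the usage comment are suggestions, not taken from the thread).

```sh
#!/bin/sh
# Added example, not from the thread: audit helpers for the check Eric
# recommends, i.e. verifying that sensitive files are not world-readable.
# Assumes a POSIX shell with find, ls, awk, wc and sort available.

# List regular files under directory $1 whose mode grants read to "other"
# (the 0004 bit). Any local account, including the one a web server runs
# a user-uploaded PHP file browser as, can read these files.
find_world_readable() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Number of world-readable regular files under $1 (0 when there are none).
count_world_readable() {
    find_world_readable "$1" | wc -l | tr -d ' '
}

# Return 0 (true) if file $1 is world-readable, 1 otherwise.
# The 8th character of `ls -l` output is the "other" read bit.
is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# One-line report for file $1: mode, owner:group, path and a verdict.
report_file() {
    info=$(ls -ld "$1" | awk '{print $1, $3 ":" $4}')
    if is_world_readable "$1"; then
        verdict="WORLD-READABLE"
    else
        verdict="ok"
    fi
    printf '%s %s %s\n' "$info" "$1" "$verdict"
}

# Usage on a live system (run as root; paths are just typical candidates):
#   for f in /etc/shadow /etc/gshadow /etc/sudoers; do report_file "$f"; done
#   count_world_readable /etc
```

A non-zero verdict on a file that should be private is the case to fix with chmod/chown, as Eric suggests; a world-readable hit is only a problem if the file actually holds secrets.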

Fri, 07/10/2009 - 01:25
xoa

Which software do you use to make your PHP secure? I'm using suhosin, but it looks like it doesn't help for such things.

Fri, 07/10/2009 - 16:44
joealdeguer

Check to see if your web-based FTP client gives you the ability to limit users' access to only their home folders. In the past I have used net2ftp, which has the ability to limit access to only home folders. You can also chroot (jail) a user into his home folder. This is what I have done for some of my users. My preferred way to limit access. But having said that, I also want to point out chrooting is being discouraged by Virtualmin's developer Joe Cooper. You can search the forum as to why, then make your own decision.

Wed, 04/07/2010 - 10:17
RedKnot

The virtualmin "File Manager" option gives users access to the complete filesystem as root. I can download /etc/shadow and see the contents. Shouldn't this be restricted to the normal filesystem permissions the user normally has?

Martijn

Wed, 04/07/2010 - 10:22
andreychek

The virtualmin "File Manager" option gives users access to the complete filesystem as root.

Hrm, I'm not seeing anything like that on my system. I just tested as a normal user, and the filemanager goes as far as preventing me from seeing anything other than my homedir.

Are you certain that the user in question doesn't have sudo access, or otherwise isn't considered a Master Admin?

-Eric

Wed, 04/07/2010 - 10:33
RedKnot

No, when I log in via ssh the user has the normal restrictions. Maybe I can see the whole filesystem because I "Switch to Server's Admin"?

Wed, 04/07/2010 - 10:38
RedKnot

The issue is not "Switch to Server's Admin"; even when I log in as the user I can browse the complete filesystem and see all files.

Wed, 04/07/2010 - 10:46
andreychek

when I log in as the user I can browse the complete filesystem and see all files.

When you say "log in as the user" -- what are you referring to there, logging in over SSH? SSH doesn't restrict users to a directory like FTP can, but you'd never be allowed to view a file that the filesystem permissions didn't allow.

So if you can log in over SSH as a given user, and view the shadow file, that means that user, for whatever reason, has rights to see the shadow file :-)

You may want to view the file permissions in question, as well as review the rights and groups of the user.

-Eric

Wed, 04/07/2010 - 11:49
RedKnot

Sorry, what I meant is when I log in to virtualmin as the actual virtualmin user I can browse all files with the file manager. When I log in with SSH as the virtualmin user I can only see the files which I have permission for. I'm 100% sure the file and user permissions are correct; the file manager is running with root permission.

Thanks, Martijn

Wed, 04/07/2010 - 12:05
andreychek

Alright, well, I can't seem to reproduce the issue you're seeing on any of my systems.

I'd be happy to look into that further, but to do so, I'd need to login to your system both as your test user who can see the shadow file, as well as root, in order to review the various permissions and settings in play.

If that's okay, you can send me the login information for root and your test user via email using eric@virtualmin.com, and I'll take a look.

-Eric