Submitted by aitte on Tue, 02/26/2013 - 21:08
# ls -al /etc/webmin/servers
total 24
drwx--x--x 2 root bin 4096 Feb 16 22:30 .
drwxr-xr-x 122 root root 4096 Jan 28 05:38 ..
-rw------- 1 root root 1757 Feb 16 22:17 135918432059850.serv
-rw-r--r-- 1 root root 5 Feb 16 22:30 135918432059850.serv.lock
-rw-r--r-- 1 root root 1634 Feb 16 20:42 135918461764760.serv
-rw------- 1 root bin 124 Jan 24 00:44 config
cat /etc/webmin/servers/135918461764760.serv
pass=rootpwdhere
Not exactly a shining example of security or how to store root passwords.
Always ensure that .serv files have 600 permissions. I know, only root can read the files either way because of the folder they're in, but it looks bad.
As for the plaintext issue, I guess there's not much that can be done since multiple Cloudmin hosts need to be able to share systems, so passwords encrypted with per-host encryption keys won't work. Oh well.
Status:
Closed (fixed)
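A small audit script, added here as an example (it is not part of this issue or of Cloudmin), that finds .serv files in a Webmin servers directory whose mode is not exactly 0600 and optionally tightens them. Search (x) permission on the directory without read permission stops other users from listing it, but a file inside that is itself 0644 can still be opened by anyone who already knows its name, which is why the per-file mode matters independently of the directory mode. The function names and the constructed demo directory (same file names as the listing above, modes chosen to mirror it) are assumptions; find -maxdepth is supported by GNU and BSD find but is not strict POSIX.

```shell
#!/bin/sh
# Added example, not from the issue or Cloudmin: audit Webmin *.serv files
# for any mode other than 0600 and optionally fix them. A non-listable
# directory (drwx--x--x) does not protect a file whose name is known, so
# the file's own mode is what keeps the stored password private.

# Print the path of every *.serv file directly under $1 whose mode is not 0600.
# (-perm 600 without a leading - or / is an exact match.)
list_loose_serv_files() {
    find "$1" -maxdepth 1 -type f -name '*.serv' ! -perm 600
}

# Print how many such files exist (0 means the directory passes the check).
count_loose_serv_files() {
    list_loose_serv_files "$1" | wc -l | tr -d ' '
}

# Tighten every loose *.serv file to 0600 and report each change.
fix_loose_serv_files() {
    list_loose_serv_files "$1" | while IFS= read -r f; do
        chmod 600 "$f" && echo "fixed: $f"
    done
}

# Build a throwaway copy of the layout shown in the issue. File names
# mirror the listing; contents are empty and modes are constructed.
# Prints the path of the constructed servers directory.
make_demo_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/servers"
    chmod 711 "$d/servers"                                # drwx--x--x
    : > "$d/servers/135918432059850.serv"
    chmod 600 "$d/servers/135918432059850.serv"           # already correct
    : > "$d/servers/135918432059850.serv.lock"
    chmod 644 "$d/servers/135918432059850.serv.lock"      # lock file, not audited
    : > "$d/servers/135918461764760.serv"
    chmod 644 "$d/servers/135918461764760.serv"           # the offender
    echo "$d/servers"
}

# Stand-alone run: audit the constructed directory, fix it, audit again.
if [ "${1:-}" = "demo" ]; then
    demo=$(make_demo_dir)
    echo "loose before: $(count_loose_serv_files "$demo")"
    fix_loose_serv_files "$demo"
    echo "loose after:  $(count_loose_serv_files "$demo")"
    rm -rf "$(dirname "$demo")"
fi
```

Against a real host you would call list_loose_serv_files /etc/webmin/servers as root (the directory is not readable by anyone else), and fix_loose_serv_files once you have reviewed the list; the .serv.lock files are left alone since they hold no credentials.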
Comments
Submitted by JamieCameron on Tue, 02/26/2013 - 21:11 Comment #1
Those files shouldn't be readable by regular users, as the /etc/webmin/servers directory isn't listable. However, 600 permissions would be an improvement - and is already the default for new VMs. I will make sure Cloudmin sets those permissions for existing VMs in future.
Submitted by Issues on Tue, 03/12/2013 - 22:16 Comment #2
Automatically closed -- issue fixed for 2 weeks with no activity.