Issue with Users

7 posts / 0 new
Last post
#1 Mon, 11/21/2005 - 11:37
JasonEisert

Issue with Users

Installed virtualmin and so far so good. However I do have one issue.

When a user logs in to their panel and uses the Java based file manager they are able to browse the entire server.

Is there a way to make it so that they can not browse the server? Also, with SSH.

Mon, 11/21/2005 - 13:49
FaisalMehmood

Hi.

Jason go into the Virtualmin Servers and then click on the module Config option on the top.

In the module config option scroll down to see the file manager option and make sure it is set to home directory as YES.

Thanks.
Faisal.

Oh and for the SSH option, they are still working on that.

Mon, 11/21/2005 - 19:05
JasonEisert

That does appear to be checked. It does start me off in the correct folder but I have the option to go back with ..

When clicking on that I am able to keep going back all the way to the root of the server.

Mon, 11/21/2005 - 20:46
JasonEisert

This seems to be ok with webmin but is a problem in usermin.

Also, I have noticed that in the usermin module that the web mail does not work with the specified user. It will not display mail nor does it display the correct email address. It will show the user@hostname.

Mon, 11/21/2005 - 22:58
Joe
Joe's picture

Hey Jason,

To correct the File Manager problem in Usermin, you can set it the same as the Webmin File Manager using the Usermin Configuration module under the Webmin tab. Click on Module Configuration, File Manager, and select "Allow access to home and directories below.." It seems we forgot to setup Usermin in our installer! This will be fixed in the next release this week.

The mail problem you've noted is also evidence that we forgot Usermin existed for a moment. It's very embarassing for us. ;-)

To fix it:

Edit the Module Configuration for Read Mail

Change the "Mail storage format for Inbox" to "Qmail style directory (maildir)".

Change "Default hostname for From: addresses" to "From URL"

You probably also want to change "When deleting mail" to "Move to trash folder" as people have been spoiled by GMail/Yahoo Mail/etc. into expecting it. (That's not all they expect these days...we'll be working to make sure they aren't disappointed over the next few months.) ;-)

As was mentioned already, ssh is being worked on. It's a tougher problem and requires a lot of extra stuff--either a chroot environment, or a from-scratch shell that restricts the user...the problem there is then that we have to be able to trust the new shell not to introduce new and more dramatic security issues.

The next release does make some improvements however, which you can achieve right now by doing the following:

Edit the Default template in Server Templates (or any or all of your custom templates).

Find the option labeled "Add Apache user to Unix group for new servers?" Set it to "Yes, Apache user is apache".

A couple of options down, find "Permissions on website subdirectory". Set this to 750.

Now, to apply it to all of your existing domains, edit the secondary groups for Apache using the System:Users and Groups module. Add all of the domain users to the Apache users secondary group list (i.e. click on the Apache user in the Users list, and Ctrl-Click all of the domain user names in the Secondary groups multi-select box).

Finally, "chmod 0750 /home/*".

This will prevent users from "seeing" into other users homes. It won't prevent them from seeing the other users home directories or from dropping down into /home or /, however. I don't think that can be done with UNIX permissions (we can probably do it with SELinux though...but we'll have to write a huge set of custom policies, which is a nightmare to do--but it's certainly easier than writing a restricted shell from scratch, and probably easier for our users to customize, and there is a Webmin module for SELinux in a possibly maintained state).

To get more specific (and secure), I think you can safely disable all "other" modes:

chmod -R o-rwx /home/*

I'm unsure of the side-effects of this, particularly on things like Subversion, Mailman, etc. Since Apache is now in your group, it can read but not write (except where it is supposed to), so I think it is safe. But it is probably untested, though I think I did this exact thing on scipy.org, which is my "Real Life" Virtualmin test bed, with only good consequences.

Anyway, that gets us much closer to the goal--and better than most virtual hosting environments (for example, as discussed previously here in the forums, the FrontPage extensions make these kinds of permissions impossible, because SuExec doesn't work--so you have to use a restricted shell, or you can't restrict your users in any reasonable way).

Hope this helps. We'll be adding all of these things to the next release--and I'll probably whip up an upgrade script for folks who have already got their systems in production use (or far enough along that they don't want to uninstall Virtualmin and start from scratch). It's definitely enough steps to insure that half the folks who try it will get it wrong half the time they do it (and I'll get it wrong 90% of the time that I try it, because I'll try to do it from memory and I'll fail to remember everything).

--

Check out the forum guidelines!

Tue, 11/22/2005 - 15:38
JasonEisert

Thank you very much for your help.

I have noticed a few issues though you may still be working on them but thought I would post them.

I followed your instructions on the email and when using read mail / compose, email usernames show up as the logged in name and when using the URL presents a problem as well.

ex : if login is jason.demo and the IP of the server was used rather than typing in the username I get jason.demo@10.0.0.1 rather than jason@demo.com

This issue appears to be in multiple areas, scheduled mail, SSH Configuration are a few areas.

I was able to get the File manager to block showing other files. Thanks for your help.

If you want to use an apache options file you are able to browse the server. There is also no way to remove the options file (Or maybe i missed it) I know that

you can log in via FTP or the file manager to remove it.

Also, any where that there is a file that requires a path when clicking on the .. you are able to browse the server. I do notice that can not save anywhere but it stills gives the possible unwanted person borwosinf the server folder structure.

I think that mail issue seems to be the biggest issue for me right now. I have put SquirrelMail on the server for the time being.

In Virtualmin when creating a new virtual server if you select to creates a MySQL database it shows that there are two databases however looking in the MySQL server there is only one. If you do not create the database at the time of the virtual server creation then all is well.

Thanks again for all of your help

Jason

Tue, 11/22/2005 - 16:03
JasonEisert

I was able to figure out the browsing the server issue by going in to access control options in the usermin config tab.

However the email issue and the database issue still remains.

Thanks,

Jason