Don’t get all bent out of shape! Read through my post because we are on the same page here…
The best is to use key authentication or a super complex password with 2FA, both combined with Fail2Ban or a similar tool.
Yep, you’re right, I was just bouncing off of your comment about the terminal. Some others seemingly don’t want that behavior, but I think it’s the obvious right thing.
I think people should still be aware, however, that a sudo ALL user in Webmin has the ability to use all the modules and such with no limits, by default; that’s expected/intended (after all if you have sudo ALL privileges, you can sudo su - to become root or sudo to change anything on the system). This isn’t “privilege escalation” in the security exploit sense…a user with sudo ALL is already root-capable.
That doesn’t make it ineffective. You are treating a platitude as a gold standard here. It is just one more facet to keep the truly inept from using up your resources trying.
Yes, I always use a key, complex pass and 2FA along with Fail2ban PLUS I set a trust zone on firewalld with an ipset allow list with my IPs that log into Webmin…
Yeah, that’s why I said I don’t disagree in the first place.
Personally, most terminal work is ssh via keys to a non-standard port. I rarely use the built-in terminal but I set up one user with all privileges to login to my WM/VM instance. For me it seems silly to have that user having to sudo in the terminal when it isn’t expected elsewhere. This is the same as asking for sudo every time you make a change in the gui. (And yes, in this case for me, the terminal is just one of the gui modules.)
I’ve logged into my instance as a privileged user, I expect the privileges to be universal. Asking for a root login goes against my 25 years of Linux experience. But, that’s me I guess.
As Virtualmin uses a customized version of Webmin, I’d ask you don’t do this for that version. I’d suspect most VM users consider this a work environment.
Sure, that’s a valid point too! We’ll make it tweakable in the Terminal module ACLs, allowing sudo-capable users to directly log in as root@host:~#.
Should there be a pool on how many posts there will be on this after the next update changes the behavior?
Only half joking here.
Oh, it’ll suck. We’ll see dozens of confused people who don’t read the release notes when we roll out new versions.
Do you mean changing the default login for sudo-capable users to user@host:~$ rather than root@host:~# in the terminal?
I know I’ve already lost this but…
If you want this to be enterprise oriented software, keep the default as is because people expect to just be able to log in and work. The existing user base isn’t necessarily going to appreciate the change either. (If the user doesn’t want to be root then can’t they just su to another user just as simply?)
If you want desktop oriented behavior, where nanny mode is tolerated, then by all means change it.
Another option is if the user has sudo then offer a second ‘root’ terminal option. Probably more complicated and uglier to code but the user can decide on the fly.
I realize we are down to ‘nits’ here, but come long work days they can add up.
But again. I keep a terminal window (often multiple tabs) open to the server on an adjoining desktop.
Is it possible to have this use the user’s .bashrc?
lol. Enterprise doesn’t use Virtualmin. We’d make a lot more money if they did.
And, enterprise customers are so much more stringent about stuff like this than y’all are. Right now at my day job, I’m dealing with a nightmare ssh proxy thing that one of our customers requires us to use because it allows them to monitor who is logging in when. The idea that users login as “root” in the enterprise is crazy. Tracking which user did what is mandatory in enterprise environments, and that means you can’t become root; you don’t get the ability to sudo su -. You have to sudo whatever-command, so that it’s logged who did what when.
That is what I am hoping, because the terminal in webmin as of now, uses the .bashrc located in /root.
I know this because that is how I immediately realized I was root in webmin terminal, I have set the PS line in .bashrc in /root to “scream red color to warn that you are root”.
Why are people so nervous having to use a password one more time ONLY in the terminal? (not on anything else within webmin, at least that is how I interpret what the devs are saying)
Why are you so nervous for something that is on ALL OTHER LINUX SYSTEMS?!?
Some in here even argue removing the sudo passwd check in sudoers file is better than requiring a user to manually take action to escalate to root in a terminal.
I don’t know what to say.
Also remember, sudo != root.
Agreed, and also one of the main reasons sudo was created in the first place.
I honestly hardly remember when I was user root on any system last time. 99.99% of all commands demanding root are runnable using sudo, no need to ever switch to root.
Because they don’t know how to configure sudo for that behavior, maybe? @ID10T look up NOPASS in sudoers. You can keep the behavior you have now.
And, no, this won’t affect anything else in Webmin/Virtualmin. It’s just making terminal behavior align with what all other terminal sessions would do, when logged in as a non-root sudo-capable user. (At least, I assume/hope that’s what Ilia is implementing. We shouldn’t do something weird here. It needs to act like any other terminal.)
lol… I think this is what @bedna was complaining about because I quoted this is what I do
Is that actually true?
The only distro I have ever installed where a passwd check for sudo is not present at install was dietPi…
Sounds awfully insecure of Red Hat to give root access to users without a password check, just by being a member of a group…
No, it is not. NOPASS does not get enabled by default for users in RHEL/Rocky/Alma/etc. You’d have to enable it.
Although my last install of AlmaLinux 8 before I left it for Ubuntu was set by default.
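
Added example, not part of the thread and not Webmin or Virtualmin code: a way to settle the "is it enabled on my box?" question above by auditing the sudoers rules themselves. It flags rules carrying the `NOPASSWD` tag (the sudoers tag for passwordless sudo) and rules that grant `ALL`. The sample file content, the principals in it and the severity labels are constructed for illustration.

```python
import re

# Constructed sample sudoers content; not taken from any system in the thread.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
%admins     ALL=(ALL) NOPASSWD: ALL
deploy      ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, \\
                /usr/bin/systemctl reload nginx
backup      ALL=(root) /usr/bin/rsync
"""

SKIP = re.compile(r"^(Defaults|\w+_Alias)\b")          # settings and alias definitions
RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")                     # e.g. NOPASSWD:, PASSWD:, NOEXEC:


def audit_sudoers(text):
    """Return one finding per (principal, command) pair in sudoers text.

    Simplified on purpose: aliases are not expanded, #include files are not
    followed, and commas escaped inside command arguments are not handled.
    """
    findings = []
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():   # fold continuations
        line = line.strip()
        if not line or line.startswith("#") or SKIP.match(line):
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        who, runas, cmds = rule.group(1), rule.group(3) or "root", rule.group(4)
        nopasswd = False              # a tag applies to later commands until overridden
        for cmd in (c.strip() for c in cmds.split(",")):
            while (tag := TAG.match(cmd)):
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                cmd = cmd[tag.end():]
            if cmd == "ALL":
                severity = "high" if nopasswd else "root-capable"
            else:
                severity = "review" if nopasswd else "scoped"
            findings.append({"who": who, "runas": runas, "command": cmd,
                             "nopasswd": nopasswd, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['severity']:<13}{f['who']:<9}as {f['runas']:<8} {f['command']}")
```

On a real host, feed it the contents of `/etc/sudoers` and each file under `/etc/sudoers.d/`, since drop-in files are not followed automatically here.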