SYSTEM INFORMATION
OS type and version: Rocky Linux 9.4
Virtualmin version: 7.20.2
If I add the xterm module to a Webmin user under “Edit Owner Limits”, the “Terminal” module is displayed in the sidebar, but when clicking this button or going through the Webmin menu and then Terminal, the user gets root access. How can I make sure this user will not gain root access? This user can’t gain root access via sudo.
Did you login as that user and then check?
Yes, I did. Clicking the button (Alt + K) still opens up as root even though the user is not in sudoers.
If I click this menu, the user in the terminal is correctly set to the current user, as it contains this link:
https://server:1000/xterm/index.cgi?user=thisuser&dir=%2Fhome%2Fthisuser
But I also can change it to root, which is dangerous.
https://server:1000/xterm/index.cgi?user=root
All of this happens inside the thisuser login, which is not in sudoers.
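A defender-side check for the behaviour described in this post, as an added example that is not part of the original thread or Webmin's own code: it scans access-log lines for Terminal requests where the `user` parameter is absent or differs from the logged-in account. The common-log-format layout, the sample lines, and treating `root` as the only admin login are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed layout: host ident authuser [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<auth>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TERMINAL_PATH = "/xterm/index.cgi"  # path taken from the URLs quoted in the post

# Constructed sample lines (not real log data).
SAMPLE_LOG = [
    '203.0.113.10 - thisuser [14/Aug/2024:17:01:02 +0000] "GET /xterm/index.cgi?user=thisuser&dir=%2Fhome%2Fthisuser HTTP/1.1" 200 5120',
    '203.0.113.10 - thisuser [14/Aug/2024:17:03:40 +0000] "GET /xterm/index.cgi?user=root HTTP/1.1" 200 5098',
    '203.0.113.10 - thisuser [14/Aug/2024:17:04:11 +0000] "GET /xterm/index.cgi HTTP/1.1" 200 5098',
    '198.51.100.7 - root [14/Aug/2024:17:05:00 +0000] "GET /xterm/index.cgi?user=thisuser HTTP/1.1" 200 5100',
    '203.0.113.10 - thisuser [14/Aug/2024:17:06:00 +0000] "GET /xterm/index.cgi?user=%72oot HTTP/1.1" 200 5098',
]

def audit_terminal_requests(lines, admins=("root",)):
    """Flag Terminal requests by non-admin logins that name another user or none."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than guessing
        url = urlsplit(m["target"])
        login = m["auth"]
        if url.path != TERMINAL_PATH or login in admins:
            continue  # admins (assumed: root only) may open other users' shells
        requested = parse_qs(url.query).get("user", [])  # percent-decoded values
        if not requested:
            kind = "no-user-param"   # the post reports this opening as root
        elif any(u != login for u in requested):
            kind = "user-mismatch"   # e.g. ?user=root sent from a thisuser session
        else:
            continue
        findings.append({"kind": kind, "login": login, "requested": requested,
                         "time": m["time"], "host": m["host"],
                         "status": int(m["status"])})
    return findings

if __name__ == "__main__":
    for f in audit_terminal_requests(SAMPLE_LOG):
        print(f["time"], f["host"], f["login"], f["kind"], f["requested"])
```
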
Ilia
August 14, 2024, 5:20pm
That’s not how you should do it for the users, instead use System Settings ⇾ Server Templates: Edit Server Template / Administrator’s Webmin modules page.
Joe
August 14, 2024, 5:26pm
Is that one of the Server Template items that applies immediately to existing servers? (I hate that Server Templates are sometimes “only on creation” and sometimes “applies to all servers created with this template”).
Ilia
August 14, 2024, 5:34pm
Yes, it is.
Agreed! Though, this is the only section in Templates that “mis-behaves” … Still, @Jamie , we should move everything from under Templates / Administrator’s Webmin modules to Edit Owner Limits page, to a new accordion …
This works! Thank you. I was scouring through the documentation but found no luck.
Joe
August 14, 2024, 5:50pm
Terminal is quite new. It hasn’t had a chance to get docs coverage.
Ilia
August 14, 2024, 5:59pm
I’d say it should be more intuitive. Needing documentation for every step is not ideal. It’s not obvious that Administrator’s Webmin modules are in templates, as templates should serve a different purpose.
It would make much more sense to place it under Edit Owner Limits.
Maybe tie this in with making features read from the plan and not copied.
Templates / Administrator’s Webmin modules is behaving exactly as I would expect for a features section. You make a change and the change is instant; it does not need to be pushed to accounts.
What happens now!
Currently when you setup a new Virtual server, you select your ‘Account Plan’ and a ‘Server Template’, these settings are copied and installed into the new server and then the ‘Account Plan’ is not used anymore, even though it is listed as the ‘Account Plan’ in ‘Edit Virtual Server → Configurable settings → Account plan’
Read directly from ‘Account Plans’
‘Account Plan’ settings should be read directly from the plan which will allow ‘Account Plans’ to be updated by admins an…
opened 06:03PM - 16 Nov 23 UTC
## What is the issue
The `Account Plans` suffers from an issue where if a user … clicks on `Save and Apply` when he updates an `Account Plan`, it will wipe out any custom overrides he has applied to his accounts under this plan. Some people have got used to changing the permissions and options on a virtual server rather than updating an `Account Plan`.
If an admin just uses the `Save` button then the changes on the plan will only affect new users and therefore the tight sync between the `Account Plan` and `Accounts` becomes greater.
The use of the word `Defaults` on the account plan page is confusing and not correct after the initial creation of the virtual server, yet the functionality does not change.
The `Save` and `Save and Apply` options were introduced to allow users to keep customizations on certain accounts but this came at the cost of keeping accounts and the plans in sync.
## What do I propose, an Overview
Firstly, we need to get rid of the `Save` button as it will be pointless, so we will just be left with the `Save and Apply` button and its logic.
We need to add checkboxes to the 2 pages (`Edit Account Plan` / `Server Owner Limits`) to define whether the plan settings can be overridden.
We can either have 1 check box on each page to cover all of the settings (A), or each section can have their own check box to allow for fine grained overriding (B). (B) is my preferred option.
*The images below assume the relevant pages have been updated as submitted in #686 and while this is preferable it is not required*
The checkboxes have a slightly different function on the different pages as outlined below:
**Edit Account Plan**
![Edit-Account-Plan-Override](https://github.com/virtualmin/virtualmin-gpl/assets/319997/c00d3875-420d-490b-b901-19b4159a3ad8)
- Allow all of these settings to be overridden / Allow these settings to be overridden
- When this option is ticked, this will allow accounts via `Edit Owner Limits` to override these plan settings. If it is not ticked then the option to override will be greyed out and they will not be able to change anything in this section.
- When this option is ticked and the admin clicks on `Save and Apply` accounts where plan members have `override these settings` on the corresponding section in `Edit Owner Limits` set to ticked, then these settings will not be overridden.
- If this option is not ticked, this section of the plan will be pushed to all member accounts irrespective of their settings and their `override these settings` will be unticked and the options greyed out as the permission to override have been removed.
- These settings define if they can be overridden in `Edit Owner Limits`
**Server Owner Limits**
![Server-Owner-Limits-Override](https://github.com/virtualmin/virtualmin-gpl/assets/319997/1602a5c9-4282-48a3-a21f-69a596407ce4)
- If allowed, these checkboxes will allow an account owner to override a particular section of Plan settings, and these settings would not get overridden by a plan update as long as the permissions were maintained in the plan to allow overriding for this section
- If the account owner is not allowed to change a section of settings then they will all be greyed out and cannot be changed by them.
**Save and Apply routine**
The save and apply routine would need to be upgraded to take into account the booleans in the `Account Plan` and the `Server Owner Limits` so it can determine whether it can push settings to that particular account and its various sections.
**Additional**
- you could add per account quota overrides.
- the tooltip text will need changing to remove the word default and maybe make them more relevant.
- I would rename `Edit Owner Limits` to `Edit Plan` or `Override Plan`. but limits is the wrong one.
- on the `Edit Account Plan` I would remove the word default from
- Default available features
- Default editing capabilities
and leave the server templates to be exactly that. Server templates are a unique and powerful feature that is well developed for custom apps, but it does need some work done on it.
Ilia
August 14, 2024, 8:48pm
Yeah, pre-defined in “Account Plans” and later controlled in “Edit Owner Limits”.