Limit what a Server owner can access and configure

Hello,
Today I installed virtualmin 3.86.gpl and I am very excited with all the features provided! I have a question about the way that I can limit what a server owner can do.

First of all I would like to disable SSH access for virtual server owners by default and be able to allow only some of them to login using SSH.

Also where can I change what configuration options are available to a server owner through his control panel? Basically I would like to allow him to only create mail (and maybe ftp) users and aliases, see stats (but not configure stats), (maybe add some DNS records if this can be done without ability to edit or delete the predefined ones). Where can I configure these things?

I have found some options in the Default Settings Server Template that disable access to webmin modules but I guess this happens for all the virtual servers that use this template.

Any help would be appreciated

Howdy,

Take a peek at the Account Plan settings (in System Settings -> Account Plans).

There’s a number of screens in there that allow you to tweak what exactly a user has access to when you create a Virtual Server for them.

You could also make different Account Plans – one with certain options disabled, and another with all those options enabled.

As far as SSH goes – the key there would be to make sure users who should not have SSH access don’t have a login shell.

To disable SSH by default, you can go into System Customization -> Custom Shells, and look for the shell where both “Admin” and “Default” are set. Chances are, that shell is “/bin/bash” or perhaps “/bin/sh”.

Uncheck “Default”, look for the “/bin/false” shell, and make sure it has “Admin” and “Default” checked. That will prevent SSH logins by default.

-Eric
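
A way to verify the result of the shell change described in the reply above, as an added example that is not part of the original thread: it lists accounts that still have an interactive login shell and are not on an approved list. The sample data, the user names, the UID threshold of 1000 and the set of no-login shells are assumptions constructed for the illustration; on a real host the input would be the contents of /etc/passwd.

```shell
#!/bin/sh
# Added example: list accounts that can still get an interactive shell.
# Constructed sample in passwd(5) format; on a real host read /etc/passwd.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
example1:x:1001:1001:Owner one:/home/example1:/bin/false
example2:x:1002:1002:Owner two:/home/example2:/bin/bash
example3:x:1003:1003:Owner three:/home/example3:/bin/sh
mail.example1:x:1004:1001:Mailbox:/home/example1/homes/mail:/dev/null
example4:x:1005:1005:Owner four:/home/example4:'

# Shells that refuse an interactive login (assumed set; adjust per distro).
NOLOGIN_SHELLS='/bin/false /usr/sbin/nologin /sbin/nologin /dev/null'

# audit_shells PASSWD_TEXT MIN_UID "APPROVED USERS"
# Prints "user shell" for each account with UID >= MIN_UID whose shell is
# not a no-login shell and whose name is not in the approved list.
audit_shells() {
    printf '%s\n' "$1" | awk -F: -v min="$2" -v allow="$3" -v deny="$NOLOGIN_SHELLS" '
        BEGIN {
            n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
            m = split(deny, d, " ");  for (i = 1; i <= m; i++) nologin[d[i]] = 1
        }
        NF < 7 || $1 ~ /^#/ { next }     # skip malformed and comment lines
        $3 + 0 < min + 0    { next }     # skip accounts below the UID threshold
        {
            shell = ($7 == "") ? "/bin/sh" : $7   # empty field means /bin/sh
            if (!(shell in nologin) && !($1 in ok)) print $1, shell
        }'
}

# Only example2 is approved for SSH in this constructed scenario.
audit_shells "$SAMPLE_PASSWD" 1000 "example2"
```

The check covers only the shell field; sshd_config restrictions such as AllowUsers or AllowTcpForwarding are separate and are not examined here.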

Thank you for your reply!
By following your instructions I was able to disallow access to SSH by default but leave the option (for some server owners) to have Email, FTP and SSH access.
You just forgot to mention that I had to check “Enable” in the new custom shell, but it was clear anyway.

Regarding the configuration options available to the server owner, it seems that even if I uncheck all boxes many options remain available to the server owner.

Everything below the webmin modules is still active.
Can I disable these for specific server owners?

Also, I am not sure if the checkboxes under “Default available features” in “Edit Owner Limits” control whether the server owner will be able to configure these services or if these check boxes enable and disable these services for the virtual server!

Howdy,

> You just forgot to mention that I had to check “Enable” in the new custom shell but it was clear anyway

Nuts :) I’m glad you figured it out though!

> everything below the webmin modules is still active. can i disable these for specific server owners?

Those are configurable within the Server Templates… that’s in System Settings -> Server Templates -> Default -> Administrators Webmin modules.

If you’d like to give access to some folks, and not to others – what you could do is setup a second template.

> i am not sure if the checkboxes under “Default available features” in “Edit Owner Limits” control whether the server owner will be able to configure these services or if these check boxes enable and disable these services for the virtual server!

The help text for that particular option may assist in making that more clear… if you go into System Settings -> Account Plan -> Default -> Allowed virtual server features, click the text named “Default available features” for a description of how that works.

Basically though – those should be what features the Virtual Server owner has access to.

Whether or not they’re checked by default I believe is purely governed by System Settings -> Features and Plugins, where you can set “Default”.

-Eric

Thank you for all this information!
It seems that through the options you mentioned many things are configurable but not everything.

Regarding webmin modules I disabled all of them in

System Settings -> Server Templates -> Default -> Administrators Webmin modules

and the server owner I created using this template could still see some options under the “webmin” tab, but these options were generally another link to pages that were accessible through the virtualmin tab.
So no problem about extra unwanted privileges, but a little confusing for the server owner.

Note:
If I enable a webmin module in a server template then the server owners that have this template will get access to this webmin module. If I disable a webmin module from a server template the access is removed from the server owners but the links on his virtualmin tab remain for some minutes after the disabling (following the links produces an error stating that they have no access to the module). Is this normal?

So it would be nice to have the webmin tab hidden (to avoid the confusion mentioned above).
In Root’s main page (the system information page) there is a link on top-right that says “configure this page”. If I click this then at the bottom there is an option where you can choose if the webmin tab will be visible to everyone or nobody or only master admin.
Well there must be a bug with this option because when I set it to “only master admin” the server owners could still see the webmin tab and when I set it to “no” (not visible to anyone) the tab was hidden from master admin (after logout and login again) but not from the server owners!

Note:
When the webmin tab was hidden from the root user I tried to paste this URL https://virmin.netplug.gr:10000/left.cgi?mode=webmin in the browser address bar and I was able to access all webmin modules, so I guess that the “hide” does not mean “disable”! :)

Regarding virtual server features and permissions about them for the server owner I believe I am starting to get how things work :)
From the Master Administrator’s point of view:

  1. In [Edit Virtual Server -> Enabled features] are the features that are currently active for the main domain of the virtual server

  2. In [Administration Options -> Edit Owner Limits -> Allowed capabilities and features -> Allowed features for servers] are the features that the server owner can provide to sub-servers that he creates

  3. In [Administration Options -> Edit Owner Limits -> Allowed capabilities and features -> Edit capabilities for virtual servers] are the permissions that the server owner has for configuring things.

Please correct me if any of the above is wrong!

Now for a virtual server with ALL features enabled, NO capabilities enabled and owner NOT allowed to create subservers the server owner can:

  1. view awstats reports but not webalizer reports (why not webalizer?)

  2. configure awstats (perhaps there should be an option in capabilities to disable this)

  3. configure protected directories (maybe a checkbox in capabilities could allow this or not)

  4. preview the website (this is ok)

  5. configure mailing lists (another option in capabilities would be nice)

  6. configure DAV (also an option in capabilities would be useful)

  7. exclude directories from a backup even though he has no ability to do a backup which might seem confusing so this option should be enabled together with the “Can make backups” option

I could not find a way to configure these capabilities for the server owners.