I am a beginner on virtualmin and webmin, and I wanted to add the feature to my clients’ various accounts to be able to use the shell available on virtualmin in the lower left menu.
I would have expected that by adding this capability my clients accessing the shell would find themselves logged in with their own account, and with the limitation of being able to browse only their domain folders, but instead by accessing the shell they find themselves logged in as ROOT, being able to do any command through the shell as root (edit any files within the machine, restart the machine… everything)
To add the shell permissions I performed the following steps:
Virtualmin menu with affected domain selected → Administration Options → Edit Owner Limits → Other restrictions → Extra Webmin Modules → add “shell”
The same problem exists even if instead of the shell module I use the xterm module.
Did I do something wrong, or did it actually create a problem?
(I apologize in advance for any grammatical errors)
Domain owners already have shell access as the default access is for Email, FTP and SSH.
While it allows them to view stuff outside of their domain, it doesn’t allow eg file edits to be saved or reboot etc commands to be run.
Personally I am curious why you want to allow clients to have shell access?
So you logging in on webmin with their own username not root. Normal behaviour in their Terminal Login is that user and locked into their location.
Shell (not terminal) access is logging in with a client like putty.
I know it sounds strange, but in my case, using the terminal button of virtualmin, the user is logged directly as root, and doing tests can do anything.
By logging in with the domain “prova” you can clearly see that it says that I am the root user (root@alessiohhproject, instead it should be prova@alessiohhproject), and by doing tests, I was even able to reboot the machine by simply typing “reboot” (when it says that the connection has been closed, by checking the status of the vps through my provider’s control panel, it is really rebooting).
Using a client (putty) this does not happen, and the user logs in with his user with all its limitations. However, I wanted to offer the possibility to use the terminal directly from the site, and I would also like to solve this problem.
I attach screenshot (unfortunately, I can’t attach more than one screenshot yet, sorry).
Webmin modules are root access tools, by default. Some can be locked down, but in this case, Virtualmin already has support for granting users Terminal access. You should not grant them access to the Terminal Webmin module. They don’t need it.
From the help popup for that option: Be very careful with this option, as most Webmin modules default to providing dangerously complete control over the services they manage.
If you use the button in the left menu as you recommended, the user logs in directly with his account, as he should. The problem is that if he uses the terminal that opens from the little button at the bottom (or uses the alt+k combination), he still logs in as root, and I don’t think I have the ability to remove that button without also removing the one that works properly.
And then regardless, it shouldn’t be able to log in as root, that’s the problem.
Exactly, from the left terminal button the user logs in correctly. It has all the limitations it should have and cannot execute any commands as root, it is perfect.
Instead, using the bottom button automatically logs in as root.
I even tried recreating a new domain from scratch by adding the terminal as explained in the initial post, but the problem persists.
I’m a beginner so maybe I’m doing something wrong, but I really don’t understand, also because I haven’t touched any configuration or anything inside the server.
User prova is not allowed to run sudo on localhost.
but if you see something like
Matching Defaults entries for prova on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin,
User prova may run the following commands on localhost:
(ALL : ALL) ALL
user ‘prova’ has root privilege and this privilege should be removed.
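The sudo check from the post above, as an added example that is not part of the original thread: it classifies the text printed by `sudo -l -U <user>` so every domain owner can be checked in one pass. The function names and the sample listings are constructed for illustration (the NOPASSWD/systemctl rule does not come from the thread), and the check covers sudo rights only, not what a Webmin module is allowed to do.

```shell
#!/bin/sh
# Added example (not from the thread): classify the text printed by
# `sudo -l -U <user>` as none / limited / full / unknown.

# Reads a sudo listing on stdin and prints one verdict word.
classify_sudo_listing() {
    awk '
        /is not allowed to run sudo/ { verdict = "none" }
        /may run the following commands/ {
            in_rules = 1
            if (verdict == "") verdict = "limited"
            next
        }
        in_rules && /^[ \t]*\(/ {
            rule = $0
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", rule)      # drop the "(runas)" part
            while (sub(/^[A-Z_]+:[ \t]*/, "", rule)) {}  # drop tags such as NOPASSWD:
            sub(/[ \t]+$/, "", rule)
            if (rule == "ALL") verdict = "full"          # unrestricted command set
        }
        END { print (verdict == "" ? "unknown" : verdict) }
    '
}

# Prints "<user> TAB <verdict>" for each account name given.
# Must run as root, because listing another user's rights requires it.
audit_users() {
    for u in "$@"; do
        printf '%s\t%s\n' "$u" \
            "$(sudo -l -U "$u" 2>/dev/null | classify_sudo_listing)"
    done
}

# Constructed sample listings in the format quoted in the thread.
SAMPLE_DENIED='User prova is not allowed to run sudo on localhost.'
SAMPLE_FULL='Matching Defaults entries for prova on localhost:
    env_reset, mail_badpass

User prova may run the following commands on localhost:
    (ALL : ALL) ALL'
SAMPLE_LIMITED='User prova may run the following commands on localhost:
    (root) NOPASSWD: /usr/bin/systemctl reload apache2'

# When account names are passed as arguments, audit them for real.
if [ "$#" -gt 0 ]; then audit_users "$@"; fi
```

Any account reported as `full` has the `(ALL : ALL) ALL` style entry the post describes; `limited` means the listed commands still need reviewing by hand.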
I have no idea what setting is not correct, but I ran a new instance of UB 22.04, installed virtualmin (via the virtualmin installer and not apt install webmin then install the virtualmin module), created a domain, switched to that user & everything works as expected (no root access). Have you edited a template or account plan? Have you altered any setting (virtualmin or webmin) away from the defaults?