New Virtual Server users have incorrect permission

Hey,

When creating a new Virtual Server, the user that is created is able to do things such as:

- Start/Stop/Restart Apache
- Start/Stop/Restart MySQL
- View all MySQL databases and edit permissions
- Edit ‘DNS Options’ in Virtualmin

Why are they allowed to do this when created? O_o I can’t find anywhere in the Virtualmin config to limit this. (Virtualmin 3.53 + Webmin 1.4 btw)

Regards,

Ok, seems the first 3 have fixed themselves with my playing around =3. The last one, though, still stands.

The link ‘Server Configuration->DNS Options’ still exists, and users can edit. Why so?

Look in your Module Config under Webmin modules available to server admins. Say ‘No’ to BIND DNS Server (for DNS domain)

Hum, that is what it’s currently set to.

Note that almost all options in Module Configuration and Server Templates are applied to new virtual servers, and NOT existing virtual servers. You need to edit the virtual server(s) in question to disable this stuff.

Though, frankly, I can’t figure out how you ended up with permissions like you described in your first post to start with -- I thought it was pretty hard to grant such wide-reaching privileges to virtual server owner accounts (not impossible, of course, as Virtualmin is very flexible and generally assumes you really want to do what you tell it to do).

Hi Joe,

I have been deleting the virtual server and creating it again many times to test other things, yet the option still remains. I’ve also tried setting the option back to yes, then set to no again. Still no luck.

Regards,
Alex

Hey Alex,

Sounds kinda bug-like, as it really should be difficult to grant limitless privileges in any of the Webmin modules to a Virtualmin virtual server user. I’ll ask Jamie to chime in here.

At the moment, there’s no way to stop users from accessing the ‘DNS Options’ page. But it is pretty harmless, as all they can do is manage SPF records in their domain.

But in the next Virtualmin release, I won’t allow it if users are allowed to edit DNS records in general.

Ok, thanks very much Joe and Jamie =)