Re: Discovery of Potential Security Problem

Hello Everyone,

I am not sure if it's me and the way I created the domain or server; however, I just noticed that when I create a user on said domain.tld, the account for email is created in this fashion:

lcooper@domain.tld, however when that person logs in to the said email account they log in with their username, such as lcooper.admin <- bad problem

See where the problem with security is.

When I created the domain it asked me for an admin username, so I put admin. Now any user accounts I create for this domain, be it email or what have you, have to have .admin in the login name.

This is a very troubling problem for me as I do not need every user on my server knowing the admin name and this could be a potential security threat.

If I am wrong, fine, show me how to fix this, but I set this up exactly as the documentation showed me to set it up. Most panels use the email address as the login, Why does this have the admin name in the login/Username? (Doesn’t make sense to me at all.) To me this is a huge security risk.

Thanks,

Post edited by: houstonpcguy, at: 2008/02/02 11:36

Howdy Michael,

I’m not sure how someone knowing the admin name for the virtual server is a “huge security risk”. Everybody knows you have a “root” account…that doesn’t make it a security risk to have a “root” account.

Couple of things, that will hopefully make things more clear:

Usually, the username for the virtual server admin is the first part of the domain name–you’ve chosen to use something else. So, our administrative account for the virtualmin.com virtual server is “virtualmin”. Note that I’m not at all nervous about posting that username publicly. A strong password means it would take years to brute force that account based on the username alone. :wink:

You can choose different styles for usernames. It is configurable in the server templates. You can even choose to use the user@domain.tld style, though I recommend you read the FAQ on the topic before making that decision:

http://www.virtualmin.com/faq/cat/virtualmin/68/#faq30

> Most panels use the email address as the login, Why does this have the admin name in the login/Username? (Doesn't make sense to me at all.) To me this is a huge security risk.

It’s not the admin name. It’s actually the group name, but because you’ve changed the admin name (and its group) to “admin”, that’s what shows up in the username. It would ordinarily be “user.domain”, which is just what I happened to prefer. But it is wholly configurable in Server Templates and the Module Configuration.

Hello Joe,

Well, maybe it's a misunderstanding on my part. I didn't realize I should use the domain as part of the name, which is fine, that makes perfect sense. Unfortunately, I have already got these domains up and running. My bad, I wasn't trying to cause a problem. Just thought it needed mentioning. My bad. Thanks for your clarification. I should probably leave them at default from now on when I create them.

I appreciate all your hard work, I really do. I love the software as well: clean, clear and concise.

Good job Joe, thanks again.