user confinement

Hi,

I’m currently using Webmin with Virtualmin Pro and Usermin.

Here are my settings:
3 master admins (me and 2 friends) for general server management
2 resellers (my 2 friends)
a lot of admins (one per website)

Here is my issue:
master admins can manage every virtual server: that is fine and quite normal
resellers can only manage their own clients’ virtual servers: that is fine too

BUT
every admin can manage every virtual server
where I would like them to manage only their own server.

What have I done wrong?

BUT every admin can manage every virtual server where I would like them to manage only their own server.

Well, I’d expect that to be the case when dealing with a set of Sub-Servers.

That is, if you create example.com – and then create two Sub-Servers under example.com – the admins for any of those would be able to manage all of them.

Those admins should not, however, be able to edit top-level Virtual Servers that aren’t at all related to example.com and the Sub-Servers therein.

Does that help at all? Does it still sound like things aren’t working as you’d expect?

-Eric

type / domain / admin login

top / domain.com / domain_admin

sub / domain.fr / domain_admin

sub / domain.eu / domain_admin

top / testAdomain.fr / testAdomain_admin

top / testBdomain.com / testBdomain_admin

sub / sub1.testBdomain.com / testBdomain_admin

If I want testAdomain_admin to be able to manage email/ssh/ftp users for his domain, I give him Virtualmin access

but if he has Virtualmin access he can also manage testBdomain.com, domain.com and every domain available on my server :frowning:

That’s weird

Hrm.

That’s certainly not expected behaviour :slight_smile:

Does the user in question by chance have sudo access set up in the /etc/sudoers file?

That’s the only thing I can think of that might cause what you’re seeing.

Otherwise, I’d probably need to take a look…

-Eric

Well, each admin is in his own group

sudoers are only root or %admin (admin group)

but
groups testAdomain_admin

gives only
testAdomain_admin

not in admin group

Alright, it’s really hard to say at this point;

I’m not sure if it’s a bug, feature, or configuration problem that you’re seeing :slight_smile:

To be of much assistance, I’d probably need to see at least two top-level domains in question, and the info for the admins who are supposed to be able to control them.

What I’d be interested in is their /etc/passwd entries, everything relevant in /etc/group, and the full sudoers file.

However, that’s starting to get a bit complex to post in here – so I’m wondering if you’d mind if I logged into your system to take a peek.

If that’s okay, you can send an email to eric@virtualmin.com, including:

  • Root login details

  • A link to this forum thread in the message body.

  • Login information for two Virtual Server admins who should only have access to their own stuff, but instead can manage things they shouldn’t.

I think that about covers it!

Thanks,

-Eric
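The check discussed above (does a Virtual Server admin get sudo rights through /etc/sudoers, either directly or through a group?) as an added example that is not part of the original thread or of Virtualmin. The file contents are constructed samples, the function names are hypothetical, and only plain user and %group rules are handled (no alias expansion, no included files).

```shell
# Constructed sample files (not from the thread) so the check runs offline.
D=$(mktemp -d)
cat > "$D/passwd" <<'EOF'
testAdomain_admin:x:1001:1001::/home/testAdomain:/bin/bash
testBdomain_admin:x:1002:110::/home/testBdomain:/bin/bash
domain_admin:x:1003:1003::/home/domain:/bin/bash
EOF
cat > "$D/group" <<'EOF'
admin:x:110:domain_admin
testAdomain_admin:x:1001:
domain_admin:x:1003:
EOF
cat > "$D/sudoers" <<'EOF'
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
EOF

# All groups of user $1: primary (GID field in passwd $2) plus supplementary (group $3).
user_groups() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$2")
    awk -F: -v u="$1" -v gid="$gid" '
        gid != "" && $3 == gid { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$3"
}

# First field of each plain rule in sudoers $1 (hypothetical helper): skips
# comments, blank lines, Defaults, alias definitions and @include directives.
sudo_principals() {
    awk 'NF == 0 || $1 ~ /^(#|@|Defaults|(User|Runas|Host|Cmnd)_Alias)/ { next } { print $1 }' "$1"
}

# Exit 0 and print the matching principal if $1 is covered by a rule in sudoers $4.
has_sudo() {
    grps=$(user_groups "$1" "$2" "$3")
    for p in $(sudo_principals "$4"); do
        if [ "$p" = ALL ] || [ "$p" = "$1" ]; then echo "$p"; return 0; fi
        for g in $grps; do
            if [ "%$g" = "$p" ]; then echo "$p"; return 0; fi
        done
    done
    return 1
}

for u in testAdomain_admin testBdomain_admin domain_admin; do
    if via=$(has_sudo "$u" "$D/passwd" "$D/group" "$D/sudoers"); then echo "$u: sudo via $via"
    else echo "$u: no sudo rule"; fi
done
```

In the sample data, testBdomain_admin reaches %admin only through its primary GID, so it does not appear in the member list of the admin line in the group file; resolving the GID from passwd is what catches it.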

with 3 domains with their 3 admin accounts