Virtualmin/Webmin Security

I have been using Webmin+Virtualmin for about 2 years now and Virtualmin Pro since last week :)

I think security still gets very little attention from the Virtualmin/Webmin developers.

For example:
When I install Virtualmin on CentOS, any user can read some of the config and ACL files (file mode 0644, folder mode 0755) in /etc/webmin. Some config files contain user passwords and the MySQL access password.

Another concern: it would be better if Webmin/Virtualmin had a security hardening module by default to improve OS security in general.

Post edited by: ishobr@ladangnet.com, at: 2008/03/15 00:31
Post edited by: ishobr@ladangnet.com, at: 2008/03/15 00:58

For example: When I install Virtualmin on CentOS, any user can read some of the config and ACL files (file mode 0644, folder mode 0755) in /etc/webmin. Some config files contain user passwords and the MySQL access password.

What file can a non-root user read that contains passwords? That’d be a bug. I’m unaware of any that meet that description.

Another concern: it would be better if Webmin/Virtualmin had a security hardening module by default to improve OS security in general.

If you’re aware of a security issue, let us know and we’ll fix it quick. As I mentioned, I’m unaware of any at this time.

Ok.
All of the domain-name.acl files in /etc/webmin/mysql are world-readable. The password and DB user are in there. For a standard Virtualmin setup, the DB user and DB password are exactly the same as the Virtualmin user and password.

I think /etc/webmin should be at least 0750 or 0700 if no non-root user needs read access to the directory.

Something like the Bastille Linux hardening script should also be integrated as a Webmin module.

All of the domain-name.acl files in /etc/webmin/mysql are world-readable. The password and DB user are in there. For a standard Virtualmin setup, the DB user and DB password are exactly the same as the Virtualmin user and password.

Those files are not accessible to non-root users on any of my systems. Are you sure these files are actually reachable by non-root users on your system? Just because they have the read bit set, doesn’t mean that a user can see them; the directory also needs to have rx permissions.

For example:

-bash-3.00$ less /etc/webmin/mysql/virtualmin.acl
/etc/webmin/mysql/virtualmin.acl: Permission denied

If they are actually accessible on your system, something is wrong, as that is not the default.

Something like the Bastille Linux hardening script should also be integrated as a Webmin module.

I would disagree with this. I’ve talked about Bastille and similar projects in the past. I believe they provide a false sense of security, distract administrators from more effective security practices (strong passwords, keeping software up to date, don’t run unnecessary services), and often break conventions that cause mysterious failures. I can’t stop anyone from implementing a Bastille Linux module, but I certainly won’t be pushing for it.

Again, if there are security issues in Webmin or Usermin or Virtualmin, we want to know about it, and we want to fix it.

Those files are not accessible to non-root users on any of my systems. Are you sure these files are actually reachable by non-root users on your system? Just because they have the read bit set, doesn't mean that a user can see them; the directory also needs to have rx permissions.

For example:

-bash-3.00$ less /etc/webmin/mysql/virtualmin.acl

/etc/webmin/mysql/virtualmin.acl: Permission denied

If they are actually accessible on your system, something is wrong, as that is not the default.

Yes, I am sure about it.
I can reproduce this on Fedora 8, installing Webmin/Virtualmin GPL manually using the RPM packages from webmin.com.
I can also reproduce this on CentOS 4/5 in an OpenVZ VN using the install script install.sh.

This is a screenshot from one of my OpenVZ VNs:

[root@server ~]# ls -ltr /etc/ | grep webmin
drwxr-xr-x 121 root root 3072 Mar 16 07:10 webmin

[root@server etc]# ls -ltr /etc/webmin/
total 134
-rw-r--r-- 1 root root 12 Mar 16 07:06 var-path
-rwxr-xr-x 1 root root 159 Mar 16 07:06 stop
-rwxr-xr-x 1 root root 237 Mar 16 07:06 start
drwxr-xr-x 2 root root 1024 Mar 16 07:06 spam
drwxr-xr-x 2 root root 1024 Mar 16 07:06 software
drwxr-xr-x 2 root root 1024 Mar 16 07:06 smf
drwxr-xr-x 2 root root 1024 Mar 16 07:06 smart-status
drwxr-xr-x 2 root root 1024 Mar 16 07:06 shorewall
drwxr-xr-x 2 root root 1024 Mar 16 07:06 shell
drwxr-xr-x 2 root root 1024 Mar 16 07:06 servers
drwxr-xr-x 2 root root 1024 Mar 16 07:06 sentry
drwxr-xr-x 2 root root 1024 Mar 16 07:06 sendmail
drwxr-xr-x 2 root root 1024 Mar 16 07:06 sarg
drwxr-xr-x 2 root root 1024 Mar 16 07:06 samba
-rwxr-xr-x 1 root root 48 Mar 16 07:06 restart
-rwxr-xr-x 1 root root 166 Mar 16 07:06 reload
drwxr-xr-x 2 root root 1024 Mar 16 07:06 raid
drwxr-xr-x 2 root root 1024 Mar 16 07:06 quota
drwxr-xr-x 2 root root 1024 Mar 16 07:06 qmailadmin
drwxr-xr-x 2 root root 1024 Mar 16 07:06 pserver
drwxr-xr-x 2 root root 1024 Mar 16 07:06 proftpd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 procmail
drwxr-xr-x 2 root root 1024 Mar 16 07:06 proc
drwxr-xr-x 2 root root 1024 Mar 16 07:06 pptp-server
drwxr-xr-x 2 root root 1024 Mar 16 07:06 pptp-client
drwxr-xr-x 2 root root 1024 Mar 16 07:06 ppp-client
drwxr-xr-x 2 root root 1024 Mar 16 07:06 phpini
-rw-r--r-- 1 root root 14 Mar 16 07:06 perl-path
drwxr-xr-x 2 root root 1024 Mar 16 07:06 passwd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 pap
drwxr-xr-x 2 root root 1024 Mar 16 07:06 pam
drwxr-xr-x 2 root root 1024 Mar 16 07:06 openslp
drwxr-xr-x 2 root root 1024 Mar 16 07:06 nis
drwxr-xr-x 2 root root 1024 Mar 16 07:06 net
drwxr-xr-x 2 root root 1024 Mar 16 07:06 mount
drwxr-xr-x 2 root root 1024 Mar 16 07:06 mon
-rw------- 1 root bin 9 Mar 16 07:06 miniserv.users
-rw------- 1 root bin 1437 Mar 16 07:06 miniserv.pem
drwxr-xr-x 2 root root 1024 Mar 16 07:06 man
drwxr-xr-x 2 root root 1024 Mar 16 07:06 majordomo
drwxr-xr-x 2 root root 1024 Mar 16 07:06 mailcap
drwxr-xr-x 2 root root 1024 Mar 16 07:06 lvm
drwxr-xr-x 2 root root 1024 Mar 16 07:06 lpadmin
drwxr-xr-x 2 root root 1024 Mar 16 07:06 logrotate
drwxr-xr-x 2 root root 1024 Mar 16 07:06 lilo
drwxr-xr-x 2 root root 1024 Mar 16 07:06 ldap-server
drwxr-xr-x 2 root root 1024 Mar 16 07:06 ldap-client
drwxr-xr-x 2 root root 1024 Mar 16 07:06 krb5
drwxr-xr-x 2 root root 1024 Mar 16 07:06 jabber
drwxr-xr-x 2 root root 1024 Mar 16 07:06 ipsec
drwxr-xr-x 2 root root 1024 Mar 16 07:06 ipfw
drwxr-xr-x 2 root root 1024 Mar 16 07:06 ipfilter
drwxr-xr-x 2 root root 1024 Mar 16 07:06 inittab
drwxr-xr-x 2 root root 1024 Mar 16 07:06 inetd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 idmapd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 htaccess-htpasswd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 heartbeat
drwxr-xr-x 2 root root 1024 Mar 16 07:06 grub
drwxr-xr-x 2 root root 1024 Mar 16 07:06 fsdump
drwxr-xr-x 2 root root 1024 Mar 16 07:06 frox
drwxr-xr-x 2 root root 1024 Mar 16 07:06 firewall
drwxr-xr-x 2 root root 1024 Mar 16 07:06 filter
drwxr-xr-x 2 root root 1024 Mar 16 07:06 file
drwxr-xr-x 2 root root 1024 Mar 16 07:06 fetchmail
drwxr-xr-x 2 root root 1024 Mar 16 07:06 fdisk
drwxr-xr-x 2 root root 1024 Mar 16 07:06 exports
drwxr-xr-x 2 root root 1024 Mar 16 07:06 dovecot
drwxr-xr-x 2 root root 1024 Mar 16 07:06 dnsadmin
drwxr-xr-x 2 root root 1024 Mar 16 07:06 dhcpd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 dfsadmin
drwxr-xr-x 2 root root 1024 Mar 16 07:06 custom
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cluster-webmin
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cluster-usermin
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cluster-useradmin
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cluster-software
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cluster-shell
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cluster-passwd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cluster-cron
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cluster-copy
drwxr-xr-x 2 root root 1024 Mar 16 07:06 change-user
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cfengine
drwxr-xr-x 2 root root 1024 Mar 16 07:06 burner
drwxr-xr-x 2 root root 1024 Mar 16 07:06 bandwidth
drwxr-xr-x 2 root root 1024 Mar 16 07:06 bacula-backup
drwxr-xr-x 2 root root 1024 Mar 16 07:06 backup-config
drwxr-xr-x 2 root root 1024 Mar 16 07:06 at
drwxr-xr-x 2 root root 1024 Mar 16 07:06 adsl-client
drwxr-xr-x 2 root root 1024 Mar 16 07:06 acl
drwxr-xr-x 2 root root 1024 Mar 16 07:06 xinetd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 wuftpd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 webminlog
drwxr-xr-x 2 root root 1024 Mar 16 07:06 webmin
drwxr-xr-x 2 root root 1024 Mar 16 07:06 webalizer
drwxr-xr-x 2 root root 1024 Mar 16 07:06 vgetty
-rw-r--r-- 1 root root 6 Mar 16 07:06 version
drwxr-xr-x 2 root root 1024 Mar 16 07:06 usermin
drwxr-xr-x 2 root root 1024 Mar 16 07:06 updown
drwxr-xr-x 2 root root 1024 Mar 16 07:06 tunnel
drwxr-xr-x 2 root root 1024 Mar 16 07:06 time
drwxr-xr-x 2 root root 1024 Mar 16 07:06 telnet
drwxr-xr-x 2 root root 1024 Mar 16 07:06 syslog-ng
drwxr-xr-x 2 root root 1024 Mar 16 07:06 syslog
drwxr-xr-x 2 root root 1024 Mar 16 07:06 stunnel
drwxr-xr-x 2 root root 1024 Mar 16 07:06 status
drwxr-xr-x 2 root root 1024 Mar 16 07:06 sshd
drwxr-xr-x 2 root root 1024 Mar 16 07:06 squid
drwxr-xr-x 2 root root 1024 Mar 16 07:06 init
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cpan
drwxr-xr-x 2 root root 1024 Mar 16 07:06 cron
-rwxr-xr-x 1 root root 196 Mar 16 07:06 uninstall.sh
drwxr-xr-x 2 root root 1024 Mar 16 07:06 ldap-useradmin
drwxr-xr-x 2 root root 1024 Mar 16 07:08 virtualmin-mailman
drwxr-xr-x 2 root root 1024 Mar 16 07:08 virtualmin-dav
drwxr-xr-x 2 root root 1024 Mar 16 07:08 virtualmin-registrar
drwxr-xr-x 2 root root 1024 Mar 16 07:08 virtualmin-svn
drwxr-xr-x 2 root root 1024 Mar 16 07:08 security-updates
drwxr-xr-x 2 root root 1024 Mar 16 07:08 php-pear
drwxr-xr-x 2 root root 1024 Mar 16 07:08 virtualmin-awstats
drwxr-xr-x 2 root root 1024 Mar 16 07:08 virtualmin-htpasswd
drwxr-xr-x 2 root root 1024 Mar 16 07:09 ruby-gems
-rw------- 1 root root 1059 Mar 16 07:09 webmin.acl
drwxr-xr-x 2 root root 1024 Mar 16 07:09 virtualmin-init
-rw------- 1 root bin 823 Mar 16 07:10 miniserv.conf
-rw-r--r-- 1 root root 452 Mar 16 07:10 config
drwxr-xr-x 2 root root 1024 Mar 16 07:10 postfix
drwxr-xr-x 2 root root 1024 Mar 16 07:10 virtual-server
drwxr-xr-x 2 root root 1024 Mar 16 07:10 useradmin
drwxr-xr-x 2 root root 1024 Mar 16 07:10 postgresql
drwxr-xr-x 2 root root 1024 Mar 16 07:10 mysql
drwxr-xr-x 2 root root 1024 Mar 16 07:10 mailboxes
drwxr-xr-x 2 root root 1024 Mar 16 07:10 bind8
drwxr-xr-x 2 root root 1024 Mar 16 07:11 apache

Additional screenshot after adding a new domain in Virtualmin:

[admin@server ~]$ ls -l /etc/webmin/mysql/
total 2
-rw-r--r-- 1 root root 391 Mar 16 07:10 config
-rw-r--r-- 1 root root 140 Mar 16 07:37 mytestdomain.acl
[admin@server ~]$ cat /etc/webmin/mysql/mytestdomain.acl
create=0
noconfig=1
pass=test08 <-----
stop=0
dbs=mytestdomain mytestdomain
buser=mytestdomain
edonly=0
bpath=/
delete=0
user=mytestdomain <-----
perms=0

Indeed, he does have a point … tested on CentOS.

-sh-3.1$ cat /etc/webmin/mysql/domain.acl
create=0
noconfig=1
pass=12345 *******
stop=0
dbs=domain domain1
buser=domain
edonly=0
bpath=/
delete=0
user=domain *******
perms=0


This was from a normal user created with Virtualmin…

Although on my end, ls -l /etc/webmin/mysql/ does not work:

-sh-3.1$ ls -l /etc/webmin/mysql/
ls: /etc/webmin/mysql/: Permission denied
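A way to settle this kind of disagreement on your own box, as an added example that is not code from the forum thread nor from Webmin/Virtualmin: the shell audit below walks a config tree and reports files that contain a line starting with `pass=` and that "other" can actually reach, which means every directory on the path carries the o+x search bit and the file itself carries o+r. It parses the mode bits from `ls -ld` rather than testing access as the current user, so it gives the same answer whether you run it as root or not, and it reproduces the last post's case of a directory without o+r, which cannot be listed yet whose files can still be read. The tree it builds is a constructed miniature under a temporary directory: the file names, modes and contents are assumptions modelled on the listings above, not data from any real /etc/webmin. Running `audit_readable_secrets /etc/webmin pass=` is the check; `harden_readable_secrets` applies the `chmod o-rwx` that the thread asks for.

```sh
#!/bin/sh
# Added example: audit a Webmin-style config tree for secrets that a non-root
# user can really read. Reachability for "other" needs the search (x) bit on
# every directory along the path plus the read (r) bit on the file; a
# directory's own r bit only decides whether it can be listed with ls.

# other_bits PATH -> the "other" permission triplet of PATH, e.g. "r-x"
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# path_searchable ROOT REL -> 0 if ROOT and every directory between ROOT and
# the file ROOT/REL carry the search bit for "other", else 1
path_searchable() {
    ps_dir=$1
    case "$(other_bits "$ps_dir")" in ??[xt]) ;; *) return 1 ;; esac
    ps_comps=$(dirname "$2")
    [ "$ps_comps" = "." ] && return 0
    ps_ifs=$IFS; IFS=/; set -- $ps_comps; IFS=$ps_ifs
    for ps_c in "$@"; do
        ps_dir="$ps_dir/$ps_c"
        case "$(other_bits "$ps_dir")" in ??[xt]) ;; *) return 1 ;; esac
    done
    return 0
}

# audit_readable_secrets ROOT KEY -> prints, sorted, the ROOT-relative paths of
# files that contain a line starting with KEY and that "other" can both reach
# and read (paths containing whitespace are not handled; fine for a config tree)
audit_readable_secrets() {
    ar_root=$1; ar_key=$2
    for ar_f in $(cd "$ar_root" && find . -type f | sed 's|^\./||'); do
        case "$(other_bits "$ar_root/$ar_f")" in r??) ;; *) continue ;; esac
        path_searchable "$ar_root" "$ar_f" || continue
        grep -q "^$ar_key" "$ar_root/$ar_f" || continue
        echo "$ar_f"
    done | sort
}

# harden_readable_secrets ROOT KEY -> removes every "other" bit from the files
# the audit reports, so they become owner-only like miniserv.users already is
harden_readable_secrets() {
    for hr_f in $(audit_readable_secrets "$1" "$2"); do
        chmod o-rwx "$1/$hr_f"
    done
}

# build_sample_tree DIR -> constructed miniature of /etc/webmin (not real data)
build_sample_tree() {
    bt=$1
    mkdir -p "$bt/mysql" "$bt/hidden" "$bt/exec-only"
    printf 'user=mytestdomain\npass=test08\n' > "$bt/mysql/mytestdomain.acl"  # the thread's case
    printf 'passwd_file=/etc/webmin/miniserv.users\n' > "$bt/mysql/config"   # no secret; key must not match it
    printf 'pass=secret1\n' > "$bt/hidden/site.acl"
    printf 'pass=secret2\n' > "$bt/exec-only/site.acl"
    printf 'pass=secret3\n' > "$bt/miniserv.users"
    chmod 0644 "$bt/mysql/mytestdomain.acl" "$bt/mysql/config" \
               "$bt/hidden/site.acl" "$bt/exec-only/site.acl"
    chmod 0600 "$bt/miniserv.users"   # shipped owner-only, as in the listing above
    chmod 0755 "$bt" "$bt/mysql"      # the 0755 directories the thread shows
    chmod 0700 "$bt/hidden"           # blocks the path regardless of file mode
    chmod 0711 "$bt/exec-only"        # ls fails, cat works: the last post's case
}

# Demo against the constructed tree; never touches the real /etc/webmin.
DEMO=$(mktemp -d)
build_sample_tree "$DEMO"
echo "readable by any user before hardening:"
audit_readable_secrets "$DEMO" pass=     # exec-only/site.acl, mysql/mytestdomain.acl
harden_readable_secrets "$DEMO" pass=
echo "after hardening:"
audit_readable_secrets "$DEMO" pass=     # (nothing)
rm -rf "$DEMO"
```

Note that hidden/site.acl is never reported even though the file itself is 0644, which is exactly Joe's point about the directory needing the search bit, while exec-only/site.acl is reported although `ls` on its directory would fail, which is exactly the last poster's observation. Both are consistent: the file mode and every directory mode on the path decide readability together, and the directory's read bit alone decides listability.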