-1

I'm still fairly new to all of this, so please be gentle. I'm currently running the Webmin/Virtualmin combo on Centos 7 (linux). I was looking for a simple solution to allow someone to upload files, and Filemin seemed like an easy way to do that.

I've been trying to create a user through Webmin(logged in at root), set their "root directory for file chooser" manually to the directory I want(they're only uploading pictures for ads), and left everything pretty much default. (Browse files as Unix user option is checked as 'same as webmin login'). The only module I give them is Filemin as that's all they need.

I've then made sure to go in under Usermin Config => 'Access Control Options' and made sure 'User's home directory' is checked under root directory for file choose just in case. On paper, everything should work as intended, but when logging in as their account to check it out, they get the full root directory and can pretty much do whatever they want. No restrictions, and full view.

On a side note, I've played around with some of the basic options, and noticed that Webmin doesn't save what I changed sometimes. It'll default it back to the root directory and change the browsing files back to root. Other times it does. I want to say maybe there's a permissions or access issue or something? Either way, no change once I log in to check. Ideas?

Aric
  • 1
  • 3

1 Answers1

1

It looks like you're confusing which software you're interacting with here. So, let me see if I can clear up some things for you, and I think once you understand how these pieces fit together you'll be able to get your settings right and the behavior you want.

Usermin is a completely separate program, running on a different port. A Webmin user is, in no way, effected by what you do with the Usermin configuration. Webmin users are not Usermin users (though either could be a system user, and one user could have both Webmin and Usermin access). So, to be clear: If you are wanting to limit a Webmin user, you do not do it in the Usermin Configuration module (that's for Usermin users). You do it in the Webmin Users module.

So, at this point, you may be asking, "Well how do I configure permissions for a Webmin user?"

Browse to Webmin->Webmin Users and then click on the username of the user you want to edit.

Then, open up the Available Webmin Modules section.

Click on "File Manager" in the Others category (or Filemin File Manager, if you've installed the third party version on github, though I think we can't recommend that one at the moment, as it has gone in a weird direction lately, and seems to not interact very nicely with Webmin current versions).

Now you can choose how to restrict this user's use of this module. The options are quite fine-grained, and most are pretty intuitive, I think.

To limit the user to a specific directory, you can fill in the "Allow access to directories" field with the directories you want available.

To have Webmin perform the file actions as the user, rather than as root, you can edit the "Access files as Unix user" option and set it to "Save as Webmin login".

In short: Forget about Usermin. It isn't related to what you're trying to do. Also, it doesn't sound like Virtualmin is in the picture at all (though for web hosting related tasks, you probably should be using Virtualmin rather than just Webmin by itself, and it does create website owner user accounts with the kind of permissions you're talking about, by default and without any extra hoop jumping required).

On this question:

On a side note, I've played around with some of the basic options, and noticed that Webmin doesn't save what I changed sometimes. It'll default it back to the root directory and change the browsing files back to root. Other times it does. I want to say maybe there's a permissions or access issue or something? Either way, no change once I log in to check. Ideas?

You're going to have to be more specific. That is not an issue we've heard about (and we'd probably hear about it pretty quick). Which options? Where are you configuring the thing that you don't think is saving? What makes you believe it isn't saving?

Anyway, I kinda suspect that the problems are all related to just not knowing how all the pieces fit together and what is doing what.

Here's a quick description of the three projects you've mentioned:

Webmin - General purpose web-based systems management UI for Linux and UNIX systems. It is like a GUI version of ssh; it is intended for systems management tasks, and is not usually an end-user tool, though there can be some overlap of tasks that are useful to delegate (and Webmin has fine-grained access controls in a lot of modules to make that possible). A Webmin user can have privileges beyond what the user has at the command line, up to and including root-level privileges.

Usermin - Webmail and more. It is not an administrative tool at all, and runs as the user that is logged in, and only with their privileges. A Usermin user cannot be granted more access than they have on the command line, because it drops privileges and literally runs as that user. It does not run inside of Webmin, and is a wholly separate program that runs on a different port and uses different/separate user accounts.

Virtualmin - A web hosting control panel (runs inside of Webmin, and uses ACLs and other features of Webmin, and a Virtualmin user is a special type of Webmin user). It does things like automate the creation of Apache VirtualHosts, databases, mailboxes, BIND name records, configuration of spam/AV scanning, etc. It's a handful of Webmin modules, and a bit of extra configuration on the system, designed to make web hosting with many accounts and many websites easier. Virtualmin users have some administrative privileges via Webmin ACLs, but they are not "root" level users.

Disclaimer: I work on Webmin, Virtualmin, and Usermin.

swelljoe
  • 1,415
  • 8
  • 12
  • Thanks for the tips for clarification. The hard part about talking about things you don't understand is finding the right way to state it that makes sense to those that do. I installed virtualmin right on to my Centos 7 via the install.sh through SSH, so I have the Webmin/VIrutalmin combo running on it. I assumed the purposes for each project, and did have the right idea. When trying to edit a Webmin user, I am clicking directly on them from the Webmin users and going right into the options. This is the part that isn't sticking. – Aric Feb 04 '16 at 06:52
  • It is here that I'm having the issues. Create a new Webmin user, and assign them only the filemin module. Save. Go back and select their name from the Webmin user list, and put in the folder I want as their browsing folder, and check off to make sure they're browsing same as their Webmin user name. Save. Log in with their credentials, hit filemin, and they have full access to the file system and root capability. On paper, that's not even supposed to be possible, but it is for me. – Aric Feb 04 '16 at 07:00
  • I did figure out that if that user was part of a group I assigned (while trying to find another way to restrict their directory as a default of the group) that the individual changes I made would not save at all, and instead would default back to "/" as their initial folder and ability browse at root even though I would save something different once I went back in to check. Usermin only came into the picture once I'd exhausted everything else I could think of. Now that I know the packages are all separate, it was useless to even attempt this. – Aric Feb 04 '16 at 07:02
  • Which leads me back to my initial problem and frustration. Creating a new Webmin user and defining their directory as I want it to be viewed using filemin has no effect. They still log in, have full access to the file system, and can change and upload files as 'root'. ---- The user that was created by default when running through the initial virtualmin wizard does seem to be different, but I haven't dared change anything there to test it out. I would venture that changes will stick with them (possibly because they're attached to a database?) but I can't be sure. – Aric Feb 04 '16 at 07:10
  • Which Filemin are you using? The one that came with Webmin, or the one installed from the original author's github? The one is Webmin I know works. I haven't tested the one in github lately, and it's gone through some changes. Group settings can override individual user permissions (though user settings should still save, they just won't be applied if a group setting conflicts with it). Are there any errors in the miniserv.error log? (/var/webmin/miniserv.error) or other logs? In short, not saving settings without warning would be a bug, and we'd need to reproduce it to fix it. – swelljoe Feb 04 '16 at 17:30
  • It was the one that came with Webmin. I have yet to install anything that didn't really come with whole install package. That makes sense about the group setting, and that it'll override conflicting user permissions. I did take a look at the miniserv.error log right after I applied changes to one. I'm too green to know what I'm looking at though. Here's what popped up over multiple lines: "Use of uninitialized value in string eq at /usr/libexec/webmin/acl/edit_user.cgi line 345." – Aric Feb 04 '16 at 20:26
  • Side note. Still learning. The web server running in SSL mode wouldn't be any sort of factor, would it? I realize it's just a basic security thing, but I wanted to make sure you had all the information I could provide. I get multiple lines of "Document follows : This web server is running in SSL mode. Try the URL.. " as well. I've been mainly a front end dev, and this is my foray into back end. I looked at other logs, and nothing jumped out to me (although I have no idea what I'm really looking at anyway). Happy to check anything else out for you. – Aric Feb 04 '16 at 20:36
  • Actually, if I were to venture a guess, maybe that's just all the attempts to log in or something since reading the rest of the error is something I get hit with when I log in. – Aric Feb 04 '16 at 20:38