
List:       webmin-l
Subject:    Re: Webmin with multiple sysadmins?
From:       Carlton Thomas <carlton () gifford ! co ! uk>
Date:       2002-11-24 15:34:55

On Sat, 23 Nov 2002, Jamie Cameron wrote:

> Webmin does have some locking to prevent two people changing
> the same configuration file at the same time. However, this locking
> is only at the file level, so if you and some other guy both edit
> the same Unix user, both make changes and then both click save, only one
> person's changes will end up in the /etc/passwd file.
> 
> Solving this would mean implementing a higher level of locking,
> done at the 'object' level - for example, if you have a user open for
> editing, nobody else would be allowed to open that same user.
> The same could apply to groups, virtual servers, nfs exports and so on ..
> 
> I did look into adding this, but it would be tough to implement in
> a web-based app like webmin. For example, what happens if you open
> the page for editing a user and then quit your browser - there is no
> way for webmin to know that the page should not still be locked, apart
> from timing out after a while..

Hi,

I believe that this is going to be a very difficult problem to solve and
I can't see how it will be possible to modify webmin to enforce a level
of integrity without doing a great deal of work. First, one needs to
consider all the possible sources of an update. These may be running
programs, system commands, webmin, remote access etc. Second, you need
to determine the level at which integrity must be protected, i.e. what do
you consider to be an atomic operation. It may be that on your system
one atomic operation may involve updating more than one configuration
file, plus issuing a number of system commands and finally restarting
a daemon. The important thing to note is that this will be different
for each operating environment.

I was corresponding with Jamie recently about a similar problem. We
have some programs/scripts which are able to dynamically create firewall
rules. Somehow, I need to get webmin to coexist with these scripts such
that no rules are lost. I only mention this to illustrate the magnitude
of the problem.

The ultimate solution for integrity protection is to implement some
sort of system-wide or even company-wide manual or automated process
which controls access to your servers. This should allow you to define
atomic operations and lock out other users until an atomic operation
is complete. This would be similar to SCCS, the source code control
system. These sorts of systems are available off-the-shelf and are used
by many companies to limit access, to implement referential integrity
and for audit trails. It may be possible to integrate webmin into some
of these systems to actually implement the admin functions.

The current webmin project is aimed at low-level system administration
tasks and the fact that it is allowing admin access via the stateless 
HTTP protocol adds another layer of complication.

I think that webmin is a great product and maybe it could be modified
to provide integrity protection facilities. However, I do not believe
that a suitable framework could be developed within webmin to suitably
define atomic operations for most environments and implement the
appropriate level of locking and protection. I believe you should look
at using tools which have been designed from the ground up to provide
that sort of functionality.

Just my $0.02 worth.

Regards !

--
Carlton
=============================
GIFFORD INTERNET SERVICES
Bristol, United Kingdom 
Tel: 0845 111 0032
Tel: 0117 939 7722
Fax: 0845 111 0033
Email: admin@gifford.co.uk
Web: http://www.gifford.co.uk
=============================


