List:       webmin-l
Subject:    Re: [webmin-l] Sudo Authentication Module Restriction
From:       Jason Ledford <jledford () biltmore ! com>
Date:       2008-10-23 21:15:22
Message-ID: 435CB3214F92FD4E8E5CEEB86A20440240CA9B04CB () MAILBOX ! tbcnet ! biltmore ! com

Thanks Jamie, this does exactly what I want.

-----Original Message-----
From: Jamie Cameron [mailto:jcameron@webmin.com]
Sent: Thursday, October 23, 2008 2:40 AM
To: Webmin users list
Subject: Re: [webmin-l] Sudo Authentication Module Restriction

Hi Jason,

What you should do to allow members of some group access to Webmin is as
follows :

1) Go to Webmin -> Webmin Users, and create a user with access to the modules
   you want those group members to have.

2) Still in the Webmin Users module, click on 'Configure Unix user authentication'
   and select 'Allow Unix users listed below to login'. In the first row of the
   table, select 'Members of group', enter the group name in the adjacent field,
   and select the Webmin user you created in step 1 in the last column. Then click
   Save.

Once this is done, any member of that group will be able to login to Webmin,
assuming that /etc/pam.d/webmin is set up to authenticate against LDAP and
also that LDAP users and groups are recognized by your system - this can be
configured in the LDAP Client module.

You don't need to involve sudo at all here, as Webmin's sudo integration isn't
related to this kind of setup.

 - Jamie

On 22/Oct/2008 18:16 Jason Ledford wrote ..
> You're right, the AD users I am allowing to connect all have (ALL) ALL rights
> in sudo.  I have an AD group that I am allowing this access to the machine, sort
> of like a domain admins group, but it gives them rights on linux.  I would like
> to be able to make a group in Webmin or something and have these users in the group
> and only show the icons I want shown, but not sure how to do that.
>
> Actually, as I was typing this I figured it out.  I created a group in Webmin and
> gave it the rights I want.  I then created a Webmin user to match my AD username
> and set the password to unix authentication and added the user to the group and
> that's what I need :)
>
> Now it presents a new question, is there a way to make new users that login using
> sudo automagically be in this group?  Or would it be better to use usermin?
>
> -----Original Message-----
> From: Jamie Cameron [mailto:jcameron@webmin.com]
> Sent: Wednesday, October 22, 2008 8:33 PM
> To: Webmin users list
> Subject: Re: [webmin-l] Sudo Authentication Module Restriction
>
> On 22/Oct/2008 15:28 Jason Ledford wrote ..
> > I just installed Webmin on a Debian machine and have configured it to allow anyone
> > who can sudo to be able to login to Webmin.  The users that will be sudo'ing are
> > also Active Directory users.  So when they log into Webmin they have full control
> > of all the modules.  How can I restrict what they have access to in Webmin?  Do
> > I need to start with restricting sudo and Webmin will only allow them access to
> > what they can sudo or am I missing something?  I also looked under Webmin users
> > and the users aren't listed there.
>
> In a default install, Webmin will allow any user who can run any command via sudo
> to login as effectively root .. this is determined by running the 'sudo -l -S' command
> as the user, and checking if it outputs a line like :
>
>     (ALL) ALL
>
> What sudo permissions do your active directory users have? I would expect them not
> to be able to run any command, as that would allow them to SSH in and run something
> like "sudo bash" to get a root shell.
>
>  - Jamie
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> -
> Forwarded by the Webmin mailing list at webadmin-list@lists.sourceforge.net
> To remove yourself from this list, go to
> http://lists.sourceforge.net/lists/listinfo/webadmin-list

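The thread explains that a default Webmin install treats a user as effectively root when `sudo -l` prints a line like `(ALL) ALL`. The following audit helper is an added example, not part of the original messages and not Webmin's own matching logic: it scans saved `sudo -l` output for entries that grant any command as root, and goes slightly beyond the exact line quoted in the thread by also recognising the `(ALL : ALL)` and tagged (`NOPASSWD:`) forms. The account names and sample output are constructed.

```python
import re

# Constructed `sudo -l` output for three hypothetical accounts.
SAMPLES = {
    "adadmin": """\
Matching Defaults entries for adadmin on this host:
    env_reset

User adadmin may run the following commands on this host:
    (ALL) ALL
""",
    "backup": """\
User backup may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/rsync
""",
    "ops": """\
User ops may run the following commands on this host:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl, ALL
""",
}

# An entry line is indented and starts with the run-as spec in parentheses.
ENTRY = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
# Leading tags such as "NOPASSWD:" or "SETENV:" in front of a command.
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")


def unrestricted_grants(sudo_l_output):
    """Return the entries that allow running any command as root."""
    hits = []
    for line in sudo_l_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # Defaults lines, headers, blank lines
        # Run-as users come before an optional ":group" part.
        runas_users = {u.strip() for u in m.group("runas").split(":")[0].split(",")}
        if not runas_users & {"ALL", "root"}:
            continue
        cmds = [TAG.sub("", c.strip()) for c in m.group("cmds").split(",")]
        if "ALL" in cmds:
            hits.append(line.strip())
    return hits


def audit(samples):
    """Map each account to its unrestricted entries, omitting accounts with none."""
    report = {user: unrestricted_grants(out) for user, out in samples.items()}
    return {user: hits for user, hits in report.items() if hits}
```

Accounts reported by `audit` are the ones that should be mapped to a restricted Webmin user through the group-based Unix authentication setup described in the reply, rather than left to the sudo-based login.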