File browser lets people see other files

4 posts / 0 new
Last post
#1 Tue, 04/25/2006 - 09:20
tabletguy

File browser lets people see other files

I have Virtualmin pro installed. When I log with Usermin to an account, and select the file browser java applet, it let's me select other account names in the file browser (left side), and let's me see file and directory names. This exposes other site's email addresses, etc.

Virtualim was set up by Virtualmin staff. I'm not strong on Unix, but I understand what permissions are to some extent.

So, two questions

1) Can I (and how do I) change permissions so that this file browser doesn't see other accounts and files?

2) What should I do in general setup so that new accounts get correct permissions.

Tue, 05/23/2006 - 18:06
tabletguy

Does anyone from Virtualmin have a comment on this?

When I log in with an EMAIL account only, they are allowed to change shell access types, see ALL the system files (which exposes all user names / email names), as well as a number of other items which shouldn't be allowed.

Wed, 05/24/2006 - 11:32 (Reply to #2)
Joe
Joe's picture

Hi Stephan,

The file manager can be configured to not allow access to see others files (though default permissions should never permit actually seeing into others files, unless you have users who routinely hit "chmod 777 filename" when something isn't working...which suexec will then insure definitely doesn't work, leading to further frustration...but that's another story). I believe this is now the default on fresh installs, but I'll check.

To configure it:

Click the Webmin link in the right corner of the left-hand menu (assuming you're using the Virtualmin Framed Theme).

Browse to Webmin:Usermin Configuration.

Click on the Module Configuration icon.

The very first option is:

Limit user to home directory?

Set it to "Allow access to home and directories below.."

Save it.

--

Check out the forum guidelines!

Wed, 05/24/2006 - 11:40 (Reply to #3)
Joe
Joe's picture

Hi Stephan,

I forgot to reply to this bit:

<i>When I log in with an EMAIL account only, they are allowed to change shell access types, see ALL the system files (which exposes all user names / email names), as well as a number of other items which shouldn't be allowed.</i>

We hadn't actually thought of the shell type. That'll have to be locked down a bit tighter, and it should probably be subject to Server Templates, in order to continue the theme of extreme flexibility (or maybe not--folks already find Server Templates intimidating...and sometimes more options is a bug rather than a feature...maybe we'll just tighten up the defaults and wait until a few people actually say they want Usermin configuration features in Server Templates). In the meantime, you can remove any modules that you don't want your users to have by clicking on the Available Modules icon in the Usermin Configuration page. If there's a module you want them to have access to, but not all of the features, you may be able to use the Module Configuration page to tighten it down a bit. If there's an aspect of the module that isn't configurable, but you think should be, file a wish in the bug tracker and we'll see what we can do.

--

Check out the forum guidelines!

Topic locked