OT - WAY - OT

Bill Campbell bill at celestial.com
Sat Mar 22 10:25:49 PDT 2008


On Sat, Mar 22, 2008, Kenneth Brody wrote:
>Quoting Howard Wolowitz (Fri, 21 Mar 2008 17:51:58 -0400):
>[...]
...
>(Actually, rereading the above, I realize that I combined information from
>several of the sites I tracked down.  The web-based file manager was not
>on the same system as the world-readable data file, and so I was not able
>to erase the valid-looking data from the file.)

I *STRONGLY* suggest that people not use webmin/usermin on *nix systems
without very carefully restricting access to them.  I have seen several
systems compromised via these, usually as a result of bad user-level
passwords.  I have also seen root exploits via usermin of known Linux
security problems (the chfn command on some SuSE systems could be used to
gain root access).

Webmin has (had) some major issues in user administration where it doesn't
check home directories for reasonable things.  It happily allowed somebody
to create a user's $HOME as /home, then when they went to change it to
/home/username, webmin created /home/username, then moved everything under
/home to /home/username.

While I have hacked webmin to eliminate these problems, and sent the
changes upstream, they had not been incorporated the last time I looked.

I cannot say anything nice about the quality of the perl code in either of
these products so, as my mother taught me, I won't say anything.

Bill
--
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

No matter how much I may exaggerate it, it must have a certain amount of
truth...Now rumor travels fast but it don't stay put as long as truth
    Will Rogers
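Added example, not part of the post and not webmin's own code: a pre-flight sanity check of the kind Bill says webmin lacked, refusing a home-directory change whose old $HOME is /home (or any ancestor of the new one) so that its contents are never swept into the new directory. It assumes a one-directory-per-user layout under /home and a hypothetical `home_change_error` hook called before anything is created or moved.

```python
import os
import posixpath
from typing import Optional

HOME_BASE = "/home"   # assumed site convention: one directory per user under /home
# Directories that are never a single user's home; moving their contents is catastrophic.
SHARED_DIRS = {"/", "/home", "/root", "/etc", "/usr", "/var", "/tmp"}

def normalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes lexically (no filesystem access)."""
    if not path.startswith("/"):
        raise ValueError(f"home must be absolute: {path!r}")
    return posixpath.normpath(path)

def is_reasonable_home(path: str, user: str, base: str = HOME_BASE) -> bool:
    """True only for <base>/<user>; rejects /home itself and other users' trees."""
    p = normalize(path)
    if p in SHARED_DIRS:
        return False
    parent, leaf = posixpath.split(p)
    return parent == normalize(base) and leaf == user

def home_change_error(user: str, old_home: str, new_home: str,
                      base: str = HOME_BASE) -> Optional[str]:
    """Return a reason to refuse the change, or None if it is safe to apply.

    Hypothetical hook, run before anything is created or moved.  It catches
    the case in the post: old $HOME is /home (or any ancestor of the new one),
    so moving its contents into /home/username would take every other user's
    files along with it.
    """
    try:
        old, new = normalize(old_home), normalize(new_home)
    except ValueError as exc:
        return str(exc)
    if not is_reasonable_home(new, user, base):
        return f"{new} is not a reasonable home for {user}"
    if old == new:
        return None                      # nothing to move
    if old in SHARED_DIRS:
        return f"refusing to relocate contents of shared directory {old}"
    if new.startswith(old + "/"):
        return f"{old} is an ancestor of {new}; move would be recursive"
    if os.path.lexists(new):
        return f"{new} already exists; refusing to merge into it"
    return None
```

A None result means the rename/move may proceed; any string is the reason to abort before the first mkdir.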


More information about the Filepro-list mailing list