http://qa.mandrakesoft.com/show_bug.cgi?id=5902
Product: webmin
Component: packaging
Summary: Upgrade deletes user configuration + security prbs
Version: 1.100-2mdk
Platform: PC
OS/Version: All
Status: UNCONFIRMED
Severity: critical
Priority: P2
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]
I started Webmin today and found that during the upgrade from MDK9 to 9.2rc2 ALL
of the (MY) user configuration files for Webmin were deleted.
It should not do that.
( In this case, those files were in /usr/libexec/webmin. The location
/usr/libexec/webmin is where Webmin normally resides when upgraded/installed
from the author's SF site. )
It took me hours, days, ... to reorganize the Webmin initial (index) display
and remove unused program configurators (security risks). The installation
process killed all of that work in a few seconds.
Although it might be necessary to reset to default parameters during an upgrade
to ensure a working Webmin, it is NOT necessary to delete all the config files
that currently exist.
Of special interest is that the upgrade-installation destroyed my configuration
but it left all of the other files/dirs dangling in /usr/libexec/webmin.
Since the end user can get upgrades to Webmin from the Author's SF site, I
believe that the proper solution here is to change the default install location
of webmin to /usr/libexec/webmin and only
ln -s /usr/libexec/webmin /etc/webmin (if /etc/webmin must exist for some
reason), and, of course, do NOT ever delete user configuration files during an
upgrade; rename them if you must, but do NOT delete them! Please adjust the
spec file to move any existing config files to <configName>.rpmbak (or
something like that).
Since MDK is changing (has changed?) to Webmin from Linuxconf as the main
configurator in addition to the *drak* programs, it is _critical_ that
installation be handled properly.
[more]
BTW, the work I had done was primarily to eliminate possible security risks that
had been reported by the security scanner nessus. I just ran that scan again
and now I have OVER 1000 lines of warnings and even a security "hole" listed in
the report for Webmin. I'll attach a pic to illustrate the problem.
IOW, the default webmin install includes many useless configurators (i.e., the
corresponding programs are not installed). I suggest running nessus, taking a
look at the output for webmin and adjusting the default install accordingly.
(I also think Vincent needs to look at the nessus output for RC2 with webmin.)