http://qa.mandrakesoft.com/show_bug.cgi?id=5902
------- Additional Comments From [EMAIL PROTECTED] 2003-22-09 01:43 -------
Created an attachment (id=879)
 --> (http://qa.mandrakesoft.com/attachment.cgi?id=879&action=view)
Security risks with RC2

According to the nessus security scanner, RC2 security risks are primarily from items in the default install of Webmin.

-- 
Configure bugmail: http://qa.mandrakesoft.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

------- Reminder: -------
assigned_to: [EMAIL PROTECTED]
status: UNCONFIRMED
creation_date:
description:
I started Webmin today and found that during the upgrade from MDK9 to 9.2rc2 ALL of the (MY) user configuration files for Webmin were deleted. It should not do that. (In this case, those files were in /usr/libexec/webmin. The location /usr/libexec/webmin is where Webmin normally resides when upgraded/installed from the author's SF site.)

It took me hours, days, ... to reorganize the Webmin initial (index) display and remove unused program configurators (security risks). The installation process killed all of that work in a few seconds. Although it might be necessary to reset to default parameters during an upgrade to ensure a working Webmin, it is NOT necessary to delete all the config files that currently exist. Of special interest is that the upgrade-installation destroyed my configuration but it left all of the other files/dirs dangling in /usr/libexec/webmin.

Since the end user can get upgrades to Webmin from the author's SF site, I believe that the proper solution here is to change the default install location of Webmin to /usr/libexec/webmin and only ln -s /usr/libexec/webmin /etc/webmin (if /etc/webmin must exist for some reason), and, of course, do NOT ever delete user configuration files during an upgrade; rename them if you must, but do NOT delete them!

Please adjust the spec file to move any existing config files to <configName>.rpmbak (or something like that). Since MDK is changing (has changed?) to Webmin from Linuxconf as the main configurator in addition to the *drak* programs, it is _critical_ that installation be handled properly.

[more] BTW, the work I had done was primarily to eliminate possible security risks that had been reported by the security scanner nessus. I just ran that scan again and now I have OVER 1000 lines of warnings and even a security "hole" listed in the report for Webmin. I'll attach a pic to illustrate the problem. IOW, the default webmin install includes many useless configurators (i.e., the corresponding programs are not installed). I suggest running nessus, taking a look at the output for webmin and adjusting the default install accordingly. (I also think Vincent needs to look at the nessus output for RC2 with webmin.)
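As an added example, not part of the bug report or of Mandrake's webmin package: a POSIX shell helper of the kind a spec-file pre-upgrade scriptlet could call, which renames existing config files to <name>.rpmbak instead of deleting them, and never overwrites an earlier backup. The directory and file names in the demo are constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Mandrake's spec or Webmin code):
# preserve a user's Webmin configuration across an RPM upgrade by renaming
# each config file to <name>.rpmbak rather than removing it.

# backup_configs DIR: move every regular file in DIR to DIR/<file>.rpmbak.
# An existing backup is never clobbered: a numbered suffix is chosen
# (<file>.rpmbak.1, .2, ...) so repeated upgrades keep earlier copies.
# Prints the number of files moved; returns non-zero on any failure.
backup_configs() {
    dir=$1
    count=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # skip files that are already backups from a previous run
        case "$f" in *.rpmbak|*.rpmbak.[0-9]*) continue ;; esac
        target="$f.rpmbak"
        n=1
        while [ -e "$target" ]; do
            target="$f.rpmbak.$n"
            n=$((n + 1))
        done
        mv -- "$f" "$target" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Demo on a constructed directory standing in for /etc/webmin.
demo_dir=$(mktemp -d)
printf 'port=10000\n' > "$demo_dir/miniserv.conf"
printf 'root=/usr/libexec/webmin\n' > "$demo_dir/config"
backup_configs "$demo_dir"   # prints 2
ls "$demo_dir"               # config.rpmbak and miniserv.conf.rpmbak
rm -rf "$demo_dir"
```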
