Short Version:
I've written a secure alternative to webmin, and I'd like to make it available to the community. Does anyone want to help? Have interest? Want to throw tomatoes?

Long Version:

Webmin, as you may know, is a web utility that gives you the ability to administer your machine from the web. It does this by providing plugins for different administrative tasks such as DHCP admin, or DNS admin and so on.

A lot of people, myself included, avoid webmin because it's pretty darn scary from a security point of view. Specifically, it runs everything including its own web server as root.

Over time, I've solved a number of problems specific to my workplace that would fall into the webmin domain and over time my solutions have become more generalized, pluggable, and generally more like a secure alternative to webmin. Here's why my thing is cool:

Before it can have any hope of being useful to anyone other than me, it needs a lot of work. There's a lot of stuff in the code that would need to live in configuration. It would need an installer. The plugin system needs to be standardized, the web ui part needs to be more pluggable. etc... etc... etc....

Does anyone want to help me bring this out into light of day? If you're interested, but don't want to spend a ton of time, even glancing over the code base and giving suggestions would be more than awesome. Even just asking me to clarify this post would probably help me improve my thinking and hence my alternative webmin thingy. Oh, and any help coming up with a name would be good too.

And now a short description of how my alternative webmin actually works:

I have a daemon process that runs as root. It has plugins for various tasks. At this time, those tasks are things like checking disk quota, requesting a higher quota, etc. It listens to a local unix socket and accepts commands over that socket.

The commands are very limited and well defined, so it's hard to trick it into doing something it's not intended to do. Specifically, a valid command is a YAML'ized hash containing details like:

{ command => 'get_quota', username => 'jdoe', password => 'secret', }

This is a good thing because it completely separates the privileged stuff from the user interface. You can use the web interface, or you can create any kind of interface you like. You could make a gui, or a text interface or anything.

On the user interface side, I have a Catalyst app that has a model that sends commands to the privileged daemon process. It's all pretty hard-coded at this point, but I've started heading toward using widgets, where new capabilities/jobs can add a little ui blob to a control panel.

That's about it for a basic description. If anyone's at all interested or curious, ask away.

--Pileofrogs

Update:

I've cobbled together a tar file of my privileged daemon. I had to give it a quick review to make sure I didn't have $root_password = "secret" in there anywhere. I'll do the same with the web front-end soon.

I've named it Sysadmin or Sysadmind for now, but a better name is definitely in order.

http://seattlecentral.edu/~dmartin/dist/Sysadmin.tar.gz

Again, this is not in any way ready for public use, it has tons of site-specific hard-coded stuff that needs configifying.
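
The command check the post describes (a small, fixed set of commands arriving as a decoded YAML hash), sketched as an added example that is not part of the original post or the Sysadmin tarball. The field patterns, the `request_quota` fields and the handler bodies are assumptions, and verifying the password is left to the handlers.

```perl
use strict;
use warnings;

# Hypothetical schema: each allowed command lists every field it accepts and
# the pattern the value must match. \A...\z anchors refuse embedded newlines.
my $USER = qr/\A[a-z_][a-z0-9_-]{0,31}\z/;
my $PASS = qr/\A[^\x00-\x1f]{1,128}\z/;
my %SCHEMA = (
    get_quota     => { username => $USER, password => $PASS },
    request_quota => { username => $USER, password => $PASS, megabytes => qr/\A[1-9][0-9]{0,5}\z/ },
);

# Handlers come from a fixed table, never from a name built out of the input.
# The bodies are placeholders returning constructed data.
my %HANDLER = (
    get_quota     => sub { my ($c) = @_; return { user => $c->{username}, limit_mb => 500 } },
    request_quota => sub { my ($c) = @_; return { user => $c->{username}, queued_mb => $c->{megabytes} } },
);

# Returns (result, undef) on success or (undef, reason) on rejection.
sub dispatch {
    my ($cmd) = @_;
    # ref() gives the class name for blessed objects, so this also refuses
    # anything the YAML decoder turned into an object.
    return (undef, 'not a plain hash') unless ref($cmd) eq 'HASH';
    my $name = $cmd->{command};
    return (undef, 'missing command') unless defined $name && !ref($name);
    my $fields = $SCHEMA{$name} or return (undef, 'unknown command');
    for my $key (keys %$cmd) {
        next if $key eq 'command';
        return (undef, "unexpected field '$key'") unless exists $fields->{$key};
    }
    for my $key (sort keys %$fields) {
        my $val = $cmd->{$key};
        return (undef, "bad or missing '$key'")
            unless defined $val && !ref($val) && $val =~ $fields->{$key};
    }
    return ($HANDLER{$name}->($cmd), undef);
}

# Constructed sample commands, as they would look after YAML decoding.
for my $cmd (
    { command => 'get_quota', username => 'jdoe',   password => 'secret' },
    { command => 'get_quota', username => "jdoe\n", password => 'secret' },
    { command => 'run_shell', username => 'jdoe',   password => 'secret' },
    { command => 'get_quota', username => 'jdoe',   password => 'secret', path => '/etc' },
) {
    my ($res, $err) = dispatch($cmd);
    print defined $err ? "rejected: $err\n" : "ok: user=$res->{user}\n";
}
```

Only the first sample is dispatched; the other three are rejected for a malformed username, an unknown command and an unexpected field.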
