I would like to suggest that calling your thing a "secure Webmin" unfairly implies that Webmin is insecure...when, in fact, it has an excellent security history. The last serious exploit was over three years ago, and the security history in general is roughly on par with OpenSSH. Webmin's security history is public: http://www.webmin.com/security.html

Only a small percentage of security issues in Webmin would have been prevented by having a privilege separation model, and none in the past three years fit that description. Most recent issues have been XSS-related issues rather than direct exploits of the root-level nature of Webmin's web server...and XSS could hit your privsepped model just as well (being careful of XSS is, of course, good practice, but there's nothing inherent about your model that makes XSS easier to avoid).

But, I would be curious to know more about the privilege separation...and how your root-level daemon is more secure than Webmin's root-level daemon while still being able to perform arbitrary configuration. (Webmin's root daemon happens to be the web server that runs the modules. But it's pretty simple as web servers go, and has 11+ years worth of battle-testing in millions of deployments. I'd happily wager that your code can be broken more easily than Webmin, just by virtue of its age and how many security researchers and crackers have tried to break Webmin over the years.)

And, have you considered lending some of your security expertise to Webmin itself rather than reinventing the wheel (and the 100+ standard modules, and several hundred third party modules)?

Anyway, it sounds like an interesting project...but if security is your primary beef with Webmin, it seems like somewhat misplaced effort.

Full disclosure: I'm one of the Webmin/Usermin/Virtualmin developers. And I find it irritating when folks imply or state emphatically that Webmin is insecure. The facts simply do not justify the accusation.


In reply to Re: Secure Webmin by SwellJoe
in thread Secure Webmin by pileofrogs
