30.16. Module Access Control

Like other Webmin modules, the BIND DNS Server module allows you to control which of its features are available to a particular Webmin user or group. This is useful for giving people the right to manage only the records in their own zones and nobody else's. Doing this would normally require root access to the zone files, but with Webmin it can be granted without giving users the level of power that a root login would allow.

Once you have created a user with access to the module as explained in Chapter 52, the steps to limit his access to only certain zones are:

Click on the BIND DNS Server link next to the name of the user in the Webmin Users module. This will bring up a page of access control options.

Change the Can edit module configuration? field to No, so that the user cannot change the paths that the module uses to find named.conf and other files, and therefore cannot point the module (which runs as root) at files he should not be able to read or modify.

For the Domains this user can edit field, choose Selected zones and select the ones that you want him to have access to from the list to its right. If you want him to be able to edit almost all zones, it may be better to choose All except selected and select only those that he should not be allowed to manage records in. If your DNS server uses views, you can use the Zones in view options to allow or deny access to all zones in a view as well.

Change the fields Can create master zones?, Can create slave/stub zones?, Can create forward zones? and Can edit global options? to No.

If you want Reverse Address records in zones that the user cannot edit to be updated automatically when he changes Address records in zones that he can, set the Can update reverse addresses in any domain? field to Yes. From a security point of view this is not a good idea, as it would let him change almost any existing Reverse Address record on your system simply by creating an Address record for the same IP. For that reason, I suggest that this field be set to No. If the user needs to maintain reverse records for his own address range, the reverse zone for that range can instead be added to the list of domains he can edit.

To stop the user creating more than one Address record with the same IP, set the Can multiple addresses have the same IP? field to No. Duplicate Address records are harmless to BIND itself, but setting this to No prevents the user from allocating the same IP to two hostnames by mistake.

Leave the Read-only access mode? field set to No. If it is changed to Yes, the user will only be able to view zones and records using the module, and not change anything. This might be useful for creating a different kind of restricted user though—one who can see all settings, but not edit them.

Leave the Can apply changes? field set to Yes, so that he can use the Apply Changes button to make his additions and modifications active.

Unless you want the user to be able to edit his records file manually, change the Can edit records file? field to No. Manual editing bypasses the checks that the module's forms perform, so an inexperienced user can easily introduce a syntax error that stops his zone from loading.

The Can edit zone parameters? field determines if the user can see and use the Edit Zone Parameters icon for his domains. Setting this to Yes is quite safe, as the user can only harm his own zones by setting SOA parameters such as the refresh or expiry times to unreasonable values.

Similarly, the Can edit zone options? field determines if the Edit Zone Options icon is visible or not. You should set this to No, as improper use of the zone options form can produce a syntax error in named.conf, which would prevent named from starting or reloading its configuration and so affect every zone on the server, not just his own.

Unless you want the user to be able to delete his own domains, change the Can delete zones? field to No. Users should contact the master administrator instead if they want to delete zones.

The Can edit record generators? field can be left set to Yes, as it simply allows the creation of multiple records at once using BIND's $GENERATE directive. However, some users may find this feature confusing, so you may prefer to change the field to No.

The Can lookup WHOIS information? and Can search for free IP numbers? fields can also be left set to Yes, as those features merely display information to the user.

Change the Can create and edit views? field to No, so that the user cannot manage BIND 9 views. If the user is allowed to create zones, you can use the Views this user can edit and add zones to field to limit the views in which he can create them.

Can create slave zones on remote servers? should also be set to No, although this makes little difference here as the user is not allowed to create master or slave zones anyway.

Finally, click the Save button to make the new restrictions for the user active.
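The following Python script is an added illustration of the zone-level decisions the steps above configure; it is not Webmin's code and does not read or write Webmin's ACL files. It models three of the settings (Domains this user can edit, Can update reverse addresses in any domain? and Can multiple addresses have the same IP?) against a constructed records file for example.com, so you can see why granting reverse updates in any domain reaches zones the user was never given. The ACL dictionary keys, the list of zones on the server and the zone file contents are all assumptions made up for this example.

```python
"""Model of the per-user zone access decisions described in the steps above.

Added example, not Webmin's code: it does not use Webmin's ACL file format.
The ACL keys, the server zone list and the zone file are constructed here."""
import ipaddress

# Hypothetical representation of the choices made on the access control page.
USER_ACL = {
    "zone_mode": "selected",   # Domains this user can edit: "all", "selected" or "except"
    "zones": {"example.com"},  # zones ticked in the list next to that field
    "reverse_any": False,      # Can update reverse addresses in any domain?
    "same_ip": False,          # Can multiple addresses have the same IP?
}

# Zones that exist in this server's named.conf (constructed).
SERVER_ZONES = ["example.com", "example.net",
                "2.0.192.in-addr.arpa", "8.b.d.0.1.0.0.2.ip6.arpa"]

# Constructed records file for example.com.
ZONE_FILE = """
$ORIGIN example.com.
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2024010101 ; serial
                7200 3600 1209600 3600 )
        IN NS   ns1
ns1     IN A    192.0.2.10
www     IN A    192.0.2.20
mail    IN A    192.0.2.20  ; same IP as www
v6      IN AAAA 2001:db8::1
"""

def can_edit_zone(acl, zone):
    """Apply the Domains this user can edit setting to one zone name."""
    zone = zone.rstrip(".").lower()
    if acl["zone_mode"] == "all":
        return True
    if acl["zone_mode"] == "selected":
        return zone in acl["zones"]
    if acl["zone_mode"] == "except":
        return zone not in acl["zones"]
    raise ValueError("unknown zone mode: %r" % acl["zone_mode"])

def reverse_zone_for(ip, server_zones):
    """Most specific reverse zone on the server that would hold ip's PTR record, or None."""
    ptr = ipaddress.ip_address(ip).reverse_pointer  # e.g. 20.2.0.192.in-addr.arpa
    matches = [z for z in server_zones if ptr == z or ptr.endswith("." + z)]
    return max(matches, key=len) if matches else None

def can_update_reverse(acl, ip, server_zones):
    """Whether an Address change may also update the matching Reverse Address record.
    With reverse_any set, the user reaches reverse zones he otherwise could not edit."""
    rz = reverse_zone_for(ip, server_zones)
    if rz is None:
        return False  # no reverse zone on this server, so nothing to update
    return acl["reverse_any"] or can_edit_zone(acl, rz)

def _qualify(name, origin):
    """Make a zone-file name absolute relative to origin (which ends with a dot)."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else name.lower() + "." + origin

def parse_address_records(zone_text, origin):
    """Minimal records-file reader returning (owner, address) for A and AAAA records.
    Handles $ORIGIN, $TTL, ';' comments, '@', inherited owners and parenthesised records."""
    origin = origin.rstrip(".").lower() + "."
    records, owner, buf, depth = [], None, [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]          # drop comments
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:
            continue                         # still inside a multi-line record
        logical, buf = " ".join(buf), []
        tokens = logical.replace("(", " ").replace(")", " ").split()
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = _qualify(tokens[1], origin)
            continue
        if tokens[0].startswith("$"):
            continue                         # $TTL and other directives carry no records
        if not logical[0].isspace():
            owner = tokens.pop(0)            # explicit owner; otherwise inherit the last one
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                    # optional TTL and class
        if owner is None or len(tokens) < 2:
            continue
        if tokens[0].upper() in ("A", "AAAA"):
            records.append((_qualify(owner, origin), tokens[1]))
    return records

def duplicate_ips(records):
    """Addresses used by more than one Address record, which the same-IP setting blocks."""
    by_ip = {}
    for name, ip in records:
        by_ip.setdefault(ipaddress.ip_address(ip).compressed, []).append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}

def check_new_address(acl, zone, records, ip, server_zones):
    """Decisions for a user adding an Address record with address ip to zone."""
    return {
        "zone_allowed": can_edit_zone(acl, zone),
        "duplicate_blocked": not acl["same_ip"] and
            any(ipaddress.ip_address(a) == ipaddress.ip_address(ip) for _, a in records),
        "reverse_allowed": can_update_reverse(acl, ip, server_zones),
    }

if __name__ == "__main__":
    recs = parse_address_records(ZONE_FILE, "example.com")
    print("duplicate IPs:", duplicate_ips(recs))
    print(check_new_address(USER_ACL, "example.com", recs, "192.0.2.20", SERVER_ZONES))
    risky = dict(USER_ACL, reverse_any=True)
    print("reverse update with 'any domain' = Yes:",
          can_update_reverse(risky, "192.0.2.20", SERVER_ZONES))
```

Run with the user restricted to example.com and the reverse-any setting at No, the reverse update for 192.0.2.20 is refused because 2.0.192.in-addr.arpa is not one of his zones; flipping reverse_any to Yes makes every reverse zone on the server reachable from a single forward zone, which is the exposure the text warns about. Adding the reverse zone to his domain list is the narrower alternative.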
