57.5. The acl_security.pl Access Control Script

As Chapter 52 explains, the Webmin Users module can be used to configure detailed access control settings for a particular user and module. The actual form for editing these settings is generated by the acl_security.pl script in the module's directory, covered in Section 56.1, “Module Access Control”. Because this module lets an administrator define which UNIX users a particular Webmin user can edit Cron jobs for, it has one of these scripts as well.

As you can see by opening the file in an editor, it contains the required acl_security_form and acl_security_save functions. The first prints HTML for form inputs in a 4-column table, with their current settings based on the contents of the hash reference passed in as a parameter. The second function checks the values in %in and uses them to fill in the hash reference from its parameter, which is saved by the Webmin Users module back to /etc/webmin/cron/username.acl upon exiting.

The ACL settings for this module let the administrator choose allowed UNIX users by several different means. He can either grant access to all of them, to just the one whose name matches the current Webmin user, to a specific list of users, to users with some primary group, or to users with UIDs within some range. Many other modules have similar options to specify allowed users of some kind. If your module deals with some kind of UNIX user-related configuration, its acl_security.pl script should have similar inputs.

On many systems (such as those used for virtual hosting), a single subadministrator may be responsible for many UNIX accounts—possibly those with a certain primary group or with UIDs within some fixed range. This kind of access control makes it possible to safely give such a subadministrator a Webmin login to manage only those UNIX users that “belong” to him.

All of the CGI programs in this module use the get_module_acl standard function to get the access control settings for the current Webmin user. The return value is generally stored in the %access hash, which is consulted to determine if the Webmin user can access Cron jobs for a particular UNIX user. This is mostly done by calling can_edit_user (explained above), and then calling error if access was denied.

Code in your module should do the same, and every CGI program should check to make sure that it is not being accessed inappropriately. One change that you might want to make is to put the call to get_module_acl into your module's library script so that the %access hash is available globally to every CGI program, instead of each of them having to call it explicitly.
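An added example, not taken from the book or from Webmin's own code: a stand-alone Perl model of the five ways of choosing allowed UNIX users described above, denying by default. The ACL key names, the sample accounts and the function name can_edit_user_example are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: stand-alone model of a per-user access check.
# The ACL keys (mode, users, gid, uidmin, uidmax) are hypothetical and
# are not claimed to match the Cron module's real .acl file.
use strict;
use warnings;

# Constructed sample accounts: name => [uid, primary gid]
my %passwd = (
    root  => [0,    0],
    alice => [1001, 500],
    bob   => [1002, 500],
    carol => [2001, 600],
);

# Returns 1 only when the ACL explicitly allows $unix_user, otherwise 0.
sub can_edit_user_example {
    my ($acl, $webmin_user, $unix_user) = @_;

    # Reject anything that is not a plain account name before using it.
    return 0 unless defined $unix_user
        && $unix_user =~ /\A[a-z_][a-z0-9_-]*\z/;
    my $pw = $passwd{$unix_user} or return 0;    # unknown account
    my ($uid, $gid) = @$pw;

    my $mode = $acl->{mode} // '';
    return 1 if $mode eq 'all';
    return ($unix_user eq $webmin_user ? 1 : 0) if $mode eq 'self';
    if ($mode eq 'list') {
        my $hits = grep { $_ eq $unix_user } split ' ', ($acl->{users} // '');
        return $hits ? 1 : 0;
    }
    return ($gid == $acl->{gid} ? 1 : 0) if $mode eq 'group';
    if ($mode eq 'uidrange') {
        return ($uid >= $acl->{uidmin} && $uid <= $acl->{uidmax}) ? 1 : 0;
    }
    return 0;    # unrecognised mode: deny
}

# Constructed ACL for a subadministrator limited to UIDs 1000-1999.
my %access = (mode => 'uidrange', uidmin => 1000, uidmax => 1999);
for my $u (qw(alice carol root), 'bob; id') {
    my $ok = can_edit_user_example(\%access, 'hostadmin', $u);
    printf "%-8s %s\n", $u, $ok ? 'allowed' : 'denied';
}
```

In a real CGI program the hash would come from get_module_acl, and a denied result would lead to a call to error, as described above.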

When creating a module that can be set up to allow limited access like this, you must be very careful to stop the user from escaping its restrictions in any way. This means following all of the normal rules about programming CGI scripts, such as not passing user inputs directly to the system or open functions. Because Webmin modules are normally accessed by a user who has full root privileges, security holes like this would usually not matter. When the user has been given fewer privileges through the use of module access control, however, a bug could let him execute arbitrary commands or edit files as root.
