  • Managing Linux® Systems with Webmin™

    System Administration and Module Development

    Jamie Cameron

    PRENTICE HALL PROFESSIONAL TECHNICAL REFERENCE
    UPPER SADDLE RIVER, NJ 07458
    WWW.PHPTR.COM

  • Library of Congress Cataloging-in-Publication Data

    Cameron, Jamie.
    Managing Linux systems with Webmin / Jamie Cameron.
    p. cm.
    ISBN 0-13-140882-8
    1. Linux. 2. Operating systems (Computers). I. Title.
    QA76.76.O63 C3545 2003
    005.4’32—dc22
    2003016330

    Editorial and production services: TIPS Technical Publishing, Inc.
    Cover design director: Jerry Votta
    Cover design: Nina Scuderi
    Manufacturing buyer: Maura Zaldivar
    Executive Editor: Jill Harry
    Editorial assistant: Brenda Mulligan
    Marketing manager: Dan DePasquale

    © 2004 by Jamie Cameron

    Published by Pearson Education, Inc.
    Publishing as Prentice Hall Professional Technical Reference
    Upper Saddle River, New Jersey 07458

    This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).

    Prentice Hall PTR offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact: U.S. Corporate and Government Sales, 1-800-382-3419, [email protected]. For sales outside of the U.S., please contact: International Sales, 1-317-581-3793, [email protected].

    Company and product names mentioned herein are the trademarks or registered trademarks of their respective owners.

    Printed in the United States of America

    First Printing

    ISBN 0-13-140882-8

    Pearson Education LTD.
    Pearson Education Australia PTY, Limited
    Pearson Education Singapore, Pte. Ltd.
    Pearson Education North Asia Ltd.
    Pearson Education Canada, Ltd.
    Pearson Educación de Mexico, S.A. de C.V.
    Pearson Education—Japan
    Pearson Education Malaysia, Pte. Ltd.

  • Contents at a Glance

    I INTRODUCTION
    1 Introduction to Webmin
    2 Installing Webmin
    3 Securing Your Webmin Server

    II SYSTEM MODULES
    4 Users and Groups
    5 Disk and Network Filesystems
    6 NFS File Sharing
    7 Disk Quotas
    8 Partitions, RAID, and LVM
    9 Bootup and Shutdown
    10 Scheduled Commands
    11 Process Management
    12 Software Packages
    13 System Logs
    14 Filesystem Backups
    15 Internet Services
    16 Network Configuration
    17 Network Information Service
    18 PPP Server Configuration
    19 Firewall Configuration
    20 Setting the Date and Time
    21 Boot Loader Configuration
    22 Printer Administration
    23 Voicemail Server Configuration
    24 Remote Shell Login
    25 Running Custom Commands
    26 Webmin’s File Manager
    27 Perl Modules
    28 Status Monitoring with Webmin

    III SERVER MODULES
    29 Apache Web Server Configuration
    30 DNS Server Configuration
    31 CVS Server Configuration
    32 DHCP Server Configuration
    33 Downloading Email with Fetchmail
    34 Managing Majordomo Mailing Lists
    35 The MySQL Database
    36 The PostgreSQL Database
    37 Configuring Sendmail
    38 Configuring Qmail
    39 Analyzing Log Files
    40 The ProFTPD Server
    41 The WU-FTPD Server
    42 SSH Server Configuration
    43 Windows File Sharing with Samba
    44 Configuring the Squid Proxy Server
    45 Filtering Email with Procmail
    46 Creating SSL Tunnels
    47 Usermin Configuration

    IV CLUSTER MODULES
    48 Cluster Software Management
    49 Cluster User Management
    50 Cluster Webmin Configuration

    V WEBMIN MODULES
    51 Webmin Configuration
    52 Webmin Access Control
    53 Webmin Servers
    54 Logging in Webmin

    VI DEVELOPER’S GUIDE
    55 Webmin Module Development
    56 Advanced Module Development
    57 Inside the Scheduled Cron Jobs Module
    58 Creating Webmin Themes
    59 Inside the MSC Theme
    60 The Webmin API

  • Contents

    I INTRODUCTION

    1 Introduction to Webmin
        What is Webmin?
        Who Should Use Webmin?
        How and Why Was it Developed?
        What is this Book About?
        Who Should Read this Book?
        Conventions Used in this Book
        Acknowledgments

    2 Installing Webmin
        Downloading Webmin for Your System
        Installing the RPM Package
        Installing the tar.gz Package
        Installing the Solaris Package
        The Webmin User Interface
        Uninstalling Webmin
        Summary

    3 Securing Your Webmin Server
        Network Security
        SSL Encryption
        Requesting a Valid SSL Certificate
        Summary

    II SYSTEM MODULES

    4 Users and Groups
        Introduction to UNIX Users and Groups
        The Users and Groups Module
        Creating a New User
        Editing an Existing User
        Deleting a User
        Creating a New Group
        Editing an Existing Group
        Deleting a Group
        Viewing Recent and Current Logins
        Reading Users’ Email
        Creating Users from Batch Files
        Configuring the Users and Groups Module
        Before and After Commands
        Module Access Control
        Other Operating Systems
        Summary

    5 Disk and Network Filesystems
        Introduction to Filesystems
        The Disk and Network Filesystems Module
        Mounting an NFS Network Filesystem
        Mounting an SMBFS Windows Networking Filesystem
        Mounting a Local ext2 or ext3 Hard Disk Filesystem
        Mounting a Local Windows Hard Disk Filesystem
        Adding Virtual Memory
        Automounter Filesystems
        Editing or Removing an Existing Filesystem
        Listing Users of a Filesystem
        Module Access Control
        Configuring the Disk and Network Filesystems Module
        A Comparison of Filesystem Types
        Other Operating Systems
        Summary

    6 NFS File Sharing
        Introduction to File Sharing with NFS
        The NFS Exports Module
        Exporting a Directory
        Editing or Deleting an NFS Export
        NFS on Solaris
        NFS on BSD, MacOS X and OpenServer
        NFS on Irix
        Summary

    7 Disk Quotas
        Introduction to Disk Quotas
        The Disk Quotas Module
        Enabling Quotas for a Filesystem
        Disabling Quotas for a Filesystem

        Setting Quotas for a User or Group
        Copying Quotas to Multiple Users
        Setting Grace Times
        Setting Default Quotas for New Users
        Other Operating Systems
        Configuring the Disk Quotas Module
        Module Access Control
        Summary

    8 Partitions, RAID, and LVM
        Introduction to Hard Disk Partitions
        The Partitions on Local Disks Module
        Adding and Formatting a New Partition
        Creating a New Filesystem
        Partition Labels
        Deleting or Changing a Partition
        Module Access Control
        Other Operating Systems
        Introduction to RAID
        The Linux RAID Module
        Introduction to LVM
        The Logical Volume Management Module
        Creating a New Volume Group
        Adding and Removing a Physical Volume
        Creating and Deleting a Logical Volume
        Resizing a Logical Volume
        Creating a Snapshot
        Summary

    9 Bootup and Shutdown
        Introduction to the Linux Boot Process
        The Bootup and Shutdown Module
        Configuring an Action to Start at Bootup
        Starting and Stopping Actions
        Adding a New Action
        Rebooting or Shutting Down Your System
        Configuring the Bootup and Shutdown Module
        Other Operating Systems
        The SysV Init Configuration Module
        Summary

    10 Scheduled Commands
        Introduction to Cron Jobs
        The Scheduled Cron Jobs Module
        Creating a New Cron Job
        Editing a Cron Job
        Controlling Users’ Access to Cron
        Module Access Control Options
        Configuring the Scheduled Cron Jobs Module
        Other Operating Systems
        The Scheduled Commands Module
        Creating a New Scheduled Command
        Summary

    11 Process Management
        Introduction to Processes
        The Running Processes Module
        Viewing, Killing, or Reprioritizing a Process
        Searching for Processes
        Running a Process
        Module Access Control Options
        Other Operating Systems
        Summary

    12 Software Packages
        Introduction to Packages
        The Software Packages Module
        Installing a New Package
        Finding and Removing a Package
        Updating on Debian Linux
        Updating on Red Hat Linux
        Other Operating Systems
        Summary

    13 System Logs
        Introduction to Logging
        The System Logs Module
        Adding a New Log File
        Editing or Deleting a Log File
        Module Access Control
        Other Operating Systems
        Summary

    14 Filesystem Backups
        Introduction to Backups with Dump
        The Filesystem Backup Module
        Adding a New Backup
        Making a Backup
        Editing or Deleting a Backup
        Restoring a Backup
        Configuring the Filesystem Backup Module
        Other Operating Systems
        Summary

    15 Internet Services
        Introduction to Internet Services
        The Internet Services and Protocols Module
        Enabling an Internet Service
        Creating Your Own Internet Service
        Creating and Editing RPC Programs
        Configuring the Internet Services and Protocols Module
        Other Operating Systems
        The Extended Internet Services Module
        Enabling or Editing an Extended Internet Service
        Creating an Extended Internet Service
        Editing Default Options
        Summary

    16 Network Configuration
        Introduction to Linux Networking
        Viewing and Editing Network Interfaces
        Adding a Network Interface
        Configuring Routing
        Changing the Hostname or DNS Client Settings
        Editing Host Addresses
        Module Access Control
        Other Operating Systems
        Summary

    17 Network Information Service
        Introduction to NIS
        Becoming an NIS Client
        Setting Up an NIS Master Server
        Editing NIS Tables
        Securing Your NIS Server
        Setting Up an NIS Slave Server
        Configuring the NIS Client and Server Module
        NIS on Solaris
        Summary

    18 PPP Server Configuration
        Introduction to PPP on Linux
        Configuring a PPP Server
        Managing PPP Accounts
        Restricting Access by Caller ID
        Module Access Control
        Summary

    19 Firewall Configuration
        Introduction to Firewalling with IPtables
        The Linux Firewall Module
        Allowing and Denying Network Traffic
        Changing a Chain’s Default Action
        Editing Firewall Rules
        Creating Your Own Chain
        Setting Up Network Address Translation
        Setting Up a Transparent Proxy
        Setting Up Port Forwarding
        Firewall Rule Conditions
        Configuring the Linux Firewall Module
        Summary

    20 Setting the Date and Time
        The System Time Module
        Changing the System Time
        Change the Hardware Time
        Synchronizing Times with Another Server
        Module Access Control
        Other Operating Systems
        Summary

    21 Boot Loader Configuration
        Introduction to Boot Loaders
        The Linux Bootup Configuration Module
        Booting a New Kernel with LILO
        Booting Another Operating System with LILO
        Editing Global LILO Options
        The GRUB Boot Loader Module
        Booting a New Linux Kernel or BSD with GRUB
        Booting Another Operating System with GRUB
        Editing Global GRUB Options
        Installing GRUB
        Configuring the GRUB Boot Loader Module
        Summary

    22 Printer Administration
        Introduction to Printing on Linux
        The Printer Administration Module
        Adding a New Printer
        Editing an Existing Printer
        Managing Print Jobs
        Configuring the Printer Administration Module
        Module Access Control
        Other Operating Systems
        Summary

    23 Voicemail Server Configuration
        The Voicemail Server Module
        Configuring Your System as an Answering Machine
        Listening to Recorded Messages
        Setting a Greeting Message
        Summary

    24 Remote Shell Login
        The SSH/Telnet Login Module
        Configuring the SSH/Telnet Login Module
        The Command Shell Module
        The Shell In A Box Module
        Summary

    25 Running Custom Commands
        The Custom Commands Module
        Creating a New Command
        Parameter Types
        Creating a New File Editor
        Module Access Control
        Configuring the Custom Commands Module
        Summary

    26 Webmin’s File Manager
        The File Manager Module
        Navigating Directories and Viewing Files
        Manipulating Files
        Creating and Editing Files
        Editing File Permissions
        Creating Links and Directories
        Finding Files
        Editing EXT File Attributes
        Editing XFS File Attributes
        Editing File ACLs
        Sharing Directories
        Module Access Control
        Summary

    27 Perl Modules
        Introduction to Perl Modules
        Perl Modules in Webmin
        Installing a Perl Module
        Viewing and Removing a Perl Module
        Configuring the Perl Modules Module
        Summary

    28 Status Monitoring with Webmin
        The System and Server Status Module
        Adding a New Monitor
        Monitor Types
        Setting Up Scheduled Monitoring
        Module Access Control
        Configuring the System and Server Status Module
        Summary

    III SERVER MODULES

    29 Apache Web Server Configuration
        Introduction to Apache
        The Apache Webserver Module
        Starting and Stopping Apache
        Editing Pages on Your Web Server
        Creating a New Virtual Host
        Setting Per-Directory Options
        Creating Aliases and Redirects
        Running CGI Programs
        Setting Up Server-Side Includes
        Configuring Logging
        Setting Up Custom Error Messages
        Adding and Editing MIME Types
        Password Protecting a Directory
        Restricting Access by Client Address
        Encodings, Character Sets, and Languages
        Editing .htaccess Files
        Setting Up User Web Directories
        Configuring Apache as a Proxy Server
        Setting Up SSL
        Viewing and Editing Directives
        Module Access Control
        Configuring the Apache Webserver Module
        Summary

    30 DNS Server Configuration
        Introduction to the Domain Name System
        The BIND DNS Server Module
        Creating a New Master Zone
        Adding and Editing Records
        Record Types
        Editing a Master Zone
        Creating a New Slave Zone
        Editing a Slave Zone
        Creating and Editing a Forward Zone
        Creating a Root Zone
        Editing Zone Defaults
        Configuring Forwarding and Transfers
        Editing Access Control Lists
        Setting Up Partial Reverse Delegation
        Using BIND Views
        Module Access Control
        Configuring the BIND DNS Server Module
        The BIND 4 DNS Server Module
        Summary

    31 CVS Server Configuration
        Introduction to CVS
        The CVS Server Module
        Setting Up the CVS Server
        Using the CVS Server
        Adding and Editing Users
        Limiting User Access
        Configuring the CVS Server
        Browsing the Repository
        Configuring the CVS Server Module
        Summary

    32 DHCP Server Configuration
        Introduction to the Dynamic Host Configuration Protocol
        The ISC DHCP Server
        The DHCP Server Module
        Adding and Editing Subnets
        Viewing and Deleting Leases
        Editing Global Client Options
        Adding and Editing Fixed Hosts
        Adding and Editing Shared Networks
        Adding and Editing Groups
        Module Access Control
        Configuring the DHCP Server Module
        Summary

    33 Downloading Email with Fetchmail
        Introduction to Fetchmail
        The Fetchmail Mail Retrieval Module
        Adding a New Mail Server to Check
        Downloading Email
        Running the Fetchmail Daemon
        Editing Global Settings
        Module Access Control
        Configuring the Fetchmail Mail Retrieval Module
        Summary

    34 Managing Majordomo Mailing Lists
        Introduction to Mailing Lists and Majordomo
        The Majordomo List Manager Module
        Using Other Mail Servers
        Creating a Mailing List
        Managing List Members
        Editing List Information, Headers, and Footers
        Editing Subscription Options
        Editing Forwarded Email Options
        Editing List Access Control
        Moderating and Maintaining a Mailing List
        Deleting a Mailing List
        Creating a Digest List
        Editing Digest Options
        Editing Global Majordomo Options
        Module Access Control
        Configuring the Majordomo List Manager Module
        Summary

    35 The MySQL Database
        Introduction to MySQL
        The MySQL Database Server Module
        Creating a New Database
        Creating a New Table
        Adding and Editing Fields
        Field Types
        Viewing and Editing Table Contents
        Deleting Tables and Databases
        Executing SQL Commands
        Backing Up and Restoring a Database
        Managing MySQL Users
        Managing Database, Host, Table, and Field Permissions
        Module Access Control
        Configuring the MySQL Database Server Module
        Summary

    36 The PostgreSQL Database
        Introduction to PostgreSQL
        The PostgreSQL Database Server Module
        Creating a New Database
        Creating a New Table
        Adding and Editing Fields
        Deleting a Field
        Field Types
        Viewing and Editing Table Contents
        Deleting Tables and Databases
        Executing SQL Commands
        Backing Up and Restoring a Database
        Managing PostgreSQL Users
        Managing PostgreSQL Groups
        Restricting Client Access
        Editing Object Privileges
        Module Access Control
        Configuring the PostgreSQL Database Server Module
        Summary

    37 Configuring Sendmail
        Introduction to Internet Email
        The Sendmail Configuration Module
        Editing Local Domains and Domain Masquerading
        Managing Email Aliases
        Configuring Relaying
        Managing Virtual Address Mappings
        Configuring Domain Routing
        Editing Global Sendmail Options
        Viewing the Mail Queue
        Reading Users’ Email
        Adding Sendmail Features with M4
        Creating Autoreply Aliases
        Creating Filter Aliases
        Sendmail Module Access Control
        Configuring the Sendmail Configuration Module
        Summary

    38 Configuring Qmail
        Introduction to Qmail
        The Qmail Configuration Module
        Editing Local Domains
        Managing Email Aliases

        Configuring Relaying
        Managing Virtual Mappings
        Configuring Domain Routing
        Editing Global Qmail Options
        Editing Mail User Assignments
        Viewing the Mail Queue
        Reading Users’ Email
        Configuring the Qmail Configuration Module
        Summary

    39 Analyzing Log Files
        The Webalizer Logfile Analysis Module
        Editing Report Options
        Generating and Viewing a Report
        Reporting on Schedule
        Adding Another Log File
        Editing Global Options
        Module Access Control
        Summary

    40 The ProFTPD Server
        Introduction to FTP and ProFTPD
        The ProFTPD Server Module
        Running ProFTPD from inetd or xinetd
        Using the ProFTPD Server Module
        Creating Virtual Servers
        Setting Up Anonymous FTP
        Restricting Users to Their Home Directories
        Limiting Who Can Log In
        Setting Directory Listing Options
        Message and Readme Files
        Setting Per-Directory Options
        Restricting Access to FTP Commands
        Configuring Logging
        Limiting Concurrent Logins
        Restricting Clients by IP Address
        Limiting Uploads
        Manually Editing Directives
        Configuring the ProFTPD Server Module
        Summary

    41 The WU-FTPD Server
        Introduction to WU-FTPD
        The WU-FTPD Server Module
        Limiting Who Can Log In
        Setting Up Anonymous FTP
        Managing User Classes
        Denying Access to Files
        Setting Up Guest Users
        Editing Directory Aliases
        Message and Readme Files
        Configuring Logging
        Limiting Concurrent Logins
        Restricting Clients by IP Address
        Restricting Access to FTP Commands
        Configuring the WU-FTPD Server Module
        Summary

    42 SSH Server Configuration
        Introduction to SSH
        The SSH Server Module
        Restricting Access to the SSH Server
        Network Configuration
        Authentication Configuration
        Editing Client Host Options
        Setting Up SSH for New Users
        Configuring the SSH Server Module
        Summary

    43 Windows File Sharing with Samba
        Introduction to SMB and Samba
        The Samba Windows File Sharing Module
        Managing Samba Users
        Adding a New File Share
        Adding a New Printer Share
        Viewing and Disconnecting Clients
        Editing Share Security Options
        Editing File Permission Settings
        Editing File Naming Options
        Editing Other File Share Options
        Editing Printer Share Options
        Editing Share Defaults
        Configuring Networking
        Configuring Authentication
        Configuring Printers

        Accessing SWAT from Webmin
        Module Access Control
        Configuring the Samba Windows File Sharing Module
        Summary

    44 Configuring the Squid Proxy Server
        Introduction to Proxying and Squid
        The Squid Proxy Server Module
        Changing the Proxy Ports and Addresses
        Adding Cache Directories
        Editing Caching and Proxy Options
        Introduction to Access Control Lists
        Creating and Editing ACLs
        Creating and Editing Proxy Restrictions
        Setting Up Proxy Authentication
        Configuring Logging
        Connecting to Other Proxies
        Clearing the Cache
        Setting Up a Transparent Proxy
        Viewing Cache Manager Statistics
        Analyzing the Squid Logs
        Module Access Control
        Configuring the Squid Proxy Server Module
        Summary

    45 Filtering Email with Procmail
        Introduction to Procmail
        The Procmail Mail Filter Module
        Setting Up Sendmail
        Creating and Editing Actions
        Creating and Editing Variable Assignments
        Conditional Blocks and Include Files
        Filtering Spam with SpamAssassin
        Configuring the Procmail Mail Filter Module
        Summary

    46 Creating SSL Tunnels
        Introduction to SSL and STunnel
        The SSL Tunnels Module
        Creating and Editing SSL Tunnels
        Configuring the SSL Tunnels Module
        Summary

    47 Usermin Configuration
        Introduction to Usermin
        The Usermin Configuration Module
        Starting and Stopping Usermin
        Restricting Access to Usermin
        Changing the Port and Address
        Configuring the Usermin User Interface
        Installing Usermin Modules
        Changing the Default Language
        Upgrading Usermin
        Configuring Authentication
        Editing Categories and Moving Modules
        Changing and Installing Themes
        Turning on SSL
        Configuring Usermin Modules
        Restricting Access to Modules
        Limiting Who Can Log In
        About the Usermin Modules
        Configuring the Usermin Configuration Module
        Summary

    IV CLUSTER MODULES

    48 Cluster Software Management
        Introduction to Webmin Clustering
        The Cluster Software Packages Module
        Registering a Server
        Installing a Package
        Searching for Packages
        Deleting a Package
        Exploring and Removing a Server
        Refreshing the Package List
        Configuring the Cluster Software Packages Module
        Summary

    49 Cluster User Management
        The Cluster Users and Groups Module
        Registering a Server
        Creating a New User

        Editing an Existing User
        Deleting a User
        Creating a New Group
        Editing an Existing Group
        Deleting a Group
        Refreshing User and Group Lists
        Synchronizing Users and Groups
        Listing and Removing a Server
        Configuring the Cluster Users and Groups Module
        Summary

    50 Cluster Webmin Configuration
        The Cluster Webmin Configuration Module
        Registering a Server
        Creating a New Webmin User
        Editing or Deleting a Webmin User
        Creating a New Webmin Group
        Editing or Deleting a Webmin Group
        Editing the User or Group ACL for a Module
        Installing a Module or Theme
        Viewing and Deleting a Module or Theme
        Refreshing User and Module Lists
        Listing and Removing a Server
        Configuring the Cluster Webmin Configuration Module
        Summary

    V WEBMIN MODULES

    51 Webmin Configuration
        The Webmin Configuration Module
        Restricting Access to Webmin
        Changing the Port and Address
        Setting Up Logging
        Using Proxy Servers
        Configuring the Webmin User Interface
        Installing and Deleting Webmin Modules
        Cloning a Webmin Module
        Changing Your Operating System
        Editing the Program Path and Environment Variables
        Changing Webmin’s Language
        Editing Main Menu Settings
        Upgrading Webmin
        Installing Updates to Webmin
        Configuring Authentication
        Editing Categories and Moving Modules
        Changing and Installing Themes
        Referrer Checking
        Allowing Unauthenticated Access to Modules
        Turning on SSL
        Setting Up a Certificate Authority
        Summary

    52 Webmin Access Control
        Introduction to Webmin Users, Groups, and Permissions
        The Webmin Users Module
        Creating a New Webmin User
        Editing a Webmin User
        Editing Module Access Control
        Creating and Editing Webmin Groups
        Requesting a Client SSL Key
        Viewing and Disconnecting Login Sessions
        Module Access Control
        Configuring the Webmin Users Module
        Summary

    53 Webmin Servers
        The Webmin Servers Index Module
        Adding a Webmin Server
        Editing or Deleting a Webmin Server
        Using Server Tunnels
        Broadcasting and Scanning for Servers
        How RPC Works
        Module Access Control
        Configuring the Webmin Servers Index Module
        Summary

    54 Logging in Webmin
        Introduction to Logging
        The Webmin Actions Log Module
        Displaying Logs
        Summary

    VI DEVELOPER’S GUIDE

    55 Webmin Module Development
        Introduction
        Required Files
        Module CGI Programs
        Module Configuration
        Look and Feel
        Design Goals
        Online Help
        Module Packaging
        Summary and Learning More

    56 Advanced Module Development
        Module Access Control
        User Update Notification
        Internationalization
        File Locking
        Action Logging
        Pre- and Post-Install Scripts
        Functions in Other Modules
        Remote Procedure Calls
        Creating Usermin Modules
        Summary

    57 Inside the Scheduled Cron Jobs Module
        Module Design and CGI Programs
        The cron-lib.pl Library Script
        Module Configuration Settings
        The lang Internationalization Directory
        The acl_security.pl Access Control Script
        The log_parser.pl Log Reporting Script
        The useradmin_update.pl User Synchronization Script
        Summary

    58 Creating Webmin Themes
        Introduction to Themes
        Overriding Images and Programs
        Theme Functions
        Summary

    59 Inside the MSC Theme
        Theme Design and Graphics
        The index.cgi Program
        The theme_header Function
        The theme_footer Function
        Summary

    60 The Webmin API
        API Functions
        Summary

    Index

  • PART I INTRODUCTION

    CHAPTER 1

    Introduction to Webmin

    This chapter explains what Webmin is, why it was written, and what you can expect from this book.

    1.1 What is Webmin?

    Webmin is a program that simplifies the process of managing a Linux or UNIX system. Traditionally, you have needed to manually edit configuration files and run commands to create accounts, set up web servers, or manage email forwarding. Webmin now lets you perform these tasks through an easy-to-use web interface, and automatically updates all of the required configuration files for you. This makes the job of administering your system much easier.

    Some of the things that you can do with Webmin include:

    • Creating, editing, and deleting UNIX login accounts on your system
    • Exporting files and directories to other systems with the NFS protocol
    • Setting up disk quotas to control how much space users can take up with their files
    • Installing, viewing, and removing software packages in RPM and other formats
    • Changing your system's IP address, DNS settings, and routing configuration
    • Setting up a firewall to protect your computer or give hosts on an internal LAN access to the Internet
    • Creating and configuring virtual web sites for the Apache Web server
    • Managing databases, tables, and fields in a MySQL or PostgreSQL database server
    • Sharing files with Windows systems by configuring Samba

    These are just a few of the available functions. Webmin lets you configure almost all of the common services and popular servers on UNIX systems using a simple web interface. It protects you from the syntax errors and other mistakes that are often made when editing configuration files directly, and warns you before potentially dangerous actions.

    Because Webmin is accessed through a web browser, you can log in to it from any system that is connected to yours through a network. There is absolutely no difference between running it locally and running it remotely, and it is much easier to use over the network than other graphical configuration programs.

    Webmin has what is known as a modular design. This means that each of its functions is contained in a module that can generally be installed or removed independently from the rest of the program. Each module is responsible for managing some service or server, such as UNIX users, the Apache Web server, or software packages.

    If you have been manually configuring your system up till now, any existing settings will be recognized by Webmin. It always reads the standard configuration files on your system and updates them directly, instead of using its own separate database. This means that you can freely mix Webmin, manual configuration, and other programs or scripts that work in the same way.

    Even though this book is written for Linux users, Webmin can be used on many other flavors of UNIX as well, such as Solaris, FreeBSD, and HP/UX. One of its biggest strengths is its understanding of the differences between all these operating systems and the way it adjusts its user interface and behavior to fit your OS. This means that it can often hide the underlying differences between each UNIX variant and present a similar or identical interface no matter which one you are using.

    Webmin on its own is not particularly useful though—it is only a configuration tool, so you must have programs installed for it to configure. For example, the Apache module requires that the actual Apache Web server be installed. Fortunately, all of the services and servers that Webmin manages are either included with most Linux distributions as standard, or can be freely downloaded and installed.

    1.2 Who Should Use Webmin?

    Webmin was written for use by people who have some Linux experience but are not familiar with the intricacies of system administration. Even though it makes the process of creating UNIX users or managing the Squid proxy server easy, you must first have some idea of what a UNIX account is and what Squid does. The average Webmin user is probably someone running it on their Linux system at home or on a company network.

    The program assumes that you are familiar with basic TCP/IP networking concepts, such as IP addresses, DNS servers, and hostnames. It also assumes that the user understands the layout of the UNIX filesystem, what users and groups are, and where user files are located. If you use Webmin to manage a server like Apache or Sendmail, you should first have an idea of what they can do and what kind of configuration you want completed.

    Webmin itself runs with full UNIX root privileges, which means that it can edit any file and run any command on your system. This means that it is quite possible to delete all of the files on your system or make it un-bootable if you make a mistake when using the program, especially if you are configuring something that you don't understand. Even though Webmin will usually warn you before performing some potentially dangerous action, there is still plenty of scope for causing damage.


    Even though it can be used on a system with no connection to the Internet, Webmin does benefit if your Linux system is on a network. It can download new software packages, Perl modules, or even new versions of Webmin for you, if connected. A permanent high-speed connection is best, but even a dial-up connection is good enough for most purposes.

    Because Webmin runs with root privileges, you must be able to log in to your system as root to install and start it. This means that it cannot be used on a system on which you have only a normal UNIX account, such as a virtual web server that is shared with other people. You might, however, be able to get your system administrator to install and configure it for you.

    If you are already an experienced UNIX system administrator, Webmin may not feel like the tool for you because using it is generally slower than directly editing configuration files and running commands. However, even the experts can benefit from its automatic syntax checking and the actions that it can perform automatically.

    It is also possible to give different people different levels of access to Webmin, so that an experienced administrator can use it to safely delegate responsibility to less-skilled subordinates. For example, you might want someone to be only able to manage the BIND DNS server and nothing else, while giving yourself full access to the system and all of Webmin's functions.

    1.3 How and Why Was it Developed?

    Webmin, the program, was designed and created by me, Jamie Cameron—the author of this book. I started it back in 1997 and released the first version (0.1) in October of that year. Since that time, its user interface, features, and appearance have changed dramatically, and almost all of the code has been re-written. The basic concept of a web-based administration tool, however, has been the same since that very first release.

    I started writing it when I was the administrator for a system running a DNS server and was spending a lot of time updating the server's configuration files to add new host records requested by users. Giving them the root password was not an option—they did not have the experience to properly edit the zone files and re-start the server. The solution was a simple web interface that would display existing DNS records and allow them to be edited, created, and deleted. Users could then safely be given access to this interface to make the changes that they needed.

    DNS management was just the start though. Once I saw the possibilities for simplifying the configuration of a UNIX system through a web interface, I started adding other features to the program and putting them into modules. Next came modules for UNIX users, Samba, mounting filesystems, NFS, and Cron jobs. I thought up the name Webmin, made it available for anyone to download, and announced it on a few mailing lists. The initial feedback was good, so I kept on writing.

    Over the years, the program has gone through three different user interfaces, grown to 83 modules, added support for non-English languages, provided advanced access control, included lots more operating systems, and offered many other features. The Linux distribution companies Caldera and MSC.Linux have supported the project financially, and many users have made contributions of code patches, modules, translations, and suggestions. In addition to the standard modules, over 100 have been written by other people and are available to be added to Webmin on your system once you have installed the program.


    1.4 What is this Book About?

    This book explains how to install Webmin, how to use almost all of its modules, and how to write your own. The book focuses on the standard modules that come with the Webmin package, not those written by other people. Not all of the 83 standard modules are covered, however, as some are not very useful to the average administrator.

    Although this book is written primarily for Linux users, the program behaves almost identically on other operating systems. Each chapter also lists any differences between Linux and other UNIX variants in their “Other Operating Systems” sections. This means that it is still very useful if you are running Webmin on FreeBSD, Solaris, MacOS X, or some other variety of UNIX.

    Each chapter in the book covers the use of Webmin for managing a particular service or server, such as NFS exports, Sendmail, or the ProFTPD FTP server. Most chapters only discuss a single module, but some cover two or three that have similar or related purposes. Each chapter is pretty much self-contained, so there is no need to read through the entire book in sequence if you just want to find out how to configure one server. Chapters 2, 3, and possibly Chapter 52, however, should be read first as they explain how to install Webmin, how to secure it, and how to limit what other users can do with a module, respectively.

    Each chapter is broken up into sections, and most sections explain how to perform a specific task. A section will generally contain an introduction to the task explaining why you might want to do it, followed by a list of steps to follow in the Webmin user interface to carry it out. At the beginning of each chapter are sections that introduce the server being configured and the concepts behind it, and list the underlying configuration files that get modified when you use the module covered in that chapter.

    Chapters 55 to 60 cover the development of your own Webmin modules and themes, and therefore have a different style. The average user does not need to read them, but if you have an idea for a module that is not currently available, they provide all the information that you need to implement it.

    1.5 Who Should Read this Book?

    This book should be read by anyone wanting to use Webmin to manage their Linux or UNIX systems. It was written for readers with a basic knowledge of UNIX commands and concepts—people who have installed Linux and have used it for a while.

    Each chapter starts with an introduction to the service being configured so that readers have some idea of what the DNS protocol is for or how a firewall works. Even so, a complete novice should not try to set up a server until he understands how it works and what he wants it to do. The best way to learn is to use the service on some other system as a user. For example, if you have used a proxy server before on some other network, then you will have the background knowledge needed to use this book to set up the Squid proxy on your own system.

    The development chapters, on the other hand, are written for someone who already understands how to write Perl scripts and CGI programs on a UNIX system. This means that they are more complex than the rest of the book, and assume some knowledge of programming and manual system administration. They can be skipped, however, if you just want to learn how to use Webmin rather than how to extend it.


    1.6 Conventions Used in this Book

    The following special text styles are used in this book:

    Bold Used for text that appears in Webmin itself, such as error messages, icon names, buttons, and field labels.

    Fixed width This style is used for the names of shell commands, UNIX users, directories and files. Also used for text in configuration files, program code and API functions.

    Italics Used to indicate example input entered by the user into Webmin, example commands, or directories. Also used in Chapter 60 “The Webmin API” for the names of parameters to functions.

    1.7 Acknowledgments

    This book could not have been written without the support of Jill Harry and the others at Prentice Hall, Robert Kern for suggesting the idea, my wife Foong Ching for her constant support, and all the members of the Webmin mailing list for their ideas and suggestions over the years.


    CHAPTER 2

    Installing Webmin

    This chapter explains how to download the appropriate Webmin package for your operating system, how to install it, and what you will see after logging in for the first time.

    2.1 Downloading Webmin for Your System

    The latest version of Webmin can always be downloaded from www.webmin.com/. At the time of writing, the latest release was Version 1.100, but new versions come out frequently. All of the instructions below, however, will use Version 1.100 for the filenames. If you download a later release, the version number in all the filenames and paths will have changed.

    Some Linux distributions, such as Mandrake and Caldera, include Webmin as a standard feature, so it may already be installed on your system. The version that they include, however, may not be the latest official version that is available for download. If you are happy with the release that you already have, however, you can skip this chapter.

    Other Linux distributions, like Debian and Gentoo, include Webmin as a package that can be downloaded and installed automatically. On Debian, the command apt-get install webmin will install the latest version available in the Debian APT repository. This can sometimes be a few versions behind the newest official release, however, so you may want to download from www.webmin.com/ instead. On Gentoo Linux, the command emerge webmin will install the latest version from the Gentoo Portage repository, which should be the same as the newest official release.

    If you are upgrading from an older Webmin version, the process is exactly the same as installing for the first time. Any changes that you have made to the configuration of Webmin itself, or to other servers like Apache or Sendmail, will be left unharmed by the upgrade.

    While Webmin supports a wide variety of UNIX variants, it does not cover all of them. Because it deals with system configuration files that differ in location and format between different kinds of UNIX operating systems, it has been written to behave differently depending on the type of operating system that it is running on. To see a complete list of supported operating systems, visit the web page www.webmin.com/support.html. If your operating system is not on the list, you cannot use Webmin.

    Before downloading Webmin for installation on your system, you have to choose a package format in which to download it. The available formats are:

    RPM If you are running Red Hat, SuSE, Mandrake, Caldera, MSC, or any other Linux distribution which supports the RPM packaging format, then the RPM package is your best choice.

    tar.gz The tar.gz packaged version of Webmin will work on any operating system, but is slightly harder to install than the RPM and Solaris packages.

    Solaris package If you are running Solaris on Sparc or x86, then this is the package format for you.

    For instructions on installing your chosen package type, see Section 2.2 “Installing the RPM Package” below.

    2.2 Installing the RPM Package

    In the top-right corner of every Webmin website page is a link for the RPM package. A link can also be found on the page www.webmin.com/download.html. Once you have downloaded it, you should have a file on your Linux system named something like webmin-1.1.100-1.noarch.rpm. To install, run the following command as root:

    rpm -U webmin-1.1.100-1.noarch.rpm

    The RPM install can only fail if you do not have Perl installed, or if Webmin cannot identify your operating system. If that occurs and your Linux distribution is on the list of supported operating systems, you should install the tar.gz version instead. Because all Linux distributions are slightly different, the Webmin install process has to positively identify the exact distribution and version that you are running, such as Red Hat 7.3. This can fail if one of the files that contain the distribution name (such as /etc/issue) has been modified.

    Assuming the RPM install successfully completes, you will be able to log in to Webmin immediately. Open a web browser, and go to the URL http://localhost:10000/ if you are running the browser on the same Linux system on which Webmin was installed, or http://your-systems-hostname:10000/ if the browser is being run on another PC. Either way, a web form will appear prompting for a username and password, as shown in Figure 2.1.

    You should be able to log in as root, using the same password as the root UNIX user on your Linux system. If the password is changed using the command-line passwd command or the Users and Groups module, your Webmin password will change too.

    If the OpenSSL library and the Net::SSLeay Perl module have already been installed on your system, Webmin will automatically start in SSL mode. This means that you should use a URL starting with https:// instead of http:// to connect to it. Attempting to connect with the non-SSL URL will only bring up a page with a link to the https:// URL on it, which you should follow to log in.


    2.3 Installing the tar.gz Package

    In the top-right corner of every Webmin website page there is a link for the tar.gz package. A link can also be found on the page www.webmin.com/download.html. Once you have downloaded it, you should have a file on your system named something like webmin-1.1.100.tar.gz. To install the package, follow these steps:

    1. Log in to your system as root.

    2. Choose a directory under which you want Webmin installed. This is usually /usr/local, but can be /opt or any other location that you prefer. The instructions below will use /usr/local for simplicity.

    3. Copy the webmin-1.1.100.tar.gz file to the /usr/local directory.

    4. Run the following commands to uncompress and extract the tar.gz file and run the setup script:

    cd /usr/local

    gunzip webmin-1.1.100.tar.gz

    tar xf webmin-1.1.100.tar

    cd webmin-1.1.100

    ./setup.sh

    5. After running the setup.sh script, you will be asked a series of questions that control the installation process. The questions and their meanings are:

    Figure 2.1 The Webmin login page.


    Config file directory [/etc/webmin] This is the directory in which Webmin will store all of its own configuration files. It is best just to hit Enter to accept the default of /etc/webmin. If this directory already exists from an older version of Webmin that you are upgrading from, this is the only question that will be asked.

    Log file directory [/var/webmin] This is the directory in which Webmin’s log and process ID files will be stored. Just hit Enter to accept the default of /var/webmin for this one as well.

    Full path to perl This is the location of the Perl executable on your system. If it is at /usr/bin/perl or /usr/local/bin/perl, then you can just hit Enter to accept the default. Otherwise, you must enter the full path to the Perl interpreter.

    Operating system This question will only be asked if Webmin cannot automatically identify your operating system. You must enter the number next to one of the operating system names that appears in the list before the question.

    Version Like the question above, this will only be asked if Webmin cannot identify your operating system. Again, you must enter the number next to one of the version numbers displayed.

    Web server port (default 10000) This is the HTTP port on which Webmin listens. It is best to stick with the default, unless you are running some other network server on port 10000.

    Login name (default admin) This is asking for the username that you will use for logging into Webmin. admin is the traditional username, but anything can be used.

    Login password This is the password that must be entered along with the username. You must enter this twice, to verify that you haven’t accidentally made a mistake.

    Use SSL (y/n) This question will only be asked if you have already installed the OpenSSL and Net::SSLeay libraries on your system, as explained in Chapter 3. If you enter y, Webmin will use SSL right from the start. If you enter n now, however, you can still turn it on later.

    Start Webmin at boot time (y/n) This question controls whether Webmin will be started when your system boots up, which means that you do not have to re-start it yourself manually every time you reboot. If you want to have it started at boot, just enter y. If not, enter n.

    6. After all the questions have been answered, the install process will finish, and a message showing the URL that you can use to log in will appear. You can now delete the old webmin-1.1.100.tar file if you no longer need it. Do not delete the /usr/local/webmin-1.1.100 directory that was created when the tar file was extracted, however. This contains all the scripts that Webmin needs to run.

    Now that the package has been installed, you can open a web browser, and go to the URL http://localhost:10000/ if you are running the browser on the same Linux system on which Webmin was installed, or http://your-systems-hostname:10000/ if the browser is being run on another PC. Either way, a web form will appear prompting for a username and password as shown in Figure 2.1. Log in using the username and password that you chose before in response to the Login name and Login password questions.

    If you answered yes to the SSL question, you should use a URL starting with https:// instead of http:// to connect. If Webmin detects a non-SSL connection when it is in SSL mode, it will display a page with a link to the correct URL.

    2.4 Installing the Solaris Package

    The Solaris version of Webmin is only available for download from www.webmin.com/download.html. Once you have downloaded it, you should have a file on your Solaris system named something like webmin-1.1.100-1.pkg.gz. To install, run the following commands as root:

    gunzip webmin-1.1.100.pkg.gz

    pkgadd -d webmin-1.1.100.pkg WSwebmin

    The Solaris package can only fail if you already have Webmin installed, or if you do not have the Perl executable at /usr/local/bin/perl. If you have Perl installed somewhere else on your system, you should create a symbolic link from /usr/local/bin/perl to the real location.

    Assuming the Solaris package install completes successfully, you will be able to log in to Webmin immediately. Open a web browser, and go to the URL http://localhost:10000/ if you are running the browser on the same Linux system on which Webmin was installed, or http://your-systems-hostname:10000/ if the browser is being run on another PC. Either way, a web form will appear prompting for a username and password, as shown in Figure 2.1.

    You should be able to log in as root, using the same password as the root UNIX user on your Solaris system. If you change the UNIX root password down the road, however, the Webmin root user will not change. This is because the package install just copies the current password from the /etc/shadow file.

    2.5 The Webmin User Interface

    Assuming the installation process and login were successful, your browser should show the Webmin main menu with the Webmin category selected, as shown in Figure 2.2. You can switch to other categories by clicking on the icons along the top of the page, such as System, Servers, or Others. Every module is a member of one category, and a table of icons for each module in the selected category will appear in the body of the page. To enter a module, just click on its icon.

    To log out of Webmin, just click on the Logout link that appears in the top-right corner of every page. To send feedback to the author (that’s me), click on the Feedback link that is next to the Logout button. To visit www.webmin.com/, click on the Webmin logo in the top-left corner of any page.

    If you are using a different theme, the user interface will look different from the screen shown in Figure 2.2. Some versions of Webmin that come with Linux distributions use a different theme by default, such as Mandrake and Caldera. The main menu, however, will still show categories and modules, maybe using different sized icons in a different on-screen layout. All the screen shots in this book were captured using the default theme, so you may want to switch to it now (see Chapter 52 for instructions on how to change the current theme).


    All Webmin modules have a common layout and user interface, in order to make navigation easier. When you click on a module icon from the main menu, the main page of the module will appear. For example, Figure 2.3 shows the main page of the Disk Quotas module.

    At the top are the category icons that appear on every Webmin page, so that you can easily switch to another module. Below are links for Help, Module Config, and Search Docs. Not every module will display all of these links, but where they appear they have common purposes:

    Help This link opens a pop-up window containing an overview of the module and the options available on the main page.

    Module Config This link displays a form containing configurable options for the current module. See Figure 2.4 for an example of the options available in the Disk Quotas module. Each module has its own set of options, but all use a similar interface for editing them. In most cases, you will not need to change any of these configuration options for normal use of a module.

    Search Docs This link displays a list of UNIX man pages, package documentation, HOWTO files, and websites related to the server or program that the module is configuring. This can be useful for finding out additional information about the underlying configuration files and commands that Webmin is using.

    Other pages below the first page in each module also have a common layout. Figure 2.5 shows a sample page from the Disk Quotas module. Below the list of category icons is a link labeled Module Index, which will always return you to the module’s main page. This can be found on almost every page of every module. Next to it is another Help link that pops up a window displaying information on the current page. Not all pages have online help, so this link will not always appear. Finally, at the bottom of the page is a link, whose label starts with Return to, that will take you back one level in the module’s hierarchy of pages.

    Figure 2.2 Modules in the Webmin category.

    Figure 2.3 The Disk Quotas module main page.

    Figure 2.4 The configuration page for the Disk Quotas module.

    2.6 Uninstalling Webmin

    If, for some unimaginable reason, you want to remove Webmin from your system, you can just log in as root and run the command:

    /etc/webmin/uninstall.sh

    This command will ask if you are sure you want to uninstall, and if you do it will delete the Webmin scripts and configuration directories. This means that any configuration you have done to Webmin itself, such as changing IP access control, switching themes, or creating new Webmin users will be lost. There will, however, be no harm done to the configuration of other servers such as Apache or Sendmail, even if they were done using Webmin.

    2.7 Summary

    After reading this chapter, you should understand how to install Webmin for the first time on a server, or upgrade an existing installation to the latest release. You should also know the differences between the three package formats, and which one is suitable for your operating system. Because this entire book is about Webmin, it should definitely be installed before reading on!

    Figure 2.5 An example page from the Disk Quotas module.


    CHAPTER 3

    Securing Your Webmin Server

    This chapter covers the necessary steps for adding additional security to Webmin on your system once it has been installed. It explains both IP address restrictions and the use of SSL.

    3.1 Network Security

    Unless you are running Webmin on a system that is never connected to any other network, it is a wise idea to restrict which client network addresses are allowed to log in. Because Webmin is so powerful, anyone who manages to log in will have total control over your system—as though they had root shell access. Even though a username and password is always required to log in, it is always good to have an additional layer of security in case an attacker guesses (or somehow discovers) your password. IP access control also protects you from any bugs in Webmin that may show up in the future that will allow an attacker to log in without a password—some older releases have had just this problem.

    To restrict the IP addresses and networks from which Webmin will accept connections, follow these steps:

    1. In the Webmin category, click on the icon for the Webmin Configuration module.

    2. Click on the icon for IP Access Control. The form shown in Figure 3.1 will appear for restricting client IP addresses.

    3. Select the option Only allow from listed addresses, and enter the IP addresses or hostnames of client systems in the text box from which you will allow access. If you want to allow access from an entire IP network, enter the address of the network with 0 for the final octet. For example, if you wanted to allow all clients with IP addresses from 192.168.1.0 up to 192.168.1.255, you would enter 192.168.1.0.

    Networks can also be entered in the standard network/netmask format, like 192.168.1.0/255.255.255.0. You can also grant access from an entire domain by entering a wildcard hostname like *.foo.com, assuming that reverse IP address resolution has been set up for that domain.

    4. When done, click the Save button to apply your changes. Webmin will warn you if the restrictions will prevent the client system on which you are currently running your browser from logging in so you do not accidentally lock yourself out!
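    The entry formats from step 3, modelled as an added Python example so that a planned allow list can be checked against known client addresses before it is saved. This is not Webmin's own code; the function names, the sample list and the PTR table are constructed for illustration, and matching hostname entries against the client's reverse-resolved name is an assumption based on the reverse-resolution requirement stated above.

```python
import fnmatch
import ipaddress
import socket


def reverse_lookup(ip):
    """Return the lower-cased PTR hostname for ip, or None if it has none."""
    try:
        return socket.gethostbyaddr(ip)[0].lower()
    except OSError:
        return None


def parse_entry(entry):
    """Classify one allow-list entry as ('net', network) or ('host', pattern).

    Raises ValueError for a malformed network/netmask entry.
    """
    entry = entry.strip()
    if "/" in entry:
        # network/netmask form, e.g. 192.168.1.0/255.255.255.0
        return "net", ipaddress.IPv4Network(entry)
    try:
        addr = ipaddress.IPv4Address(entry)
    except ValueError:
        # Not an address: a hostname or a wildcard such as *.foo.com
        return "host", entry.lower()
    # A final octet of 0 stands for the whole network, as in step 3;
    # any other address is a single client.
    prefix = 24 if int(addr) & 0xFF == 0 else 32
    return "net", ipaddress.IPv4Network(f"{addr}/{prefix}")


def is_allowed(client_ip, entries, resolver=reverse_lookup):
    """True if client_ip matches at least one entry of the allow list."""
    ip = ipaddress.IPv4Address(client_ip)
    name, looked_up = None, False
    for entry in entries:
        kind, value = parse_entry(entry)
        if kind == "net":
            if ip in value:
                return True
            continue
        # Hostname entries depend on the client's PTR record, which is set
        # by whoever controls reverse DNS for that address, so address and
        # network entries are the stronger control.
        if not looked_up:
            name, looked_up = resolver(client_ip), True
        if name and fnmatch.fnmatchcase(name.lower(), value):
            return True
    return False


def find_malformed(entries):
    """Return the entries that cannot be parsed, e.g. a netmask that does
    not fit the network address given with it."""
    bad = []
    for entry in entries:
        try:
            parse_entry(entry)
        except ValueError:
            bad.append(entry)
    return bad


# Constructed sample data, not taken from a real system.
SAMPLE_ALLOW = ["192.168.1.0", "10.1.2.3",
                "172.16.0.0/255.255.0.0", "*.foo.com"]
SAMPLE_PTR = {
    "203.0.113.7": "pc7.foo.com",
    "203.0.113.8": "pc8.foo.com.example.net",  # suffix only looks similar
}


def sample_resolver(ip):
    """Offline stand-in for reverse DNS, backed by SAMPLE_PTR."""
    return SAMPLE_PTR.get(ip)


if __name__ == "__main__":
    for client in ["192.168.1.200", "192.168.0.255", "10.1.2.4",
                   "172.16.99.1", "203.0.113.7", "203.0.113.8"]:
        verdict = is_allowed(client, SAMPLE_ALLOW, sample_resolver)
        print(f"{client:15} {'allowed' if verdict else 'denied'}")
```

    Running it with the address of your own workstation in the client list gives the same answer as the lock-out warning described in step 4, before any change is made on the server.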

    3.2 SSL Encryption

    If you are accessing your Webmin server over an untrusted network such as the Internet, you should be aware that, by default, an attacker can capture your login and password by listening in on network traffic. This is particularly easy if you are using a non-switched Ethernet network shared by people that you do not fully trust, such as those in offices or universities.

    Fortunately there is a solution that is relatively easy to set up—switching Webmin to use SSL so that all network traffic between your web browser and the server is encrypted. The RPM package of Webmin will run in SSL mode by default if the OpenSSL library and Net::SSLeay Perl module are installed. Most systems, however, do not meet these requirements so you will need to follow the steps below to enable SSL:

    1. Install the OpenSSL library, if you do not already have it. Most recent Linux distributions will include it as standard, but you may have to install it from your distribution CD. If there are separate packages for openssl and openssl-devel, make sure both are installed. If your operating system does not come with OpenSSL, you can download it from www.openssl.org/ instead.

    Figure 3.1 The IP access control form.

    2. Install the Net::SSLeay Perl module, if it is not already installed. If your system is connected to the Internet, the easiest way to do this is to enter the Perl Modules module of Webmin (under the Others category), enter Net::SSLeay into the From CPAN field and click the Install button. After the Perl module has finished downloading, click on Continue with install to have Webmin automatically compile and install it.

    3. Once both are installed, go to the Webmin Configuration module and click on SSL Encryption. The form shown in Figure 3.2 will appear.

    4. On the top part of the page, change the Enable SSL if available? option to Yes, and click Save. If all goes well, Webmin will be switched to SSL mode and your browser will connect to it securely.

    5. If this is the first time you have connected to Webmin in SSL mode, your browser will display a warning about the certificate being invalid. For now, you can ignore this warning and choose to accept the certificate. For more details, see Section 3.3 “Requesting a Valid SSL Certificate”.

    6. From now on, when logging into Webmin you must use a URL starting with https:// instead of just http://. Once in SSL mode, it will no longer accept insecure connections.

    7. Go back to the SSL Encryption page and scroll down to the second form. If a warning starting with Because you are currently using the default Webmin SSL key… is displayed, you definitely should continue following these steps to create your own private SSL certificate and key. If, however, it does not appear, then a private key was created at installation time and there is no need to go on reading.

    8. If your system is always accessed using the same hostname in the URL, enter it into the Server name in URL field, such as www.example.com. This will cause the generated certificate to be associated only with that hostname. Otherwise select Any hostname to allow the certificate to be used with any URL hostname. This is more convenient, but slightly less secure.

    9. In the Email address field, enter your email address—such as [email protected].

    10. If appropriate, fill in the Department field with the name of the department or group within the organization to which this system belongs, such as Network Engineering. This can be left blank if inappropriate, such as on a home system.

    11. In the Organization field, enter the name of the company or organization that owns this system, such as Foo Corporation. Again, this can be left blank if it makes no sense.

    12. In the State field, enter the name of the state that your system is in, such as California.

    13. In the Country code field, enter the two-letter code for the country in which the system resides, such as US.

    14. Leave the Write key to file field unchanged, and the Use new key immediately field set to Yes.

    15. Hit the Create Now button to generate a new key and certificate, write them to /etc/webmin/miniserv.pem and immediately activate them. Your browser will probably prompt you again to accept the new certificate.


    Older versions of Webmin just used a fixed SSL key that was included as part of the package.This, however, was completely useless for securing network traffic because anyone with a copyof that key can decrypt the data that is supposedly protected with SSL! For this reason, recentWebmin versions create a new private key at installation time if possible, and warn you if the oldfixed SSL key is being used.

    3.3 Requesting a Valid SSL Certificate

    If you want to use a valid SSL certificate and do not have one for your hostname, it is possible to generate one using the openssl command and a certificate authority. A valid certificate is one that is recognized by all browsers because it was signed by a recognized authority. Those created by Webmin itself, by following the steps in Section 3.2 “SSL Encryption”, do not meet this criterion and will trigger a warning in all browsers when they connect to the Webmin server.

    Unfortunately, certificate authorities charge money for signing and verifying that the owner of the server in the hostname actually matches the company details in the certificate. For this reason, most people do not bother to use a signed certificate with Webmin, as there is no real advantage in security once you have accepted an unsigned certificate into your browser for the first time.

    If you do want to obtain a real valid certificate, however, the steps to follow are:

    1. At the shell prompt, run the openssl genrsa -out key.pem 1024 command. This will create the key.pem file, which is your private key.

    Figure 3.2 The SSL activation form.

    2. Run the openssl req -new -key key.pem -out req.pem command. When it asks for the common name, be sure to enter the full hostname of your server as used in the URL, like www.yourserver.com. This will create the req.pem file, which is the certificate signing request (CSR).

    3. Send the CSR to your certificate authority by whatever method they use. They should send you back a file that starts with -----BEGIN CERTIFICATE----- which can be put in the cert.pem file.

    4. In Webmin, enter the Webmin Configuration module and click on SSL Encryption.

    5. In the SSL Encryption form (shown in Figure 3.2), enter the path to your key.pem file into the Private key file field, and the path to your cert.pem file into the Certificate file field.

    6. Click the Save button to switch to the new certificate.

    From now on, your browser should no longer display a warning when connecting to Webmin in SSL mode.
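    The checks worth running around steps 1 to 3 above, as an added shell example that is not from the book: confirm the CSR carries the right hostname before it goes to the authority, and confirm the returned certificate matches your private key and hostname before giving Webmin the paths. The function names and the check_cert.sh file name are hypothetical, and the example generates a 2048-bit key rather than the 1024 bits in step 1, on the assumption that your certificate authority requires at least 2048-bit RSA keys.

```shell
#!/bin/sh
# Added example (not from the book): checks to run on key.pem, req.pem and
# cert.pem before entering their paths in Webmin's SSL Encryption form.

# Steps 1-2 without prompts. The hostname is passed with -subj, and 2048 bits
# is used instead of the book's 1024 (assumption: your CA requires >= 2048).
make_key_and_csr() {    # $1 = directory, $2 = hostname used in the URL
    ( umask 077         # private key readable by its owner only
      openssl genrsa -out "$1/key.pem" 2048 2>/dev/null &&
      openssl req -new -key "$1/key.pem" -subj "/CN=$2" -out "$1/req.pem" )
}

# Constructed stand-in for step 3: self-sign the CSR so the checks below can
# be tried offline. A real cert.pem comes back from the certificate authority.
self_sign_for_test() {  # $1 = directory
    openssl x509 -req -in "$1/req.pem" -signkey "$1/key.pem" -days 1 \
        -out "$1/cert.pem" 2>/dev/null
}

# Common name stored in the CSR; it must equal the hostname in the URL.
csr_common_name() {     # $1 = req.pem
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *//; s/^.*CN=\([^,]*\).*$/\1/p'
}

# RSA modulus of a key (rsa), CSR (req) or certificate (x509).
modulus_of() {          # $1 = rsa|req|x509, $2 = file
    openssl "$1" -in "$2" -noout -modulus 2>/dev/null
}

# Succeeds only if the certificate was issued for this private key.
cert_matches_key() {    # $1 = key.pem, $2 = cert.pem
    k=$(modulus_of rsa "$1") || return 2
    c=$(modulus_of x509 "$2") || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only if the certificate is valid for the given hostname.
cert_covers_host() {    # $1 = cert.pem, $2 = hostname
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Usage: sh check_cert.sh key.pem cert.pem www.yourserver.com
if [ "$#" -eq 3 ]; then
    if cert_matches_key "$1" "$2" && cert_covers_host "$2" "$3"; then
        echo "OK: certificate matches the key and the hostname"
    else
        echo "FAIL: do not point Webmin at this pair" >&2
        exit 1
    fi
fi
```

    A mismatch between key and certificate usually means the reply belongs to a different CSR; request it again rather than saving the pair in Webmin.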

    3.4 Summary

    Securing your Webmin server to prevent unauthorized access is critical, as there are many potential attackers on the Internet who would love to use it to take over your system. This chapter has covered the two different types of security configuration (IP access control and SSL) that should be performed where possible. Because some versions of Webmin have had remotely exploitable security holes, it is also advisable to always upgrade to the latest version as soon as it becomes available to ensure your system's security.

    PART II

    SYSTEM MODULES

    CHAPTER 4

    Users and Groups

    This chapter is devoted to the Users and Groups module, which allows you to create and manage UNIX user accounts and UNIX groups.

    4.1 Introduction to UNIX Users and Groups

    On Linux and other UNIX operating systems, a user is a person who can log in to the system via SSH, telnet, FTP or at the console. Users can also receive email and own files on the server's local filesystems. Each user has a login name, a password, and a home directory in which all its files are stored. Users also have several additional attributes, such as a real name, shell (the program that is run when the user logs in), and expiry date.

    Each user is a member of at least one group, called a primary group. In addition, a user can be a member of an unlimited number of secondary groups. Group membership can be used to control the files that a user can read and edit. For example, if two users are working on the same project you might put them in the same group so they can both edit a particular file that other users cannot access.

    Every system will have several standard user accounts like root and nobody that are created when the system is installed—although most of these (except for root) cannot be used to log in. If your server will be used by more than one person, you will need to create an additional user account for each person to keep their files and email separate. Even if you are the only person who uses your machine, it is a good idea to create a user account for yourself that you use to log in with instead of using the root account.

    Depending on your operating system, user and group information will be stored in different files in the /etc directory. On modern versions of Linux, /etc/passwd and /etc/shadow are used to store user details, and /etc/group for group details. The Users and Groups module works by directly editing those files, not by calling any external programs or functions. This means that if you are using NIS or storing users in an LDAP server, this module is not for you.

    4.2 The Users and Groups Module

    The Webmin module Users and Groups that is found under the System category (as shown in Figure 4.1) can be used to create, edit, and delete all the UNIX users and groups on your system. You should always be careful when using this module to edit existing system users like root and daemon because changing or deleting them could stop your system from working. Some users have their home directory set to / (the root directory). Deleting such a user would cause all the files on your system to be deleted!

    In addition to managing the UNIX users on your system, this module can also affect user settings in other modules. For example, Samba has its own list of users and passwords that should be kept in sync with the UNIX password list. Webmin can handle this for you automatically using the other modules option that appears on the user creation, editing, and deletion forms. You must, however, enable this in every other module that you want automatically updated. The module also has options for synchronizing UNIX groups in a similar way, such as with Samba groups. However, since this feature only works with Samba 3.0, which is still under development, it is not covered in this chapter.

    Once you enter the module, the main page lists all the users that currently exist on your system in one table (Figure 4.2), and all the groups in another (Figure 4.3). If there are too many users or groups to sensibly display in a table, then a small form allowing you to search for a user or group will be displayed instead.

    Figure 4.1 The Users and Groups module icon.

    4.3 Creating a New User

    To create a new UNIX user, complete the following steps:

    1. Click on the Create a new user link above or below the table of existing users. A form for entering the details of the new user will appear, as shown in Figure 4.4.

    2. At this point you have to decide on a username for the new user, which should be something simple without spaces in it—like jcameron or jamie—and not used by any other user. If your server is receiving email, the username determines the part of the user’s email address to the left of the @. Enter your choice in the Username field.

    3. The User ID field should generally be left unchanged, as it is worked out for you by Webmin. If you set it to the same user ID as another user, they will be able to access each other’s files. This is generally not a good idea.

    4. In the Real name field, you should enter the user’s full name, such as Jamie Cameron.

    5. Every user has a home directory, in which the user stores his personal documents and preference files. In the Home directory field, you should enter a directory that does not exist yet, such as /home/jcameron. When the user is created, this directory will be created and its ownership granted to the new user.

    If Webmin on your system offers an Automatic option for the home directory, it is generally best to stick with that.

    6. The user's shell is a program that is run when he makes a text mode login of some kind (via SSH, for example), or opens a shell prompt after logging in graphically at the console. The shell is responsible for running the commands that you type (such as ls and cat), running scripts on login and logout, and providing an interface for command editing. Shells like bash and tcsh are easier for users to use, because they allow the up and down arrows to be used to scroll through previous commands, and the tab key to auto-complete commands and filenames.

    Figure 4.2 List of existing users.

    In some cases, you might not want a user to be able to make a shell login at all, as in when the user is only meant to be able to read and send email. In that case, his shell should be set to /bin/false, which is a program that does nothing and exits immediately.

    You should select whatever shell you want the user to have from the list in the Shell field. If your choice is not on the list, select the Other option and enter the path to the shell in the field below.

    7. For the Password field, you have four choices:

    No password required The user can log in without needing to enter any password.

    No login allowed The user can never log in.

    Normal password You get to enter the user’s password.

    Pre-encrypted password You must enter a password that is already encrypted, such as one taken from the /etc/shadow file on another system.

    Generally you will want to use the Normal password option. Note that on many operating systems, only the first eight characters of the password are actually used.

    Figure 4.3 List of existing groups.

    8. On most systems, a set of inputs under the heading Password options will be available. The first of these is the Expiry date—if you want the user to be unable to log in after a particular date, fill in this field.

    9. The Minimum days field is the number of days after the user is created or the password is last changed that the user must wait before changing it again. Leave it blank to allow changing as soon as the user wants.

    10. The Maximum days field is the number of days after the user is created or the password is last changed that the password will expire and need to be changed. A user with this option set will be forced to change his password periodically, which is good for system security. Leave it blank to prevent the password from ever expiring.

    11. The Warning days field is the number of days before the password expiry date that the user will be warned at login that his password is about to expire. If left blank, the user will not know that his account has expired until he tries to log in and is forced to choose a new password.

    12. The Inactive days field is the number of days after the password expires that the entire account will be disabled if the user has not chosen a new password. If left empty, the account will never expire.

    13. For the Primary group, either select an existing group or enter the name of a new one that Webmin will create for you.

    14. If you want the user to be a member of more than one group, select some of the groups from the Secondary group list.

    15. If you want the user’s home directory to be created, select the Create home directory? option. If the directory does not already exist, you should select this as well as Copy files to home directory? so that the user gets a basic set of preference files like .profile and Desktop.

    16. To create the user in other modules that you have configured for such action, select Create user in other modules? It is possible to set up the Samba module to automatically create a user in its user list, and the MySQL module to create a new database user, among others.

    17. To create the user, click the Create button. After a short delay, you will be returned to the list of existing users, which should include your newly created user.

    Once the Create button has been clicked, the new user will be able to log in via SSH, telnet, or whatever other services you have set up.

    4.4 Editing an Existing User

    You can change any of the details of any user that already exists on your system by following these steps:

    1. Click on the user you want to edit from the existing list. A form containing all the details of the user will appear, as shown in Figure 4.5.

    2. Change any of the details that you want to modify, including the username. The fields have the same meanings as described in Section 4.3 “Creating a New User”.

    3. If you have modified the User ID or changed the Primary group, files owned by the user may need to be updated to use the new IDs. The options at the bottom of the page labeled Change user ID on files? and Change group ID on files? control which directories will be searched for files with the old IDs.

    4. If you have changed the user’s home directory, you can have Webmin rename it to the new path. However, if the new home directory already exists, this may not always be what you want. The Move home directory if changed? option determines if it is moved or not.

    5. To have the user updated in other modules where this has been set up, select Modify user in other modules? If you are changing the username, this will also rename the user’s Sendmail mail file and Cron jobs.

    6. Click the Save button to have Webmin update the user. Once it is complete, you will be returned to the lists of users and groups.

    4.5 Deleting a User

    You should always be careful when deleting a user, as important files in the user’s home directory may be lost. It is generally never a good idea to delete any of the users that are created when your system is first installed—especially root! Even normal users that you have created can be disabled by editing the user and setting the password option to No login allowed.

    If you still want to go ahead and delete a user, follow these steps:

    1. Click on the user you want to edit from the existing list. A form containing all the details of the user will appear, as shown in Figure 4.5.

    Figure 4.4 The user creation form.

    2. Click the Delete button at the bottom of the page. This will bring up a form asking you to confirm the deletion, with buttons to delete just the user or his home directory as well. The amount of disk space used by the user’s home directory will be shown.

    3. Select the Delete user in other modules? option if you want the user to be deleted from other modules in which deletion has been set up. Any Cron jobs belonging to the user will be deleted, as will his Sendmail mail file.

    4. Click either the Delete User or Delete User and Home Directory button to delete the user. A page showing the progress of the deletion will be displayed while it is taking place.

    4.6 Creating a New Group

    A new UNIX group can be added by following these steps:

    1. Click on the Create a new group link at the top or bottom of the existing list of groups. A form for entering the details of the group will appear, as shown in Figure 4.6.

    2. Choose a name for the new group, and enter it into the Group name field. The name must not be used by any other group, and should be short and contain no spaces.

    3. The Group ID field should be left alone, as it is automatically determined by Webmin. If for some reason you change it, make sure that it is not the same as any existing group’s ID.

    4. The Password field can be ignored, as group passwords are never used.

    Figure 4.5 The user editing form.

    5. In the Members field, enter the names of any existing users that you want included in this group. You can use the button to the left of the field to pop up a selection window of all existing users.

    6. Click the Create button to have Webmin create the new group. Once it is complete, you will be returned to the lists of users and groups.

    Once the new group has been created, you can edit users to make it their primary group or one of their secondary groups.

    4.7 Editing an Existing Group

    You do not often need to edit an existing group, as users can be added to or removed from it by editing them directly. However, if you do want to edit a group, follow these steps:

    1. Click on the name of the group that you want to edit from the list of existing groups. This will bring up the group editing form, as shown in Figure 4.7.

    2. Change any of the details such as the group ID or member list. It is not possible to change the name of an existing group.

    3. If you are changing the group ID, files owned by the group may need to be updated to use the new ID. Use the Change group ID on files? option to control which directories will be searched for files that need updating.

    4. Click on the Save button to make the changes active. Once they are complete, you will be returned to the lists of users and groups.

    Figure 4.6 The group creation form.

    4.8 Deleting a Group

    You can safely delete a group at any time, but Webmin will only let you do so if there are no users who have selected it as their primary group. To delete, follow these steps:

    1. Click on the name of the group you want to delete from the list of existing groups. This will bring up the group editing form as shown in Figure 4.7.

    2. Click the Delete button at the bottom of the page. A page asking if you really want to delete the group will appear.

    3. Click the Delete Group button to confirm the deletion. A page showing the progress of the deletion will be displayed.

    4.9 Viewing Recent and Current Logins

    All UNIX systems keep track of recent logins made by users using SSH, telnet, or at the console. Some track FTP logins as well. You can display recent user logins that include the date, time, and source address by following these steps:

    1. Below the lists of users and groups, enter the username of the one you want to track into the Display logins by field, and click the button. If you want to see logins by ALL users, just leave the field blank.

    Figure 4.7 The group editing form.

    2. A page listing recent logins by the user or users will be displayed. The list may not cover all logins from the date your system was first installed, as many operating systems automatically truncate the log file periodically in order to save disk space.

    It is also possible to display a list of users who are currently logged in by clicking the Logged In Users button below the lists of users and groups. If a user is logged in graphically at the console, he may be listed multiple times—once for each shell window he has open.

    4.10 Reading Users’ Email

    When editing a user, you can view mail in the user’s mailbox by clicking on the Read Email button at the bottom of the page. This will take you directly to the mailbox viewing page of either the Sendmail, Qmail, or Postfix module, depending on what you have chosen for the Display user email from option in the module configuration. For more documentation on using the mail interface, see Chapter 37.

    4.11 Creating Users from Batch Files

    Sometimes you may want to create a large number of users at once without having to go through the process of filling out the user creation form over and over again. You will often have the details of these users in a text file of some kind containing their usernames, passwords, and real names. Fortunately, Webmin has a feature that automates this task for you.

    If you click on the Create, modify and delete users from batch file link above or below the list of existing users, a form will appear that allows you to upload a file containing the details of users to create, as shown in Figure 4.8. Your file must contain one line of text for each user that you want to create, and the format of each line must match the format shown on the batch file page.

    The exact file format depends on what information your system stores about each user, but on most systems each line must follow this format:

    create:username:passwd:uid:gid:realname:homedir:shell:min:max:warn:inactive:expire

    An example line to create a user with the user ID automatically assigned by Webmin would be:

    create:jcameron:mysecret::3001:Jamie Cameron:/home/jcameron:/bin/bash:::::

    As you can see, the line is made up of a series of fields, each separated by a colon (:). When creating a user, the first field must be the create field. The meanings of the other fields are shown in Table 4.1.

    Once you have created a file containing the details of users to create, select it using either the Upload batch file or Local batch file fields, and click the Execute batch button. A page listing each user created and any errors encountered will be displayed. The most common error is a missing field in one of the lines—each must have exactly the right number of fields, and even if a field is blank the colon separator next to it must still be included.
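    A pre-upload check for the batch format above, as an added shell and awk example that is not part of the book or of Webmin: it enforces the 13-field create line and the per-field rules from Table 4.1, and warns when a blank passwd field would create an account that needs no password or when two lines share a user ID. The function names, the lint_batch.sh file name and every sample line after the first are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book): lint a Webmin batch file before upload.

# Constructed sample input. Line 1 is the book's example line.
sample_batch() {
cat <<'EOF'
create:jcameron:mysecret::3001:Jamie Cameron:/home/jcameron:/bin/bash:::::
create:guest:::3001:Guest User:/home/guest:/bin/false:::::
create:ops:x:500:3001:Ops Account:/home/ops:/bin/bash:0:90:7::
create:dup:secret2:500:3001:Duplicate UID:/home/dup:/bin/bash:::::
create:short:secret3::3001:Too Few Fields:/home/short:/bin/bash
create:named:secret4::staff:Group Name:/home/named:/bin/bash:::::
EOF
}

# Prints one finding per line; exit status 1 if any ERROR was found.
lint_batch() {          # $1 = batch file
    awk -F: '
    function report(level, msg) {
        printf "line %d: %s: %s\n", NR, level, msg
        if (level == "ERROR") errors++
    }
    /^[ \t]*$/ { next }
    $1 != "create" {            # other actions use formats not covered here
        report("SKIP", "action \"" $1 "\" is not checked"); next
    }
    NF != 13 {                  # blank fields still need their colon
        report("ERROR", "expected 13 fields, found " NF); next
    }
    {
        if ($2 == "") report("ERROR", "username is blank")
        if ($3 == "")
            report("WARN", "blank passwd, " $2 " needs no password to log in")
        else if ($3 == "x")
            report("INFO", $2 " is locked, no login allowed")
        if ($4 != "") {         # uid is normally left for Webmin to assign
            if ($4 !~ /^[0-9]+$/)
                report("ERROR", "uid is not a number")
            else if ($4 in seen)
                report("WARN", "uid " $4 " shared with line " seen[$4])
            else
                seen[$4] = NR
        }
        if ($5 == "") report("ERROR", "gid is blank")
        else if ($5 ~ /[A-Za-z]/) report("ERROR", "gid is a name, not an ID")
        if ($8 == "") report("ERROR", "shell is blank")
        for (i = 9; i <= 13; i++)   # min, max, warn, inactive, expire
            if ($i != "" && $i !~ /^[0-9]+$/)
                report("ERROR", "field " i " is not a number of days")
    }
    END { exit (errors > 0) }
    ' "$1"
}

# Usage: sh lint_batch.sh users.txt
if [ "$#" -eq 1 ]; then
    lint_batch "$1"
fi
```

    Because the batch file holds passwords in clear text, keep it readable only by root and delete it once the batch has been executed.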

    Figure 4.8 The batch file execution form.

    Table 4.1 Batch File Fields and Their Meanings

    username The user’s login name. This cannot be left blank.

    passwd The user’s password. If this field is left blank, then no password will be needed for the user. If it contains just the letter x, then the user will be locked and no login allowed.

    uid User ID for the new user. This should be left blank, so Webmin can assign one automatically.

    gid ID of the user’s primary group. This cannot be a group name, and cannot be left blank. If more than one GID is entered, the user will be added as a secondary member to all of those listed after the first one as well.

    realname The user’s real name. Not mandatory, but should not be left blank.

    homedir A directory that is created with ownership assigned to the user. You can leave this blank if the module has been configured to assign home directories automatically.

    shell The user’s login shell. This field cannot be left blank.

    min The number of days after the user is created or the password is last changed that the user must wait before changing it again. Can be left blank to allow changing as soon as the user likes.

    max The number of days after the user is created or the password is last changed that the password expires and must be changed again. If left blank, the password will never expire.

    warn The number of days before the password expiry date that the user will be warned at login that his password is about to expire. If left blank, the user will not know that his password has expired until it happens.

    inactive The number of days after the password expires that the entire account will be disabled, if the user has not chosen a new password. If left empty, the account will never expire.

    expire The date on which this account will expire. Unfortunately, you must enter this as a number of days since January 1, 1970!

    4.12 Configuring the Users and Groups Module

    Like other Webmin modules, Users and Groups has several options that can be configured by clicking on the Module Config link above the lists of users and groups, as shown in Figure 4.9. The options that you can safely change and their meanings are shown in Table 4.2.

    Table 4.2 Module Configuration Options

    Command to run before making changes

    Whatever shell command you enter into this field will be run just before any action is performed, such as adding, deleting, or modifying a user or group. It can be useful for doing things like making a backup copy of the /etc/passwd file before Webmin makes any changes.

    The command can determine exactly what Webmin is about to do by checking environment variables, as explained in Section 4.13 “Before and After Commands”.

    Command to run after makin