“Because Webmin still runs with full root privileges even when used by a restricted user, it still has access to all the configuration files and commands that it needs.”

Due that they are not really convinced about that concept:

“You must be very careful when granting access to un-trusted Webmin users though, as even a small mistake in the access control configuration may allow the user to edit arbitrary files on your system or run commands as root. All it takes is a small hole for an attacker to sneak through and take total control of your system. Webmin’s access control capabilities give you the power to lock down users, but only if used properly.”

So Webmin has the same problem as YaST: The complete application runs with root privileges. So from the security side this is horrible and will be not
useful for a server product. That’s why we have not gone that way in YaST and that’s the reason why YaST does not have a user management.

Since the combination of pam,policyKit and DBUS we have the chance to close that gap.

Sorry, this is wrong since at least the year 2001. Webmin allows to define users and groups as known on Unix/Linux machines. These users/groups can get “acls” depending on the implementation in the used modules.

So – for example – it’s already possible with webmin to define a “usermanager” group, which is allowed to manage users on a machine, and add users to this group. It’s even possible to allow just to add users instead of deleting or modifying existing ones.

From this point of view, webmin is very useful for server products as it allows a fine granulary access management for each module (and even the submodules) – more useful than YaST in it’s current state.

That is why there is a web service and a web client.

On the desktop side the need is not that big like in the appliance market. Your own router usually requires turning it on and accessing it via a web browser to setup the basic stuff. People running appliances expect more or less the same.

However, on the desktop side, having a web service allows applications, scripts and frontends to use simple http requests to get and set configuration (the web client is actually that, a very thin application doing http get’s and post’s to the service), while YaST retains all the business logic, and in a secure manner. This opens a new door to the community. You can use http from any language/platform out there.

objectiv
==========
webmin runs with “root” rights and cannot run with other user accounts. There is
no user management and right access management.
So, from the security side it is not useful for server products.

I suppose that as long as it doesn’t run on startup out of the box, it wouldn’t be a bad idea. It’s always good to give people options.

You’ve made some real progress here, keep up the great work!

I really like fact that YaST will work with a terminal, and not require complicated client software like a web browser to function.

http://www.joelonsoftware.com/articles/fog0000000069.html

The YaST web service still reuses lot of knowledge encapsulated in the ycp modules. We are aiming for an evolution of YaST to the web world, an interoperable YaST.