So a week or so ago I masked Webmin, because it dinged a lot on my tinderbox and I decided to take a look at it. The ChangeLog shows a very bleak story: webmin hasn’t had a dedicated maintainer since March 2008; that’s two and a half years ago; the last five versions were bumped by Patrick (who, if you should be reminded, rarely picks up the pieces of what he might break); last October, Victor “fixed” a bunch of sandbox violations in the 1.490 version.
Given the hits on the tinderbox and the above-noted history, I decided to mask it until somebody actually stepped up to maintain it; this was also positively acknowledged by the security team: a package with Webmin’s security track record and no dedicated maintainer is asking for trouble.
Since then I received a long list of email messages from users of Webmin, either in production or in local environments, wondering why I masked it and insisting that accessing files owned by other packages is part of its design anyway. I guess I’ll have to rephrase the masking reason, given that that wasn’t what I meant.
It is a common, enforced policy in Gentoo that all packages are self-contained and mess with the running system as little as possible, so that if you just emerge MySQL it won’t start up right away, or even at the next reboot; this is one thing that puts Gentoo in stark contrast with most other distributions, and one that a lot of people, me included, love the most.
If there are commands to execute to properly set up the package before making use of it, we have the special pkg_config() function that can be called through emerge --config — there aren’t many packages doing that though.
webmin-1.510.ebuild goes the totally wrong way: it tries to second-guess the user’s setup and runs the setup step of Webmin directly within src_install(), which should be protected by the sandbox; Victor’s “fixes” actually simply allowed the ebuild to access what it shouldn’t, not at that stage at least: real devices, kernel modules, and the cron configuration.
How did I notice that? Very simple, actually: the tinderbox, just like my own system, uses fcron as its cron daemon. The fcron configuration file is not one the ebuild anticipates, so it still triggered a sandbox violation and caused my tinderbox to start screaming at me like my mother when I come back at 6am.
Now, if that were the only problem it wouldn’t be much; but the ebuild also fails to actually provide a decent/stable PAM configuration, and a lot of the shell code in the ebuild file is just… icky.
What can be done to save webmin? Well, more than certainly it needs a new maintainer, one who does a lot more than copying a file and running cvs add on it. The new maintainer will have to rewrite most of the ebuild, implement the good parts of it as pkg_config and make sure that it respects the user’s settings.
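The split the two paragraphs above ask for, as an added sketch that is neither the webmin ebuild from the tree nor the author’s code: src_install() only stages files under ${D}, and the live-system setup lives in pkg_config(), which keeps whatever the admin already configured. File names (miniserv.conf, a cron.example snippet) are illustrative, and /etc/cron.d is the only cron drop-in directory it knows about.

```shell
# Added example, not the webmin ebuild from the page: the pattern Gentoo
# policy asks for. src_install() only stages files under ${D}, so the
# sandbox never has to be relaxed; live-system setup happens later in
# pkg_config(), reached through `emerge --config`, and never clobbers the
# admin's settings. File names and the cron handling are assumptions.
# einfo/ewarn fall back to echo when sourced outside Portage.
if ! type einfo >/dev/null 2>&1; then einfo() { echo " * $*"; }; fi
if ! type ewarn >/dev/null 2>&1; then ewarn() { echo " * WARNING: $*" >&2; }; fi

# Stage a default config and a cron snippet under ${D} only. Nothing here
# looks at /dev, /lib/modules or the live cron configuration.
src_install() {
    mkdir -p "${D}/etc/webmin" "${D}/usr/share/doc/webmin"
    printf 'port=10000\nroot=/usr/share/webmin\n' \
        > "${D}/etc/webmin/miniserv.conf.example"
    printf '0 3 * * * root /usr/share/webmin/cleanup.sh\n' \
        > "${D}/usr/share/doc/webmin/cron.example"
}

# Copy the shipped default into place unless the admin already has one.
# Returns 0 when installed, 1 when an existing file was left untouched.
install_default_conf() {
    local conf="$1/etc/webmin/miniserv.conf"
    if [ -e "${conf}" ]; then
        ewarn "${conf} already exists; keeping the user's settings"
        return 1
    fi
    cp "${conf}.example" "${conf}"
    einfo "installed default ${conf}; review it before starting webmin"
}

# Live setup, run only when the admin asks for it with `emerge --config`.
pkg_config() {
    local root="${EROOT:-/}"
    local cron_d="${root}/etc/cron.d"
    install_default_conf "${root}" || true   # outcome already reported
    # Do not assume a particular cron daemon: drop the snippet only into an
    # existing /etc/cron.d, otherwise (e.g. fcron) leave it to the admin.
    if [ -d "${cron_d}" ]; then
        [ -e "${cron_d}/webmin" ] || \
            cp "${root}/usr/share/doc/webmin/cron.example" "${cron_d}/webmin"
    else
        ewarn "${cron_d} not found; add the job from" \
              "${root}/usr/share/doc/webmin/cron.example" "by hand"
    fi
    return 0
}
```

Run as `EROOT=/some/root pkg_config` against a merged image to see it keep an existing miniserv.conf and skip cron setup when /etc/cron.d is absent.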
For most other packages, like I did for Ruby packages, I would have said that I’m happy to be hired to take care of the problematic package, with a reasonable fee to keep maintaining it from then on. But given it’s Webmin we’re talking about… I’m not sure if I’m ready to pick it up. If somebody else actually uses it, and feels like maintaining it, that would be best. I’m still open to being the proxying maintainer if somebody feels like picking up the pieces of it all, but wants to have somebody else reviewing the ebuild before it gets pushed to users.
I am willing to work on that and save it if possible but I would really need some help from the other developers or webmin users among the gentoo community. So if anyone is interested in saving this just send me an e-mail ( hwoarang[at]gentoo[dot].org ) so we can work together on that. Thanks
Debian removed webmin a long time ago: http://bugs.debian.org/cgi-… I think you should do the same.
I’m using Webmin in production on a couple of servers, to let non-skilled sysadmin-assistants do quick changes without too much trouble, but this time I agree with the Debian folks: Diego, please remove that piece of crap from Portage. Apart from the fact that Webmin is an over complex ecosystem of scripts, it’s insane software to maintain/use on Gentoo systems (or a distro with strong QA); there are better alternatives to Webmin, both commercial and open-source (and people running production servers can sustain the cost of a few bucks to buy commercial solutions…).
So, what are some good open-source alternatives to Webmin, perchance it should disappear from Portage?
@equilibrium: I use webmin for the same reasons – to safely allow non-*nix-skilled admins to simply edit very specific things… Webmin is really far too gigantic for the few basic modules I enable (and lock down) for my clients’ use. Any recommendations to replace it? Open-source, free, commercial, proprietary or otherwise? Thanks – Bill Arlofski, Reverse Polarity, LLC
Greetings, @Diego: Understood. And, good call on it. If there is no set maintainer (known and available), then yes, removing it is a good idea. Now, the question I have stemming from that is: Do you know or have you ever communicated with ‘swelljoe’ on the Gentoo Forums? He claims to be a current, active developer of webmin/Virtualmin. Now, that would cover the basic outside developer/maintainer requirement if it can be verified that he *is* in fact a current developer/maintainer and is available. And, as for a dedicated ebuild maintainer, well apparently we have a volunteer at the top of this thread. That being said… @Markos Chandras: Thanks, and my email is on the way to you. I’m not sure how much I will be able to help you out on this, but I am willing to help as I can. Now, overall, while it may be a dangerous package from a system security standpoint (since you can wreck a system with it faster than with the “9 Keystrokes Of Death”, if not careful), as a project, it goes a *LONG* way towards bringing linux into the mainstream. One of the most common complaints about running linux is how steep the learning curve is for administrating it. Now, I’m not saying that it is any more or less complicated than, say, administrating a full Active Directory tree for an SMB with about 50 employees. I’m just pointing out that with today’s average user, administrative or end, they are more comfortable with a GUI. And, webmin provides that, rather well. But, if it’s making changes actively to the filesystem without regard to existing configurations, then yes… It NEEDS to be fixed!! And, yes, I know that if all else fails, we can always put it into an overlay. But, that brings up a rather pointed question: What would it take to at least get webmin off the “Slated for Removal” list? Then, what would it take to get it unmasked? We’ve got less than a month to get it done and still have to take into account the time needed for review, so where do we go from here…?
*@Diego*: I bet for half of the time you’ve spent “testing” webmin and its ebuild’s wrong behaviour, answering all the bug requests for keeping it in portage, all emails connected to what you did etc. etc., you could have fixed the ebuild… Well… of course that would not have brought you any “reasonable fee”… which seems to be part of the problem…. Anyway let’s face it… this is not a Webmin problem… it is Gentoo devs’ problem, lacking whatever you may excuse with… like time, desire etc. etc… And removing this good piece of software just like that (sorry but the QA’s and your excuses are just ridiculous)… especially without offering an alternative… is at least unprofessional… Please do not start the “if you are so professional why don’t you spend time fixing this… etc. etc. etc.” There is already someone that “did some job on a new ebuild”: https://bugs.gentoo.org/sho… but all he gets is a “duplicate bug”… :D *@equilibrium*: Anyone that says something like “a piece of crap” about software so complex and widespread, whose developers have spent thousands of hours improving, fixing etc… is not that far away from his own definition :) *@Bill Arlofski*: There are “alternatives”: http://en.wikipedia.org/wik… to some extent… but it depends on what you need… anyway all of them could be blamed for not complying with Gentoo’s QA etc. etc… i guess that is why most of them are out of portage…. As “Gadmintools”: http://gadmintools.flippedw… are out of it too :)….
It’s true that Gentoo is a kind of more tech-user-oriented distro… but even we sometimes need a quick and easy way to manage all servers… And Gentoo devs like Diego are not helping it :) Anyway do not get me wrong… i do not have anything to do with Webmin… i am just a user from its early stages and it never let me down or did anything wrong to any of the systems i used it on… even when i was an inexperienced Linux user back in the 90s… All this is just my opinion on the removal… not necessarily to be accepted… But i think you should know it anyway…
Interesting article – albeit the problems you mentioned are noteworthy and important to some users… a hardened user is probably going to be safe enough anyway. As far as one-click configuration and setup, I’m surprised that Webmin on Gentoo is even a focus. I would think a CentOS install with Webmin would be closer to the goal — and ClearOS would be a home-run. Compiling with stack smashing protection and using MAC from Grsec or SELinux and strong user passes is going to deter the high percentage of attackers even with webmin’s gaping security issues. Overall I think you detracted from the value of a package which does its job quite well despite your howling for quality assurance etiquette. I believe this project is on a good track now (it’s more alive than alluded to in your article) and perhaps your suggestions are warranted for progression – but are misplaced in relation to the product’s applications.