diff --git a/makedebian.pl b/makedebian.pl
index e3279716f..d8975dacb 100755
--- a/makedebian.pl
+++ b/makedebian.pl
@@ -334,7 +334,11 @@ if [ "$product" = "webmin" ]; then
 	fi
 fi
 rm -f /var/lock/subsys/$baseproduct
-
+if [ -d /etc/webmin/$product ]; then
+	if [ ! -f /etc/webmin/$product/defaultacl ]; then
+		echo 'disallow=upgrade' > /etc/webmin/$product/defaultacl 2>/dev/null
+	fi
+fi
 if [ "\$inetd" != "1" ]; then
 	productucf=Webmin
 	if [ "$product" = "usermin" ]; then
diff --git a/makerpm.pl b/makerpm.pl
index 49017b70a..aec1f892e 100755
--- a/makerpm.pl
+++ b/makerpm.pl
@@ -230,6 +230,11 @@ export config_dir var_dir perl autoos port login crypt host ssl nochown autothir
 ./setup.sh >\$tempdir/webmin-setup.out 2>&1
 chmod 600 \$tempdir/webmin-setup.out
 rm -f /var/lock/subsys/webmin
+if [ -d /etc/webmin/webmin ]; then
+	if [ ! -f /etc/webmin/webmin/defaultacl ]; then
+		echo 'disallow=upgrade' > /etc/webmin/webmin/defaultacl 2>/dev/null
+	fi
+fi
 cd /usr/libexec/webmin
 if [ "\$inetd" != "1" ]; then
 	if [ "\$1" == 1 ]; then
diff --git a/usermin/usermin-lib.pl b/usermin/usermin-lib.pl
index 37d0b0558..3763c3dff 100755
--- a/usermin/usermin-lib.pl
+++ b/usermin/usermin-lib.pl
@@ -13,7 +13,9 @@ BEGIN { push(@INC, ".."); };
 use WebminCore;
 &init_config();
 %access = &get_module_acl();
-$access{'upgrade'} = 0 if (&is_readonly_mode());	# too hard to fake
+$access{'upgrade'} = 0
+	if (&is_readonly_mode() ||
+	    $access{'disallow'} =~ /upgrade/);	# too hard to fake
 &foreign_require("webmin");
 &foreign_require("acl");
 %text = ( %webmin::text, %text );
diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl
index 54e78906a..3b1f8d675 100755
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -4520,8 +4520,9 @@ $m ||= "";
 my $mdir = &module_root_directory($m);
 my %rv;
 if (!$nodef) {
-	# Read default ACL first, to be overridden by per-user settings
+	# Read default ACLs first, to be overridden by per-user settings
 	&read_file_cached("$mdir/defaultacl", \%rv);
+	&read_file_cached("$config_directory/$m/defaultacl", \%rv);
 
 	# If this isn't a master admin user, apply the negative permissions
 	# so that he doesn't un-expectedly gain access to new features
diff --git a/webmin/webmin-lib.pl b/webmin/webmin-lib.pl
index b5d9ee1eb..a0b9a38ec 100755
--- a/webmin/webmin-lib.pl
+++ b/webmin/webmin-lib.pl
@@ -1264,14 +1264,11 @@ if (&foreign_check("acl")) {
 	}
 
 # New Webmin version is available, but only once per day
-my %raccess = &get_module_acl('root');
-my %rdisallow = map { $_, 1 } split(/\s+/, $raccess{'disallow'} || "");
 my %access = &get_module_acl();
 my %disallow = map { $_, 1 } split(/\s+/, $access{'disallow'} || "");
 my %allow = map { $_, 1 } split(/\s+/, $access{'allow'} || "");
 if (&foreign_available($module_name) && !$gconfig{'nowebminup'} &&
-    !$noupdates && ($allow{'upgrade'} ||
-		    (!$disallow{'upgrade'} && !$rdisallow{'upgrade'}))) {
+    !$noupdates && ($allow{'upgrade'} || !$disallow{'upgrade'})) {
 	if (!$config{'last_version_check'} ||
 	    $now - $config{'last_version_check'} > 24*60*60) {
 		# Cached last version has expired .. re-fetch