diff --git a/xterm/acl_security.pl b/xterm/acl_security.pl
new file mode 100644
index 000000000..f14c49e93
--- /dev/null
+++ b/xterm/acl_security.pl
@@ -0,0 +1,20 @@
+
+require 'xterm-lib.pl';
+
+# acl_security_form(&options)
+# Output HTML for editing security options for the xterm module
+sub acl_security_form
+{
+my ($o) = @_;
+
+print &ui_table_row($text{'acl_user'},
+	&ui_opt_textbox("user", $o->{'user'} eq '*' ? undef : $o->{'user'},
+			20, $text{'acl_sameuser'}));
+}
+
+sub acl_security_save
+{
+my ($o) = @_;
+
+$o->{'user'} = $in{'user_def'} ? '*' : $in{'user'};
+}
diff --git a/xterm/index.cgi b/xterm/index.cgi
index 62d6351ce..fd1c3af28 100644
--- a/xterm/index.cgi
+++ b/xterm/index.cgi
@@ -5,6 +5,7 @@
 # XXX don't grant to new users
 # XXX ACL to run as remote user
 # XXX Virtualmin integration?
+# XXX how to launch a login shell?
 
 require './xterm-lib.pl';
 
@@ -46,6 +47,10 @@ if (!-r $shellserver_cmd) {
 	&cron::create_wrapper($shellserver_cmd, $module_name, "shellserver.pl");
 	}
 my $user = $access{'user'};
+if ($user eq "*") {
+	$user = $remote_user;
+	}
+getpwnam($user) || &error(&text('index_euser', $user));
 my $tmpdir = &tempname_dir();
 $ENV{'SESSION_ID'} = $main::session_id;
 &system_logged("$shellserver_cmd $port $user >$tmpdir/ws-$port.out 2>&1 </dev/null &");
diff --git a/xterm/lang/en b/xterm/lang/en
index 66db61aab..b3c06dfc2 100644
--- a/xterm/lang/en
+++ b/xterm/lang/en
@@ -1,2 +1,6 @@
 index_title=Interactive Shell
 index_cpan=The Perl module <tt>$1</tt> needed to accept Websockets connections is not available, but you can install it automatically using Webmin's <a href='$2'>Perl Modules</a> module.
+index_euser=User $1 to run the shell as does not exist!
+
+acl_user=Run shell as Unix user
+acl_sameuser=Same as Webmin login