A user can access all account :(

cosmin

Well-Known Member
Feb 6, 2002
154
1
318
Bucuresti
Hi!

A user send to me today a e-mail with how can access all account throught SSH.

Another user modify a mysql db from other account...

How can I stop this?
In WHM I have Enabled Shell Fork Bomb Protection :(((


Who can help me please?

Thanks!
 

hst

Well-Known Member
Feb 24, 2002
111
0
316
Set root password

Have you set the root password for MySQL with WHM. If not give that a try, since without it you will have problems like this.
 

itf

Well-Known Member
May 9, 2002
624
0
316
Don't permit SSH on your system to all of your clients, as well as you permit you would involve in risky operation like this!!!
 

masood

Well-Known Member
Jun 14, 2002
78
0
156
Even if you permit one person on SSH (say a reseller), that one user can access almost everything. :p

How can I protect someones billing software being stolen? :-(

php-cgiwrap?

zend-optimzer (php), suexec (cgi) work fine. but not everyone has zend-encoder (php).

How about code inside cpanel themes?

zend-optimzer inside cpanel themes? will it work?

directory permissions on cpanel themes to only allow &cpanel& to read files? (tried it, didn't work)

any other ideas?
 

itf

Well-Known Member
May 9, 2002
624
0
316
[quote:f014265911][i:f014265911]Originally posted by Dotcoms[/i:f014265911]

chmod 711 all of your important directories is one way.[/quote:f014265911]

Can’t help much more, when you permit someone to use SSH, it’s a bit like opening your front door while you have security alarms installed in your house. It changes to a heaven for hackers if you have mod_perl or PHP installed.

Shared Hosting is not as much secure as you think. :p
 

cosmin

Well-Known Member
Feb 6, 2002
154
1
318
Bucuresti
Sollutions?

Practicaly no sollutions?

I can't stop Shell access for my users. She need this...

Just Masood have a sollution?
 

itf

Well-Known Member
May 9, 2002
624
0
316
[quote:5f5b252fb4][i:5f5b252fb4]Originally posted by cosmin[/i:5f5b252fb4]

How can I give/stop SSH access for an active account?[/quote:5f5b252fb4]
There are three ways you can use choose one of them to Enable/disable SSH

Method 1)
Modify your hosting package and then use Account Functions -& Upgrade/Downgrade

Method 2)
Use this command

chsh USERNAME

Then change it to /usr/local/cpanel/bin/noshell

Method 3)

pico /etc/passwd

in front of that certain user name change /bin/bash to /usr/local/cpanel/bin/noshell

If you want to enable SSH for a certain user change its shell to /bin/bash
 

masood

Well-Known Member
Jun 14, 2002
78
0
156
[quote:1f8e322d8a][i:1f8e322d8a]Originally posted by TRAIN YARD SOFTWARE[/i:1f8e322d8a]

We are told this is how SSH works on UN*X[/quote:1f8e322d8a]

Nope. SSH or Shell on a system can be secured in a lot of ways. You just need the right permissions on files and directories.
 

masood

Well-Known Member
Jun 14, 2002
78
0
156
[quote:16f4036415][i:16f4036415]Originally posted by cosmin[/i:16f4036415]

Practicaly no sollutions?

I can't stop Shell access for my users. She need this...

Just Masood have a sollution?[/quote:16f4036415]

:p What are your concerns on shell access?
 

ehsan

Well-Known Member
Dec 11, 2001
185
0
316
Masood,

You are right buy There are directories that you can not chmod them to what you want,

I personally dont even like to see ls /home by a reseller !:)

while i can not chmod for example /etc/passwd , so i better dont even give them shell access, specially when you have 100 domains on each box, you should think about your customers privacy too...

so, my advice is dont even give them shell access at all! dont offer it in your packages, tell them for security reasons and your own convenience, we dont offer it!
 

mesranet

Well-Known Member
May 6, 2002
132
0
316
Well ... its can do with so many solutions, two of it is 'Korn Shell Programming' & 'chroot jail'
 

ehsan

Well-Known Member
Dec 11, 2001
185
0
316
so can you disable users listing /home ?
or can you disable user pico so many of your scripts and files ?!

i am not talking about changing, just watching stuffs is too much for some pople :)
 

masood

Well-Known Member
Jun 14, 2002
78
0
156
Well.. the shell access is required by advanced user anyway, and you can't tell them: &we do not provide shell access for security reason&.

If I'm a customer, I would wonder what kind of hosting company is this? :p

On shared hosting listing /home is no concern for me, but

a) reading files of other users (like config.php with db passwords)
b) reading php code in /usr/local/cpanel/base/frontend/my_super_cool_php_theme

IS A NIGHTMARE for me!!! :(

The solution is available, but looks like unfortunately Cpanel does not use it!! (Except suExec for cgi scripts)

SOLUTION:

for (a) php-cgiwrap
for (b) zend_optimizer or cpanel directories to be read only by &cpanel& user.

:-(

Nick what do you say?
 

masood

Well-Known Member
Jun 14, 2002
78
0
156
ehsan,

Even if you just provide FTP account, all user files are open to read by anyone with an FTP account :p

that means all db passwords as well in php files :p
 

SHSaeed

Well-Known Member
May 9, 2002
245
0
316
[quote:3a4edcce68][i:3a4edcce68]Originally posted by masood[/i:3a4edcce68]

Even if you just provide FTP account, all user files are open to read by anyone with an FTP account :p

that means all db passwords as well in php files :p[/quote:3a4edcce68]

That's not true. If you set a users FTP root directory to /home/user then they can not read /home or any other directory outside of /home/user.
 

Radio_Head

Well-Known Member
Verifed Vendor
Feb 15, 2002
2,051
1
343
[quote:76a117f66b][i:76a117f66b]Originally posted by ehsan[/i:76a117f66b]

Masood,

You are right buy There are directories that you can not chmod them to what you want,

I personally dont even like to see ls /home by a reseller !:)

while i can not chmod for example /etc/passwd , so i better dont even give them shell access, specially when you have 100 domains on each box, you should think about your customers privacy too...

so, my advice is dont even give them shell access at all! dont offer it in your packages, tell them for security reasons and your own convenience, we dont offer it![/quote:76a117f66b]

and if a client ask you to back up his site via ssh ?
and if a client ask you to backup his mysql database via ssh ?

if we cannot provide ssh we cannot be competitive....
client will go away ....
 

SHSaeed

Well-Known Member
May 9, 2002
245
0
316
One thing you can do is if you have 2 different servers, put all clients that require SSH on one server and the rest on the other server. This way you can let your clients know about the riscs involved in everyone having SSH access.

[edit]
I'm also seen some web hosts offer SSH to clients that provide two types of identification.
[/edit]