A user can access all accounts :(

Discussion in 'General Discussion' started by cosmin, Jun 22, 2002.

  1. cosmin

    Hi!

    A user sent me an e-mail today showing how he can access all accounts through SSH.

    Another user modified a MySQL db from another account...

    How can I stop this?
    In WHM I have enabled Shell Fork Bomb Protection :(((


    Who can help me please?

    Thanks!
     
  2. hst

    Set root password

    Have you set the root password for MySQL with WHM? If not, give that a try, since without it you will have problems like this.
     
  3. itf

    Don't permit SSH on your system for all of your clients; as soon as you permit it, you will be involved in risky operations like this!!!
     
  4. masood

    Even if you permit one person on SSH (say a reseller), that one user can access almost everything. :p

    How can I protect someone's billing software from being stolen? :-(

    php-cgiwrap?

    zend-optimizer (php) and suexec (cgi) work fine, but not everyone has zend-encoder (php).

    How about code inside cpanel themes?

    zend-optimizer inside cpanel themes? Will it work?

    Directory permissions on cpanel themes to only allow "cpanel" to read files? (Tried it, didn't work.)

    any other ideas?
     
  5. TRAIN YARD SOFTWARE

    We are told this is how SSH works on UN*X
     
  6. Dotcoms

    chmod 711 all of your important directories is one way.
     
  7. itf

    [quote][i]Originally posted by Dotcoms[/i]

    chmod 711 all of your important directories is one way.[/quote]

    Can’t help much more; when you permit someone to use SSH, it’s a bit like opening your front door while you have security alarms installed in your house. It turns into a heaven for hackers if you have mod_perl or PHP installed.

    Shared hosting is not as secure as you think. :p
     
  8. cosmin

    Solutions?

    Practically no solutions?

    I can't stop shell access for my users. They need this...

    Just Masood has a solution?
     
  9. cosmin

    SSH access

    How can I give/stop SSH access for an active account?
     
  10. itf

    [quote][i]Originally posted by cosmin[/i]

    How can I give/stop SSH access for an active account?[/quote]
    There are three ways; choose one of them to enable/disable SSH.

    Method 1)
    Modify your hosting package and then use Account Functions -> Upgrade/Downgrade

    Method 2)
    Use this command

    chsh USERNAME

    Then change it to /usr/local/cpanel/bin/noshell

    Method 3)

    pico /etc/passwd

    in front of that certain user name change /bin/bash to /usr/local/cpanel/bin/noshell

    If you want to enable SSH for a certain user change its shell to /bin/bash
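
After changing shells with any of the three methods above, it helps to confirm which accounts can still log in interactively. The script below is an added example, not part of the original post; the minimum UID of 500 and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Report accounts that can still open an interactive shell.
# Usage: list_shell_users [passwd_file|-] [min_uid]
#   passwd_file defaults to /etc/passwd ("-" reads standard input)
#   min_uid defaults to 500 (assumed first UID for hosting accounts)
list_shell_users() {
    awk -F: -v min="${2:-500}" '
        # skip malformed lines and system accounts
        NF != 7 || $3 < min { next }
        # shell already disabled (noshell, nologin or false)
        $7 ~ /\/(noshell|nologin|false)$/ { next }
        # an empty shell field falls back to /bin/sh, so it still counts
        { print $1 ":" ($7 == "" ? "/bin/sh (default)" : $7) }
    ' "${1:-/etc/passwd}"
}

# Constructed sample in /etc/passwd format (not taken from a real server).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:501:501::/home/alice:/bin/bash
bob:x:502:502::/home/bob:/usr/local/cpanel/bin/noshell
carol:x:503:503::/home/carol:
dave:x:504:504::/home/dave:/sbin/nologin
EOF
}

# Run with --demo to audit the constructed sample instead of /etc/passwd.
if [ "${1:-}" = "--demo" ]; then
    sample_passwd | list_shell_users -
fi
```

Calling `list_shell_users` with no arguments audits the live /etc/passwd; an account with an empty shell field is reported because it falls back to /bin/sh.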
     
  11. masood

    [quote][i]Originally posted by TRAIN YARD SOFTWARE[/i]

    We are told this is how SSH works on UN*X[/quote]

    Nope. SSH or Shell on a system can be secured in a lot of ways. You just need the right permissions on files and directories.
     
  12. masood

    [quote][i]Originally posted by cosmin[/i]

    Practically no solutions?

    I can't stop shell access for my users. They need this...

    Just Masood has a solution?[/quote]

    :p What are your concerns on shell access?
     
  13. ehsan

    Masood,

    You are right, but there are directories that you cannot chmod to what you want.

    I personally don't even like to see ls /home run by a reseller! :)

    And I cannot chmod, for example, /etc/passwd, so I'd better not even give them shell access, especially when you have 100 domains on each box; you should think about your customers' privacy too...

    So, my advice is: don't even give them shell access at all! Don't offer it in your packages; tell them that for security reasons and your own convenience, we don't offer it!
     
  14. mesranet

    Well... it can be done with many solutions; two of them are 'Korn Shell Programming' & 'chroot jail'.
     
  15. ehsan

    So can you stop users from listing /home?
    Or can you stop a user from opening so many of your scripts and files in pico?!

    I am not talking about changing; just watching stuff is too much for some people :)
     
  16. masood

    Well.. the shell access is required by advanced users anyway, and you can't tell them: "we do not provide shell access for security reasons".

    If I'm a customer, I would wonder what kind of hosting company is this? :p

    On shared hosting listing /home is no concern for me, but

    a) reading files of other users (like config.php with db passwords)
    b) reading php code in /usr/local/cpanel/base/frontend/my_super_cool_php_theme

    IS A NIGHTMARE for me!!! :(

    The solution is available, but looks like unfortunately Cpanel does not use it!! (Except suExec for cgi scripts)

    SOLUTION:

    for (a) php-cgiwrap
    for (b) zend_optimizer or cpanel directories to be read only by "cpanel" user.

    :-(

    Nick what do you say?
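
The two exposures discussed in this thread, home directories that other accounts can list and config files that other accounts can read, can be checked from the mode bits alone. The audit below is an added example, not code from any poster or from cPanel; the `config*.php` file-name pattern and the demo tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Flag two things under a hosting base directory (default /home):
#   LISTABLE  home directories with the other-read bit set (e.g. 755, not 711)
#   READABLE  config*.php files that any local account can read
# A 711 home hides file names but does not protect a file at a predictable
# path, so both checks are needed.
audit_home_perms() {
    base="${1:-/home}"
    find "$base" -mindepth 1 -maxdepth 1 -type d -perm -004 -print |
        sed 's/^/LISTABLE /'
    find "$base" -mindepth 2 -type f -name 'config*.php' -perm -004 -print |
        sed 's/^/READABLE /'
}

# Build a constructed demo tree (not a real server) and print its path:
#   alice: home 711, config.php 644  -> READABLE only
#   bob:   home 755, config.php 600  -> LISTABLE only
#   carol: home 711, config.php 600  -> nothing reported
make_demo_tree() {
    t="$(mktemp -d)"
    for u in alice bob carol; do
        mkdir -p "$t/$u/public_html"
        : > "$t/$u/public_html/config.php"
    done
    chmod 711 "$t/alice" "$t/carol"
    chmod 755 "$t/bob"
    chmod 644 "$t/alice/public_html/config.php"
    chmod 600 "$t/bob/public_html/config.php" "$t/carol/public_html/config.php"
    echo "$t"
}

# Run with --demo to audit the constructed tree instead of /home.
if [ "${1:-}" = "--demo" ]; then
    audit_home_perms "$(make_demo_tree)"
fi
```

Tightening a flagged config file to 600 only works when PHP runs as the account owner, which is the role of the php-cgiwrap setup proposed above; under a shared web-server user the file has to stay readable by that user.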
     
  17. masood

    ehsan,

    Even if you just provide an FTP account, all user files are open to read by anyone with an FTP account :p

    that means all db passwords as well in php files :p
     
  18. SHSaeed

    [quote][i]Originally posted by masood[/i]

    Even if you just provide an FTP account, all user files are open to read by anyone with an FTP account :p

    that means all db passwords as well in php files :p[/quote]

    That's not true. If you set a user's FTP root directory to /home/user then they cannot read /home or any other directory outside of /home/user.
     
  19. Radio_Head

    [quote][i]Originally posted by ehsan[/i]

    Masood,

    You are right, but there are directories that you cannot chmod to what you want.

    I personally don't even like to see ls /home run by a reseller! :)

    And I cannot chmod, for example, /etc/passwd, so I'd better not even give them shell access, especially when you have 100 domains on each box; you should think about your customers' privacy too...

    So, my advice is: don't even give them shell access at all! Don't offer it in your packages; tell them that for security reasons and your own convenience, we don't offer it![/quote]

    And if a client asks you to back up his site via SSH?
    And if a client asks you to back up his MySQL database via SSH?

    If we cannot provide SSH we cannot be competitive....
    Clients will go away....
     
  20. SHSaeed

    One thing you can do is, if you have 2 different servers, put all clients that require SSH on one server and the rest on the other server. This way you can let your clients know about the risks involved in everyone having SSH access.

    [edit]
    I've also seen some web hosts offer SSH to clients that provide two types of identification.
    [/edit]
     