Chrooting users to their home directory SSH

[ozzi4648]

With all the great features that Cpanel has incorporated I just cannot beleive that they not included the ability to chroot a user to their own home directory using SSH. While i can give my users the ability to ssh into the system, and they demand it, im a little uneasy about the fact that they can browse my system. I also dont feel comfortable in having them know how many accounts i have on my system and going places they shouldnt. This is a much needed feature and hopefully it will be included but what will it take to get them to realize this? This feature should be top priority and is not all that difficult to do, they can offer an ftp jail!

So right now im sitting here trying to figure out the best possible way of doing this without screwing up my entire virtual domains.

Does anyone have a solution?

 

[netarus]

I think this inquiry may be somewhat indentical to this post:

http://forums.cpanel.net/read.php?TID=5675

I am wondering myself.

 

[desario]

The Ensim panel does that... and what a nightmare it creates for you. I'm leaving an Ensim driven server now for a CPanel one and what a relief.

The top two issues w/ chroot'ing that I experienced w/ Ensim are:

1. Providing access to common programs on the machine in the chroot'ed environment (ie mysql, ssh, etc). A chroot'ed environment is very restricted usually unless you go through the trouble of hard linking every binary into the chrooted environment, but at that point, there isn't much point in chroot'ing.

2. Confusion for users over how to configure paths in CGI (Perl, PHP, etc). For example, in a shell the CWD might be /var/www/html , but when the script ran, the CWD would be /home/virtual/admin99/fst/var/www/html . Imagine as an end user running an automated installer on the command line and then trying to figure our why what you installed doesn't work.

This might just have been Ensim's implementation of a chroot'ed environment not being done well (I don't pretend to be any sort of expert on chroot'ing / jails), but it was not a good experience for me or my clients.

So I warn you... if you really want to do it, be careful and thorough about the chroot'ed environment you provide or you might tick off your customers.

 

[desario]

I just wanted to add that Ensim didn't give any choice about using a chroot'ed environment or not... you had to deal with it.

 

[paulo]

I have to disagree.

Chroot is very efective from the hosting admin prespective and Ensim has done a quite good job implmenting it. Althoug yes you can't use some commands like mysql or you have to install it or lynk them. Nevertheless it's a must! If the user does not like it. So be it.

This feature should existing in cpanel. That's a good advantage from ensim over cpanel.

For the record. I have servers with cpanel and some with ensim.

 

[dgbaker]

As someone who at onetime had a site on ensim box all I can say is &where is my get out of jail card?&

If you have demanding users who require a lot and the host does not do ch'rooting properly it can be a virtual nightmare (pun intended)

If Cpanel does implement this I wish for two things.

1. Option of on or off for a server.
2. Very customizable and easy to admin.

As for locking users down in Cpanel, there are a lot of simple chmod and chown tricks to limiting views and such. Granted they still can see a lot of things but that is the risk when giving shell access to people.

And remember that even with ch'rooting it is a false sense of security, one good user knowing what they are doing can break the jail with ease. Most users on systems don't snoop and don't care, except for their own stuff. The ones you have to watch are having users with our skill levels that would enjoy testing your skills at security or the server.

 

[Website Rob]

[quote:b8ad5a6cff][i:b8ad5a6cff]Originally posted by dgbaker[/i:b8ad5a6cff]And remember that even with ch'rooting it is a false sense of security, one good user knowing what they are doing can break the jail with ease. Most users on systems don't snoop and don't care, except for their own stuff. The ones you have to watch are having users with our skill levels that would enjoy testing your skills at security or the server.
[/quote:b8ad5a6cff]Gotta love those Clients that put our SysAdmin skills to the test. :p

Personally, I don't allow SSH unless requested and absolutely necessary. Thinking of going the &provide copy of License or other photo ID& route, for access, but seems like a hassle for all concerned.

Cannot see where or why, actually, a Client would &need& SSH other than just &wanting& it?

 

[dgbaker]

I've seen some interesting cgi scripts that allow you to execute shell commands from your browser. I've played with one or two of them and they have some merit.

One of them is called unixcmd.cgi. The usage is like unixcmd.cgi?unix command It would them display the info in the browser. One good thing is you cannot modify anything only browse.

 

[Website Rob]

Good point, David. There are lots of scripts (in any language) that allow for &cross-site scripting& and regardless SSH, can allow very nasty things to be done to the Server.

 

[Juanra]

Assuming that we could chroot the SSH sessions of a number of selected users in a secure way, what files do you suggest should be copied into their home directory so they could do something useful inside their jail? (I mean, things like ls, mkdir, libraries, etc.)