The Community Forums

Interact with an entire community of cPanel & WHM users!

How to limit Shell/SSH2 usage

Discussion in 'General Discussion' started by Radio_Head, Apr 17, 2002.

  1. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Hello,

    I am still new to cPanel and WHM. I noticed just now that a client with shell access is able to go around the whole server (!) and is free to execute programs like mc, Midnight Commander (!).

    What do I have to do to limit every client to their /home/user directory?? What do I have to do to limit execution/usage of mc to root only?


    Thank you!!
     
  2. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Can anyone help me?
     
  3. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Is there anyone there who can reply?
    So with cPanel every client with shell access has the power
    to go around the server?
     
  4. Mat

    Mat Well-Known Member

    Joined:
    Sep 26, 2001
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    > Originally posted by Radio_Head
    >
    > Is there anyone there who can reply?
    > So with cPanel every client with shell access has the power
    > to go around the server?


    No, that's how Linux generally is... As long as you have the correct permissions set up, users won't be able to write to anything not belonging to them...

    You could chroot them to their own dir, but that is a lot of hassle for hundreds of users...
     
  5. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    > Originally posted by Mat
    >
    > > Originally posted by Radio_Head
    > >
    > > Is there anyone there who can reply?
    > > So with cPanel every client with shell access has the power
    > > to go around the server?
    >
    > No, that's how Linux generally is... As long as you have the correct permissions set up, users won't be able to write to anything not belonging to them...
    >
    > You could chroot them to their own dir, but that is a lot of hassle for hundreds of users...


    THANK YOU for the reply :).
    My cPanel distributor told me that it is NOT possible to restrict users to their directory (!!!!) and that I have to suggest this feature to the cPanel developers (!).
    Can you explain this "You could chroot them to their own dir" better? What do I have to do? I used chmod 711 on the /home dir but it's not exactly what I want.

    Thanks
    Radio
     
  6. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    The solution seems to be a well-configured
    .bash_profile file placed in each /home/user dir...
     
  7. DHL

    DHL Well-Known Member

    Joined:
    Mar 8, 2002
    Messages:
    88
    Likes Received:
    0
    Trophy Points:
    6
    > Originally posted by Radio_Head
    >
    > The solution seems to be a well-configured
    > .bash_profile file placed in each /home/user dir...

    I want to do this too; can you provide more info on the latter way?

    Thanks

    Steve
     
  8. Juanra

    Juanra Well-Known Member

    Joined:
    Sep 22, 2001
    Messages:
    777
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Spain
    > Originally posted by Radio_Head
    > My cPanel distributor told me that it is NOT possible to restrict users to their directory (!!!!) and that I have to suggest this feature to the cPanel developers (!).

    http://web.cpanel.net/bugzilla/show_bug.cgi?id=452

    > The solution seems to be a well-configured
    > .bash_profile file placed in each /home/user dir...

    Not really the solution, from what I have read...
    See this thread:
    http://support.cpanel.net/obb/read.php?TID=1270
     
  9. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Sorry, double post, please read below.
     
  10. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    To disable over a thousand dangerous commands (wget, ftp, mc and so on), I created a bash profile in /home/user with over 1000 alias commands like this:

    # disable wget
    alias wget="echo This command is not available"
    # disable midnight commander
    alias mc="echo This command is not available"

    and so on; all commands (over 1000) are aliased.

    At the end of my bash profile I also inserted:

    # stop the user from redefining or removing the aliases above
    alias unalias="echo This command is not available"
    alias alias="echo This command is not available"



    Well, in this way I limit the user to using ONLY some commands,
    for example cd, ls, tar, mysql, pico, pine and some others (the essentials for a shared account). If the user tries to
    use an aliased command he receives the message
    This command is not available


    However there is always ANOTHER problem.
    How to keep the user in their directory?

    711 permission on the home dir is useful, but it's NOT enough of course.

    Users MUST stay in their /home/user dir if you want to sleep better ;)

    Perhaps I am near to finding a solution; however, if anyone has already found the solution please report it here, thanks.
     
  11. bert

    bert Well-Known Member

    Joined:
    Aug 21, 2001
    Messages:
    602
    Likes Received:
    0
    Trophy Points:
    16
    Hi Radio_Head,

    Any chance we can get that list of commands? :)
     
  12. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    I just now finished the work!

    I created a bash profile (it must be placed in the dir
    of the user) and it does the following:

    1) The user cannot move UP from /home/user. He can use cd but he cannot go outside of /home/user!!! ;)

    2) I limited bin commands to around 30 essentials. The client can debug/edit Perl, PHP and Python scripts, can do backups
    and use mysql. ;)

    These are the commands that I activated:

    sum, sleep, date, htpasswd, nslookup,
    mysql, msql2mysql, touch, kill, unzipsfx, unzip, whois,
    fwhois, perl, ls, chmod, mv, cp, find, finger, rm, rmdir,
    gzip, tar, gunzip, mkdir, awk, dirname, du, echo, head,
    jobs, more, printf, sort, tail, time, compress, uncompress,
    zcat, nice, java, diff, sed, test, asp2php, php, phptar, uuencode,
    mysqldump, true, false, expr,
    basename, hostname, uname, clear, tput, crontab, tr, pico, pine,
    man, ps, tbl, lynx, file, cmp, python1.5, python,
    perl, perldoc, cut, php, g++, gcc, less, top, whereis, ps,
    help, make, as, ar, arch, ranlib, commands, history


    3) I can add or remove commands in seconds ;)


    4) Disabled double tab (the client is not able to retrieve a list of available commands)

    All done, and it works perfectly (currently testing it to find vulnerabilities). No chroot needed, I only wrote a
    bash profile! I will pass the code only to cPanel developers if interested (email graziano@ecosse.net).
     
  13. ehsan

    ehsan Well-Known Member

    Joined:
    Dec 11, 2001
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    16
    How did you make the bash profile, and can you please send me the list of scripts or even one of your bash profiles?
    Thanks,

    support@bigmaster.org
     
  15. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Updated

    bash_profile updated. New features (*):

    1) The user cannot move UP from /home/user. He can use cd but he cannot go outside of /home/user!!!

    * Now this limitation works on ls and pico too!
    The user cannot read, for example, /etc/passwd or any other
    file outside their dir with pico.
    Commands such as ls /root do not work for the user.

    2) I limited bin commands to around 30 essentials. In brief, the client can debug/edit Perl, PHP and Python scripts, can do backups
    and use mysql, and can read email with pico.

    These are the commands that I activated:

    sum, sleep, date, htpasswd, nslookup,
    mysql, msql2mysql, touch, kill, unzipsfx, unzip, whois,
    fwhois, perl, ls, chmod, mv, cp, find, finger, rm, rmdir,
    gzip, tar, gunzip, mkdir, awk, dirname, du, echo, head,
    jobs, more, printf, sort, tail, time, compress, uncompress,
    zcat, nice, java, diff, sed, test, asp2php, php, phptar, uuencode,
    mysqldump, true, false, expr,
    basename, hostname, uname, clear, tput, tr, pico, pine,
    man, ps, tbl, lynx, file, cmp, python1.5, python,
    perl, perldoc, cut, php, g++, gcc, less, top, whereis, ps,
    help, make, as, ar, arch, ranlib, commands, history

    3) I can add or remove commands for the user in seconds.

    4) Disabled double tab!!
    (the client is not able to retrieve a list of available commands
    using double tab)

    5) No chroot needed; there is only a .bash_profile to be placed in the /home/user dir.


    Still searching for other shell vulnerabilities...


    ***************************
    Please don't ask me for the code; I will pass the code only to cPanel developers if interested (email graziano@ecosse.net). In this way I hope they will insert it in WHM, available for all, soon.
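An added example (not Radio_Head's unpublished profile and not cPanel's code) of the deny-by-default alias scheme described in posts 10, 12 and 15: gen_aliases prints one blocking alias for every executable that is not on the allowlist, and cd_home_only is a cd replacement that refuses any target whose symlink-resolved path lies outside the home directory. The directory names and the allowlist are constructed sample values; as the later replies note, aliases are a convenience control inside the user's own shell, not a boundary like Jailshell.

```shell
#!/bin/sh
# Added example: generate the deny-by-default alias block from the thread and
# a cd wrapper confined to $HOME. Not the poster's own profile.

DENY_MSG="This command is not available"

# gen_aliases "cmd cmd ..." DIR...
# Prints one blocking alias per executable found in DIR... whose basename is
# not in the space-separated allowlist, then locks alias/unalias as post 10 does.
gen_aliases() {
    allow=" $1 "
    shift
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -x "$f" ] && [ ! -d "$f" ] || continue
            name=${f##*/}
            # skip names that are not safe to emit unquoted as alias names
            case "$name" in *[!A-Za-z0-9_.+-]*) continue ;; esac
            case "$allow" in
                *" $name "*) ;;                         # allowed: leave it alone
                *) printf "alias %s='echo %s'\n" "$name" "$DENY_MSG" ;;
            esac
        done
    done
    printf "alias unalias='echo %s'\n" "$DENY_MSG"
    printf "alias alias='echo %s'\n" "$DENY_MSG"
}

# cd_home_only [DIR]
# Replacement for cd (alias cd=cd_home_only in the profile): resolves DIR with
# symlinks expanded and only changes directory if the result is $HOME or below.
# Otherwise prints the deny message, returns 1 and leaves the cwd unchanged.
cd_home_only() {
    home=$(cd "$HOME" && pwd -P) || return 1
    target=$(cd "${1:-$HOME}" 2>/dev/null && pwd -P) || { echo "$DENY_MSG"; return 1; }
    case "$target" in
        "$home" | "$home"/*) command cd "$target" ;;
        *) echo "$DENY_MSG"; return 1 ;;
    esac
}

# Example use (constructed paths): append the aliases to a user's profile, then
# define cd_home_only in that same file and add: alias cd=cd_home_only
#   gen_aliases "ls cd tar mysql pico pine" /bin /usr/bin >> /home/user/.bash_profile
```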
     
  16. AngeliaT1

    AngeliaT1 Registered

    Joined:
    May 17, 2005
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Script post possibly?

    Everything here sounds just like what I've spent hours looking for. Since users can still browse up above their own directory, would you consider posting a copy of your script here? Or do you have any particular resources that we can reference?

    I have to do this for one client who wants 8 shell accounts... that is how they edit their web pages. I would not normally do this, but it is a friend of mine. Any references would be appreciated. Thanks!
     
  17. nothsa

    nothsa Well-Known Member

    Joined:
    Nov 30, 2004
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    6
    If you want to restrict a user's shell to that user's directory, you can use the Jailshell option provided. Go to "WHM -> Account Functions -> Manage Shell Access" and select "Enable Jailed Shell" for the user.
     
  18. esh

    esh Member

    Joined:
    Jun 8, 2004
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Definitely use the jail shell... very simple and more secure than your bash profile method.
     
  19. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    If you are that worried about it, just disable SSH access completely... End of story.

    We don't allow SSH where I am at...

    1. Killed the terminal interface in cPanel
    2. Used iptables rules to block SSH to all but known admin IPs
    3. Put in PHP restrictions on shell-related commands, etc.

    Usually don't have any problems --- users can't telnet, cron, ssh, etc.

    It would be very rare for any user to legitimately need any of that functionality,
    and if they actually did (doubtful) then they could just ask us to do those
    things for them -- they still don't need to be doing it themselves.
     