The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

restricting allowed ssh commands

Discussion in 'Security' started by nshahzad, Mar 16, 2010.

  1. nshahzad

    nshahzad Member

    Joined:
    Mar 16, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Hi all,

    Been searching for this - I have users jailed, but they can still run free and top, and also browse around /. But I'd like to restrict commands to just:

    cd
    ls
    wget
    tar
    rm
    mkdir
    ln
    git
    svn

    And I guess maybe a few other essential commands. Is there a place to have an "allowed commands" list?
     
  2. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Speaking as a security consultant first and systems administrator second, I would recommend that you do not under any circumstances allow your users SSH access whatsoever in any form.

    If you feel you must grant SSH access (though really not necessary usually), then I would at least make sure that you place the users in a jailshell but don't assume that because someone has a "jailed" login that your security worries are over because they most certainly are not.

    Regarding your question of restricting commands ---

    **SOME** commands you can restrict by setting to "root:root" with permissions of 700 or 754 but you cannot do that with every command as you will actually break your server if you restrict some commands

    In irony, of the commands you listed that you *DO* want to allow access, most of those commands are precisely the very commands that you reallly *DON'T* want users to access such as svn, wget, git, and ln as these are some of the most commonly abused commands.

    Again though, I personally wouldn't allow SSH access myself -- bad idea!
     
  3. nshahzad

    nshahzad Member

    Joined:
    Mar 16, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for the reply. I'm actually doing some 'specialized' hosting, for some software I've been writing. I have deploy scripts which utilize wget/git. But I don't want them running free or top (it's still there in a jailed shell). IIRC, when I used to be with site5, they did it somehow.

    Is there a way to add 'scripts' into cpanel? IE, a client can go into the panel, and run a certain bash script or maybe a php/python script without having to go into SSH?
     
  4. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Take a look at the Cpanel development site documentation ....

    It is very easy to turn most scripts into plugins or make your own auto-installer packages for Cpanel and you might look into either of those.

    Regarding what I said earlier about "root:root", you might look at setting "root:cpanel" and limiting to owner and group access in which case Cpanel would still have access but not end users.

    Outside of these things, I have at times used a trigger process where I have a cron process watching for a certain condition such as an install request inserted in a database or a file dropped into a certain location and then the system wakes up under root and performs whatever task I have pre-assigned. By doing things in this manner, there is no need to give end users SSH access for items like pre-installing scripts and since no commands or information is being passed over to the process actually performing the installations, it remains safe doing that and actually gives you an extra buffer layer there between the system and end user.

    Anyway though, there is a few ideas for you ....
     
  5. nshahzad

    nshahzad Member

    Joined:
    Mar 16, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for the ideas. I actually use the entry in a db to trigger deployment processes here at work, but might be too complicated for end-users.

    I'll explore the dev documentation, though. I'm like the flexibility :)

    Cheers!
     

Share This Page