security issues due to enabling normal shell access for cpanel user in VPS

[actived]

Hi,
If a cPanel user john1 who has his account in /home/john1, is given shell access (as john1, not root access) what would the primary security issues be - any howto's or articles for the same?

Anything important other than standard linux permissions issues to be remembered?

We have a VPS account with root access too, but running scripts as john1 is safer than logging in as root.
I just want to confirm that there are no glaring security issues I overlooked.

Also, how does one allow scripts running as john1 to access apache and mysql error logs?
I suspect adding john1 to the root group is a bad idea.

TIA,
Dave

 

[cPanelTristan]

Re: security issues due to enabling normal shell access for cpanel user in

For access to the Apache error logs, those can be read by a shell user even if that user isn't root at /usr/local/apache/logs/error_log location due to having 644 file permissions. MySQL logs are owned by the mysql:mysql user and group and cannot be read by another user other than MySQL and root due to having 660 file permissions.

I would recommend the user having jailed shell access unless it is really required to allow a non-jailed shell environment. A user with normal shell access could be a higher security risk than one with jailed shell access.

 

[actived]

[solved] Re: security issues due to enabling normal shell access

Thanks for the clarification.

So,
1. Jailed shell access
2. No chance of using php scripts to directly display httpd access, error / suphp / mysql logs in the browser.

The problem is that sometimes shell access is shaky, and sometimes, technical users who are not system admins (eg. php/mysql developers who aren't familiar with bash) have to refer to logs - so giving root access is risky - hence the browser log display solution is attractive.

3. My workaround now would be to run a shell script under cron (as root if possible?) to copy the logs to another secure location and then process from there - viewed in https only and viewed in a restricted part of the site.

Thanks again.
Dave

 

[cPanelTristan]

Re: security issues due to enabling normal shell access for cpanel user in

Hi Dave,

I would say copying the logs periodically to provide to those users would definitely be preferable as you've suggested.

Thanks!

 

[actived]

Re: security issues due to enabling normal shell access for cpanel user in

I stumbled upon the excellent cPanel module LogView ( LogView - cPanel add-on - LogView ) which removes the need to login to SSH just for seeing logs.
It's easy to install, free and works like a charm!