SSH

[purplepaws]

Hi,

I am strating to sell reseller accounts but am concerned about SSH access.

Is it correct that when you give SSH access to an account they can move around the entire server via SSH? This way they can see all the other account on the server!

I know there isnt a way of removing the option for resellers to enable SSH for a resold account but is there a way to disable tlenet/SSH access server wide except for the root user?

Sorry if I am being a bit thick here.

Cheers.

 

[kosmo]

I have chmod 711 /home/

All new accounts /home/user are automaticallly chmod 711.

Other users still can read any public file if they know the exact /path/to/file.ext (for example /home/user/public_html/index.html).

But they get a \"permission denied\" if they try to get another user\'s directory listed. And if they use wildcards trying to guess filenames, it won\'t work either.

kosmo

 

[Craig]

Just edit the /etc/passwd and change all users that you don\'t wish to grant ssh access to:
/usr/local/cpanel/bin/noshell

Other than that, the only thing to do is to do what kosmo said and chmod the home dir\'s.

C.

 

[purplepaws]

Hi,

Okay I can see how to edit the etc/passwd file.

I dont really understand about CHMOD\'ing the /home. Do I have to do this to just the /home dir?

 

[hedgehog]

All you need to do is login SSH and then

# chmod 711 /home/

That should get the trick done.

Hedgy

 

[purplep]

Hi,

CHMOD'ing the home dir.

Do I need to do this just once or everytime an account is created?

Thanks.

 

[ehsan]

guys, if we do chmod 711 for /usr /home /xxx /boot /sbin /bin /var /etc /lib /....
it wont make any problem for scripts or users ?
we want to limit the access of users in SSH, right now they can look around and that makes me afraid...
or is there any other better way to limit the user to stay just in his root ?

 

[feanor]

IMHO, you will have problems.
You can tighten down certain areas, but if you meddle with the contents of /etc, and /usr and var.... and things within, you will damage the functionality of vital services unless you do a VERY thorough job.

This is always a catch-22
If you are going to allow users to ssh in, your best defense is to have diligent admins running around your shared hosting machines with them.

Keep an eye on the kidz and wall threatening things every so often and then you'll be the scariest creature in the galaxy.

 

[ehsan]

So there is no way to force them to stay just in their dir ?
I wont give shell access to any body in that case!
one client in his first day was trying to run all scripts in /sbin

 

[moronhead]

[quote:7ae2426f2d][i:7ae2426f2d]Originally posted by ehsan[/i:7ae2426f2d]

So there is no way to force them to stay just in their dir ?
I wont give shell access to any body in that case!
[/quote:7ae2426f2d]
Let's be honest... Of course there are ways to force users to stroll strictly in their home dir, but you may not be able to get that info in this forum. It is a kind of well-guarded secret. I don't think people will be willing to give away that type of competitive data.

Put a search in Google or try to visit the Linux tutorial sites for an answer.

 

[zex]

Well only way to keep users from looking around the system is to implement few methods of securing system like patching kernel
with grsecurity patches and put users in chrooted enviroment (they will see only they dir and nothing else) or giving users Restricted Bash shell (rbash) actualy that is normal bash but started with options -r.

Making of chrooted enviroment is very dificult and in the most situations is not worth of time that will you spend for something like that. Not to mention what all kind of problems will you have to make rest of services/deamons to work.

In the other way restricted bash is preaty efficient way to stop users from snooping around, in combination with proftpd with
DefaultRoot ~ is definitly one of the best way's to prevent someone to see how much domains do you have.
On the other hands that will probobly not stop some user script that is executed to list directory's or to cat /etc/passwd
BTW puting chmod 711 on /etc/ /home and /usr dir will not harm cpanel. I'v already check that.