The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

su = free reign?

Discussion in 'General Discussion' started by host95, Jan 24, 2003.

  1. host95

    host95 Member

    Joined:
    Jan 21, 2003
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Will allowing your users to su to the server allow them free access to peek at the /home directories of everyone else on the server? If so, is there a way to prevent this? Maybe suexec? Anu way at all?
     
  2. shaun

    shaun Well-Known Member

    Joined:
    Nov 9, 2001
    Messages:
    698
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Clemente, Ca
    su is a command which allow's a user to enter a password and to gain UID0 or root privs.

    I assume you ment SSH. Well this is the problem today with shared hosting. Unless your client is in a chroot enviorment and if they are smart enough they will be able to see other users files. You'd be supprised how much access ssh gives the users. They cant really do much but they have alot of viewing access :)

    my recommendation... have your clients use perms 0733 on directorys where nobody needs to write. 0733 will allow write but unless the person knows the name of the file they will not be able to access the file in that dir... I'm getting ahead of my self...
     
  3. host95

    host95 Member

    Joined:
    Jan 21, 2003
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    [quote:1fcaec5b7b][i:1fcaec5b7b]Originally posted by shaun[/i:1fcaec5b7b]

    su is a command which allow's a user to enter a password and to gain UID0 or root privs.

    I assume you ment SSH. Well this is the problem today with shared hosting. Unless your client is in a chroot enviorment and if they are smart enough they will be able to see other users files. You'd be supprised how much access ssh gives the users. They cant really do much but they have alot of viewing access :)

    my recommendation... have your clients use perms 0733 on directorys where nobody needs to write. 0733 will allow write but unless the person knows the name of the file they will not be able to access the file in that dir... I'm getting ahead of my self...
    [/quote:1fcaec5b7b]

    How would one chroot ssh remote shell users into their corresponding home directories so they can only update their own web pages and access other /home directories that are owned by them? Is there a simple click with Cpanel?

    Thanks
     
  4. shaun

    shaun Well-Known Member

    Joined:
    Nov 9, 2001
    Messages:
    698
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Clemente, Ca
    at the moment i dont think you really can... i mean you probably could but it would be nothing but a big headache.
     
  5. host95

    host95 Member

    Joined:
    Jan 21, 2003
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Looks like the best option is NOT to offer SSH. Agree?
     
  6. s3kk3y

    s3kk3y Well-Known Member

    Joined:
    Oct 12, 2002
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    [quote:a4530c0ec3][i:a4530c0ec3]Originally posted by shaun[/i:a4530c0ec3]

    at the moment i dont think you really can... i mean you probably could but it would be nothing but a big headache.
    [/quote:a4530c0ec3]

    While that definitely is true, it is not acceptable. I just lost a client because I do not offer SSH. When I had ensim, it did give user access in SSH pretty well.
     
  7. host95

    host95 Member

    Joined:
    Jan 21, 2003
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    I've heard chroot() is a good way to increase the security of the software provided that secure programming guidelines are utilized and chroot() system call limitations are taken into account. Chrooting will prevent an attacker from reading files outside the chroot jail and will prevent many local UNIX attacks (such as SUID abuse and /tmp race conditions).

    In other words, Cpanel should have a way to put /home directories &in jail& to both limit potential server compromise while maximizing client satisfaction.
     
  8. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Using chroot() is a good idea, unfortunately, it doesn't work well with Cpanel -- at this point in time anyway. With all the other features and ease-of-use, for both myself and my Clients, denying SSH to everyone -- even my Resellers -- it may not be the most secure of measures, but does prevents majority of people from causing problems; un-intentionally or otherwise.

    I lose potential Clients because of it, but it doesn't worry me -- I lose potential Clients because of other safeguards I enforce, as well. As I do not sell on price, but quality, uptime, support, etc. I have very little problems or turn-over and lots of long term Clients.
     
  9. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    Also chroot is extremly easy to break out of if not setup perfectly and maintained. There are several sites around that show you how to exploit chroot.
     
  10. host95

    host95 Member

    Joined:
    Jan 21, 2003
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Those responses just about tell the tale...su is for the owner/administrator only. This may be for another thread, but here goes.... what else should new WHM users NOT activate in packages they offer clients?

    Thanks...
     
  11. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    What is availabe to offer within Cpanel depends upon what is available with the WHM. Presuming we are referring to Resellers and their WHM, this is what I found to be good for both, Server Admin and Reseller.

    Normally, within the Reseller Center & Edit Reseller Privileges/Nameservers, I base their limits on Resource Usage and do not include or allow, the following:

    Allow Creation of Packages with Unlimited Diskspace (new)
    Allow Creation of Packages with Unlimited Features (ie. unlimited pop accounts) (new)
    All Features (warning: root access)
    Allow Creation of Packages with Shell Access
    Rearrange Accounts (used to free up disk space)
    Restart Services
    Turn an account into a demo account

    This means the checkbox is left blank for all of the above and checked off for everything else.

    In their &Resource& allocation, I then setup their &Max Allowed& and allow &Overselling Allowed& -- the overselling allows their WHM to show &Web Space and Data Transfer& allotments (available & used) more correctly.

    This I have found works well for myself while still providing Resellers with lots of options.
    Your milage may vary. :)
     
  12. host95

    host95 Member

    Joined:
    Jan 21, 2003
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    As Website Rob says on his own website's resellers section:

    &Create packages with the features you want to offer, knowing you are only limited by how much Web Space & Data Transfer you have. Offering &Unlimited& anything is not allowed, as there is no such thing. Exception: how much Support you want to offer.&

    Gotta' love it!

    Question: What features, i.e., frontpage, commerce scripts, etc., generate too many problems? Are there ones you do not offer to retail or reseller clients because they are more trouble than they're worth? (THis question of course is directed to ALL readers.)
     
Loading...

Share This Page