su is a command which allow's a user to enter a password and to gain UID0 or root privs.
I assume you ment SSH. Well this is the problem today with shared hosting. Unless your client is in a chroot enviorment and if they are smart enough they will be able to see other users files. You'd be supprised how much access ssh gives the users. They cant really do much but they have alot of viewing access
my recommendation... have your clients use perms 0733 on directorys where nobody needs to write. 0733 will allow write but unless the person knows the name of the file they will not be able to access the file in that dir... I'm getting ahead of my self...
I assume you ment SSH. Well this is the problem today with shared hosting. Unless your client is in a chroot enviorment and if they are smart enough they will be able to see other users files. You'd be supprised how much access ssh gives the users. They cant really do much but they have alot of viewing access
my recommendation... have your clients use perms 0733 on directorys where nobody needs to write. 0733 will allow write but unless the person knows the name of the file they will not be able to access the file in that dir... I'm getting ahead of my self...
[quote:1fcaec5b7b][i:1fcaec5b7b]Originally posted by shaun[/i:1fcaec5b7b]
su is a command which allow's a user to enter a password and to gain UID0 or root privs.
I assume you ment SSH. Well this is the problem today with shared hosting. Unless your client is in a chroot enviorment and if they are smart enough they will be able to see other users files. You'd be supprised how much access ssh gives the users. They cant really do much but they have alot of viewing access
my recommendation... have your clients use perms 0733 on directorys where nobody needs to write. 0733 will allow write but unless the person knows the name of the file they will not be able to access the file in that dir... I'm getting ahead of my self...
[/quote:1fcaec5b7b]
How would one chroot ssh remote shell users into their corresponding home directories so they can only update their own web pages and access other /home directories that are owned by them? Is there a simple click with Cpanel?
Thanks
su is a command which allow's a user to enter a password and to gain UID0 or root privs.
I assume you ment SSH. Well this is the problem today with shared hosting. Unless your client is in a chroot enviorment and if they are smart enough they will be able to see other users files. You'd be supprised how much access ssh gives the users. They cant really do much but they have alot of viewing access
my recommendation... have your clients use perms 0733 on directorys where nobody needs to write. 0733 will allow write but unless the person knows the name of the file they will not be able to access the file in that dir... I'm getting ahead of my self...
[/quote:1fcaec5b7b]
How would one chroot ssh remote shell users into their corresponding home directories so they can only update their own web pages and access other /home directories that are owned by them? Is there a simple click with Cpanel?
Thanks
at the moment i dont think you really can... i mean you probably could but it would be nothing but a big headache.
[quote:a4530c0ec3][i:a4530c0ec3]Originally posted by shaun[/i:a4530c0ec3]
at the moment i dont think you really can... i mean you probably could but it would be nothing but a big headache.
[/quote:a4530c0ec3]
While that definitely is true, it is not acceptable. I just lost a client because I do not offer SSH. When I had ensim, it did give user access in SSH pretty well.
at the moment i dont think you really can... i mean you probably could but it would be nothing but a big headache.
[/quote:a4530c0ec3]
While that definitely is true, it is not acceptable. I just lost a client because I do not offer SSH. When I had ensim, it did give user access in SSH pretty well.
I've heard chroot() is a good way to increase the security of the software provided that secure programming guidelines are utilized and chroot() system call limitations are taken into account. Chrooting will prevent an attacker from reading files outside the chroot jail and will prevent many local UNIX attacks (such as SUID abuse and /tmp race conditions).
In other words, Cpanel should have a way to put /home directories &in jail& to both limit potential server compromise while maximizing client satisfaction.
In other words, Cpanel should have a way to put /home directories &in jail& to both limit potential server compromise while maximizing client satisfaction.
Using chroot() is a good idea, unfortunately, it doesn't work well with Cpanel -- at this point in time anyway. With all the other features and ease-of-use, for both myself and my Clients, denying SSH to everyone -- even my Resellers -- it may not be the most secure of measures, but does prevents majority of people from causing problems; un-intentionally or otherwise.
I lose potential Clients because of it, but it doesn't worry me -- I lose potential Clients because of other safeguards I enforce, as well. As I do not sell on price, but quality, uptime, support, etc. I have very little problems or turn-over and lots of long term Clients.
I lose potential Clients because of it, but it doesn't worry me -- I lose potential Clients because of other safeguards I enforce, as well. As I do not sell on price, but quality, uptime, support, etc. I have very little problems or turn-over and lots of long term Clients.
Also chroot is extremly easy to break out of if not setup perfectly and maintained. There are several sites around that show you how to exploit chroot.
What is availabe to offer within Cpanel depends upon what is available with the WHM. Presuming we are referring to Resellers and their WHM, this is what I found to be good for both, Server Admin and Reseller.
Normally, within the Reseller Center & Edit Reseller Privileges/Nameservers, I base their limits on Resource Usage and do not include or allow, the following:
Allow Creation of Packages with Unlimited Diskspace (new)
Allow Creation of Packages with Unlimited Features (ie. unlimited pop accounts) (new)
All Features (warning: root access)
Allow Creation of Packages with Shell Access
Rearrange Accounts (used to free up disk space)
Restart Services
Turn an account into a demo account
This means the checkbox is left blank for all of the above and checked off for everything else.
In their &Resource& allocation, I then setup their &Max Allowed& and allow &Overselling Allowed& -- the overselling allows their WHM to show &Web Space and Data Transfer& allotments (available & used) more correctly.
This I have found works well for myself while still providing Resellers with lots of options.
Your milage may vary.
Normally, within the Reseller Center & Edit Reseller Privileges/Nameservers, I base their limits on Resource Usage and do not include or allow, the following:
Allow Creation of Packages with Unlimited Diskspace (new)
Allow Creation of Packages with Unlimited Features (ie. unlimited pop accounts) (new)
All Features (warning: root access)
Allow Creation of Packages with Shell Access
Rearrange Accounts (used to free up disk space)
Restart Services
Turn an account into a demo account
This means the checkbox is left blank for all of the above and checked off for everything else.
In their &Resource& allocation, I then setup their &Max Allowed& and allow &Overselling Allowed& -- the overselling allows their WHM to show &Web Space and Data Transfer& allotments (available & used) more correctly.
This I have found works well for myself while still providing Resellers with lots of options.
Your milage may vary.
As Website Rob says on his own website's resellers section:
&Create packages with the features you want to offer, knowing you are only limited by how much Web Space & Data Transfer you have. Offering &Unlimited& anything is not allowed, as there is no such thing. Exception: how much Support you want to offer.&
Gotta' love it!
Question: What features, i.e., frontpage, commerce scripts, etc., generate too many problems? Are there ones you do not offer to retail or reseller clients because they are more trouble than they're worth? (THis question of course is directed to ALL readers.)
&Create packages with the features you want to offer, knowing you are only limited by how much Web Space & Data Transfer you have. Offering &Unlimited& anything is not allowed, as there is no such thing. Exception: how much Support you want to offer.&
Gotta' love it!
Question: What features, i.e., frontpage, commerce scripts, etc., generate too many problems? Are there ones you do not offer to retail or reseller clients because they are more trouble than they're worth? (THis question of course is directed to ALL readers.)
| Thread starter | Similar threads | Forum | Replies | Date |
|---|---|---|---|---|
| G | copy cpanel account without much free space | Account Administration | 3 | |
| V | Need to Free Up Disk Space | Account Administration | 2 | |
| M | edit package freezes | Account Administration | 7 | |
| R | Freeing up disk space when disk quota exceeded | Account Administration | 1 | |
| C | Creating an account via API freeze | Account Administration | 1 |