The Community Forums

users can download any file by SFTP

Discussion in 'Security' started by Mise, Dec 13, 2011.

  1. Mise

    Mise Member

    Joined:
    May 15, 2011
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    I have checked that any user can connect by SFTP with Filezilla using the short name account. And they can see the whole server and download /etc/passwd or any other file.

    I have all the users jailed inside Tweak Settings. They are all also jailed in the account configuration. No one has shell permission. However, it seems cPanel by default lacks a line "AllowUsers root" inside /etc/sshd_config. And in this way, any user can download any file from any folder (/etc, /dev...).

    After including that line, SSH connections are now not possible except for root. But now, how can I give SFTP access to some users who need it? Will users with a dedicated IP be jailed by default, or will they see the whole server?

    How can I give SFTP access to some accounts without letting them see the server folders?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    SFTP is enabled without giving any users escalated privileges (jailshell).
     
  3. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    What is "the short name account"?
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Where do you see this referenced, exactly? Can you be more specific?
     
  5. Mise

    Mise Member

    Joined:
    May 15, 2011
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Any account@mydomain.com can log in with SFTP using "account", and he will see the server folders and will be able to download any file, /etc/passwd or whatever.

    Please try it with Filezilla to check. Go to the root folder and up, and you will see all the folders. Try to download /etc/passwd.

    Now I have changed all my Jailed users to "NoShell" and rebooted the server, and the same thing still happens.
    My only solution is to forbid the use of SFTP to all users by including "AllowUsers root" inside /etc/sshd_config :(

    Please give some help so that people can use SFTP without this high risk.
     
  6. slim

    slim Well-Known Member

    Joined:
    May 27, 2004
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Australia
    I think what he means is this:

    1. Connect using SFTP to a standard cPanel user account using the normal account name and password.
    2. The user is automatically placed in /home/username.
    3. Traverse back up the directory structure to / and you can see a complete listing of files on the server. You can then navigate into, say, etc and view the contents of the files.

    cPanel has allowed this for quite some time (I've seen it before).
     
  7. Mise

    Mise Member

    Joined:
    May 15, 2011
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Thanks slim. Yes, it is.

    I have discovered this utility for this exact purpose:

    http://olivier.sessink.nl/jailkit/howtos_sftp_scp_only.html

    Is there any problem installing this in cPanel?
     
  8. Mise

    Mise Member

    Joined:
    May 15, 2011
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    OK, this is a solution using Jailkit to add a user jail for SFTP.

    It works, also after rebooting the server.

    Tested with Filezilla. It works. The user remains inside the /srv/jail structure without access to other folders.

    Inside /srv/jail/home you can see the directory /userjailed created for this new user.

    Using an SSH terminal, the user is suddenly disconnected. I still don't know why. Some configuration issue, I suppose.

    To me this solution is enough. Maybe somebody can build a configuration for the cPanel /home so any user can be jailed inside his own /home/user space. It would be the ideal way, I think.

    Hope it helps.
     
    #8 Mise, Dec 15, 2011
    Last edited: Dec 15, 2011
  9. SoftDux

    SoftDux Well-Known Member

    Joined:
    May 27, 2006
    Messages:
    983
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Johannesburg, South Africa
    cPanel Access Level:
    Root Administrator
    Simply change your SSH port and don't tell your users what the new port is.

    For further security, limit access to SSH to your own IP / IP range.
     