
Question Customer access to command line utilities via SSH

Justin Buckkley

New Pleskian
Hello,

I have a developer/reseller who's requesting access to a number of command line utilities for his customers, like:
- php
- mysql
- mysqldump
- composer
- nano
- git

Does anyone have advice/experience on adding this functionality? Thanks in advance!
 
Thank you @IgorG! Could you advise/explain the difference between this and non-chrooted shell access? If working with a trusted developer, what exposure to the system does the user have with say /bin/bash?
 
The user has full root access to everything if you grant him access to /bin/bash, including the opportunity to erase the system or install malware.
 

When logging in as the subscription system user, and granted SSH access, surely there are some permissions that limit their access, no?
 
In theory, directories and files that do not provide group or anonymous read or write access seem to enjoy some protection. But I guarantee it is easy to circumvent this. It is definitely not recommended to grant root access to a subscription user unless the user is fully trusted. Granting shell access to the normal bash shell is like giving full access to the system, no matter what your file or directory permissions say. Plus, you can never be sure that these are all set correctly.
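The reply above rests on file modes being the only barrier for a non-chrooted shell user, and on those modes possibly being set wrongly. As an added example (not part of the original thread), this Python audit lists what a given non-root uid and group set could read or write under a tree, judged from classic mode bits only; the sample tree and the uid/gid values are constructed, and ACLs, SELinux and capabilities are not evaluated.

```python
import os
import stat
import tempfile

# Constructed sample tree: relative path -> mode (directories end with "/").
SAMPLE = {"private/": 0o700, "private/secret.conf": 0o600,
          "site/": 0o755, "site/index.php": 0o644,
          "site/config.php": 0o640, "site/upload/": 0o777}

def build_sample(root):
    for rel, mode in SAMPLE.items():   # parents are listed before children
        path = os.path.join(root, rel)
        if rel.endswith("/"):
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)           # explicit chmod, so the umask does not matter

def triplet(st, uid, gids):
    """Select the owner, group or other rwx bits that apply to this uid."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def exposure(root, uid, gids):
    """Map relative path -> 'r', 'w' or 'rw' for what uid could reach under root."""
    found, stack = {}, [root]
    while stack:
        current = stack.pop()
        for name in os.listdir(current):
            path = os.path.join(current, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue               # symlink modes carry no permission meaning
            bits = triplet(st, uid, gids)
            flags = ("r" if bits & 4 else "") + ("w" if bits & 2 else "")
            if flags:
                found[os.path.relpath(path, root)] = flags
            if stat.S_ISDIR(st.st_mode) and bits & 1:
                stack.append(path)     # x bit: contents are reachable by name
    return found

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        owner = os.lstat(tmp)
        # Hypothetical unrelated account: neither the owner uid nor its group.
        print(exposure(tmp, owner.st_uid + 1, {owner.st_gid + 1}))
```

Run it as root against the real tree so that every directory can be listed, and pass the uid and group ids of the account that is to receive shell access.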
 

Thanks Peter! I really appreciate the explanations and advice. So to be clear: by enabling 'Can allow access to any type of shell' in the subscription, and then allowing access to the server over SSH via this article, unless I select '/bin/bash (chrooted)' I risk the chances mentioned above, correct?

Is there any other risk - say if one of those subscriptions/sites were hacked?

In my case, I have a trusted user that is a developer for a dozen or so of my customers. Each customer has their own subscription. Because there's not a way to set up an admin/webmaster with access to a defined list of subscriptions, my idea was to add him as a reseller - and then assign our shared customers' subscriptions to his account so that he'd have access to them without having to remember logins for each.

As mentioned above, he prefers to work via command line - and specifically wants to use Drush - thus the need to provide access to those programs.

Is adding access to these programs via chrooted environment the best option then?
 