• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Resolved Domain (SSH) user can see other directories

JogoVogo

JogoVogo

Basic Pleskian
Server operating system version
Debian 12.8
Plesk version and microupdate number
Plesk Obsidian v18.0.65_build1800241106.13
Hello everyone,

a customer has just pointed out to us that if he contacts Filezilla or SSH logs into his domain, goes up some directories and sees all vhosts (customers) there. A separate subscription is available.

SSH access is (/bin/bash (chrooted)

Write permission does not exist but it should not be able to read it either... Can this be changed!?

Cheers
Ron
 
The nature of a chrooted environment is that it must not be possible to breakout of the chrooted jail. Especially not via FTP or SFTP. I suggest disabling SSH access and in a second step re-enabling it with the chrooted option. If you are still able to breakout afterwards, please contact Plesk support on this.
 
Set to forbidden. Just to make sure that file permissions and internal permissions are updated.
 
We've seen this behavior in the past, and will try your suggestion as well. I personally like having the ability to SSH to a client site, but we turn it off for just this reason, there is to much uncertainty and confusion when enabling this option. I'd be curious to hear others opinion and experience with this, and also their take on even enabling client ssh from the outside to a plesk server....we specifically block port 22 to all plesk servers.
 
Other shells thank ``forbidden (/bin/false)`` and ``/bin/bash (chrooted)`` will give access to the entire file system. This means the system user can read all files that have read permissions for other users and access folders that have execute permissions for other users.
However, the actual webspaces/subscription folders can't be accessed by other users since they have 710 permissions. They can be accessed only by the system user associated with the webspace/subscription and the webservers group (psaserv)

If you wish to hide the webspace/subscription folders, run:
Code: 
chmod 710 /var/www/vhosts
This change will be reverted by plesk repair!

/bin/bash (chrooted) is the simplest way, but it gets more complicated when php access is required. The chrooted environment doesn't have any php.
 
Good day!

This is a serious problem because we have now switched to “/bin/bash (chrooted)”. Nevertheless, it is possible to wander in the directories. We absolutely need a solution for this!

Cheers
Ron
 
JogoVogo said:
Good day!

This is a serious problem because we have now switched to “/bin/bash (chrooted)”. Nevertheless, it is possible to wander in the directories. We absolutely need a solution for this!

Cheers
Ron
Click to expand...
That is how SSH is designed to work. You connect to the system and have access to your own files and other locations that have the permissions for other users to access.

The “/bin/bash (chrooted)” shell creates a Linux file system in the webspace/subscription (/var/www/vhosts/domain.tld). You ssh directly there and can't access anything above /var/www/vhosts/domain.tld or anywhere else in the file system. However, this creates the problem with special applications like PHP which need to be copied to the webspace in order to be able to use them.

> Nevertheless, it is possible to wander in the directories

In which directories when you have the /bin/bash (chrooted) shell?

/bin/bash (chrooted) or don't provide ssh access at all. You can also change the permissions on /var/www/vhosts but it can be reverted after a "plesk repair"!

> What should I do here, only Plesk himself can help...

Reach out to your hoster with this problem and your hoster can open a Plesk ticket with your problem.

P.S. system users can't see each other's files. Even though you can see what other websites are hosted by listing /var/www/vhosts or by checking /etc/passwd, you can't actually access /var/www/vhosts/otherDomain.tld.

P.P.S. I highly recommend enabling "Restrict the ability to follow symbolic links" in Apache & Nginx. It will prevent the webserver from accessing symbolic links to other webspaces/subscriptions if the source and destination owners don't match. This feature blocks the lateral movement of an attacker in case one of your websites gets compromised.
 
You must log in or register to reply here.

Similar threads

H
Question SSH user can see other subdomain directories even with chrooted shell?
Replies
3
Views
512
Raul A.
R
JogoVogo
Question Need more SSH accounts, access only for the default (FTP) user
Replies
3
Views
620
Sebahat.hadzhi
Sebahat.hadzhi
A
Question Cant connect with SFTP user and login in Plesk ( amazon lightsail)
Replies
19
Views
2K
Sebahat.hadzhi
Sebahat.hadzhi
P
Question Best way to add sftp user to be jailed within an existing host
Replies
3
Views
893
TridentMarketing
T
J
Question Issue with Laravel on Plesk server - Domain not pointing to the correct directory
Replies
8
Views
10K
mauricekindermann
M
Back
Top