• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Question SSH access with more restricted permissions

C

cool_sh

Basic Pleskian
Hi guys,

Regarding SSH access for customers you can choose between allowing only acces in/as "bin/bash (chrooted)" or the other types. As the chrooted can nearly do nothing except some very basic functionality like copy and move I would switch to 'usr/bin/bash'.

The problem is that with that option users can change directory to higher levels and so see vhosts and domains of other customers. They can not change into it, but see them already. Is there a way to restrict the permissions like configuring different ACLS for that ?

Another problem I see is, when not restricting to chrooted only, users can change between all other types and so can have the right to install or update centos libraries! Am I wrong with that?

I was wondering if anyone of you has a solution for me or a tip.

Regards
cool_sh
 
If you use an unrestricted shell then the user has access to all the commands on the system. If these commands can be run by a user then that user could do so. They may have difficulty changing root files, but with some work they could/probably compromise the system. It's not a good idea to give shell access to customers in a shared environment generally speaking.

In short using chroot to force the root directory structure to the users home dir is a screen door for security. A program can also break out of a chroot jail if it can gain root privilege and use chroot() to change its current working directory to the real root directory. For this reason, you should ensure that a chroot jail does not contain any setuid or setgid executables that are owned by root.

Commands will not run unless you have copied their binaries and any required shared libraries to the chroot jail.
 
Hi,

it's been a while..
I fully understand the security risks but the chrooted has nearly no possibility and so giving SSH to a user is like having FTP still.
E.g. the easiest tools and commands do not work like: date, vim, make, using php and so on.

Do you all have extended the chrooted with every single command you will allow your users?
 
Adding new command to chrooted in shared hosting can be risky.

Consider offering VPS Plans to customers require to run many command in shell.

I have a smililar issue with Magento 2. Required Shell access with lots of commands to run.
 
Hi all,

thanks for the answers but my questions was, are you really patching the chrooted with so many commands? No easier way?
Offering VPS is not really a solution, expecially when it comes to reseller-accounts. A reseller has a big VPS and so he has customers with sub-accounts and can not offer shared hosting with SSH. Instead the only way is to have lots of VPS for every single one :(

Regards
 
You must log in or register to reply here.

Similar threads

A
Resolved Unable to modify a subscription's SSH access
Replies
4
Views
702
Kaspar
K
F
Question What is the difference between options 'Access to the server over SSH' parameter in Plesk?
Replies
2
Views
657
FutureX
F
S
Resolved XML API Proxmox Acme Plugin Failure
Replies
1
Views
795
seek1338
S
S
Resolved Access to the server over SSH: doesn't appear dropdown menu
Replies
15
Views
2K
Peter Debik
P
D
Question Sendmail behaviour change after 18.0.55 Update 1
Replies
0
Views
567
davidweb
D
Back
Top