
hardypotato

New Pleskian
Server operating system version: Debian 11.3
Plesk version and microupdate number: Plesk Obsidian 18.0.66 Update #2 Web Host Edition
Hey everyone,

I’m administering several domains and subdomains on a shared IP in Plesk. Each domain and subdomain has its own subscription (I assumed this would isolate each one). When I create a new system user for a specific WordPress subdomain (e.g., test.a.be) and enable “chrooted” SSH access, that user can still navigate up in the folder hierarchy levels and see the other subdomain directories, even if they can’t enter them. He can also see the root folder of the webserver.

Here’s the setup/process:

1. I create a new system user (e.g., test_user) under the specific subscription for test.a.be.

2. I set the home directory to httpdocs (the WordPress doc root). Though, when connecting, he ends up in the root folder of the subdomain.

3. I enable SSH access using “bin/bash (chrooted).”

4. I create public/private keys and add the public one to authorized_keys in that home directory.

5. Everything works, but the user can still go up in the folder hierarchy and see a directory listing of other subdomains (though not necessarily enter them). He can go up until the root of the webserver.

My questions:


1. Is this expected behavior for a chrooted shell in Plesk that the user can see other directories’ names but not access their contents? Is this supposed to be secure? To my understanding, subscriptions isolate the subscribed domain or subdomain by creating a container of that subdomain. Does that mean that if he were to delete another subdomain folder somehow, that it won't be deleted in the webserver?

2. If it is not secure, what is the correct way to configure it so that a user is truly restricted to their own subdomain’s home directory?

3. Are there specific settings (e.g., permissions, groups, or something in the service plan) I need to adjust so the user can’t even see other subdomains’ folders?

4. Anything else I should double-check regarding how subscriptions and chrooting are supposed to work together?

I see the files and directories using psaserv and psacln groups, which might be a factor. I’d love any pointers on what I might be missing or misconfiguring.

My bad for the bombardment of questions. I've been on this task for much longer than I'd like to admit. I believe it's time for some external help now.

Thanks in advance for your valuable input!
 
Yes, it is expected, as your chroot is given to the system user of the subscription, so in short all files under that subscription.
If you want the access separated, you would need to add the subdomains as a new subscription.
 
Yes, it is expected, as your chroot is given to the system user of the subscription, so in short all files under that subscription.
If you want the access separated, you would need to add the subdomains as a new subscription.
Thank you for your answer, Martin. Perhaps my question wasn't clear enough, but the domains and subdomains all have a separate subscription already. This is mostly why I am so confused as to how/why they are able to see the other domains/subdomains.
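
To check the symptom described in this thread (sibling directories whose names are visible but which cannot be entered), the following added example, which is not from any poster or from Plesk, walks upward from a directory and classifies each sibling for a given uid. It assumes classic mode bits only (no ACLs, no root override); the directory names and the uid in the demo are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

def perms_for(st, uid, gids):
    """(can_list, can_enter) for uid/gids from classic mode bits only.
    Assumption: POSIX ACLs and the root override are not considered."""
    if st.st_uid == uid:
        r, x = stat.S_IRUSR, stat.S_IXUSR
    elif st.st_gid in gids:
        r, x = stat.S_IRGRP, stat.S_IXGRP
    else:
        r, x = stat.S_IROTH, stat.S_IXOTH
    return bool(st.st_mode & r), bool(st.st_mode & x)

def audit_upward(start, stop, uid, gids=frozenset()):
    """Walk from start up to stop and report sibling directories the user can see."""
    findings = {}
    current, stop = Path(start).resolve(), Path(stop).resolve()
    while current != stop and current != current.parent:
        parent = current.parent
        can_list, _ = perms_for(parent.stat(), uid, gids)
        if can_list:  # read bit on the parent exposes the names of its entries
            for entry in sorted(parent.iterdir()):
                if entry == current or not entry.is_dir():
                    continue
                r, x = perms_for(entry.stat(), uid, gids)
                findings[entry.name] = "contents readable" if r and x else "name only"
        current = parent
    return findings

def build_demo_tree(root):
    """Constructed layout: three vhost-style directories with different modes."""
    root = Path(root)
    for name, mode in (("test.a.be", 0o755), ("other.example", 0o750), ("open.example", 0o755)):
        (root / name).mkdir()
        os.chmod(root / name, mode)
    os.chmod(root, 0o755)
    return root / "test.a.be"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        start = build_demo_tree(tmp)
        other_uid = os.getuid() + 12345  # constructed uid that owns nothing here
        for name, verdict in audit_upward(start, tmp, other_uid).items():
            print(f"{name}: {verdict}")
```

On a real server, pass the directory the SSH user lands in as `start`, the highest directory they can reach as `stop`, and that user's uid and group ids.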
 