What can a DA user do with SSH?

klo

Just FTP? MySQL?

What can they do with SSH?

And is it safe if I allow users to use SSH?
 
You can do a lot with ssh, including altering DA files, httpd, mysql etc., so I don't think it's safe to distribute the access to users, unless you're referring to the jailed ssh.
 
koh said:
You can do a lot with ssh, including altering DA files, httpd, mysql etc., so I don't think it's safe to distribute the access to users, unless you're referring to the jailed ssh.

httpd?
E.g.?

And how to?

Just a user, no admin!
Add a domain?
 
koh said:
umm.... care to elaborate? I don't quite get what you meant.

What can I alter in httpd, if I am just a user, not ADMIN?
 
koh said:
well if I'm not wrong, that user can do whatever admin can do in ssh

Can a user change the settings of /etc/httpd/conf/httpd.conf?

If OK, could you teach me how to?

I am a DA newbie.
 
I think what klo is trying to say is that you need root permissions to do a lot of damage on a *nix server. Allowing ssh access to a *nix server is not too bad, as long as you have everything locked down.

The biggest threat that it allows is that some exploits rely on having shell access to a server. Once exploited, that user now has root permissions to do anything they wish to the server.

Unless you know the users, I would wait at least until jailed ssh is fully implemented.
 
koh said:
try

# nano /etc/httpd/conf/httpd.conf


Oh... thanks...
I can do it.

But: Permission denied!
I think only ADMIN can change anything.
 
toml said:
I think what klo is trying to say is that you need root permissions to do a lot of damage on a *nix server. Allowing ssh access to a *nix server is not too bad, as long as you have everything locked down.

The biggest threat that it allows is that some exploits rely on having shell access to a server. Once exploited, that user now has root permissions to do anything they wish to the server.

Unless you know the users, I would wait at least until jailed ssh is fully implemented.

Yes, I have tried!
I can access httpd.conf. This was surprising.
I cannot modify it, but I can see the server settings and who is using [Virtual Server Host].
I am afraid that I can open other users' files through SSH; as I don't have 2 accounts, I can't confirm it.

But if the ADMIN does not use SSH to access the server, what can I use?
 
There are not many reasons users need to be on the ssh shell. Unless your user justifies a reason for needing shell access, I would deny ssh access.

Under some circumstances users do need ssh access for things, but most users just like to have it because they think they are powerful. Also, users may use it for attempts at getting and looking at files where they don't belong.
 
I believe users do not need access to ssh.
I also believe this could help secure your system, as there are a lot of local exploits which give a user root or at least some more access than you were supposed to give.

Just thinking with security in mind.
 
Files that are not owned by your userid (httpd.conf etc.) cannot be changed/edited except by server admin/root.

This begs the question why were you trying?
 
hostpc.com said:
Files that are not owned by your userid (httpd.conf etc.) cannot be changed/edited except by server admin/root.

This begs the question why were you trying?

I am afraid other users can open my files and see the source.
 
Not unless they're logged in as the owner of that file (username); otherwise, almost all they can see is a directory list.

Now, I'm not sure about files owned by Apache, but I don't think they can see those either.
 
First I want to make clear that koh's understanding was incorrect; that users do NOT have the rights to do anything an admin can do, just because they have ssh.

Second I want to explain that the big problem is that many files in a linux system must be world-readable, and anyone with shell access can read any of those files. Under certain circumstances these files could include mysql passwords, even login passwords for your credit card merchant account.

How, you ask? You may have (because a client asked you to) given chmod 777 to a client's files so his/her improperly designed php and/or cgi file would work. Or you may be running a DA server installed long ago, in which users were created with world-readable directory paths. While this is no longer the case, there may be some accounts on the server that still allow this.

Third, even without a specific exploit, any user with shell access can read your /etc/passwd and /etc/group directories. While modern distributions don't include passwords in these files, the user with shell access can see the complete list of unix users on the server, and perhaps even if you've created any users with root privileges. And knowing usernames makes it a lot easier to begin a brute-force attack.

Fourth, and perhaps most common, many users want ssh access so they can set up their own outgoing email server that doesn't write logs, for spamming... or their own chat servers they don't want you to find, or whatever.

There was a time on the 'net when most ISPs offered shell accounts to their users. Then most of us (I was an access ISP in those days) stopped because of what our users were doing with their shell accounts.

If you allow shell access most of your users won't abuse it. But you may just attract some of those malicious (or just annoying) users who want to look around your system to see what they can see and do.

That said, we've had good results giving shell access to users who've expressed a valid need for it.

Jeff
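An audit for the exposure described in the post above (chmod 777 files and accounts left with world-readable directory paths), added here as an example and not part of the original thread. It reports files that another local shell user could read or write, counting a file only when every directory from the audited root down to it grants search permission to "other"; the account names and the sample tree are constructed, and directories above the audited root are assumed traversable.

```python
import os
import stat
import tempfile

def audit_tree(root):
    """Map each path under root that other local users can reach to its issue."""
    root = os.path.abspath(root)
    findings = {}
    # reachable: every directory from root down grants o+x (search) to "other".
    # Assumption: directories above root are traversable.
    stack = [(root, bool(os.lstat(root).st_mode & stat.S_IXOTH))]
    while stack:
        directory, reachable = stack.pop()
        for entry in os.scandir(directory):
            mode = entry.stat(follow_symlinks=False).st_mode
            if stat.S_ISLNK(mode):
                continue  # do not follow links out of the audited tree
            rel = os.path.relpath(entry.path, root)
            if reachable and mode & stat.S_IWOTH:
                findings[rel] = "world-writable"
            elif reachable and stat.S_ISREG(mode) and mode & stat.S_IROTH:
                findings[rel] = "world-readable"
            if stat.S_ISDIR(mode):
                stack.append((entry.path, reachable and bool(mode & stat.S_IXOTH)))
    return findings

def build_sample(base):
    """Constructed sample: two hypothetical accounts under a /home-like base."""
    layout = [  # (relative path, is_dir, mode)
        ("alice", True, 0o711),
        ("alice/public_html", True, 0o755),
        ("alice/public_html/config.php", False, 0o644),
        ("alice/public_html/upload.php", False, 0o777),
        ("bob", True, 0o700),
        ("bob/public_html", True, 0o755),
        ("bob/public_html/config.php", False, 0o644),
    ]
    os.chmod(base, 0o755)
    for rel, is_dir, mode in layout:
        path = os.path.join(base, *rel.split("/"))
        if is_dir:
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample(base)
        for path, issue in sorted(audit_tree(base).items()):
            print(f"{issue:15} {path}")
```

In the sample, bob's config.php has the same 0644 mode as alice's but is not reported, because his home directory is 0700 and other users cannot traverse it.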
 