SSH Access for users

develop

Verified User
Joined
Jun 9, 2016
Messages
147
Location
Istanbul, TR
Hello,

When I try to SSH Access "enabled" for user I see this user be able to read /etc /home .... etc.
Is it secure? Everybody can read all root level files with this.

How to set users each be able to access only their own domain folder.

Thanks.
 

DanielP

Verified User
Joined
Jun 28, 2019
Messages
82

ikkeben

Verified User
Joined
May 22, 2014
Messages
705
Location
Netherlands Germany
1. You can do this it is discontunied but will work
https://help.directadmin.com/item.php?id=90

Note, that the jail_user.sh isn't going to be very speedy as it has to transfer over all program binaries and libraries that would be needed inside the jail. This takes time. It also takes a huge amount of space that will not be counted in the users total disk usage.
So that one is not so good also i think this is for option2 the same problem.

Why users need SSH ask first if really needed.

FOR FTP use better if possible SFTP and look at user rights where they can read and so on with testing.
 

develop

Verified User
Joined
Jun 9, 2016
Messages
147
Location
Istanbul, TR
So that one is not so good also i think this is for option2 the same problem.

Why users need SSH ask first if really needed.

FOR FTP use better if possible SFTP and look at user rights where they can read and so on with testing.
Hello ikkeben,

Nice question but, most web developers are using git and composer today via ssh. Fast setup and version control working with teams all goes via ssh. It will be very important for all.

Thanks
 

DanielP

Verified User
Joined
Jun 28, 2019
Messages
82
Hello ikkeben,

Nice question but, most web developers are using git and composer today via ssh. Fast setup and version control working with teams all goes via ssh. It will be very important for all.

Thanks
Well you can invest in cloud linux then it is not just cagefs, it has the selector with php modules to choose from, patched old php versions, python selector and resource control

Or

point 2 It will be hard first couple of times then you got the process and you will have new skill + you can charge your customers small one time fee for the setup :) some companies even charge that monthly on their smaller plans
 

wattie

Verified User
Joined
May 31, 2008
Messages
1,054
Location
Bulgaria
When I try to SSH Access "enabled" for user I see this user be able to read /etc /home .... etc.
Is it secure? Everybody can read all root level files with this.
Each file in Linux/BSD have three general permissions:

User, Group, Other

The first number represents what the owner of the file (whoever created it or is later changed to own it), the second number represents what the other users from the same group can do with it and the Other is for everybody else.

The numbers can be anything form 1 to 7. And they are calculated by the following math:

4 - r (Read)
2 - w (Write)
1 - x (eXecute)

So here they go:

0 - nothing
1 - execute
2 - write
3 (2+1) - execute and write
4 - read
5 (4+1) - read and execute
6 (4+2) - read and write
7 (4+2+1) - read, write and execute.

If you check the permissions of the files in your OS, you will notice that most of them are "read only" or "read and execute" for "Other" and the owner is "root" with group "wheel". Your users are running as user "username" and group "username" (so different group than the root user) - they fall under the permissions of "Other".

For example they can eventually run programs and read some configuration files, but they cannot modify them and change the server software.

Some files however are dangerous and your users must NOT have access to. That's for example the /etc/master.passwd file (contains hashed passwords of all users in the system) or /etc/proftpd.passwd (contains all FTP passwords), etc. These files are with permissions "0" for the "Other" which means that your users will not be able to access them. Usually all permissions are set like that by default - important files which could cause security risk are not readable for your users.

Furthermore you do not want your users to read each other files. You don't want the users to be able to download the source code of the websites of other users - they can not only contain copyrighted or private information, but also configuration files with plain text passwords for databases for example. Well here everything is fine thanks to DirectAdmin - if you check your /home directory, you will see that every user folder is with user "username" and group "access" where the permissions are 710:

- The user can do whatever he wants in his own directory
- Only execute is given to the "access" group
- Others can't do anything

The user "username" is created himself with group "username" and he is not a member of the "access" group. This means that one user is "Other" for another. So one user can't do anything inside another user directory. Try it.

Now... "is it secure". Usually yes. If you don't make any mistakes (like messing with permissions of important files) it should be OK. The modern systems however have hardware vulnerabilities - Meltdown and Spectre. There are still no many practical demonstrations for tools which can do much damage... but who knows...

So do NOT give SSH access to everybody by default. Make it an "exceptional service" - only to valuable customers which are people you know well. Tell others that they should invest in VPS.
 
Last edited:

Aar

Verified User
Joined
Feb 10, 2005
Messages
97
Location
Netherlands
To comment on this ....
What is the reason that DirectAdmin does not offer 'jailing' as standard?
 
Top