SSH user can read root files?

Scolpy

Verified User
Joined
Feb 25, 2009
Messages
137
Hello!

I saw that by default, a normal SSH user can see files with root ownership - how is that possible?

Also, I've watched this article:
http://help.directadmin.com/item.php?id=90

But I see that it is effective just for PHP CGI and not for PHP CLI.

So in which way can I resolve that security issue?

Thanks!
 
That is normal, and should not be a problem. Also, take a big shared hosting provider like Dreamhost.com for example - get an account there, and you will see that you can browse in root user folders.

But you should use something like suPHP, or that's alike.
 
So there is no solution for PHP CLI?
 
What do you mean root user files?

Show an example of what files you mean.
 
You can set up ssh with chroot. Search these forums and elsewhere on the 'net.

Jeff
 
Can you provide me some links that might be of help to me (I have CentOS 5.5 64bit)? All articles I found are for Debian or OpenBSD, and the only thing I found for CentOS is rSSH (not good for me).

Thanks!
 
It is built into custombuild.

Check the custombuild section of the forum.

You should never be able to get into the /root folder, though; that is kinda weird.

Anyways you should never give out ssh access unless you absolutely need to.
 
That guide almost seems outdated, talking about customapache. I can't seem to find any other guides for setting it up and haven't used it personally.

Try to get ahold of smtalk, or wait for a post from him or DirectAdmin support, for a proper guide to using it.
 
You're right. Apologies, I did some digging and it doesn't work. I'll look into this later; I've never done it before but I'm sure it's possible.
You mean that it is possible to merge Jailkit with DirectAdmin?
 
I meant files in directories like:
/root/*
/etc/*
/bin/*

and stuff...
Hello,

DirectAdmin relies on the Linux security model to help out with keeping important files safe. You mention your /root directory is readable. Since users are running as "username", you'd simply make sure your /root folder is chowned to root:root and is chmod 700. If it's 755, then change it to 700.

It is normal for the /bin and /etc folders to be readable by system accounts. For example, /etc/passwd should be 644 (readable) so that clients can get proper uid numbers for files on disk. /etc/shadow should be 600 (not readable) since it contains the crypted passwords. Clients can see the contents of the /etc folder, but it doesn't mean they can get the data in each file (depending on the permissions of the file).

In any case, chroot ssh is safer.. or better yet, no ssh.
This guide would be the solution to jail ssh if you want. You don't need to use the cgi-bin jailing if you don't want to. It makes things a bit messy and the guide is for apache 1.3. The guide is eternally in beta testing due to the complexity of it, and because each OS is different and has libraries in different locations. It may or may not work for you.

There are other things you can use to increase security though. Many are listed here:
http://help.directadmin.com/item.php?id=247

One good one is the secure_access_group, setup by DA:
http://www.directadmin.com/features.php?id=961

which sets the /home/username folders to 750, chown username:access.. where the "access" group is a list of system usernames that can see in. Other ssh users will not be able to see in.

Tip #14 of the id=961 guide is also a creative way of blocking specific usernames from accessing files or folders. A new group called "users" could be created.. where all ssh Users are in it.. and you'd simply set the group of a file or folder to "users" and chmod it to 604 or 705 (respectively) and anyone in "users" won't be able to see in that folder.

For example, if you wanted to block "users" from seeing in the /etc directory, create the "users" group, add your ssh account names to it.. and type
Code:
chgrp users /etc
chmod 705 /etc
and then anyone in users won't be able to read /etc. Note, I have not tested this.. so it may be a bad example and could break things.. but it should get the point across as to what I mean about using the negation permission (0) on files/folders with respect to groups.

John
 