Web Hosting Talk

SSH / Shell Directory Security


hitspot
02-12-2002, 08:33 PM
Does anyone know of a simple way to prevent SSH shell users from snooping in directories other than their individual site space (on a RaQ 3/4)? I have read some comments on the general security forums, but they went way over my head at the moment :). Any advice you can give me is really appreciated.

DK

phuture
02-13-2002, 03:40 AM
Originally posted by hitspot
Does anyone know of a simple way to prevent SSH shell users from snooping in directories other than their individual site space (on a RaQ 3/4)? I have read some comments on the general security forums, but they went way over my head at the moment :). Any advice you can give me is really appreciated.

DK

Hi,

I can just give you one piece of advice: never give shell access to your customers! Never ever.

In fact, the Cobalt seems to be a special case; a customer shouldn't be able to access the other users' directories at all, but even if he couldn't, he would have access to all system directories (most of them read-only, of course).

I know there are many Linux gurus out there, and they say that a properly configured system has fewer security risks, but in most cases the first step to breaking in is shell access.

If you still need a solution, I suggest searching around for how to make a chrooted shell. In this case the user's shell works more or less in a sandbox. But this is also not a secure solution; the best one is not granting shell access.

Regards,
Felix-Gabriel

ToastyX
02-14-2002, 08:22 AM
What's the big deal about shell access? I, for one, cannot live without shell access. Anyway, if someone really wanted to, they can break into a system without shell access by using CGI to provide shell access. Anyway, if you don't want home directories to be snoopable, just chmod 711 the home directory.

phuture
02-14-2002, 09:01 AM
Originally posted by ToastyX
What's the big deal about shell access? I, for one, cannot live without shell access. Anyway, if someone really wanted to, they can break into a system without shell access by using CGI to provide shell access. Anyway, if you don't want home directories to be snoopable, just chmod 711 the home directory.

YES! That's a very nice try, but because Apache acts as user httpd it will not work. By the way, on the Cobalt there are more programs which need access to the user's home directory.
And there is the Cobalt admin interface, of course; chmodding the user's directory every time after inserting a new virtual account isn't the best solution.

Regards,
Felix-Gabriel

allera
02-14-2002, 09:30 AM
Originally posted by phuture
And there is the Cobalt admin interface, of course; chmodding the user's directory every time after inserting a new virtual account isn't the best solution.

He didn't say to chmod the user's home directory; he said to chmod the home directory (/home). And I agree.

You can certainly find other ways to find out what's in that /home directory, but the average user will try to list the dirs, not be able to, and move on. Shouldn't be the only thing done to secure a box, but certainly a step in the right direction, shell access or no shell access.
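
What chmod 711 on /home hides and what it leaves open, as an added example that is not part of the thread: the script reads the "other" permission bits of a base directory and of each directory directly beneath it, so an admin can see which home directories are still listable by anyone who already knows their name. The function names and the demo tree (alice, bob, carol) are constructed for illustration.

```shell
#!/bin/sh
# other_access DIR -> list+traverse | traverse-only | names-only | none
# Classifies what users who are neither owner nor group can do with DIR.
other_access() {
    perms=$(ls -ld "$1" | cut -c8-10)     # "other" triplet, e.g. r-x, --x, ---
    r=no; x=no
    case $perms in r*) r=yes ;; esac      # r: names inside can be listed
    case $perms in *x|*t) x=yes ;; esac   # x (or sticky 't'): entries can be reached by name
    case "$r$x" in
        yesyes) echo "list+traverse" ;;
        noyes)  echo "traverse-only" ;;   # what chmod 711 gives
        yesno)  echo "names-only" ;;
        *)      echo "none" ;;
    esac
}

# audit_homes BASE -> one "ACCESS PATH" line for BASE and for each child directory
audit_homes() {
    base=$1
    printf '%s %s\n' "$(other_access "$base")" "$base"
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        printf '%s %s\n' "$(other_access "$d")" "$d"
    done
}

# Constructed demo tree standing in for /home (run the audit as the owner or root)
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/home" "$tmp/home/alice" "$tmp/home/bob" "$tmp/home/carol"
    chmod 711 "$tmp/home"         # base: names hidden, traversal allowed
    chmod 755 "$tmp/home/alice"   # still fully listable via its known path
    chmod 711 "$tmp/home/bob"     # reachable by name, contents not listable
    chmod 700 "$tmp/home/carol"   # closed to other users
    audit_homes "$tmp/home"
    rm -rf "$tmp"
}

demo
```

Any child reported as list+traverse is only protected by its name being unknown; tightening it to 711 or 700 is what closes it, subject to what the web server and other services need to read.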

ToastyX
02-14-2002, 11:22 AM
Originally posted by phuture


YES! That's a very nice try, but because Apache acts as user httpd it will not work.

Actually, it will work. I've done it before. :look: Remove execute permission from /usr/bin/chsh to prevent someone from doing this.