denisdekat
05-10-2002, 04:17 PM
Hello,
I posted this question on cpanel.net but still no response. I wonder if anyone here has any ideas or comments. Here is my dilemma ...
We want to provide our resellers with ssh access. However, when a client ssh's in, he/she can move around the entire server. They can enter other clients' web folder. I tried to change the permission of the clients' home directory but there was nothing to change it to. It was already 711. Then, although when you enter a home directory of another client you can't do an ls, if you have half a brain you could see basically everything. Well not everything, but loads of stuff. Every client has a www folder. So even if you can't see it you could cd to it. Once there you could examine everything. Basically jeopardizing the privacy of your code. Does anyone know of a way around this or is Cpanel just not the right solution to providing resellers with shell accounts?
Any ideas?
Andres
AcuNett
05-10-2002, 08:55 PM
hm.. That's kinda the same with PLESK.
ToastyX
05-11-2002, 12:52 AM
Originally posted by denisdekat
Hello,
I posted this question on cpanel.net but still no response. I wonder if anyone here has any ideas or comments. Here is my dilemma ...
We want to provide our resellers with ssh access. However, when a client ssh's in, he/she can move around the entire server. They can enter other clients' web folder. I tried to change the permission of the clients' home directory but there was nothing to change it to. It was already 711. Then, although when you enter a home directory of another client you can't do an ls, if you have half a brain you could see basically everything. Well not everything, but loads of stuff. Every client has a www folder. So even if you can't see it you could cd to it. Once there you could examine everything. Basically jeopardizing the privacy of your code. Does anyone know of a way around this or is Cpanel just not the right solution to providing resellers with shell accounts?
Any ideas?
Andres
That's not a Cpanel problem. That's the way shell accounts were meant to work. That's the way UNIX/Linux works. In fact, I think Cpanel is the best solution if you want to provide shell accounts that are actually useful. I don't know why people consider that a security problem, since you can do the same with CGI scripts. If a client doesn't want other people to be able to browse through their directories, they can chmod 711 their directories. You can chmod 711 all of the public_html and cgi-bin directories. You can chmod 711 /home so people can't list all of the home directories to snoop in, although they can still find usernames from /etc/passwd. If you really want to restrict them to their home directory, do a search for chroot, although I think it's more trouble than it's worth. I think Ensim does that, but I don't like that. Perhaps we should develop a web hosting operating system so this wouldn't be a problem. :D
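An added example, not part of ToastyX's post: a small audit, from the administrator's side, of which files remain readable to other local users when directories are mode 711 (searchable but not listable). The function names, the `alice`/`bob` accounts and the temporary tree are constructed for illustration; on a real server the function would be pointed at `/home`.

```shell
#!/bin/sh
# Added example (not from the thread). With mode 711 a directory cannot be
# listed by other users, but any file inside it is still readable to them if
# the file itself is world-readable and every parent directory is searchable.

# world_reachable ROOT
# Print each file under ROOT/<user>/ that has the world-read bit set and whose
# parent directories (below ROOT) all have the world-execute (search) bit set.
world_reachable() {
    root=$1
    find "$root" -mindepth 2 -type f -perm -004 | while IFS= read -r f; do
        d=$(dirname "$f")
        ok=1
        while [ "$d" != "$root" ]; do
            # A directory without o+x stops traversal by other users.
            if [ -z "$(find "$d" -prune -perm -001 -print)" ]; then
                ok=0
                break
            fi
            d=$(dirname "$d")
        done
        if [ "$ok" -eq 1 ]; then printf '%s\n' "$f"; fi
    done
}

# build_demo: create a constructed tree that mimics two hosting accounts
# and print its path.
build_demo() {
    t=$(mktemp -d)
    mkdir -p "$t/alice/public_html" "$t/bob/public_html"
    : > "$t/alice/public_html/index.php"    # default world-readable script
    : > "$t/alice/public_html/config.php"   # owner-only file
    : > "$t/bob/public_html/db.php"
    chmod 644 "$t/alice/public_html/index.php" "$t/bob/public_html/db.php"
    chmod 600 "$t/alice/public_html/config.php"
    chmod 711 "$t/alice" "$t/alice/public_html" "$t/bob"
    chmod 700 "$t/bob/public_html"          # no search bit for others
    printf '%s\n' "$t"
}

demo=$(build_demo)
world_reachable "$demo"   # lists only alice/public_html/index.php
rm -rf "$demo"
```

The check is based on mode bits only, so it gives the same answer when run as root. It does not account for group membership or ACLs.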
raj4800
05-13-2002, 02:37 AM
nice reply Toasty......yea that's true....even I don't like the Ensim...I like Cpanel among Alabanza's DSM, ENSIM, Sphera, Plesk, Webmin, Hostgui, Hosting Controller etc...
denisdekat
05-13-2002, 12:19 PM
Well thanks for your reply. I understand that it is not a cpanel problem and a shell problem really. I meant to mention cpanel only in case there was anything anyone knew specifically about how the system works and whether 7111 all the way down would disrupt access for some of the applications. Such as the file manager. I have looked into chroot, the thing that turns me off is all the literature on how easy it is to break out of it. Although I doubt any of my customers would do that, it seems that if it is easy to break out of it, then I'm not sure it's worth the trouble you mentioned in your response :)
In either case, I thank you for your comments and ideas :)
Regards,
Andres