The easy answer is you cannot, but since virtual hosting users still want it what can be done to improve security, other than installing the usual patches?

Some hosts provide a control panel rather than telnet/SSH that shows the error log when a script is run over the web, so the user can correct the script. Do these web interfaces equal the capability of Telnet/SSH for user needs? Which of the web interfaces come close?

basically vet your clients and only give me ssh access if they REALLY need it.
For example we have a number of developers that actually need SSH for testing purposes, but the majority of people don't.
If the client asks for it, ask them why they need it...if they don't give you a good explanation refuse access.

You can also log access errors to a directory just under the web tree of their account, so they can log in via ftp and view the error log.

hope this helps.

regards,

Simon

Some hosts provide a control panel rather than telnet/SSH that shows the error log when a script is run over the web, so the user can correct the script. Do these web interfaces equal the capability of Telnet/SSH for user needs? Which of the web interfaces come close?

No solution can be as powerful or replace Telnet/SSH. Some developers just like being able to use vi. Some clients like using unix based mail clients such as pine.

The only "good" reason to offer a selected few access to ssh is because they need to compile C scripts.

uh, guys, if people can create cgi scripts it doesn't matter if you give them shell access. Anything you can do from a shell you can do from a cgi script.

Thank you for saving me the typing, cperciva. :)

Originally posted by cperciva
uh, guys, if people can create cgi scripts it doesn't matter if you give them shell access. Anything you can do from a shell you can do from a cgi script.

Right. But it requires some programing knowledge. That at least guarentees that you will not be hacked by a newbie script kiddie :)

Originally posted by vizi
Right. But it requires some programing knowledge. That at least guarentees that you will not be hacked by a newbie script kiddie :)

Yes, but unless you are wildly behind the times as far as security patches go newbie script kiddies aren't a problem anyway.

What is this thread doing in this forum anyway? Isn't this why the "Web Security" forum was created?

There are ways to limit CGI capabilities to work as they usually would, yet deny them anything that's too much like shell access. You can still deny their user, or a global user access to certain or all functions, or filter, wrap and control them. Of course, this isn't an easy task for most people, but it's one worth while in doing, wherein you allow the client's all the access they could want or need via CGI, PHP, etc., yet still not allow them the same access they'd have in shell.

I'll post here in a couple of days, when I have some free time and attempt to explain, cover the issues, aspects and theories and at least outline a solution that can be implemented, as well as try and explain exactly what and how to. However, as the other user said, unless these things are done, you are basically giving them shell access, although it can be controlled a little easier when denying them, whereas shell restrictions prove more difficult for the most part. Of course, some things are easier to restrict in shell, than they are in CGI too.