This past Sunday, after being kicked out of my ssh session several times (unusual in itself) I found that I was unable to log back in and that my shell access had been disabled.

After figuring out that it was just one of my two accounts, I was able to verify through the second that my shell had, indeed, been turned off. /etc/passwd showed
username:x:32029:530::/home/username:/usr/local/cpanel/bin/noshell
No explanation - no warning. Nothing.

After, several emails and a trouble ticket, I was told
"Due to some security reasons, we were checking a few accounts and hence the shell access had to be removed for a while." Nothing more.

Futher emails and trouble tickets requesting an explanation have yielded nothing other than a request for my username (a field in every trouble ticket) and my password.

I am still pressing my demand for an reason for this action, but I have a couple of questions regarding this incident.

I have spent time doing ISP tech support (a thankless job if there ever was one) and I never, ever had to ask for someone's password. Is it normal for a hosting company to ask for a users password to resolve any problem? Is su a lost art?

Am I justified in requiring an explanation for this action? Remember, my account was disabled while I was logged in, and without any warning.

I chose not to name my hosting company at this time as I'm not sure how relavent it is. And I am continuing to press for an answer, but I wanted to see what everyone here thought.

peabody

If the TOS says they can, they can. If not, then complain some more :) If anything, they might give you a few months free.

/etc/passwd showed
username:x:32029:530::/home/username:/usr/local/cpanel/bin/noshell
No explanation - no warning. Nothing.


What you did right there was reason enough to remove shell access from ALL of your accounts. Do you have permission to go prowling around that server like that? I doubt it.

In my opinion you have no right to a shell account if you cannot be trusted. :mad:

Originally posted by Dotcomsnz



What you did right there was reason enough to remove shell access from ALL of your accounts. Do you have permission to go prowling around that server like that? I doubt it.

In my opinion you have no right to a shell account if you cannot be trusted. :mad:

Prowling around? What does that mean? /etc/passwd is world readable. Do you really know nothing about unix?

Peabody,

Shell access is provided to the wrong hands can be a big source of headache for the hosters.

Probably the host got hacked into by someone who was trusted with the shell account and thus as they say, they are suspending all shell access because of the security risk and vulnerability which the access provides in terms of server abuse.

They probably taking this time to investigate and plug the security hole and remove the abusive user trace before reopening Shell access.

As for the password request, there might be two reasons for this. To verify your identity and probably also that they might not have your updated password to check your account. My web hosters do request for them when I submit some support ticket, so it should be safe provided you can verify that it is your hoster.

Actually yes I do... and if you were looking at files outside of your allocated directories, ie: user directory, then yes I would have a problem with that.

Thats the reason users don't get shell access.. period.

Have a look at the ownership permissions.. I think you'll find it says ROOT on /etc/passwd :D

Shell access should be limited. You'll never know what will happen if your users can read your scripts' config/setting file (especially for some well-known scripts, it 's not hard to know where you store these files unless you change default name/path). Check .bash_history frequently to see what your users have done with their shell accounts.

Originally posted by Dotcomsnz
Have a look at the ownership permissions.. I think you'll find it says ROOT on /etc/passwd :D


root@rum [~]# ll /usr/bin/pico
-rwxr-xr-x 1 root root 193239 Apr 17 16:07 /usr/bin/pico*
root@rum [~]#

Well since pico is owned by root, no one should use it.... :rolleyes:


If you don't want something read by a user then you shouldn't grant that file permission for read... Simple as that...

Well since pico is owned by root, no one should use it....

yes.. I saw the "picky" arguements coming.. Just don't allow shell access and the problems of users viewing things they shouldn't goes away (OK not goes away.. but is restricted further :)

Do you think users viewing files outside of their user directory acceptable?

Is there even an arguement for letting users view what they want on your server?

lol dotcomsnz,
he performed a cat /etc/passwd, big deal? everyone does it..
doesn't compromise the system in any way.
- Ross

Originally posted by Dotcomsnz


yes.. I saw the "picky" arguements coming.. Just don't allow shell access and the problems of users viewing things they shouldn't goes away (OK not goes away.. but is restricted further :)

Do you think users viewing files outside of their user directory acceptable?

Is there even an arguement for letting users view what they want on your server?

Actually - as the system admin/owner - whatever you have the right to set the rules however you want....

However - this particular host having granted access to SSH should then *expect* that users will nose around... Having granted that access the admin/owner should take the needed steps to insure that users don't get overly frisky and start breaking things.... If they do - then you squash them like a bug and disable/delete their account...

You made a choice to not allow shell access - good idea form the stability side.... This particular incident though started at a host that knowingly (I hope) allowed their customers to have it..... In this case - If I was the customer I would probably understand it if they shut it down on a "emergency" basis while they tracked down a trouble maker - but then - I'd want it turned back on - or I'd want a adjustment to my billing to reflect that part of the service I was paying for had been taken away...

My $0.02

Originally posted by Dotcomsnz

In my opinion you have no right to a shell account if you cannot be trusted. :mad:

I never thought I would use this phrase, but it fits:

ROTFL!

Thanks :)

Kevin

However - this particular host having granted access to SSH should then *expect* that users will nose around...

That too is an assumption.. not seeing their warning message and not knowing their particular policies regarding shell access, I make the assumption that they would be none too happy with
users viewing files to which they have no right of access.

I still don't see an arguement for viewing files outside of the user directory. :)

Thats the whole point.. exactly, irresponsible users.

I never thought I would use this phrase, but it fits:

ROTFL!

Thanks

Kevin

So where does the line begin and end? I think I know clearly where it starts and ends but do you?

In my opinion you have no right to a shell account if you cannot be trusted.

Still valid :D


everyone does it..

No they don't :D

Originally posted by Dotcomsnz


That too is an assumption.. not seeing their warning message and not knowing their particular policies regarding shell access, I make the assumption that they would be none too happy with
users viewing files to which they have no right of access.

I still don't see an arguement for viewing files outside of the user directory. :)

OK - so now we are both guilty of making assumptions. I'm sorry...

As a admin I *assume* that users *will* (on purpose or by accident) end up looking at files that they do not own or that is not in their user directory. If you put a file on any computer anywhere and leave it's permissions set so that anybody on the machine can read those files - if you don't make this assumption you are only fooling yourself and you *will* eventually be very sorry...

Back to the topic at hand now...

The starter of this thread (If I may make one more assumption) was making no overt attempt to harm the system and if I read it right didn't go poking around till they suddenly lost access they were accustomed to having.

And once again I'll state that - in my opinion - if the user was granted shell access then they should have it back as soon as whatever problem the host was having is resolved...

The only exception I can see here would be if this particular user was found to be abusing the system in some way... Then the host could rightly decide not to re-enable the service.

How does the admin know when something is going to be harmed.. how does he know that all the user was doing was "harmlessly" looking at files?

The user could be gathering other user names up and attempting to access their directories at a later date.. again thats an assumption too.

Where does the line begin and where does it end?

I think it bad practice to allow the harm to be done before acting but thats my way of thinking. :D

Steve, I think you are being paranoid here and jumping to conclusions. The user did cat /etc/password, which reads his OWN password. We have no evidence that he was snooping. Since you don't even allow Shell access, you are obviously biased.

I 've been with only 2 hosts in the past that thought like you... Hypermart and VirtualAve. 'nuff said :)

Where does the line begin and where does it end?

How do you know he wasn't doing harm.. from an admins view?
All the admin sees is user blah accessing /etc/passwd hmm...

Again, where is the line... does he have to cause harm before anything is done? Not saying he was going to, but how do you or anyone else know that?

We have no evidence that he was snooping.

He was snooping, by viewing files that he had no right to.
Just because something is world readable by default does not give 'anyone' the right to view them.

There is no reason a user should need to view any file other than those that they are entitled to.. within their user directory.

I still don't see an arguement against that :D


cat /etc/password

Thats not what he posted.

You just can't seem to grasp that these measures are implemented to protect your's and other user files on a server.

Oh, I grasp it OK! I just don't agree with you. :)

Oh, I grasp it OK! I just don't agree with you.

OK, so if a host advertised that they would allow shell access to anyone and didn't mind that they looked at files outside of their directories .. ie. /etc/passwd /home/yoursite/www/etc .. you would think that to be OK?

If you do, I think it misguided :) IMHO

Steve,

Give it a rest. If you allow shell users then expect them to go wandering. It's what they do. You should nail them if they play with something they shouldn't but in most cases they're just testing the waters, or finding out information they need to use their own account.

If you don't allow shell access to your servers I'm not really sure why you're all worked up about it.

You should be comfortable that your servers are tight enough to prevent shell users interfering with others, and have plans in place to terminate users who abuse the access they have.

Greg Moore

Originally posted by Dotcomsnz


OK, so if a host advertised that they would allow shell access to anyone and didn't mind that they looked at files outside of their directories .. ie. /etc/passwd /home/yoursite/www/etc .. you would think that to be OK?

If you do, I think it misguided :) IMHO

Of course not. But it's the host responsibility to have other users' info blocked. However, even if they don't, permissions should be set up by the host to prevent damage to others' files.

Yes, users will snoop. I try cd'ing and reading others directories all the time. Why? To check the security of my host, and to see what others can see. Am I going to damage someone else's site? No. I don't think 99% of shell users are crackers. Most are just inquisitive.

Originally posted by akashik
Steve,
If you allow shell users then expect them to go wandering. It's what they do. You should nail them if they play with something they shouldn't but in most cases they're just testing the waters, or finding out information they need to use their own account.



Exactly and perfectly said! :D

But it's the host responsibility to have other users' info blocked

No I'm sorry but thats not the case.. users create new directories and files everyday.. and they don't always set the permissions on those correctly. While a host can protect the www and the user directory, he/she has no control over those added directories and therefore it would be possible for anyone who knew the directory name to access it via shell /home/user/www/directory for example...


Steve,
If you allow shell users then expect them to go wandering. It's what they do. You should nail them if they play with something they shouldn't but in most cases they're just testing the waters, or finding out information they need to use their own account.

Based on that arguement, you'd have to say that shell access should never be allowed to anyone then.

:D

If you don't allow shell access to your servers I'm not really sure why you're all worked up about it.

So why does everyone get all worked up about not having it then.... are you guys the only ones to have your say? :)

not sure what you're driving at... All our shell users have provided us with photo ID, so in many cases we not only know there face and address, but even their blood group, and if they're an organ donor. It's explained to them that if they do something they shouldn't (if they can do that at all), then we'll come down like a mountain on them.

In all the time we've had users with shell access (a small percent of the over all customer base), we've never had an issue with a single one of them.

Provide it to your users, or don't provide it - it makes an ounce less than no difference to me. I was asking why it seems to be a bumblebee down your panties - considering your posts in this thread.

Greg Moore

No. I don't think 99% of shell users are crackers.

Yep, unfortunately, it's the 1% that spoil things for everyone as usual :)

then we'll come down like a mountain on them.

And then it will be too late usually :D The damage has been done.

There are plenty of hosts with horror stories.. just putting my views forward and discussing some of the points raised by you guys. Thanks, I've enjoyed it :D

Originally posted by Dotcomsnz


No I'm sorry but thats not the case.. users create new directories and files everyday.. and they don't always set the permissions on those correctly. While a host can protect the www and the user directory, he/she has no control over those added directories and therefore it would be possible for anyone who knew the directory name to access it via shell /home/user/www/directory for example...


I'm talking about something different here. A host can block users' root directories, if they know how, so that other people cannot view the directory/files of others. Few hosts seem to do it, though. Futurequest is one that has accomplished it. There's an old thread where we discussed this about a month ago. You might want to search for it and read it. Try using search words "script" and "command line" to find it. I forget what I named it.

Provide it to your users, or don't provide it - it makes an ounce less than no difference to me. I was asking why it seems to be a bumblebee down your panties - considering your posts in this thread.


The bumblebee came about because of posts that said users are "expected to go wandering" - "everyone does it" LOL - Sorry but if that's how you think, it makes me all bumblebee'd :D

I think I validated my side.. I still don't see a valid arguement for allowing users to view files outside of their user directory.. Thats all I was saying :)


I'm talking about something different here. A host can block users' root directories,

Any directory can and is blocked, but once someone uploads a directory doesn't set the permissions correctly, then they are accessable. Maybe contains some db or other important info.. anything really. You should make sure that all your own files are protected.. it's not all the hosts job :)

You can jail a user.. but that is another story..

All he wanted was some answers to why he couldn't do what he had payed for, when it will be turned on again, and why it was turned off.

If he had been "snooping around" where he wasn't supposed to, then the host should say so.

Customer service - answer your customer whether or not they do something stupid or against policy.

I chose not to name my hosting company at this time as I'm not sure how relavent it is. And I am continuing to press for an answer, but I wanted to see what everyone here thought.

So he chose to come to wht and see what everyone here thought... so I have had my say on my thoughts :D

lol dotcomsnz,
he performed a cat /etc/passwd, big deal? everyone does it..
doesn't compromise the system in any way.

Steve, I think you are being paranoid here and jumping to conclusions. The user did cat /etc/password, which reads his OWN password. We have no evidence that he was snooping. Since you don't even allow Shell access, you are obviously biased.


Oops I missed this one..

No actually he logged in as a different user (As his account wasn't working) and viewed /etc/passwd to see his other user info.. thats how he found that he didn't have shell access enabled on his other account. A quick email to support asking the question would maybe have achieved the same thing and in a responsible manner... :)

Steve,
I agree with you that users should not be able to view others files and directories, but as has been discussed here before, shell is NOT the only way!

However, IF people are able to view others files and directories, I firmly believe it's the host's responsibility to have something in place to prevent damage at the user's home directory level.

As far as someone stealing a cgi file because a user had it readable at something like 766, that would be the user's fault. The host can only protect the user at their home directory level. Below that, it's the user's responsibility to give their files the proper permissions, etc.

I agree with you that users should not be able to view others files and directories, but as has been discussed here before, shell is NOT the only way!

Agreed.. just one less thing to worry about :)

However, IF people are able to view others files and directories, I firmly believe it's the host's responsibility to have something in place to prevent damage at the user's home directory level.

Agreed.. :)

/home/user /home/user/www etc all protectable and accountable by the host :)
Anything below that then .. it's your responsibility :)

:D

Originally posted by reptilian-fe
All he wanted was some answers to why he couldn't do what he had payed for, when it will be turned on again, and why it was turned off.

If he had been "snooping around" where he wasn't supposed to, then the host should say so.

Customer service - answer your customer whether or not they do something stupid or against policy.

This was really the point of my question. I felt like it was a customer service issue. And I feel that I may not have been clear about some of the circumstances. Shell access was restored within hours.

The point of my story was I was receiving what I felt like was questionable customer service.

I also feel that it's never appropriate to ask for a password. Just my opinion.

peabody

Originally posted by Dotcomsnz

No actually he logged in as a different user (As his account wasn't working) and viewed /etc/passwd to see his other user info.. thats how he found that he didn't have shell access enabled on his other account. A quick email to support asking the question would maybe have achieved the same thing and in a responsible manner... :)

I did email support several times, and either got no answer, or an out right lie. I just wanted a real answer. "We think we've been hacked/cracked" would have been a real answer. However, support should not just don't ignore me.

One other point, both accounts, the one disabled and the one that still worked (which, strangely enough, was never affected) are paid for by the same credit card and have the same real name (mine) on the accounts. There is no attempt to hide any identities here.

peabody (except here... peabody is not my real name) ;)

Fair enough.. I never said that you were trying to hide or do anything though :)

I was simply trying to get it into everyones minds that having access to shell is a priveledge that shouldn't be abused - Sticking to your user directory, however hard that may be, is what you should really be doing - failing to stick to that is asking for your shell access to be removed at least anyway :D

Anyway I think thats enough for one day.

Originally posted by Dotcomsnz
I was simply trying to get it into everyones minds that having access to shell is a priveledge that shouldn't be abused - Sticking to your user directory, however hard that may be, is what you should really be doing - failing to stick to that is asking for your shell access to be removed at least anyway It shouldn't be -- unless that particular host has stated that doing so is against the rules. There's no reason a user should assume by default that if he's been given shell access doing something as innocuous as running cat would be cause for discipline or be considered "abuse of the priviledge" (personally, by the way, I wouldn't agree that it's a "priviledge;" it's a service, and I'm paying for it). And I say that as someone who's paid for shell access since the late 80's -- and has never been faced with an "only look in your own user directory" rule. That doesn't mean that there aren't systems that have such a rule, but they should certainly let users know if they have such an extraordinary expectation.

as innocuous as running cat

He didn't do that... :)

If the host charges extra.. fair enough.. most don't.