One Chrooted Shell user for all sites of the client

Discussion in 'Tips/Tricks/Mods' started by zion, Nov 7, 2013.

  1. zion

    zion New Member

    I would like to give to our clients a Jailkit, which could be useful for all of her/his sites.
    As I see we can give new Jailkit for each site in default, for example /home/clients/client4/web18 dir.
    But if
    1st I create a new Shell User without Chroot shell,
    2nd modify the directory from /home/clients/client4/web18 to /home/clients/client4,
    3rd modify the Chroot shell to Jailkit,
    then the client can use all of her/his sites with one Shell user.

    After these modifications the system sends me an email "WARNING - Directory of the shell user is outside of website docroot."
    So I would like to ask you: Is there a security risk if I do this?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    He can see them, but it's not a usable setup. Each website has its own user; Apache suEXEC tests the user permissions of websites against this user. So when you upload a file by SSH with your setup, it will work only in the website where the shell user originally belonged; on other websites, you will get a security warning.

    Yes. Websites with CMS systems can get hacked and they will get hacked, so if you run several websites under the same user, then your client will lose all sites when one site gets hacked. Example:

    Your customer has a shop site which saves credit card data in its database and a blog with WordPress in a different site. With your setup, a simple WordPress hack would allow the attacker to get the credit card details of the shop, even if the shop site itself is secure.
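
A defender-side check of the per-site ownership rule described in the reply above, as an added example that is not part of the thread or of ISPConfig: it counts entries in each site's docroot that are not owned by that site's own user. The function names and the `web/` docroot subdirectory are assumptions; the client path in the usage comment is the one quoted in the first post.

```shell
#!/bin/sh
# Added example: per-site ownership audit (function names are hypothetical).
# Assumption: each site directory (e.g. .../client4/web18) holds its docroot
# in a web/ subdirectory owned by that site's own system user.

# Numeric owner of a path, read from `ls -n` so GNU stat is not required.
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# Print every entry under docroot $1 whose owner is not uid $2.
# $2 defaults to the owner of the docroot itself. -xdev keeps find on one
# filesystem; find does not follow symlinks by default.
# Note: -uid is supported by GNU and BSD find.
foreign_entries() {
    expected=${2:-$(owner_uid "$1")}
    find "$1" -xdev ! -uid "$expected" -print
}

# Number of foreign-owned entries under a docroot (0 means consistent).
count_foreign() {
    foreign_entries "$@" | wc -l | tr -d ' '
}

# For every webN site under client directory $1, print
# "<foreign-count> <site-dir>". A non-zero count means files were written
# there by some other account, for example a shell user shared across sites.
audit_client() {
    for site in "$1"/web*; do
        [ -d "$site/web" ] || continue
        printf '%s %s\n' "$(count_foreign "$site/web")" "$site"
    done
}

# Usage: sh audit.sh /home/clients/client4
if [ $# -gt 0 ]; then
    audit_client "$1"
fi
```

Run it as root so every docroot is readable; any site reporting a non-zero count has content that suEXEC would reject or that another account was able to write.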
  3. zion

    zion New Member

    Is there another way?

    Thank you for your quick reply!
    I understand, and now I see that this is not a secure setup.

    So we have to create a new chroot shell for every site where we want to give SSH access to our clients and we want better security, don't we?
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig does this automatically when you add the first SSH user to a new site. Just ensure that you set in the client limits that shell users are jailed.
