Security Problems with SSH

Discussion in 'Installation/Configuration' started by max06, Jan 16, 2009.

  1. max06

    max06 New Member

    Good evening,

    I just installed the last ISPConfig-Version (3) onto a fresh debian lenny installation. Then I created 2 Clients with 1 Website per Client.

    I enabled SSH-Access for both webpages. When I log in into the server as website1, i can read all files owned by other users. This shouldn't be possible. Even the /root-directory is readable.

    I don't want to use chroot-access.

    How can I prevent my users from reading in the directories of others?

  2. archerjd

    archerjd ISPConfig Developer ISPConfig Developer

    Unfortunately without chrooting, I don't believe there is another way of doing this.

    Scratch that, there might be a way by using mpm-itk and changing the permissions of their folders...

    WARNING: I have not tested this as this may have unforeseen consequences.
    Follow this at your own risk!

    Use the command below to reset the permissions so only the owner can read them.
    chmod -R og-rwx $web_root
    After doing this you will have to change pure-ftpd's default umask
    echo 077:077 >/etc/pure-ftpd/conf/Umask
    /etc/init.d/pure-ftpd-mysql restart
    This configures pure-ftpd to only allow the owner to read the files.

    Finally insert this code into /usr/local/ispconfig/server/conf/vhost.conf.master on line 96 and 192 before </VirtualHost> and after <tmpl_var name='apache_directives'>
    <IfModule mpm_itk_module>
      AssignUserId <tmpl_var name='system_user'> <tmpl_var name='system_group'>
    BTW, In my experience the above modifications don't update existing websites. only new websites will contain the new code.

    Question: Why don't you want to use a chroot configuration?:confused:
    Last edited: Jan 16, 2009
  3. max06

    max06 New Member

    Good morning,

    i tried to use chroot and jailkit, none of them prevented me from searching files in directories not owned by me. I could change into every directory I wanted and read every file... it isn't good, when somebody can read your ;)

    Now I try the mpm-itk-package, will post it here, if it works.

    Thank you
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    kailkit prevents the behaviour that you decribed above if it is installed properly. So if you see other directorys, kailkit is not installed properly on your system. make sure that you insall the latest jailkit version from source before you install ispconfig. If Jailkit is installed after ISPConfig, it will not work.

    apache mpm-itk is not supported with ISPConfig 3, you will have to apply the patches that are posted abocve but they will be overrideen on updates. I recommend to run php scipts with suphp or suexec + fcgi for example, which is both supported by ispconfig and gives you the same result.
    Last edited: Jan 16, 2009
  5. max06

    max06 New Member

    Hm... I don't want to prevent php-scripts from using foreign files. I need to secure the files and folders of my clients from accessing over ssh by other users.
  6. max06

    max06 New Member

    Hi again,

    Jailkit is working now. There are two questions left...

    Is it possible to allow normal users only to change their passwords? When I set the limit of the ssh-accounts to 0, the user can't add new one. But he can edit the options for his existing accounts, including disabling the jailkit.

    When I delete a ssh-account called "test_ssh", which was used with Jailkit and I create it again with Jailkit, there isn't any active chroot. Thinking there's a problem with removing the account from the Jailkit-configuration.

  7. till

    till Super Moderator Staff Member ISPConfig Developer

    It is planned to optionally force chrooting for all SSH users of a client.

    I've added this to the bugtracker.

Share This Page