Control Web Panel

WebPanel => Updates => Topic started by: rtoutant on November 06, 2018, 09:54:24 AM

Title: Last Update - gave root access to all users via ssh
Post by: rtoutant on November 06, 2018, 09:54:24 AM

After the last update all users that access sftp via ssh now have access to root - with read/write capabilities

I did run the fix permissions however - that did not work ( did not change anything )

before the last update they were only able to see there home folder

Title: Re: Last Update - gave root access to all users via ssh
Post by: Jason on November 06, 2018, 10:34:53 AM

Quote from: rtoutant on November 06, 2018, 09:54:24 AM

After the last update all users that access sftp via ssh now have access to root - with read/write capabilities

I did run the fix permissions however - that did not work ( did not change anything )

before the last update they were only able to see there home folder

Hi I just tested this and I could not get ROOT with a normal SSH account.

Title: Re: Last Update - gave root access to all users via ssh
Post by: rtoutant on November 06, 2018, 10:49:07 AM

I am glad it did not occur for you.
----
It is very clear - since i only have 20 clients on my server - and no modifications made on basic install except for adding domains and mysql databases.

so i uploaded a file for one of my clients - next day update occurs - i go back to apply changes to the file for the client and there is all of the root. and read/write

Title: Re: Last Update - gave root access to all users via ssh
Post by: studio4host on November 06, 2018, 02:09:18 PM

why do you even give sftp/ssh to users?, you should do that only if you have cloudlinux and never in any other case if this are not your only accounts.

Title: Re: Last Update - gave root access to all users via ssh
Post by: rtoutant on November 06, 2018, 09:04:26 PM

sftp access is more secure

SFTP – SSH Secure File Transfer Protocol. SFTP (SSH File Transfer Protocol) is a secure file transfer protocol. ... There is basically no reason to use the legacy protocols any more. SFTP also protects against password sniffing and man-in-the-middle attacks.

as i mentioned before everything worked perfectly until the last update.
users had access to there home folder - and that is it.

now they have root access to everything - with read/write to all folders

Title: Re: Last Update - gave root access to all users via ssh
Post by: rtoutant on November 06, 2018, 09:41:14 PM

The fix is too change /etc/passwd

good--> username:x:1009:1009::/home/domainname:/sbin/nologin
fullaccess-> username:x:1010:1010::/home/domainname:/bin/bash

after checking the users which received the full access - it appears to be the users that have '%' remote access to mysql
this could be a coincident -

I will have to wait until the next update to be sure

Title: Re: Last Update - gave root access to all users via ssh
Post by: studio4host on November 07, 2018, 12:10:45 PM

you are mixing sftp/ssh with FTP this are completely different service.

ssh/sftp use ssh port (default 22) *** this requires chroot or cloudlinux
ftp, ftps, ftpes port 21

If you need SSH/SFTP in secure way then you need to use cloudlinux or make a custom chroot system
If you need ssl for ftp then you need to check FTPs or FTPes

Title: Re: Last Update - gave root access to all users via ssh
Post by: adamjedgar on May 16, 2019, 09:12:44 AM

agreed, ssh is only more secure for the user...it is never more secure for the webserver itself!!!