Author Topic: Last Update - gave root access to all users via ssh  (Read 9382 times)

Last Update - gave root access to all users via ssh
« on: November 06, 2018, 09:54:24 AM »
After the last update all users that access sftp via ssh now have access to root - with read/write capabilities

I did run the fix permissions however - that did not work ( did not change anything )

Before the last update they were only able to see their home folder.

Re: Last Update - gave root access to all users via ssh
« Reply #1 on: November 06, 2018, 10:34:53 AM »
> After the last update all users that access sftp via ssh now have access to root - with read/write capabilities
>
> I did run the fix permissions however - that did not work ( did not change anything )
>
> before the last update they were only able to see their home folder

Hi I just tested this and I could not get ROOT with a normal SSH account.

Re: Last Update - gave root access to all users via ssh
« Reply #2 on: November 06, 2018, 10:49:07 AM »
I am glad it did not occur for you.
----
It is very clear - since I only have 20 clients on my server - and no modifications made on basic install except for adding domains and mysql databases.

So I uploaded a file for one of my clients - next day update occurs - I go back to apply changes to the file for the client and there is all of the root, and read/write.


Re: Last Update - gave root access to all users via ssh
« Reply #3 on: November 06, 2018, 02:09:18 PM »
Why do you even give sftp/ssh to users? You should do that only if you have cloudlinux and never in any other case if these are not your only accounts.
VPS & Dedicated server provider with included FREE Managed support for CWP.
http://www.studio4host.com/

*** Don't allow that your server or website is down, choose hosting provider with included expert managed support for your CWP.

Re: Last Update - gave root access to all users via ssh
« Reply #4 on: November 06, 2018, 09:04:26 PM »
sftp access is more secure

SFTP – SSH Secure File Transfer Protocol. SFTP (SSH File Transfer Protocol) is a secure file transfer protocol. ... There is basically no reason to use the legacy protocols any more. SFTP also protects against password sniffing and man-in-the-middle attacks.

As I mentioned before, everything worked perfectly until the last update.
Users had access to their home folder - and that is it.

now they have root access to everything - with read/write to all folders

Re: Last Update - gave root access to all users via ssh
« Reply #5 on: November 06, 2018, 09:41:14 PM »

The fix is to change /etc/passwd

good--> username:x:1009:1009::/home/domainname:/sbin/nologin
fullaccess-> username:x:1010:1010::/home/domainname:/bin/bash

After checking the users which received the full access - it appears to be the users that have '%' remote access to mysql.
This could be a coincidence -

I will have to wait until the next update to be sure
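
Added example, not part of the thread or of CWP: a shell check for the condition Reply #5 describes, listing accounts in a passwd-format file whose shell field is an interactive shell instead of /sbin/nologin. The function name, the UID cutoff of 1000 and the list of non-login shells are assumptions.

```shell
#!/usr/bin/env bash
# Added example: flag accounts in a passwd-format file that can get an
# interactive shell. Names and thresholds here are assumptions, not CWP's.

# Shells treated as "no interactive login" (assumption: adjust per distro).
NOLOGIN_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false"

# audit_login_shells FILE [MIN_UID]
# Prints "user uid home shell" for each account with UID >= MIN_UID whose
# shell is not in NOLOGIN_SHELLS. Returns 1 if any such account exists,
# 0 otherwise, so it can gate a cron job or a post-update hook.
audit_login_shells() {
    local file="$1" min_uid="${2:-1000}"
    awk -F: -v min="$min_uid" -v deny="$NOLOGIN_SHELLS" '
        BEGIN {
            n = split(deny, d, " ")
            for (i = 1; i <= n; i++) nologin[d[i]] = 1
        }
        /^#/ || /^[ \t]*$/ { next }            # comments and blank lines
        NF != 7 {                              # passwd entries have 7 fields
            printf("skipping malformed line %d\n", NR) > "/dev/stderr"
            next
        }
        $3 !~ /^[0-9]+$/ { next }              # non-numeric UID
        ($3 + 0) >= min && !($7 in nologin) {
            # An empty shell field means the system default shell is used.
            print $1, $3, $6, ($7 == "" ? "(default)" : $7)
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$file"
}

# Stand-alone use: ./audit.sh /etc/passwd [min_uid]
if [ $# -gt 0 ]; then
    audit_login_shells "$@"
fi
```

Running it before and after a panel update and comparing the output shows whether the update changed any account's shell.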


Re: Last Update - gave root access to all users via ssh
« Reply #6 on: November 07, 2018, 12:10:45 PM »
You are mixing sftp/ssh with FTP; these are completely different services.

ssh/sftp use ssh port (default 22) *** this requires chroot or cloudlinux
ftp, ftps, ftpes port 21

If you need SSH/SFTP in a secure way then you need to use cloudlinux or make a custom chroot system.
If you need ssl for ftp then you need to check FTPs or FTPes.

Re: Last Update - gave root access to all users via ssh
« Reply #7 on: May 16, 2019, 09:12:44 AM »
agreed, ssh is only more secure for the user...it is never more secure for the webserver itself!!!