sftp/ssh web user can read whole system

Discussion in 'Installation/Configuration' started by nopanic, Aug 9, 2022.

  1. nopanic

    nopanic Member

    Hello all,

    I'm on Ubuntu 20.04 and the latest ISPConfig version.
    I'm playing around with Filestash:
    https://www.filestash.app

    I enabled sftp and did a login. I noticed that I can walk through the whole system with the sftp user.

    I tried it with the ssh console and it goes there also.
    I tried then the ftp user and ftp works as expected.
    AFAIK it was not possible with the ssh user earlier?!
    Did I do something wrong?!
    How do I prevent the ssh user from reading the system?

    Can someone help?

    tia
    Stefan
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Take care to create ssh users as jailed users. Non-jailed users can read the whole filesystem on Linux (not ISPConfig specific, btw). And just to mention it: a jail contains files and folders like /etc, /bin and so on, and some users who are not aware of how jails work and what they look like on the shell think they can read the whole system when they see copies of such folders inside the jail. In fact, they cannot see the root filesystem; they just see their local jail, which looks very similar.
     
  3. nopanic

    nopanic Member

    Hello till,

    thanks for your quick answer.
    Is it possible to configure only jails in ISPConfig?
    At the moment, when I choose none for chroot-shell while creating the ssh user, I get a user that can read the filesystem. I don't want it.
    Every customer can see the other...
    Can I disable it?

    thanks!
    Stefan
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Sure, you can set the ssh user options that are available for a client in the client limits.
     
  5. nopanic

    nopanic Member

    Ahh okay, thanks. I never did a check in the "limit settings" to configure those settings ;)

    Then all is okay.
    Great work!! :)

    Stefan
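
One way to check which shell accounts are actually jailed, as an added example that is not part of the original thread and is not ISPConfig's own code. It assumes jailed accounts follow the Jailkit convention (login shell `jk_chrootsh`, home field containing `/./`); the account names and the `/srv/sites/` prefix are constructed.

```shell
#!/bin/sh
# Added example: classify accounts in passwd(5) format as jailed or not.
# Assumption: jailed accounts follow the Jailkit convention, i.e. the login
# shell is jk_chrootsh and the home field marks the jail root with "/./".

# Constructed sample input; user names and paths are hypothetical.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
cust1_shell:x:5004:5005::/srv/sites/site1/./home/cust1_shell:/usr/sbin/jk_chrootsh
cust2_shell:x:5006:5007::/srv/sites/site2:/bin/bash
cust3_web:x:5008:5009::/srv/sites/site3:/bin/false
cust4_shell:x:5010:5011::/srv/sites/site4:/usr/sbin/jk_chrootsh
EOF
}

# audit_shell_users PREFIX: reads passwd lines on stdin and prints
# "<status> <user>" for every account whose home starts with PREFIX.
audit_shell_users() {
    awk -F: -v prefix="$1" '
        index($6, prefix) != 1          { next }                      # not a site account
        $7 ~ /\/(nologin|false)$/       { print "NOSHELL", $1; next } # no interactive login
        $7 ~ /\/jk_chrootsh$/ && index($6, "/./") { print "JAILED", $1; next }
        $7 ~ /\/jk_chrootsh$/           { print "INVALID", $1; next } # no jail marker, inspect by hand
                                        { print "UNJAILED", $1 }      # regular shell on the real root
    '
}

# unjailed_users PREFIX: only the accounts that see the real root filesystem.
unjailed_users() {
    audit_shell_users "$1" | awk '$1 == "UNJAILED" { print $2 }'
}

sample_passwd | audit_shell_users /srv/sites/
```

On a live server, feed it `getent passwd` instead of the sample and pass the directory prefix under which your website accounts have their homes.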
     
