Chrooted SSH users persist in the system despite being deleted from the web interface

Discussion in 'Installation/Configuration' started by dbareiro, Jun 30, 2016.

  1. dbareiro

    dbareiro New Member

    Hi all!

    This is my first message on the forum.

    I'm starting to try ISPConfig 3 in Debian GNU/Linux Jessie (8.5).

    I've downloaded the ISPConfig-3-stable.tar.gz file, but I wonder if it is the latest stable version, since it seems that when I delete a chrooted ssh user, it appears as deleted in the web interface but still persists in /etc/passwd and /etc/shadow and that could be a security problem.

    There seems to be an open issue (#3196) for it from two years ago. That's why I'm wondering if the version I installed was the latest stable.

    Thanks in advance.

    Kind regards,
    Daniel
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The issue #3196 is about the passwd file inside the jail (/var/www/clients/client0/web1/etc/passwd), which is not used for authentication of the user; the user exists there just so that tools that read the file inside the jail can find it. So #3196 has no security implications regarding logins; it's just a matter that it should be cleaned up, of course.

    So you have a problem that the user is not removed from /etc/passwd (the system passwd file)? If that's the case, then this is a different issue that has not been reported yet.
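
An added example, not part of the original thread and not ISPConfig code: a check that separates the two cases discussed above, accounts still present in the system passwd file (able to log in) versus names left only in a jail's passwd copy (cleanup only). The `CLIENT_ROOT` prefix is taken from the jail path quoted in the post; the set of users the panel still lists is assumed to be supplied by the administrator, and all sample entries are constructed.

```python
"""Find shell accounts that outlive their deletion in the control panel."""

# Assumption: panel-managed shell users have homes under this prefix.
CLIENT_ROOT = "/var/www/clients/"
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

# Constructed sample data in passwd(5) format (not taken from a real host).
SAMPLE_SYSTEM = """\
root:x:0:0:root:/root:/bin/bash
web1:x:5004:5005::/var/www/clients/client0/web1:/bin/false
c0alice:x:5004:5005::/var/www/clients/client0/web1:/bin/bash
c0bob:x:5004:5005::/var/www/clients/client0/web1:/bin/bash
"""
SAMPLE_JAIL = """\
root:x:0:0:root:/root:/bin/bash
c0alice:x:5004:5005::/var/www/clients/client0/web1:/bin/bash
c0bob:x:5004:5005::/var/www/clients/client0/web1:/bin/bash
c0carol:x:5004:5005::/var/www/clients/client0/web1:/bin/bash
"""


def parse_passwd(text):
    """Return {name: (home, shell)}, skipping lines without 7 fields."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7:
            users[fields[0]] = (fields[5], fields[6])
    return users


def audit(system_passwd, jail_passwd, expected_users):
    """Return (login_capable, jail_only) lists of unexpected user names.

    login_capable: in the system file, home under CLIENT_ROOT, real shell,
                   but no longer listed in the panel (security relevant).
    jail_only:     left only in the jail copy, which is not consulted for
                   authentication (cleanup only).
    """
    system = parse_passwd(system_passwd)
    jail = parse_passwd(jail_passwd)
    login_capable = sorted(
        name for name, (home, shell) in system.items()
        if home.startswith(CLIENT_ROOT)
        and shell not in NOLOGIN_SHELLS
        and name not in expected_users
    )
    jail_only = sorted(n for n in jail if n not in system and n not in expected_users)
    return login_capable, jail_only
```

On a live host the two strings would be read from `/etc/passwd` and the jail's `etc/passwd`; any name in the first list should also be checked in `/etc/shadow`.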
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

  4. dbareiro

    dbareiro New Member

    Hi, Till.

    Thank you for your prompt reply and for your time to check this issue and post a fix. I appreciate it. I applied the patch and it works perfectly.

    Question: will upcoming downloads of the ISPConfig-3-stable.tar.gz file include this change?

    Kind regards,
    Daniel
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig 3.1 is the next stable release and the fix is in the git stable branch, so it will be in the next release.
     
  6. dbareiro

    dbareiro New Member

    Hi, Till.

    Thanks for your reply.

    When you said that the issue has been fixed already in git stable, I had thought that it referred to the current stable release. Do you have an estimated release date for ISPConfig 3.1? I have seen that you have released the beta 2 for testing.

    Kind regards,
    Daniel
     
