
Re: [cobalt-users] SSH security issues.
> I run web hosting, and I give users access to SSH, the problem is they
> are able to READ all files on the server including phpmyadmin on our
> main domain which has the mysql user/pass.

This will also happen if you give users access to CGI or PHP.

> That is a pretty large security issue, but everyone seems to think it's
> unfixable (if so I guess telnet is no longer an option for customers)

Exactamundo. Don't give out shell accounts - you're increasing your
risk for being hacked, and you're putting everyone's web site security
at risk. Mysql passwords, password-protected directories, etc -
someone with a shell account can go anywhere on the server.
I sure hope none of your clients (or you) keep credit card numbers
anywhere on the server...

> Also a privacy issue, because people can view everyone who is hosted by
> us on the server.

That's the least of your problems.  ;)

A chroot jail is an option, but there are plenty of workarounds for
this:
http://www.google.com/search?sourceid=navclient&q=chroot

Best bet is to just not give users a shell account. What do they need
it for anyway? There are plenty of programs that will allow them to
chmod files, check a perl file as if they were on the command line,
and they can always get Godezip for tar'd or gz'd files and unzip on
their home machine before FTPing to their directory.
If there's something that they can't do without a shell prompt, then
you can do it for them - a small price to pay for the added security,
and it keeps them sensible when they know that you'd have to implement
that strange-looking cron job and would probably check the file
they're running before doing so.

CarrieB
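The exposure discussed in this thread comes from config files (phpMyAdmin's config.inc.php, .htpasswd files, and the like) being readable by every local account on the box. The following audit script is an added example and is not part of the original mailing-list post or of any Cobalt tooling; it assumes a POSIX shell with find and chmod, and builds its own constructed sample tree under mktemp so it can be run without touching a real server. It lists config-style files whose mode grants read access to "other", and optionally strips that access.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a web root for
# configuration files that any local account (e.g. a shell user) can read.
# All paths below are assumptions; the sample tree is constructed by this script.

# Print every regular file under $1 whose name looks like a config/credential
# file and whose mode bits grant read to "other" (-perm -004 is POSIX-portable).
find_world_readable_configs() {
    root="$1"
    find "$root" -type f \
        \( -name '*.inc.php' -o -name 'config*.php' -o -name '.htpasswd' -o -name '*.conf' \) \
        -perm -004 -print | sort
}

# Remove read/write/execute for "other" from every file the audit reported.
# The web server still needs to read these files, so in practice the files
# should be owned by (or group-readable to) the httpd user rather than "other".
lock_down() {
    root="$1"
    find_world_readable_configs "$root" | while IFS= read -r f; do
        chmod o-rwx "$f"
    done
}

# Number of findings, as a bare integer (used by the demo and by tests).
count_findings() {
    find_world_readable_configs "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree: one phpMyAdmin config with a placeholder
# password, one .htpasswd, and one harmless HTML file, all mode 644.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/maindomain/phpmyadmin" "$dir/clientA/public_html"
    printf '%s\n' '<?php $cfg["Servers"][1]["password"] = "placeholder-not-real";' \
        > "$dir/maindomain/phpmyadmin/config.inc.php"
    printf '%s\n' 'user:placeholder-hash' > "$dir/clientA/.htpasswd"
    printf '%s\n' '<html></html>' > "$dir/clientA/public_html/index.html"
    chmod 644 "$dir/maindomain/phpmyadmin/config.inc.php" \
              "$dir/clientA/.htpasswd" \
              "$dir/clientA/public_html/index.html"
    echo "$dir"
}

# Stand-alone demo: run as `sh audit.sh --demo`.
if [ "${1:-}" = "--demo" ]; then
    t=$(make_sample_tree)
    echo "world-readable config files before lock-down:"
    find_world_readable_configs "$t"
    lock_down "$t"
    echo "after lock-down: $(count_findings "$t") world-readable config file(s)"
    rm -rf "$t"
fi
```

On a real host you would point find_world_readable_configs at the hosting root (for example /home) and review the list before running lock_down, since tightening a file that the web server reads as "other" will break that site until ownership or group membership is fixed. The name patterns are deliberately narrow; extend them to match whatever your control panel writes credentials into.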