JailShell Users Escape Jail Over SFTP
I'm using Pure-FTPd, and when I log in via SFTP client as a user, I can only go to my /home/user directory and one level up to /home. When I try to navigate one level up to the /, it doesn't allow me, but if I type the location in the address bar manually, like /etc or /var, I'm allowed to browse everything, even though I'm not allowed to edit. How is that possible? Isn't this a security risk?
-
I just figured out that I was using SFTP, which is why Pure-FTPd's "ChrootEverybody yes" wasn't working, because SFTP is SSH, not FTP.
But still, how come users can freely browse the entire server via SFTP? Would this work to chroot users?
Subsystem sftp internal-sftpMatch Group sftpusersChrootDirectory /home/%uForceCommand internal-sftpAllowTcpForwarding noX11Forwarding no
0 -
Hey hey! As far as I can tell this is normal behavior through file permissions. If the file has "read" access, such as having 644 permissions any user on the server would be able to see it.
I can't say if that specific change would work as that isn't something we test on our end.
0 -
I figured that out for permissions, but why aren't users chrooted by default on SFTP? What's the use of users browsing outside of their home directory, where only root should be doing something?
0 -
Now *that's* a good question. Since it's not happening by default, would you like me to make a feature request for this? That would likely help get to the bottom of things or at least get the team thinking.
1 -
Please do. Here is the complete request with two important things:
- SFTP is tied to the SSH feature by default. If you disable SSH, SFTP will also be disabled. In my opinion, SFTP is superior to FTPS, since it supports key logins. 95% of users will never use Shell access, and 100% of users will need FTP, so why not give them SFTP, while disabling Shell? This is not that hard to do in the SSH configuration. Just add another toggle in the WHM > Tweak Settings > Leave SFTP enabled if Shell is disabled, or better yet, make this option a column in the WHM > Manage Shell Access table for each user to enable/disable SFTP.
- Like in an FTP server, where you can chroot all users simply by adding ChrootEverybody yes to the config file (and this is present by default), you should be able to do this for SFTP. Since JailedShell is used by default, this should be the default as well. Without this, ALL USERS can wander around your entire server via their SFTP client, browsing everything, and reading a lot of files. Your only line of defense is a hope that you set your file permissions properly.
I don't know how these two are not present by default. They are so obvious and not that hard to implement.
0 -
I've added this to the list for discussion!
1 -
I got this in just in time and I was able to talk about it with the team this morning.
In general, FTP is a deprecated feature in cPanel as we don't enable the FTP service by default, so we likely won't be adding additional FTP features. It's also worth noting that any user with FTP access can upload a PHP script that will easily print a list of readable files, whether or not they have sFTP enabled.
This seems to be working as intended and isn't a security concern - BUT - if you wanted additional restrictions on what users can view this is something that CloudLinux takes care of through CageFS: https://cloudlinux.com/getting-started-with-cloudlinux-os/41-security-features/934-cagefs-tenant-isolation/
0 -
Thanks for the input, but how is this an FTP feature? I was talking about SSH and SFTP; I was just comparing it to FTP.
0 -
I was just throwing that part in for additional details.
1 -
You can see system folders because read access is allowed, but you can’t change anything so it’s not a security risk.
1
Please sign in to leave a comment.
Comments
10 comments