Domain ssh user security permissions vulnerabilty

auser · March 26, 2022, 9:19pm

Hi All,

This is a security vulnerability which needs patching, or a solution offered to harden my install.

I’ve been running Cyberpanel for a week now on ubuntu 20.04 lts, today i wanted to test the domain ssh, through the control panel i added a website, in its sub menu, i created ssh access to the website. As expected i got access to what was in my websites part of the server. I have open_basedir_protection enabled.
However when i run the command cd … to try to go up a directory, i get permission denied, (which is good) but it does go up a level to “home”. When i try this step again (cd …) it goes into the working directory of the server. (This is bad). I tested going to the folder etc, which it allowed, and then to edit the hosts file with nano, which it also allowed.

I see this as a big security risk, this lower level user which doesn’t have sudo rights (double checked) can access upper level server folders and files and can with a text editor edit files in the server. This could mean that if you were hosting other peoples websites on your server or someone gained access to the main cyberpanel control panel, they could create a ssh user on one of the websites, and then potentially wreak havoc on your server.

MyIDKaTePe · March 26, 2022, 9:44pm

can you test it with my cyberpanel ?
i sent you inbox about the login
in 24h i will delete the user

because it’s look like you just give wrong user permission or running multiple login on one browser
cmiiw

this is danger you know…
so i need you to test on my cyberpanel…

[edit]
since there is no confirmation
i close the test account now

MyIDKaTePe · March 26, 2022, 10:08pm

are you there ?
sir… ?
can you just say ok or no ? so i know you will test it or not

usmannasir · March 27, 2022, 7:18am

incba4896@ip-172-26-15-87:~$ cd /home
incba4896@ip-172-26-15-87:/home$ ls
ls: cannot open directory '.': Permission denied
incba4896@ip-172-26-15-87:/home$ cd cp.shereally.com
incba4896@ip-172-26-15-87:/home/cp.shereally.com$ ls
ls: cannot open directory '.': Permission denied
incba4896@ip-172-26-15-87:/home/cp.shereally.com$ cat /etc/hosts
127.0.0.1 localhost ip-172-26-15-87

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
incba4896@ip-172-26-15-87:/home/cp.shereally.com$ nano /etc/hosts
incba4896@ip-172-26-15-87:/home/cp.shereally.com$

I can see the hosts file but can’t edit the host file. And as you can see, cant enter into any other website directory either.

auser · March 27, 2022, 11:40am

Hi all, sorry but we must be in different time zones and countries, i haven’t been sitting in front of my computer all day.

auser · March 27, 2022, 12:13pm

Hi i used the command “cd …” not directly asking for the directory like your screen shot “cd /home” .

note that in pink in your code your user did go to home directory and if it was denied this it shouldn’t go up should it?

Yes I can confirm what you say i can’t edit the file, it says unwritable using nano.

0 updates can be applied immediately.


Last login: Sat Mar 26 20:51:57 2022 from 
chris7969@domserver:~$ cd ..
chris7969@domserver:/home$ ls
ls: cannot open directory '.': Permission denied
chris7969@domserver:/home$ cd ..
chris7969@domserver:/$ ls
bin		 dev   lib    libx32	  mnt	root  snap  tmp  webadmin.csr
boot		 etc   lib32  lost+found  opt	run   srv   usr
cyberpanel.swap  home  lib64  media	  proc	sbin  sys   var
chris7969@domserver:/$ cd boot
chris7969@domserver:/boot$ ls
config-5.4.0-104-generic      System.map-5.4.0-104-generic
config-5.4.0-105-generic      System.map-5.4.0-105-generic
grub			      vmlinuz
initrd.img		      vmlinuz-5.4.0-104-generic
initrd.img-5.4.0-104-generic  vmlinuz-5.4.0-105-generic
initrd.img-5.4.0-105-generic  vmlinuz.old
initrd.img.old
chris7969@domserver:/boot$

But a ssh user that was supposedly created for one domain only that should be in its own containter that can see other users by running cat /etc/passwd i don’t think i’ve set this up right, or there is something not set up right in the code.

Oh i see i haven’t enable CageFS on the system. That should fix it right?
Could that just be built into the install process, seems a simple yet big security risk.

Umm well maybe not im running ubuntu, not sure how to install it on this op,

“Set up SSH access and enable/disable CageFS for 111111111.com. CageFS require CloudLinux OS.”

usmannasir · March 27, 2022, 2:03pm

If you want each user in its own container then for sure you need Cloudlinux and Cagefs, what you are seeing above is normal linux behaviour.

However, CyberPanel won’t let you enter directories of other websites, which is how it should be. This way even without Cloudlinux and Cagefs if one website is hacked, they cant hack into other sites.

MyIDKaTePe · March 27, 2022, 3:30pm

i just reply not more than 20 minuetes after you post… verywell then… i hope your problem solved and can make cyberpanel more secure, and better

auser · March 28, 2022, 6:47am

Thanks for helping, yes you may have but i got up early on sunday did the post, got distracted, and went to church, got home, and did stuff with wife, and only checked in later that night. So um, well lets say i was concerned about it, but not in duress and just wanted to flag it, as i thought it should be more containerized. I’m pleased by usmannasir’s explanation, and I can sleep easy about it.