Control Panel that separate user home

Is there a free panel that has that feature? It's not necessarily Control Panel per se. Command Line works fine for me.

tl;dr. I don't want my whole server compromised just because one user uses a nulled theme or forgets to update his WordPress.

Comments

  • lonealonea Member, Host Rep
    edited February 2020

    This is why cagefs was created. Separating doesn't do anything. Shell scripts can still be used.

    Thanked by 1vimalware
  • Well... there is file/directory ownership and permissions.

    If one user is able to write into another user's home directory... that's kind of a permission issue.

    (Assuming you are talking about Linux)

  • lonealonea Member, Host Rep

    Back in the day, before suPHP came out, everything was running as apache, which caused a whole lot of issues with mass defacing.

    @sparek said:
    Well... there is file/directory ownership and permissions.

    If one user is able to write into another user's home directory... that's kind of a permission issue.

    (Assuming you are talking about Linux)

  • Well, as you say, that was back in the day.

    Is anybody running PHP or CGI as the shared webserver user on shared hosting accounts these days? If so... then that's probably something you want to look into changing.

  • FlamesRunner Member
    edited February 2020

    @yokowasis

    Perhaps not, but it isn't entirely difficult to set up "relatively secure" jails on your own. This usually means:

    • Setting up a home directory with private directories containing the following:
      • Copying over essential configuration files from /etc
      • Using mounts to expose limited device nodes
      • Copying a subset of useful executables from /bin, /usr/bin, /sbin
      • Copying required libraries from /lib

    The setup of this jail should be done in an area that the user cannot access and have the appropriate permissions set before copying the files over to the user's home directory, then setting up an SSH (and/or SFTP) jail. For the web server, you can use Apache or NGINX and set up a private PHP-FPM process for each user and lock the process in the jail, or use something like suPHP.

    Another option is storing all configuration files and executables outside of the user directory and using a read-only mount into the user's home area.

    (The idea here is to provide as much separation as possible without actually setting up HAProxy and containers, but even this is an option too)
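
The staging step described in the post above, as an added example that is not part of the original thread: it copies a chosen set of binaries, the libraries `ldd` reports for them, and a few `/etc` files into a staging tree, then checks that nothing in it is group- or world-writable. The function names and the `JAIL_ETC` list are assumptions made for this sketch; creating device nodes and moving the tree into the user's home need root and are left out.

```sh
#!/bin/sh
# Added example: stage a minimal jail root before it is placed in a user's home.
# JAIL_ETC and all function names are assumptions made for this sketch.
JAIL_ETC="/etc/hosts /etc/resolv.conf /etc/nsswitch.conf"

# Print the absolute paths of the shared libraries a binary loads.
# ldd may run the binary's loader, so use it only on trusted system binaries.
jail_libs() {
    ldd "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' | sort -u
}

# Copy one file into the stage under the same absolute path, following symlinks.
jail_copy() {  # jail_copy STAGE /abs/path
    mkdir -p "$1$(dirname "$2")" && cp -fL "$2" "$1$2"
}

# Build the tree in a staging directory that only its owner can enter.
build_jail() {  # build_jail STAGE BINARY...
    stage=$1; shift
    mkdir -p "$stage/dev" "$stage/etc" || return 1
    chmod 700 "$stage"
    for bin in "$@"; do
        jail_copy "$stage" "$bin" || return 1
        for lib in $(jail_libs "$bin"); do
            jail_copy "$stage" "$lib" || return 1
        done
    done
    for f in $JAIL_ETC; do
        if [ -r "$f" ]; then jail_copy "$stage" "$f" || return 1; fi
    done
    # Set permissions before the tree goes anywhere near the user's home.
    chmod -R go-w "$stage"
}

# Return 0 only if no file in the stage is group- or world-writable.
jail_is_sealed() {
    [ -z "$(find "$1" \( -perm -020 -o -perm -002 \) ! -type l -print)" ]
}
```

Run `build_jail` as root on a path outside every user's home, and run `jail_is_sealed` again after the tree has been moved into place.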

  • @FlamesRunner said:
    @yokowasis

    Perhaps not, but it isn't entirely difficult to set up "relatively secure" jails on your own.

    Hence the title. Looking for control panel / lamp script that has jailed functionality. I host a lot of WordPress sites for my clients. One or two of them are bound to get their WordPress hacked.

  • nemnem Member, Host Rep

    @sparek said:
    Well, as you say, that was back in the day.

    Is anybody running PHP or CGI as the shared webserver user on shared hosting accounts these days? If so... then that's probably something you want to look into changing.

    Set up synthetic jails with a layered filesystem such as OverlayFS or aufs. Use systemd to spawn a jailed PHP-FPM service on socket activation, then further restrict device access and capabilities.

    It's not difficult to achieve, but most of the logic is rooted in lore.

    Thanked by 1vimalware