
Question Customer access to command line utilities via SSH

Justin Buckkley

New Pleskian
Hello,

I have a developer/reseller who's requesting access to a number of command line utilities for his customers, like:
- php
- mysql
- mysqldump
- composer
- nano
- git

Does anyone have advice/experience on adding this functionality? Thanks in advance!
 
Thank you @IgorG! Could you advise/explain the difference between this and non-chrooted shell access? If working with a trusted developer, what exposure to the system does the user have with say /bin/bash?
 
The user has full root access to everything if you grant him access to /bin/bash, including the opportunity to erase the system or install malware.
 

When logging in as the subscription system user, and granted SSH access, surely there are some permissions that limit their access, no?
 
In theory, directories and files that do not provide group or anonymous read or write access seem to enjoy some protection. But I guarantee it is easy to circumvent this. It is definitely not recommended to grant root access to a subscription user unless the user is fully trusted. Granting shell access to the normal bash shell is like giving full access to the system, no matter what your file or directory permissions say. Plus, you can never be sure that these are all set correctly.
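One way to check whether those permissions are in fact set correctly, as an added example that is not part of the original posts: it lists what an account that is neither owner nor group member could read or write below a directory, pruning subtrees it cannot traverse. The function names are hypothetical; ACLs and the parent directories of the starting point are not examined.

```shell
#!/bin/sh
# Added example (hypothetical helper names): audit which paths below a tree
# are reachable through the "other" permission bits, i.e. by any local
# account that is neither the owner nor in the owning group.

# other_reachable ROOT BIT
#   BIT is r or w. Prints every non-symlink path under ROOT that grants BIT
#   to "other" AND sits below directories that all grant o+x.
#   A file with mode 644 inside a 750 directory is therefore not reported:
#   the directory blocks traversal, so the file's own mode does not matter.
other_reachable() {
    case "$2" in
        r|w) ;;
        *) echo "usage: other_reachable ROOT r|w" >&2; return 2 ;;
    esac
    # Left branch: prune directories "other" cannot enter.
    # Right branch: skip symlinks (their own mode bits are meaningless),
    # then print anything carrying the requested bit for "other".
    find "$1" -type d ! -perm -o=x -prune -o \
        ! -type l -perm "-o=$2" -print 2>/dev/null | sort
}

# audit_report ROOT: both views, world-writable first (the riskier set).
audit_report() {
    echo "== writable by any local account under $1 =="
    other_reachable "$1" w
    echo "== readable by any local account under $1 =="
    other_reachable "$1" r
}

# Run as: sh audit.sh /path/to/tree   (the path is supplied by the admin)
if [ $# -gt 0 ]; then
    audit_report "$1"
fi
```

Run it as root so that `find` itself can descend everywhere; the pruning, not the scanning user's privileges, models what another account could reach.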
 

Thanks Peter! I really appreciate the explanations and advice. So to be clear: by enabling 'Can allow access to any type of shell' in the subscription, and then allowing access to the server over SSH via this article, unless I select '/bin/bash (chrooted)' I risk the chances mentioned above, correct?

Is there any other risk - say if one of those subscriptions/sites were hacked?

In my case, I have a trusted user that is a developer for a dozen or so of my customers. Each customer has their own subscription. Because there's not a way to set up an admin/webmaster with access to a defined list of subscriptions, my idea was to add him as a reseller - and then assign our shared customers' subscriptions to his account so that he'd have access to them without having to remember logins for each.

As mentioned above, he prefers to work via command line - and specifically wants to use Drush - thus the need to provide access to those programs.

Is adding access to these programs via chrooted environment the best option then?
 