[BUG OR What?] FTP account can log in via SSH

Hello!
My OS: Debian 11 64Bit
Hestia version: v1.5.7

I’ve tried proftpd and vsftpd and found that a plain FTP user can log in via SSH. More importantly, you can go outside of your home directory with the FTP account by logging in to SSH. How can this be disabled? Or is it a bug?

It would be best if you could not even log in to SSH with an FTP account.
I was wondering whether, for example, you could create an account in MySQL with a restriction so that it is not able to log in; can that be fixed somehow? No matter how, I just can’t log in to SSH with an FTP account.

You may be interested in a solution that is not overwritten when updating Hestia.

jaapmarcus@Jaaps-MacBook-Pro hestia-build-drone % ssh [email protected]

jaap_test@dev's password:

Linux dev.xxx 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
This account is currently not available.
Connection to dev.xxxx closed.

Also /etc/passwd should look like this:

jaap_test:x:1006:1006::/home/jaap/web/xxxx:/usr/sbin/nologin

Is it a new install?

Where I first encountered the bug is an old server; Debian has been upgraded from 9 to 11. I also have one test server, which I installed about 1.5 months ago.

older server (main)
proftpd
cat /etc/passwd

probe_probe:x:1001:1001::/home/probe/web/my.website.com:/usr/sbin/nologin

test server:

probe2_probe2:x:1001:1001::/home/probe/web/my.website2.com:/usr/sbin/nologin
vsftpd

Alternatively, you can log in with SSH via SSH. And there is nologin there too.

Please send me the login details of your test server if you want. It should not be possible…

You might want to try to rebuild the web domains (and therefore the FTP accounts).

I’m sending you the test server details in a private message.

I tried to rebuild, the problem is the same.

You might want to check what other software you installed or what things you changed, possibly by following other installation procedures or tutorials.

If Hestia is deployed on a standard minimal install of Debian or Ubuntu, this won’t happen. But of course, if something else interferes, for instance with the settings of sshd_config, sudo or user permissions in general, it is possible that things are elevated in an unintended way.

That said, this is not an issue caused by Hestia. The default permissions are very strict and, as @eris pointed out above, FTP users will have no SSH access as their shell gets set to nologin.

I suggest checking if this is still set like it is supposed to be, and if it shows nologin but you can indeed log in, I am afraid that your system has been compromised and tampered with in a way you for sure don’t want…

1 Like
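As an added check (this is example code, not code from the thread or from HestiaCP), here is a small POSIX shell script that does what the reply above suggests: it reads passwd-format entries and reports any account whose home directory lies under a Hestia web docroot (/home/<owner>/web/<domain>, the layout the posted /etc/passwd lines show) but whose shell is something other than nologin or false, i.e. an FTP account that sshd would accept. The sample entries, user names, UIDs and domains are constructed for the example; the `check_live_system` wrapper and its use of `getent` are the example's own additions.

```shell
#!/bin/sh
# Added example, not part of the thread or of HestiaCP: find FTP-style
# accounts (home under /home/<owner>/web/) that still have a login shell.

# Constructed sample of /etc/passwd lines; names, UIDs and domains are invented.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
jaap_test:x:1006:1006::/home/jaap/web/example.com:/usr/sbin/nologin
probe_probe:x:1001:1001::/home/probe/web/my.website.com:/usr/sbin/nologin
probe_bad:x:1007:1007::/home/probe/web/other.example.com:/bin/bash
probe_sh:x:1008:1008::/home/probe/web/third.example.com:/bin/sh'

# Reads passwd-format lines on stdin and prints "user:shell" for every
# account whose home is a web docroot and whose shell is neither nologin
# nor false (those two are what keep sshd from starting a session).
ftp_accounts_with_shell() {
    awk -F: '
        $6 ~ /^\/home\/[^\/]+\/web\// && $7 !~ /\/(nologin|false)$/ {
            print $1 ":" $7
        }'
}

# Wrapper for a live system (assumption: getent is available, so NSS
# sources beyond /etc/passwd are covered). Returns 1 if anything is found.
check_live_system() {
    found=$(getent passwd | ftp_accounts_with_shell)
    if [ -n "$found" ]; then
        printf 'FTP accounts with a login shell:\n%s\n' "$found"
        return 1
    fi
    echo "No FTP account has a login shell."
}

# Demonstration on the constructed sample: only probe_bad and probe_sh
# should be reported, the two nologin accounts are skipped.
printf '%s\n' "$SAMPLE_PASSWD" | ftp_accounts_with_shell
```

Run `check_live_system` as root on the affected box; if it reports nothing but an FTP account can still open an SSH session, compare the shell field with what sshd is actually enforcing (`sshd -T` dumps the effective configuration) and look for a PAM or NSS change outside Hestia, which is the situation the reply above is warning about.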

It looks like there is a bug somewhere…

The test system is a Debian 11 live standard CD install with HestiaCP installed. Nothing else has been modified on it.

@raptor666 see DM

Thanks Eris! Working for patch! :slight_smile: