client SSH access can view top level files

ethaniel86

cam across Enhance recently been playing around with the features then i realized when enabling SSH to user account and i can SSH into the server and list the server's root / files and folders, although they have no permission to read/write.
is this expected behavior?

cPFence

ethaniel86

Yes, that’s expected. Starting from v12, users with SSH access are heavily restricted and can’t do or access anything outside their container, making it fairly secure. However, we do believe that, ideally, they shouldn’t be able to list anything outside their container at all.

xyzulu

I believe what you are seeing is default Ubuntu behaviour.

Adam

cPFence

Nothing has changed in version 12.0.0 in relation to user level SSH. Customers have access to a heavily restricted shell which runs inside their website container. They cannot see or list other websites on the server but they do have access to shared libraries, PHP interpreter, etc. It's very similar to what you would see on a cPanel server with CloudLinux, for example.

cPFence

Adam

Yes, I understand, I was specifically referring to the /etc/passwd- file and also the additional directories hidden starting in v12.0.20, which is definitely a plus.

We recently compared CloudLinux CageFS and the latest Enhance versions side-by-side, and I can confidently say they're now very similar in terms of security isolation. Enhance clearly matches the top solutions available in the market now, which is great.

My only additional wish was to see a complete prevention of listing files outside the container. But I realize that implementing this might introduce technical challenges and complications. We previously tried to play with CloudLinux's own file- and directory-hiding features (excluding files and hiding directories) to achieve that goal, but ended up with a broken CageFS instead! , so I completely understand why this isn't straightforward.