Verifying enhanced security


#1

What script can I run to verify that all my users have ‘enhanced security’ set?

Thanks in advance for any help.
~Tom


#2

Note to Dreamhost: I’m not trying to do anything evil!

Try this:

If you see any of your users in the list, then your home folder security is open. This will only work for users which have a web app that uses phpsessions.

You can also use the access logs, but it means that only users which you have logged into recently will be checked:

63 users on my server have permissive settings. Considering that there are only 93 unique users with phpsession temp files, I’d say that most people have too permissive settings, but I’m not an expert.


#3

Thank you!

I have tried out your second script (the one which issues the ‘last’ command).

As a minor comment, I was a little worried about what would happen if there is a user named ‘cannot’. However, when I tried to create a user named ‘cannot’, the system prevented me from testing it by cunningly claiming that the name is already taken.

As a mid-level comment, it needs (for fully automatic verification) a way of weeding out the false positive which appears for the user which is actually running the script.

But more seriously, there seems to be a problem with user names which have more than 8 characters. Apparently the ‘last’ command only returns the first 8 characters of the user names which it lists, so in such cases I think the rest of your script is not working properly.

~Tom


#4

Then perhaps you just do the most obvious thing and check the permissions of the home directory of each of your users?


#5

Do you mean like this?

(replace ‘MYKEY’ with your dreamhost API key)

I am appalled that Dreamhost should expect its customers to write that kind of gobbledygook.

~Tom


#6

No, I mean ssh into each of your users and [font=Courier]ls -al | head -2[/font]

If you insist on doing it that way, why not go for something much easier?

for u in $(wget -q -O - 'https://api.dreamhost.com/?key=API_KEY&cmd=user-list_users_no_pw&format=tab' \ | awk '$3!~/(type|backup)/{print $2}') do if [ -f /home/$u/.bashrc ] then echo $u fi done


#7

Hi, no I’m not insisting on doing it “that way”! I am trying to illustrate the fact that it is crazy for Dreamhost customers to write these kinds of scripts when Dreamhost could perfectly easily put a column in

https://api.dreamhost.com/?key=6SHU5P2HLDAYECUM&cmd=user-list_users_no_pw&format=html

to say whether the user has enhanced security set.

~Tom

P.S. by the way, your suggestion “ssh into each of your users and ls -al | head -2” is nice but the resulting script would be quite complicated I think:

obtain the list of users, pick out the SHELL users and do what you say, pick out the SFTP-only users and do the equivalent in SFTP, collect all the results and verify that they are all drwx–x— … how many lines of script do you think it would need?


#8

i didn’t suggest using a script. I offered a solution based on your requirements. I just use the panel and take responsibility not to undo the settings and, when in doubt, use ls -al to check the settings.


#9

Hi I tried your suggestion “ssh into each of your users and ls -al | head -2” and it works mostly but not 100%.

For one user, even though enhanced security is set, the result of ‘ls -al | head -2’ is ‘drwxr-xr-x’.

~Tom


#10

Ok, Tom, you are on your own. You keep moving the goal posts. You asked to verify the enhanced security setting. You have now found (partially, you need to check the group assignment), that one of your user’s permissions is not ideal. Just because you have set each user to enhanced security in the panel doesn’t mean that you can’t screw it up on your own later. If you check the wiki on enhanced security, you can see what it should be and how to repair it yourself.

Good luck.


#11

“You keep moving the goal posts.” No I’m not doing that, and I’m not asking for help with sorting out my users.

I’m inviting suggestions for a script that will verify that all the users on an account have enhanced security set.

This won’t necessarily be useful for everyone, of course; as has been explained, some users need not to have enhanced security. But it should be useful for a large number of people.

Especially based on what we’ve seen here over the last few weeks. We’ve had even long-time experts admitting they got hacked recently because of something they did wrong years ago and never bothered to tidy up. In general it’s unrealistic to expect people to manually log in to each of their users and check things that could easily be checked automatically, if there were a script to do it.

I’m even ready to put in effort helping write such a script, but I’m definitely not the right person to do it as I have no experience in this area. I’ve tried a few approaches and they have problems. I could bring these to the forum and ask for suggestions, but before I do that, it would be better to see if any experts would like to provide reliable scripts and solve the problem for everyone. What I can do is try out people’s suggestions and see if they work correctly.

So as I mentioned, I tried your suggestion, “ssh into each of your users and ls -al | head -2”

… and found that it does not work correctly. Your assumption that it returns information about the user’s home directory breaks when the home directory contains files or directories preceding ‘.’ in collating sequence.

~Tom