How to limit shell access on virtual servers?

With the default settings, any virtual server user can seemingly view and access ALL data on the whole server, which is one hell of a serious security risk.
While they cannot actually change any data due to permission restrictions, it is perfectly possible to view system files, such as in /etc and probably others too.

How do I limit this? Basically I would like to see some kind of jailed shell, where a virtual server user only has access to his OWN server and cannot go outside of it.

It is only a “hell of a security risk” if your system is configured incorrectly. :slight_smile:

For proper shell operation (I’m leaving chroot jails and stuff out here, because those are a pain to set up), the user MUST have access to certain files in /etc and other directories.

After a fresh installation, a Linux system (provided you use a “usual” distro like Debian or Ubuntu or CentOS) is configured so that no security critical information can be accessed by users who should not access them.

So, instead of worrying about chroot jails, you should just make sure your file/directory access rights are set up properly, then you don’t need to worry about shell users being able to e.g. read /etc/fstab :slight_smile: It’s not a secret which partitions your server has - to users who you already trust sufficiently to give them shell login at all.

So if this troubles you, you should rather not give the server owners SSH login rights at all.

Also note that besides shells, users can easily set up a PHP based file manager in their hosting account, which in turn has similar read rights to the whole filesystem as an SSH user.