Web App SSH User Can Peek Other Users at /home

Steps to reproduce:

  • Create a new web app user in the dashboard (doesn’t need to be a sudo user)
  • Add SSH key for that user
  • Create a new web app and assign to that user
  • SSH to server newuser@server-ip
  • Type cd /home
  • That user can peek at all other users on the server, although he will get Permission Denied when trying to enter

Can we prevent the user from peeking at others? Or can we prevent the user from accessing /home?

Oh btw, I also found that the web app user can also access the root / directory and can use the cat command to read the contents of files. For example: cat /etc/nginx/nginx.conf

If the user owns the entire server for his own site, this will not be an issue, but for an admin who has several sites and wants to give each web app user access only to his own files, I think this will be a problem.
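As an added example (not code from this thread or from the hosting panel it discusses), the POSIX sh script below audits the two observations in the report from the server administrator's side: whether /home is listable by every login user and whether individual home directories are traversable by "other", plus which files under a directory (such as /etc/nginx) are world-readable. It also shows one remediation that keeps services able to reach /home/<user>/... without letting users list /home. The fixture directories, file names and the target modes 0711 (for /home) and 0750 (for each home, assuming the web server's account is placed in the user's group where it needs access) are assumptions, not the panel's defaults.

```shell
#!/bin/sh
# Added example, not from the original thread: audit and harden home-directory
# visibility on a shared hosting box. All paths and target modes are assumptions.

# Permission bits of a path as a plain octal string, on GNU (stat -c) or BSD (stat -f).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Last octal digit of a mode string = permissions for the "other" class.
other_bits() {
    m="$1"
    printf '%s\n' "${m#"${m%?}"}"
}

# Print what another login user could use to "peek": ROOT/home itself when
# "other" can read (list) it, and each user home when "other" can read or
# traverse it (4 = read, 2 = write, 1 = execute). Prints nothing when clean.
audit_home_dirs() {
    root="${1:-}"
    home="$root/home"
    [ -d "$home" ] || return 0
    m="$(mode_of "$home")"
    if [ $(( $(other_bits "$m") & 4 )) -ne 0 ]; then
        echo "listable by everyone: $home (mode $m)"
    fi
    for d in "$home"/*/; do
        [ -d "$d" ] || continue
        d="${d%/}"
        m="$(mode_of "$d")"
        if [ $(( $(other_bits "$m") & 5 )) -ne 0 ]; then
            echo "world-accessible: $d (mode $m)"
        fi
    done
}

# Regular files under DIR that any user can read, e.g. a world-readable nginx.conf.
world_readable_files() {
    find "$1" -type f -perm -o=r 2>/dev/null | sort
}

# Remediation: /home stays traversable (so a service that already knows the path
# /home/<user>/... can still reach it) but is no longer listable; each home is
# owner + group only. Assumes the web server's account is in the user's group.
harden_home_dirs() {
    root="${1:-}"
    chmod 0711 "$root/home"
    for d in "$root"/home/*/; do
        if [ -d "$d" ]; then
            chmod 0750 "${d%/}"
        fi
    done
}

# Constructed fixture so the checks run offline against a throwaway tree.
make_fixture() {
    fx="$(mktemp -d)"
    mkdir -p "$fx/home/alice" "$fx/home/bob" "$fx/etc/nginx"
    chmod 0755 "$fx/home"         # common default: every login user can list /home
    chmod 0700 "$fx/home/alice"   # already private
    chmod 0755 "$fx/home/bob"     # traversable by anyone
    : > "$fx/etc/nginx/nginx.conf";   chmod 0644 "$fx/etc/nginx/nginx.conf"
    : > "$fx/etc/nginx/private.conf"; chmod 0640 "$fx/etc/nginx/private.conf"
    printf '%s\n' "$fx"
}

# Walk-through on the fixture: run as `sh audit_home.sh --demo`.
demo() {
    fx="$(make_fixture)"
    echo "== before hardening"; audit_home_dirs "$fx"
    echo "== world-readable under $fx/etc"; world_readable_files "$fx/etc"
    harden_home_dirs "$fx"
    echo "== after hardening (expect no output)"; audit_home_dirs "$fx"
    rm -rf "$fx"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

To audit a live host, call `audit_home_dirs ""` (root of the real filesystem) and `world_readable_files /etc/nginx`; the functions only read mode bits and never change anything, while `harden_home_dirs ""` is the only function that modifies permissions.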

Hi @fin -

That is correct; that’s how we designed site isolation, given how other similar solutions implement it and what appears to be the industry standard.

We’re not opposed to changing it up as you mention. Though, we’ll want to do additional discovery before implementing any changes.

Thanks for asking the question!

Thanks for your clarification, Adam.