
Thread: Jail Shell!

  1. #16
    Member
    Join Date
    Aug 2002
    Posts
    1,052

    Default

    Originally posted by dgbaker
    Just make sure NOT to do root.
    That should go without saying, but I guess I shouldn't neglect certain details when dealing with a cPanel crowd.

  2. #17
    Member
    Join Date
    Dec 2002
    Posts
    38

    Default

    Originally posted by dgbaker
    Just make sure NOT to do root.
    hahaha

    I'd like to have an option to maybe have this as a package feature...or on by default. But yes, this works great!

  3. #18
    Moderator cPanel Partner NOC Badge dgbaker's Avatar
    Join Date
    Sep 2002
    Location
    Toronto, Ontario Canada
    Posts
    2,780

    Default

    Originally posted by ciphervendor
    chmod them to 750; don't expect cPanel/WHM to do everything for you.
    I never said I expected them to do everything.

    I actually would prefer they did less in some cases. Like with this jail. I want more control of what is available and what is not.

    I'm not asking for them to remove files, I'm asking for them to give us the control on our servers to do it the way we want to.

    Unlike some, I am more than qualified to manage my servers. Doing chmod is not an answer; doing chmod and leaving the files is not only messy looking, it will cause support tickets for us, like "why can't I run this command?", "why is that there if I cannot use it?". It can also leave you open to possible security issues in some instances.

    I am not asking darkorb to do my job, I want them to LET me do my job, and stop deciding what files I should and should not be able to work with.
    Regards,
    David
    Forum Moderator

  4. #19
    cPanel Staff cpanelnick's Avatar
    Join Date
    Feb 2003
    Location
    Houston, TX
    Posts
    4,773

    Default

    Originally posted by dgbaker
    I never said I expected them to do everything.

    I actually would prefer they did less in some cases. Like with this jail. I want more control of what is available and what is not.

    I'm not asking for them to remove files, I'm asking for them to give us the control on our servers to do it the way we want to.

    Unlike some, I am more than qualified to manage my servers. Doing chmod is not an answer; doing chmod and leaving the files is not only messy looking, it will cause support tickets for us, like "why can't I run this command?", "why is that there if I cannot use it?". It can also leave you open to possible security issues in some instances.

    I am not asking darkorb to do my job, I want them to LET me do my job, and stop deciding what files I should and should not be able to work with.
    rpm -e strace ..


    cPanel could care less if you remove it.

  5. #20
    Moderator cPanel Partner NOC Badge dgbaker's Avatar
    Join Date
    Sep 2002
    Location
    Toronto, Ontario Canada
    Posts
    2,780

    Default

    Hi BRADCO - Thanks for the reply.

    I do not want to remove from the server, just from the jailed accounts. I use strace fairly often for diagnosing issues.

    All I wanted was to be able to dictate which files get loaded in the jail. For example we have an issue with VI in the jail.

    Cannot open termcap file
    'vt100' not known. Available builtin terminals are:
    builtin_ansi
    builtin_xterm
    builtin_iris-ansi
    builtin_dumb
    defaulting to 'ansi'

    But since we cannot modify the jails, we cannot correct this and have no choice but to rely on darkorb to correct.
    Regards,
    David
    Forum Moderator

  6. #21
    Member This forum account has been confirmed by cPanel staff to represent a vendor. Radio_Head's Avatar
    Join Date
    Feb 2002
    Posts
    2,075

    Default

    There is nothing good with jailshell except that the client seems to be restricted to /home/user.

    But, in reality, he can do a lot of things.

    He can use all the 1400 Linux commands; for example, he can use wget without limit, pushing your bandwidth usage to the maximum.

    He can execute more /etc/passwd ... or similar programs.

    But the most important problem seems to be the usage of wget, snarf and similar Linux programs. Monitoring the usage of 1400 Linux commands could be a nightmare.

    Uhm ... jailshell will be good when it provides very limited Linux commands, but at this time it seems really a big problem.
    Last edited by Radio_Head; 03-24-2003 at 09:52 AM.
    Stop SPAM & VIRUS :: ASSP Deluxe for cPanel http://www.grscripts.com
    █ ASSP Deluxe is supported by Fritz Borgstedt,ASSP main developer.

  7. #22
    Tos
    Member This forum account has been confirmed by cPanel staff to represent a vendor.
    Join Date
    Oct 2002
    Posts
    21

    Default

    Originally posted by Radio_Head
    There is nothing good with jailshell except that the client seems to be restricted to /home/user.
    I have setup 2 test jailshells on users now, and they are dumped to the / (system root) directory. They are not confined to /home/user. They are limited on what dirs they see, but /var/cpanel and many other dirs they should not be able to see are still sitting there for them.

    Between this, and all the commands they can execute, how is this any better than the standard SSH shell?

  8. #23
    Moderator cPanel Partner NOC Badge dgbaker's Avatar
    Join Date
    Sep 2002
    Location
    Toronto, Ontario Canada
    Posts
    2,780

    Default

    That's my point as well. You cannot implement a "jail" that still gives access to almost everything. Especially things that are not required.

    Also where are the ps limits? A proper jail also limits the output of certain commands.

    I am not knocking this idea, I just feel that it is not ready for primetime as too many things still need to be done for this to become an effective jailing solution.
    Regards,
    David
    Forum Moderator

  9. #24
    Member This forum account has been confirmed by cPanel staff to represent a vendor. Radio_Head's Avatar
    Join Date
    Feb 2002
    Posts
    2,075

    Default

    I agree, dgbaker.

    In the world of web hosting, in the last years I was able to find only 1 company that was able to create a proprietary shell, limited to /home/user and limited to about 100 Linux commands.

    I still have some account with that company. That shell was very similar to jailshell, but the user was limited to using about 100 Linux commands or less.

    Providing over 1 thousand Linux commands to clients on a shared server .... uhmmm .... these kinds of shells are a training ground for hackers ...
    Last edited by Radio_Head; 03-24-2003 at 11:25 AM.
    Stop SPAM & VIRUS :: ASSP Deluxe for cPanel http://www.grscripts.com
    █ ASSP Deluxe is supported by Fritz Borgstedt,ASSP main developer.

  10. #25
    cPanel Staff cpanelnick's Avatar
    Join Date
    Feb 2003
    Location
    Houston, TX
    Posts
    4,773

    Default

    Originally posted by dgbaker
    Hi BRADCO - Thanks for the reply.

    I do not want to remove from the server, just from the jailed accounts. I use strace fairly often for diagnosing issues.

    All I wanted was to be able to dictate which files get loaded in the jail. For example we have an issue with VI in the jail.

    Cannot open termcap file
    'vt100' not known. Available builtin terminals are:
    builtin_ansi
    builtin_xterm
    builtin_iris-ansi
    builtin_dumb
    defaulting to 'ansi'

    But since we cannot modify the jails, we cannot correct this and have no choice but to rely on darkorb to correct.
    If you open a ticket about this it should be easy to correct. Some things still have to go, and some things have to be added to the virtual filesystem. The best thing to do was get the idea out there so it can be improved upon.

  11. #26
    Moderator cPanel Partner NOC Badge dgbaker's Avatar
    Join Date
    Sep 2002
    Location
    Toronto, Ontario Canada
    Posts
    2,780

    Default

    Bdraco - That I agree with. In what fashion should we gather the "what we feel needs to improve" information so that it is most effective for you to deal with and comment on?
    Regards,
    David
    Forum Moderator

  12. #27
    Member trakwebster's Avatar
    Join Date
    Jan 2003
    Posts
    145

    Default Questions from Jail ...

    Sorry to be ignorant ... but I am.

    I don't quite understand what jail is *spozed* to do. I would have thought it would keep a user from wandering around and looking in other directories. However, it does not seem to do that on my system.

    Here are the problems. Please tell me if I'm doing something wrong --

    1. Under 'Accounts' | 'Manage shell access' I get a list of accounts in a table with buttons for disable and jail. Using my Netscape 6.2 browser, and an account named 'testacct', I click on jail. The button disappears and nothing else happens. I try clicking the one below it. The screen moves, and tells me:

    Changing shell for testacct.
    Warning: "/usr/local/cpanel/bin/jailshell" is not listed in /etc/shells
    Shell changed.

    Now I go and ssh in as Mr. Testacct. Still can go visit other directories, still can see the files there.

    What am I doing wrong? Or am I just expecting the wrong result? What should I expect to be different after an account is 'jailed'?
    -- Arthur Cronos from Voltos
    =================================================
    The Bloggard, Un Hombre Muy Blogisto -- http://www.bloggard.com
    Your loch ness monster, your yeti, your bigfoot. Bah! I've seen worse.
    =================================================

  13. #28
    cPanel Staff cpanelnick's Avatar
    Join Date
    Feb 2003
    Location
    Houston, TX
    Posts
    4,773

    Default

    Originally posted by dgbaker
    Bdraco - That I agree with. In what fashion should we gather the "what we feel needs to improve" information so that it is most effective for you to deal with and comment on?
    As long as it makes sense in the ticket, I should be able to figure it out.

  14. #29
    Member
    Join Date
    Mar 2003
    Posts
    862

    Default

    Originally posted by ciphervendor
    Find & replace in /etc/passwd

    Very simple.
    Oh come on!

  15. #30
    Moderator cPanel Partner NOC Badge dgbaker's Avatar
    Join Date
    Sep 2002
    Location
    Toronto, Ontario Canada
    Posts
    2,780

    Default

    Originally posted by sexy_guy
    Oh come on!
    What do you mean "Oh come on!" ?

    This is a standard unix practice when dealing with multiple changes. Search and Replace is part of normal life in the *nix world. This is not a cpanel thing. You would have to do this for any mass change to the shell or any other jailing software.
    Last edited by dgbaker; 03-24-2003 at 03:48 PM.
    Regards,
    David
    Forum Moderator
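
The mass change discussed above, with the thread's two cautions built in (leave root alone, and check that jailshell is listed in /etc/shells), as an added example that is not from any poster or from cPanel. The function names, the default UID threshold of 500 and the sample accounts are assumptions; it reads a copy of the passwd file and prints the result instead of editing /etc/passwd.

```shell
#!/bin/sh
# Added example (not cPanel's code): bulk shell change on a passwd-format file.
JAILSHELL=/usr/local/cpanel/bin/jailshell   # path from the WHM output quoted in this thread

# shell_is_listed SHELL SHELLS_FILE: succeeds only if SHELL is an exact line in the
# file, the condition behind the "is not listed in /etc/shells" warning.
shell_is_listed() {
    grep -Fxq -- "$1" "$2"
}

# _jail_awk MODE PASSWD_FILE FROM_SHELL [MIN_UID]
# A row qualifies only if it has 7 fields, a numeric UID >= MIN_UID (assumed default
# 500) and a shell equal to FROM_SHELL. Matching on UID rather than on the name
# "root" also protects any second UID-0 account and the system accounts.
_jail_awk() {
    awk -F: -v OFS=: -v mode="$1" -v from="$3" -v to="$JAILSHELL" -v min="${4:-500}" '
        NF == 7 && $3 ~ /^[0-9]+$/ && $3 + 0 >= min + 0 && $7 == from {
            if (mode == "list") print $1
            $7 = to
        }
        mode == "rewrite" { print }
    ' "$2"
}

# jail_passwd PASSWD_FILE FROM_SHELL [MIN_UID]: rewritten copy on stdout.
jail_passwd()  { _jail_awk rewrite "$@"; }
# would_change PASSWD_FILE FROM_SHELL [MIN_UID]: login names that would be altered.
would_change() { _jail_awk list "$@"; }

# Constructed sample data, not taken from a real server.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/bash
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
testacct:x:32001:32001::/home/testacct:/bin/bash
EOF
printf '/bin/sh\n/bin/bash\n' > "$demo_dir/shells"
shell_is_listed "$JAILSHELL" "$demo_dir/shells" ||
    echo "warning: $JAILSHELL is not listed in $demo_dir/shells" >&2
echo "accounts that would change: $(would_change "$demo_dir/passwd" /bin/bash)"
jail_passwd "$demo_dir/passwd" /bin/bash
rm -rf "$demo_dir"
```

Review the `would_change` list and diff the rewritten copy against the original before it replaces the real file.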
