Allow 'who' in jailed shell

Discussion in 'General Discussion' started by _jman, Aug 11, 2017.

  1. _jman

    _jman Active Member

    Joined:
    Jan 17, 2007
    Messages:
    27
    Likes Received:
    1
    Trophy Points:
    153
    WHM 64.0 (build 36)

    All normal users are jailed. Don't want to change that.

    I run who and awk in a wrapup bash script on user ssh sessions to determine the source IP address of the login. This info is passed to mutt so I'll get an alert whenever a user shells into the server.

    Have not explicitly made any changes to jail settings, but after a recent update in June, who stopped working for normal users, whether running the default /usr/bin/who, or a copy of that program chmod'd to the user and placed in the user's home folder.

    How can a jailed user still run who, (via whitelisting the command, etc.), or if this is not possible, what alternative could a jailed user employ to get an SSH login's source IP?

    Thanks!
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,220
    Likes Received:
    1,376
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    The use of the "who" binary is disabled in jailed shell because it can output a list of other users logged in via SSH. If the goal is only to get an alert when a user accesses SSH on the system, have you considered modifying your custom script to obtain the login information from the /var/log/secure file instead?

    Thank you.
     
  3. _jman

    Thanks for the reply. Sorry I missed it, didn't get a notification.

    Since it's a jailed user, permission to access /var/log/secure is denied.

    Permissions on that file are 600. I *could* make it world readable, but that doesn't sound very, uhm, secure. ;)

    I could also make a group and add all my users into it then chmod the file and change permission to 640, but that also sounds like work, and would need to be updated every time I added users. ;(

    Without running a cron job as root every minute to scrape /var/log/secure and send emails as needed, how else might a jailed user be able to determine the remote ip address when they connect via ssh?

    Perhaps a script that would be allowed to run as the jailed user, just piping who into a grep of the username before displaying the results?
     
  4. cPanelMichael

    Hello,

    Could you provide some more details about the purpose of this script? For instance, if it's only to provide you with a list of IP addresses used to connect via SSH, is there any reason you prefer to not run the script as the root user?

    Thank you.
     
  5. _jman

    Hi,

    The intention is to record the username and source IP address of anyone shelling into the server.

    Before all normal users got jailed during a WHM update, it used to work.

    It's not its own "script" per se, merely part of the user's bash wrapup.

    The relevant portion of wrapup is:
    echo "SSH Login on: `date` `who`" | mutt -s "Alert: SSH Login ($(whoami)) from `who|awk '{print $6}'`" <EMAIL>

    (<EMAIL> above not shown, but it's the address to which the alert is sent.)

    Of course, if I shell in as root the same one-liner works fine, but as it's normally triggered by the user's login, running as root isn't applicable.

    So, any way for a jailed user to get access to the IP when shelling in?

    Simplest solution would seem to be if a jailed user could run one of your system scripts, it would just filter who by the logging in user piped into grep.

    Thanks!
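
An added example, not part of the original post or of cPanel's code: sshd exports SSH_CONNECTION ("client_ip client_port server_ip server_port") into the login session, so the source address for the alert subject above can be read without `who`. The function names and the ALERT_TO variable are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example: take the SSH source address from the session environment.

# Print the client IP from an SSH_CONNECTION-style string; return 1 if the
# string does not have the expected four fields or contains odd characters.
ssh_source_ip() {
    read -r ip port _srv _sport _extra <<EOF
$1
EOF
    # Exactly four whitespace-separated fields are expected
    [ -n "$_sport" ] && [ -z "$_extra" ] || return 1
    case "$ip" in
        # Only characters an IPv4/IPv6 literal (with optional %zone) can hold
        ''|*[!0-9A-Za-z:.%]*) return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$ip"
}

# Build the mail subject in the same shape as the one-liner in the post.
login_alert_subject() {
    src=$(ssh_source_ip "$2") || src="unknown"
    printf 'Alert: SSH Login (%s) from %s\n' "$1" "$src"
}

# ALERT_TO is a hypothetical variable holding the alert recipient.
if [ -n "${SSH_CONNECTION:-}" ] && [ -n "${ALERT_TO:-}" ]; then
    printf 'SSH login on: %s\n' "$(date)" |
        mutt -s "$(login_alert_subject "$(id -un)" "$SSH_CONNECTION")" "$ALERT_TO"
fi
```

A login script owned by the account can be edited or skipped by that account, so an alert produced this way is a convenience rather than an audit record.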
     
  6. cPanelMichael

    Hello,

    I'm not aware of any other methods of obtaining that IP address when the account is assigned jailed shell. You may want to post to a website such as StackOverflow to receive additional user-feedback on possible alternatives. If you are open to using a third-party application, then I believe this functionality is included with CSF/LFD:

    ConfigServer Security & Firewall (csf)

    Thank you.
     
  7. _jman

    Hi,

    A) Not trying to get off on the wrong foot here, but as you, cPanel, are the ones that implemented jailing on your own product (WHM), the "You may wish to post" comment is spectacularly non-useful.

    Seriously, I'm asking about a solution to a product you wrote, and you point me to SO? That's just cray-cray.

    B) Am not thinking this will actually pan out, but please elaborate on using CSF/LFD for that functionality. We do employ the add-on, but shelling in then grepping lfd.log for my WAN IP produced no results. Yes, they have IP white & blacklists, but no log entries per se produced on a login-by-login basis that I could see.

    FWIW, jailing normal users is normally a pretty good idea. But there has to be a way around it when needed.

    Since you guys broke it (at least in my case you did break existing functionality, and I can't imagine there are zero other system maintainers that wouldn't want to know not only who's shelling in, but more importantly from *where*), am still percolating on a solution.

    Are there any system scripts that normal users can run? If so, this would be a good addition (again, simply piping who into grep to filter by user, so a jailed user could not see who else was logged in).

    Besides the obligatory call to #!/bin/bash, it would only take a single line of code, but as it's your system, you'd have to either A) write the script, B) allow it through the jail, or C) have a mechanism whereby I could whitelist jailed programs and scripts on an as-needed basis.

    Please advise. Thanks!
     
  8. cPanelMichael

    Hello,

    The particular CSF option is:

    LF_SSH_EMAIL_ALERT

    Per its description:

    This should allow you to have an email notification sent any time a user accesses SSH.

    Just so I understand correctly, can you confirm if you want anyone other than the root user to receive the notification? If not, is there any reason you want the script run as the account user if it's possible to obtain that information through other methods? For instance, I found some potential alternatives on the following URLs that you may find useful:

    Monitor all login attempts
    Email notification about each SSH connection to Linux server

    Thank you.
     
  9. _jman

    No, it's just so I can monitor who is able to successfully ssh into the server, so emails should only go to root.

    Thanks for the reply, using rsyslog may be helpful. Will have to play with it a little to get the logging-in username and IP into the email subject, but it appears to be workable.

    RTFM, didn't know about that portion of CSF, but rsyslog is probably a better option anyway as the former would require a little more maintenance (editing /etc/csf/csf.syslogusers and manually restarting csf whenever users are added), and its own docs say it can potentially block user-level cron reports (which are in use for showing success/failure on some user backup jobs).

    Take care!
     
    cPanelMichael likes this.
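
An added example, not from the thread or from cPanel: the root-side approach discussed above, pulling the username and source IP of successful logins out of /var/log/secure. It assumes the traditional syslog line layout (month, day, time, host, then `sshd[pid]:`); the sample lines are constructed, and the function names are made up for this sketch.

```sh
#!/bin/sh
# Added example: extract "user ip method" for successful SSH logins.

# Constructed sample lines in the layout assumed for /var/log/secure.
sample_secure_log() {
cat <<'EOF'
Aug 11 10:15:02 host1 sshd[2231]: Accepted password for alice from 203.0.113.7 port 51234 ssh2
Aug 11 10:15:40 host1 sshd[2240]: Failed password for invalid user admin from 198.51.100.9 port 40022 ssh2
Aug 11 10:16:11 host1 sshd[2250]: Accepted publickey for bob from 2001:db8::5 port 40000 ssh2: RSA SHA256:constructed
Aug 11 10:17:00 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Aug 11 10:18:30 host1 sshd[2261]: Failed password for invalid user Accepted password for root from 10.0.0.1 port 1 ssh2 from 198.51.100.9 port 40100 ssh2
EOF
}

# Read log lines on stdin, print "user ip method" per accepted login.
# Matching on field positions instead of grepping for "Accepted" keeps a
# failed attempt whose supplied username contains that word (last sample
# line) from being reported as a login.
accepted_logins() {
    awk '$5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $8 == "for" &&
         $10 == "from" && $12 == "port" {
             printf "%s %s %s\n", $9, $11, $7
         }'
}

# As root, pass the log path as the first argument; with no readable file
# given, the constructed sample is used instead.
if [ -r "${1:-}" ]; then
    accepted_logins < "$1"
else
    sample_secure_log | accepted_logins
fi
```

Because this reads a root-only log, the jailed accounts never need access to it, and file permissions on /var/log/secure stay at 600.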