The Community Forums


CloudLinux vs BetterLinux vs Jailshell?

Discussion in 'CloudLinux' started by ThinIce, Jul 5, 2013.

  1. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    Hi all :)

    I've found the comparison of CloudLinux & BetterLinux (default settings) at Rack911's blog an interesting read.

    https://blog.rack911.com/hosting-control-panels/cloudlinux-vs-betterlinux-security-default-settings/

    While the intent seems to be to quickly compare the two out of the box, I'd be interested in knowing where the capabilities built into WHM with jailshell come into such a comparison (or, to play devil's advocate, that they don't...).

    Currently cPanel jailshell in Tweak Settings is not the default (not sure why), although jailshell IS now default for user cron jobs and when Exim executes aliases or filters. This seems to have caused some confusion going by recent threads on these forums, but seems to have been done with the best of intentions ;)

    Ref: VirtFS (Jailed Shell)

    Ref: Tweak Settings

    Process Isolation

    How many processes users can view. From a shell, by default under jailshell all processes can be viewed (if CentOS 5 / xenpv is in use).

    Relevant tweak setting: Mount limited /proc (RHEL/CentOS 6)+, Full /proc (RHEL/CentOS 5/xenpv) is the default

    This can be changed to: Mount limited /proc (RHEL/CentOS 6)+, No /proc (RHEL/CentOS 5/xenpv) if desired.

    There is more information on this at http://forums.cpanel.net/f185/jailshell-users-not-seeing-processes-ps-top-351271.html. A good point made in that thread is that the jail is not "complete" unless using some of the new experimental Apache options (so that CGI, for example, is also controlled).

    Jailed Environment

    Access to / is directly denied. A number of directories are available in the jail. I'm unsure if this is as restricted as CloudLinux. /var/ being accessible suggests not...

    Code:
    user@host [~]# ls /
    /bin/ls: /: Permission denied
     
    Mounted directories on the CentOS 5 system in front of me:

    /var/spool
    /usr/sbin
    /etc/mail
    /var/tmp
    /lib64
    /sbin
    /lib
    /usr
    /opt
    /var
    /bin
    /tmp
    /dev
    /home/user

    Information available to untrusted users

    Jailshell seems to show only system users and the user's own entry under /etc/passwd.

    Code:
    cat /etc/passwd | tail -n5
    mailman:x:32006:32006::/usr/local/cpanel/3rdparty/mailman/mailman:/usr/local/cpanel/bin/noshell
    cpaneleximfilter:x:32007:32009::/var/cpanel/userhomes/cpaneleximfilter:/usr/local/cpanel/bin/noshell
    username:x:507:503::/home/username:/usr/local/cpanel/bin/jailshell
    
    View domains on the server / dns cluster

    Jailshell, as with CloudLinux, seems to protect the DNS server configuration file.

    Code:
    user@host [~]#  cat /etc/named.conf
    cat: /etc/named.conf: No such file or directory
    
    Access to log files

    Files under /var/log are accessible, including dmesg and last logs. Seemingly, therefore, inferior to the protection offered under CloudLinux.

    suid binaries

    This one is difficult to test, as Rack911 are using their own exploit for demonstration purposes... From the docs I'm unsure if their suggested scenario of an exploit possible in Exim would apply under jailshell. From what Rack911 have said, it would appear that for most binaries, however, the included jailshell is superior to BetterLinux defaults...

    From blog post:
    From cPanel docs
    Conclusions?

    It would be interesting to see a discussion of jailshell on Rack911's blog alongside CloudLinux / BetterLinux; I'd like to know what Stephen thinks of the current implementation. From questions I've seen, I don't think the differences between the three are well understood to the extent that they should be (being different pieces of software with different implementations and goals).

    It'd also be interesting to have a matrix of jailshell features on the cPanel docs vs CloudLinux, which has become something of a "you really should have this installed" - if not mentioning CloudLinux by name, perhaps where jailshell is limited by what the 'standard' kernel provides?

    Sorry for the waffle, I'd be interested to hear others' thoughts.
     
  2. iseletsk

    iseletsk Well-Known Member

    Joined:
    Mar 3, 2010
    Location:
    Princeton, New Jersey, United States
    Let me explain the differences, and what drew us to do it in a particular way.
    1. VirtFS & Web -- Unlike CageFS, VirtFS will not work for CGI/PHP unless you are using mod_ruid2. mod_ruid2 (IMHO) is a problem in itself, as a bug in something like the ImageMagick extension would allow a hacker to gain root on a server -- given mod_ruid2.
    Anyway -- web is unprotected by VirtFS. And you can do everything through CGI that you can do through cron/ssh.
    2. VirtFS is a chroot. It is possible to break out of chroot.
    3. SUID is a problem. It doesn't matter much which one, as quite often it is not the bug in the SUID binary itself that is being exploited, but a bug in one of the libraries that it uses, like the glibc library (Two glibc vulnerabilities [LWN.net]). It all usually circles around using LD_PRELOAD and a SUID binary. It is quite an easy/classic way to exploit bugs to escalate privileges. Once SUID programs are removed, the same bugs are no longer dangerous.
     
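The two posts above compare the same four properties of a jail (what /proc shows, which logs are readable, which SUID/SGID binaries are reachable, and how much of /etc/passwd an untrusted user sees). The script below is an added example, not code from either poster, cPanel or CloudLinux: it is a small audit an administrator can run from inside a jailshell (or CageFS) session to measure those properties instead of eyeballing them. It assumes a Linux-style /proc (a "Uid:" line in /proc/PID/status) and that the jail exposes /etc/passwd and /var/log at their usual paths; everything else is portable POSIX sh. The function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread, cPanel or CloudLinux): audit what a
# jailed user can see. Assumes Linux /proc; otherwise plain POSIX sh.

# Processes visible in /proc owned by a uid other than the caller's.
# "Full /proc" exposes all of them; "No /proc" yields 0 because
# /proc/[0-9]* then matches nothing.
foreign_proc_count() {
    me=$(id -u)
    n=0
    for p in /proc/[0-9]*; do
        [ -r "$p/status" ] || continue
        uid=$(awk '/^Uid:/ { print $2; exit }' "$p/status")
        if [ -n "$uid" ] && [ "$uid" != "$me" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Number of regular files under a tree that the caller can actually read
# (e.g. /var/log: the thread notes dmesg and last logs are readable).
readable_files() {
    find "$1" -type f -exec sh -c \
        'for f; do [ -r "$f" ] && printf "%s\n" "$f"; done' sh {} + 2>/dev/null \
        | wc -l | tr -d ' '
}

# SUID or SGID regular files under the given trees (the jail's mounted
# /bin, /sbin, /usr ...). These are the binaries an LD_PRELOAD-style
# library bug would matter for; fewer is better. -xdev stays on one fs.
list_suid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Entries in a passwd file whose shell is a real login shell, i.e. the
# accounts an untrusted user learns about beyond noshell/nologin stubs.
login_accounts() {
    awk -F: '$7 !~ /(noshell|nologin|false)$/ { c++ } END { print c + 0 }' "$1"
}

# Print the report only when invoked as "sh audit.sh report", so the file
# can also be sourced for its functions without side effects.
if [ "${1:-}" = "report" ]; then
    echo "foreign processes visible in /proc : $(foreign_proc_count)"
    echo "readable files under /var/log      : $(readable_files /var/log)"
    echo "SUID/SGID binaries in /bin /sbin /usr: $(list_suid /bin /sbin /usr | wc -l | tr -d ' ')"
    echo "passwd entries with a login shell  : $(login_accounts /etc/passwd)"
fi
```

Run it once as a jailed user and once as the same user with the jail disabled; the difference between the two reports is the actual isolation the jail provides on that host, which is what a CloudLinux vs jailshell comparison should be arguing about.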