CloudLinux vs BetterLinux vs Jailshell?

ThinIce

Hi all :)

I've found the comparison of CloudLinux & BetterLinux (default settings) at Rack911's blog an interesting read.

https://blog.rack911.com/hosting-control-panels/cloudlinux-vs-betterlinux-security-default-settings/

While the intent seems to be to quickly compare the two out of the box, I'd be interested in knowing where the capabilities built into WHM with jailshell come into such a comparison (or, to play devil's advocate, that they don't...)

Currently cPanel jailshell in tweak settings is not the default (not sure why) although jailshell IS now default for user cronjobs and when exim executes aliases or filters. This seems to have caused some confusion going by recent threads on these forums but seems to have been done with the best of intentions ;)

Ref: VirtFS (Jailed Shell)

Ref: Tweak Settings

Process Isolation

How many processes users can view. (From shell, by default under jailshell all processes can be viewed if CentOS5/xenpv is in use.)

Relevant tweak setting: Mount limited /proc (RHEL/CentOS 6)+, Full /proc (RHEL/CentOS 5/xenpv) is the default

This can be changed to: Mount limited /proc (RHEL/CentOS 6)+, No /proc (RHEL/CentOS 5/xenpv) if desired.

There is more information on this at http://forums.cpanel.net/f185/jailshell-users-not-seeing-processes-ps-top-351271.html. A good point made in this thread is that the jail is not "complete" unless using some of the new experimental Apache options (so that CGI, for example, is also controlled).

Jailed Environment

Access to / is directly denied. A number of directories are available in the jail. I'm unsure if this is as restricted as CloudLinux. /var/ being accessible suggests not...

Code:
user@host [~]# ls /
/bin/ls: /: Permission denied

Mounted directories on the CentOS5 system in front of me:

/var/spool
/usr/sbin
/etc/mail
/var/tmp
/lib64
/sbin
/lib
/usr
/opt
/var
/bin
/tmp
/dev
/home/user

Information available to untrusted users

Jailshell seems to show only system users and the user's own entry under /etc/passwd

Code:
 cat /etc/passwd | tail -n5
mailman:x:32006:32006::/usr/local/cpanel/3rdparty/mailman/mailman:/usr/local/cpanel/bin/noshell
cpaneleximfilter:x:32007:32009::/var/cpanel/userhomes/cpaneleximfilter:/usr/local/cpanel/bin/noshell
username:x:507:503::/home/username:/usr/local/cpanel/bin/jailshell

View domains on the server / dns cluster

Jailshell, as with CloudLinux, seems to protect the DNS server configuration file.

Code:
user@host [~]#  cat /etc/named.conf
cat: /etc/named.conf: No such file or directory

Access to log files

Files under /var/log are accessible, including dmesg and last logs. Seemingly therefore inferior to protection offered under CloudLinux.

suid binaries

This one is difficult to test, as Rack911 are using their own exploit for demonstration purposes... from the docs I'm unsure if their suggested scenario of an exploit possible in exim would apply under jailshell. From what Rack911 have said, it would appear that for most binaries, however, the included jailshell is superior to BetterLinux defaults...

From blog post:

The final comparison will be the most important one. Which software will stop an attacker from exploiting a SUID binary to ultimately gain root access on the server. So many of our security vulnerabilities work with SUID binaries, so it is extremely important for us to use software that prohibits allowing a normal user to escalate their privileges.

From cPanel docs:

As of 11.38, in a jailshell, all filesystems are mounted with the nosuid option by default. The nosuid option blocks the operation of setuid and setgid commands, such as crontab and ping. This does not apply to the /usr/sbin/ directory for Exim.

Conclusions?

It would be interesting to see a discussion of jailshell on Rack911's blog alongside CloudLinux / BetterLinux, I'd like to know what Stephen thinks of the current implementation. From questions I've seen I don't think the differences between the three are well understood to the extent that they should be (being different pieces of software with different implementations and goals).

It'd also be interesting to have a matrix of jailshell features on the cPanel docs vs CloudLinux, which has become something of a "you really should have this installed" - if not mentioning CloudLinux by name, perhaps where Jailshell is limited by what the 'standard' kernel provides?

Sorry for the waffle, be interested to hear others' thoughts.
 

iseletsk

Well-Known Member
Verified Vendor
Let me explain the differences, and what drew us to do it in a particular way.
1. VirtFS & Web -- Unlike CageFS, VirtFS will not work for cgi/php unless you are using mod_ruid2. mod_ruid2 (IMHO) is a problem in itself, as a bug in something like the imagemagick extension would allow a hacker to gain root on a server -- given mod_ruid2.
Anyway -- web is unprotected by VirtFS. And you can do everything through CGI that you can do through cron/ssh.
2. VirtFS is a chroot. It is possible to break out of chroot.
3. SUID is a problem. It doesn't matter much which one, as quite often it is not the bug in SUID itself that is being exploited, but a bug in one of the libraries that it uses. Like the glibc library: Two glibc vulnerabilities [LWN.net]. It all usually circles around using LD_PRELOAD and a suid binary. It is quite an easy/classic way to exploit bugs to escalate privileges. Once SUID programs are removed, the same bugs are no longer dangerous.
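
A defender-side check for the nosuid behaviour quoted from the cPanel docs in the first post and the SUID point in the reply above, as an added example that is not part of either post and not cPanel or CloudLinux code: it reads a mount table in /proc/mounts format and lists the mount points that still permit setuid execution. The sample table is constructed (mount points taken from the first post, devices and options invented), and the /usr/sbin allowlist entry reflects the Exim exception quoted from the docs.

```shell
#!/bin/sh
# Added example: audit a mount table for mounts that lack the nosuid option.
# Input format is that of /proc/mounts:
#   device mountpoint fstype options dump pass

# Constructed sample table. Mount points come from the directory list in the
# post; the devices and option strings are invented for illustration.
sample_mounts() {
cat <<'EOF'
/dev/sda2 /usr ext3 ro,nosuid,relatime 0 0
/dev/sda2 /usr/sbin ext3 ro,relatime 0 0
/dev/sda2 /var ext3 rw,nosuid,nodev 0 0
/dev/sda2 /opt ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid,noexec 0 0
/dev/sda4 /home/user ext3 rw,nosuid 0 0
EOF
}

# suid_mounts ALLOWLIST
# Reads a mount table on stdin and prints every mount point whose options do
# not include nosuid, skipping mount points named in the space-separated
# ALLOWLIST (expected exceptions).
suid_mounts() {
    allow=" $1 "
    while read -r dev mnt fstype opts rest; do
        [ -n "$opts" ] || continue       # skip blank or malformed lines
        case ",$opts," in
            *,nosuid,*) continue ;;      # match the whole option, not a substring
        esac
        case "$allow" in
            *" $mnt "*) continue ;;      # documented exception, do not report
        esac
        printf '%s\n' "$mnt"
    done
}

# Run against the constructed sample; /usr/sbin is the documented exception.
sample_mounts | suid_mounts "/usr/sbin"
```

On a live system the same function can be fed the real table with `suid_mounts "/usr/sbin" < /proc/mounts` from inside the jailed shell.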