Hi all
I've found the comparison of CloudLinux & BetterLinux (default settings) at Rack911's blog an interesting read.
https://blog.rack911.com/hosting-control-panels/cloudlinux-vs-betterlinux-security-default-settings/
While the intent seems to be to quickly compare the two out of the box, I'd be interested in knowing where the capabilities built into WHM with jailshell come into such a comparison (or, to play devil's advocate, that they don't...)
Currently cPanel jailshell in tweak settings is not the default (not sure why), although jailshell IS now default for user cronjobs and when exim executes aliases or filters. This seems to have caused some confusion going by recent threads on these forums, but seems to have been done with the best of intentions.
Ref: VirtFS (Jailed Shell)
Ref: Tweak Settings
Process Isolation
How many processes users can view. From shell, by default under jailshell, all processes can be viewed (if CentOS5/xenpv is in use).
Relevant tweak setting: Mount limited /proc (RHEL/CentOS 6)+, Full /proc (RHEL/CentOS 5/xenpv) is the default
This can be changed to: Mount limited /proc (RHEL/CentOS 6)+, No /proc (RHEL/CentOS 5/xenpv) if desired.
There is more information on this at http://forums.cpanel.net/f185/jailshell-users-not-seeing-processes-ps-top-351271.html
A good point made in this thread is that the jail is not "complete" unless using some of the new experimental Apache options (so that CGI, for example, is also controlled).
Jailed Environment
Access to / is directly denied. A number of directories are available in the jail. I'm unsure if this is as restricted as CloudLinux. /var/ being accessible suggests not...
Code:
user@host [~]# ls /
/bin/ls: /: Permission denied
Mounted directories on the CentOS5 system in front of me:
/var/spool
/usr/sbin
/etc/mail
/var/tmp
/lib64
/sbin
/lib
/usr
/opt
/var
/bin
/tmp
/dev
/home/user
Information available to untrusted users
Jailshell seems to show only system users and the user's own under /etc/passwd
Code:
cat /etc/passwd | tail -n5
mailman:x:32006:32006::/usr/local/cpanel/3rdparty/mailman/mailman:/usr/local/cpanel/bin/noshell
cpaneleximfilter:x:32007:32009::/var/cpanel/userhomes/cpaneleximfilter:/usr/local/cpanel/bin/noshell
username:x:507:503::/home/username:/usr/local/cpanel/bin/jailshell
View domains on the server / dns cluster
Jailshell, as with CloudLinux, seems to protect the dns server configuration file.
Code:
user@host [~]# cat /etc/named.conf
cat: /etc/named.conf: No such file or directory
Access to log files
Files under /var/log are accessible, including dmesg and last logs. Seemingly therefore inferior to protection offered under CloudLinux.
suid binaries
This one is difficult to test, as Rack911 are using their own exploit for demonstration purposes... from the docs I'm unsure if their suggested scenario of an exploit possible in exim would apply under jailshell. From what Rack911 have said, it would appear that for most binaries, however, the included jailshell is superior to BetterLinux defaults...
From blog post:
"The final comparison will be the most important one. Which software will stop an attacker from exploiting a SUID binary to ultimately gain root access on the server. So many of our security vulnerabilities work with SUID binaries, so it is extremely important for us to use software that prohibits allowing a normal user to escalate their privileges."
From cPanel docs:
"As of 11.38, in a jailshell, all filesystems are mounted with the nosuid option by default. The nosuid option blocks the operation of setuid and setgid commands, such as crontab and ping. This does not apply to the /usr/sbin/ directory for Exim."
Conclusions?
It would be interesting to see a discussion of jailshell on Rack911's blog alongside CloudLinux / BetterLinux; I'd like to know what Stephen thinks of the current implementation. From questions I've seen, I don't think the differences between the three are well understood to the extent that they should be (being different pieces of software with different implementations and goals).
It'd also be interesting to have a matrix of jailshell features on the cPanel docs vs CloudLinux, which has become something of a "you really should have this installed" - if not mentioning CloudLinux by name, perhaps where Jailshell is limited by what the 'standard' kernel provides?
Sorry for the waffle, be interested to hear others' thoughts.
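
Added example (not part of the original post and not cPanel code): a small check an admin could run from inside a jailed shell to confirm the nosuid behaviour quoted from the docs, i.e. which mount points still honour setuid/setgid bits. The function names and the sample mount table are assumptions constructed for illustration; the sample is not captured from a real server.

```sh
#!/bin/sh
# Added example: audit, from inside the jail, where setuid/setgid still works.
# Needs /proc mounted in the jail (it will not work with the "No /proc" setting).

# Read /proc/mounts-format lines on stdin and print every mount point whose
# effective (last-listed) mount lacks the nosuid option.
mounts_without_nosuid() {
    awk '{
        n = split($4, opt, ","); has = 0
        for (i = 1; i <= n; i++) if (opt[i] == "nosuid") has = 1
        if (!($2 in nosuid)) order[++count] = $2
        nosuid[$2] = has    # a later mount on the same path shadows earlier ones
    }
    END { for (i = 1; i <= count; i++) if (!nosuid[order[i]]) print order[i] }'
}

# Constructed sample mount table: everything nosuid except /usr/sbin,
# plus /tmp mounted twice to exercise the shadowing case.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 /usr ext3 rw,nosuid,relatime 0 0
/dev/sda1 /usr/sbin ext3 rw,relatime 0 0
/dev/sda1 /tmp ext3 rw,relatime 0 0
/dev/sda1 /tmp ext3 rw,nosuid,noexec 0 0
/dev/sda1 /var ext3 rw,nosuid 0 0
/dev/sda1 /home/user ext3 rw,nosuid,nodev 0 0
EOF
}

# For each mount without nosuid, list the setuid/setgid files that live on it.
jail_audit() {
    [ -r /proc/mounts ] || {
        echo "/proc/mounts unreadable (is /proc mounted in the jail?)" >&2
        return 1
    }
    mounts_without_nosuid < /proc/mounts | while IFS= read -r mp; do
        echo "nosuid missing: $mp"
        find "$mp" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
    done
}

# Run the real audit only when asked: sh jail_audit.sh audit
if [ "${1:-}" = "audit" ]; then jail_audit; fi
```

On the constructed sample only /usr/sbin is reported, which matches the exception the cPanel docs describe for Exim; anything else reported on a real jail is worth a closer look.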