Pending Publication [CPANEL-20490] cPanel terminal feature and CageFS

Discussion in 'Security' started by Havri, Jul 16, 2018.

  1. Havri (Well-Known Member, joined Oct 28, 2013, cPanel Access Level: Root Administrator)

    I am writing about this to try to find the best configuration for a cPanel v72 that has the Terminal feature enabled. For this to be enabled, you have to enable it in WHM -> Feature Manager -> SSH Access & Terminal and also enable shell or jailed shell for the user in WHM -> Manage Shell Access.

    I use a server with Cloudlinux + cPanel v72 + CageFS. The recommendations from the CageFS docs and Cloudlinux threads say that if a user needs SSH access (and I'm guessing also Terminal access), the shell access has to be a normal shell, not a jailed shell:

    The user is inside CageFS, as shown below:

    [root@server1 ~]# cagefsctl --list-enabled
    1 enabled user(s)
    And it has normal shell enabled:

    [root@server1 ~]# grep myuser1 /etc/passwd

    The problem is that the available commands from the cPanel -> Terminal window are not the same as the ones during the SSH login.

    As an example, if I log into the server with the root user through SSH and issue the command "su - myuser1", the following commands aren't available for the user:

    [myuser1@server1 ~]$ df -h
    df: cannot read table of mounted file systems: No such file or directory
    [myuser1@server1 ~]$ lsblk
    -bash: lsblk: command not found
    If I go to cPanel -> Terminal and issue the above commands in the Terminal window, they produce output. I don't feel comfortable letting users see my server disk topology or anything hardware/software/system related. Also, to make matters worse, it can basically read all the files owned by root with 644 permissions (meaning that the user can also read /etc/passwd and find all the other usernames on the system).

    Keep in mind that this happens if I use the Normal Shell (as per the CageFS recommendations). If I use Jailed Shell, the user has some commands available, but not as many as with the normal shell.

    With both the normal shell and the jailed shell, the user can still print the contents of the /tmp directory through the cPanel -> Terminal interface, where sometimes filenames containing usernames get created (for example, the "ls -al /tmp" command from the Terminal window in cPanel can list a file named "myuser2_temp_file.txt" or whatever name it has).

    Another example: The listing of sockets (ss -ntlp) also works and shows the listening ports both with normal shell and jailed shell, except that it doesn't show the service name (but it does show all of my custom listening ports for my custom services like monitoring agents, etc.). If I issue the same command in the SSH connection, it shows "-bash: ss: command not found"

    My question is the following: how can I get the new Terminal feature for myuser1 to behave exactly like the SSH access, permissions, etc., for the same user, meaning that the user should have limited access to Linux system commands (like the ones available through CageFS -> SSH access)?

    Let me know what are your thoughts on this.

    Best regards,
    Andrei H.
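The post above checks two things by hand: whether an account is enrolled in CageFS (`cagefsctl --list-enabled`) and which login shell it has in /etc/passwd. The script below is an added example (not code from the thread, cPanel or CloudLinux) that cross-checks both lists for every non-system account and flags the two configurations discussed above: a real shell that is not inside CageFS (the account sees the whole host the way the Terminal did here), and a CageFS account still using jailshell (the CageFS documentation the poster refers to wants a normal shell). Assumptions: `cagefsctl --list-enabled` prints a count line followed by one username per line, as in the post; jailshell is `/usr/local/cpanel/bin/jailshell` and "no shell" is `/usr/local/cpanel/bin/noshell` or `/sbin/nologin`; the sample passwd and CageFS listings embedded below are constructed for the demo. It does not inspect Feature Manager lists, so whether Terminal itself is enabled for a flagged account still has to be checked in WHM.

```shell
#!/bin/bash
# Added example: cross-check cPanel login shells against CageFS enrolment.
# Not from the forum thread or from cPanel/CloudLinux; paths and output
# formats below are assumptions stated in the lead-in.
set -u

# audit_shells PASSWD_TEXT CAGEFS_LIST_TEXT
# Prints one finding per line for every account with uid >= 1000 that has
# an interactive shell:
#   NOT_CAGED <user>         real shell, not enrolled in CageFS
#   JAILED_IN_CAGEFS <user>  enrolled in CageFS but still using jailshell
#   OK <user>                real shell inside CageFS
audit_shells() {
    local passwd="$1" cagefs="$2"
    printf '%s\n' "$passwd" | awk -F: -v cagefs="$cagefs" '
    BEGIN {
        # Build the set of CageFS-enabled users; skip the "N enabled user(s)"
        # header line and blank lines (assumed cagefsctl output format).
        n = split(cagefs, lines, "\n")
        for (i = 1; i <= n; i++) {
            u = lines[i]
            if (u ~ /^[[:space:]]*$/ || u ~ /enabled user/) continue
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", u)
            caged[u] = 1
        }
    }
    NF >= 7 && $3 >= 1000 {
        user = $1; shell = $7
        # Accounts without shell access are not affected by this issue.
        if (shell ~ /nologin$/ || shell ~ /noshell$/ || shell == "/bin/false") next
        if (!(user in caged)) { print "NOT_CAGED " user; next }
        if (shell ~ /jailshell$/) { print "JAILED_IN_CAGEFS " user; next }
        print "OK " user
    }'
}

# audit_live: run the same check against the real server (assumes cagefsctl
# is installed; prints nothing useful elsewhere). Not invoked by default.
audit_live() {
    audit_shells "$(cat /etc/passwd)" "$(cagefsctl --list-enabled 2>/dev/null)"
}

# Constructed sample data for the demonstration (not taken from the post's server).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
myuser1:x:1001:1001::/home/myuser1:/bin/bash
myuser2:x:1002:1002::/home/myuser2:/usr/local/cpanel/bin/jailshell
myuser3:x:1003:1003::/home/myuser3:/bin/bash
myuser4:x:1004:1004::/home/myuser4:/usr/local/cpanel/bin/noshell'

SAMPLE_CAGEFS='2 enabled user(s)
myuser1
myuser2'

audit_shells "$SAMPLE_PASSWD" "$SAMPLE_CAGEFS"
```

On the sample data this reports myuser1 as OK, myuser2 as JAILED_IN_CAGEFS and myuser3 as NOT_CAGED; root and the noshell account are skipped. On a live server, replace the last line with `audit_live` and review every NOT_CAGED and JAILED_IN_CAGEFS account before granting it the Terminal feature.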
  2. cPanelMichael (Forums Analyst, Staff Member, joined Apr 11, 2011, cPanel Access Level: Root Administrator)

    Hello Andrei,

    We're tentatively planning to implement new functionality in cPanel & WHM version 74 that will provide an option to allow cPanel's Terminal feature to automatically execute from within CageFS. We're tracking this as part of internal case CPANEL-20490. I'll monitor this case and update this thread with more information as it becomes available. In the meantime, we recommend disabling the Terminal feature on accounts that utilize CageFS to avoid the issues that you noted.

    Thank you.