SOLVED [CPANEL-20490] cPanel terminal feature and CageFS

Havri

Well-Known Member
cPanel Access Level
Root Administrator
Hello,

I am writing about this to try to find the best configuration for a cPanel v72 that has the Terminal feature enabled. For this to be enabled, you have to enable it in WHM -> Feature Manager -> SSH Access & Terminal and also enable shell or jailed shell for the user in WHM -> Manage Shell Access.

I use a server with CloudLinux + cPanel v72 + CageFS. The recommendations from the CageFS docs and CloudLinux threads say that if a user needs SSH access (and I'm guessing also Terminal access), the shell access has to be a normal shell, not a jailed shell:

https://cloudlinux.zendesk.com/hc/e...-changes-jailshell-to-regular-bash-on-cPanel-

The user is inside CageFS, as shown below:

Code:
[[email protected] ~]# cagefsctl --list-enabled
1 enabled user(s)
myuser1

And it has normal shell enabled:

Code:
[[email protected] ~]# grep myuser1 /etc/passwd
myuser1:x:1000:1002::/home/myuser1:/bin/bash

The problem is that the commands available from the cPanel -> Terminal window are not the same as the ones available during the SSH login.

As an example, if I log into the server with the root user through SSH and issue the command "su - myuser1", the following commands aren't available for the user:

Code:
[[email protected] ~]$ df -h
df: cannot read table of mounted file systems: No such file or directory
[[email protected] ~]$ lsblk
-bash: lsblk: command not found

If I go to cPanel -> Terminal and issue the above commands in the Terminal window, they produce output. I don't feel comfortable letting users see my server disk topology or anything hardware/software/system related. Also, to make matters worse, it can basically read all the files owned by root with 644 permissions (meaning that the user can also read /etc/passwd and find all the other usernames on the system).

Keep in mind that this happens if I use the Normal Shell (as per CageFS recommendations). If I use Jailed Shell, the user has some commands available, but not as many as with the normal shell.

During the normal shell and the jailed shell, the user can still print the contents of the /tmp directory through the cPanel -> Terminal interface, where sometimes filenames with usernames get created (for example, the "ls -al /tmp" command from the Terminal window in cPanel can list a file named "myuser2_temp_file.txt" or whatever name it has).

Another example: The listing of sockets (ss -ntlp) also works and shows the listening ports both with normal shell and jailed shell, except that it doesn't show the service name (but it does show all of my custom listening ports for my custom services like monitoring agents, etc.). If I issue the same command in the SSH connection, it shows "-bash: ss: command not found".


My question is the following: how can I get the new Terminal feature for myuser1 to behave exactly like the SSH access, permissions, etc. for the same user, meaning that the user should have limited access to Linux system commands (like the ones available through CageFS -> SSH access)?

Let me know what your thoughts are on this.

Best regards,
Andrei H.
 

cPanelMichael

Administrator
Staff member
Hello Andrei,

We're tentatively planning to implement new functionality in cPanel & WHM version 74 that will provide an option to allow cPanel's Terminal feature to automatically execute from within CageFS. We're tracking this as part of internal case CPANEL-20490. I'll monitor this case and update this thread with more information as it becomes available. In the meantime, we recommend disabling the Terminal feature on accounts that utilize CageFS to avoid the issues that you noted.

Thank you.
 

cPanelMichael

Administrator
Staff member
Hello,

To update anyone watching this thread, case CPANEL-20490 is tentatively planned for publication next week as part of new builds of versions 72 and 74. I'll update this thread again once it's published.

Thank you.

Update 2: Version 74.0.6 is now published to the EDGE and CURRENT release tiers:

Fixed case CPANEL-20490: The cPanel Terminal feature will now use CageFS for CloudLinux users.

Update 3: Version 72.0.12 is now published to the STABLE release tier and includes the above case.
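
One way to confirm after upgrading that a Terminal session is confined the same way as the CageFS SSH session, as an added example that is not part of the thread or of cPanel's or CloudLinux's code. Each check mirrors a symptom from the first post; the function names, the UID threshold of 1000 and the choice to ignore root-owned entries in /tmp are assumptions.

```shell
#!/bin/sh
# Added example. Run as the cPanel user in an SSH session and in
# cPanel -> Terminal, then compare the two reports.

# Number of other regular accounts visible in a passwd-format file.
# Assumption: regular accounts have UID >= 1000, as myuser1 does in the thread.
other_accounts() {  # $1 = passwd file, $2 = own username
    [ -r "$1" ] || { echo 0; return 0; }
    awk -F: -v me="$2" '
        $3 >= 1000 && $1 != me && $1 != "nobody" && $1 != "nfsnobody" { n++ }
        END { print n + 0 }' "$1"
}

# Entries directly under a directory owned by another non-root user
# (the "myuser2_temp_file.txt" case).
foreign_entries() {  # $1 = directory, e.g. /tmp
    find "$1" -mindepth 1 -maxdepth 1 ! -user "$(id -u)" ! -user 0 2>/dev/null |
        wc -l | tr -d ' '
}

# Which of the named commands resolve in this session's PATH.
visible_tools() {
    found=""
    for t in "$@"; do
        if command -v "$t" >/dev/null 2>&1; then found="$found $t"; fi
    done
    echo "${found# }"
}

# "isolated" only when none of the symptoms above are present.
verdict() {  # $1 = passwd file, $2 = username, $3 = tmp dir, rest = tools
    pw=$1; me=$2; tmp=$3; shift 3
    if [ "$(other_accounts "$pw" "$me")" -eq 0 ] &&
       [ "$(foreign_entries "$tmp")" -eq 0 ] &&
       [ -z "$(visible_tools "$@")" ]; then
        echo isolated
    else
        echo exposed
    fi
}

report() {
    me=$(id -un 2>/dev/null || id -u)
    echo "other accounts in /etc/passwd: $(other_accounts /etc/passwd "$me")"
    echo "foreign entries in /tmp:       $(foreign_entries /tmp)"
    echo "system tools in PATH:          $(visible_tools lsblk ss)"
    echo "verdict:                       $(verdict /etc/passwd "$me" /tmp lsblk ss)"
}
report
```

If the two reports differ, the Terminal session is not running inside CageFS for that account.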