Hello,
I am writing about this to try to find the best configuration for a cPanel v72 that has the Terminal feature enabled. For this to be enabled, you have to enable it in WHM -> Feature Manager -> SSH Access & Terminal and also enable shell or jailed shell for the user in WHM -> Manage Shell Access.
I use a server with Cloudlinux + cPanel v72 + CageFS. The recommendations from the CageFS docs and Cloudlinux threads say that if a user needs SSH access (and I'm guessing also Terminal access), the shell access has to be a normal shell, not a jailed shell:
https://cloudlinux.zendesk.com/hc/e...-changes-jailshell-to-regular-bash-on-cPanel-
The user is inside CageFS, as shown below:
Code:
[root@SERVER ~]# cagefsctl --list-enabled
1 enabled user(s)
myuser1
Code:
[root@SERVER ~]# grep myuser1 /etc/passwd
myuser1:x:1000:1002::/home/myuser1:/bin/bash
The problem is that the available commands from the cPanel -> Terminal window are not the same as the ones during the SSH login.
As an example, if I log into the server with the root user through SSH and issue the command "su - myuser1", the following commands aren't available for the user:
Code:
[myuser1@SERVER ~]$ df -h
df: cannot read table of mounted file systems: No such file or directory
[myuser1@SERVER ~]$ lsblk
-bash: lsblk: command not found
Keep in mind that this happens if I use the Normal Shell (as per CageFS recommendations). If I use Jailed Shell, the user has some commands available, but not as many as with the normal shell.
With both the normal shell and the jailed shell, the user can still print the contents of the /tmp directory through the cPanel -> Terminal interface, where sometimes filenames with usernames get created (for example, the "ls -al /tmp" command from the Terminal window in cPanel can list a file named "myuser2_temp_file.txt" or whatever name it has).
Another example: the listing of sockets (ss -ntlp) also works and shows the listening ports with both the normal shell and the jailed shell, except that it doesn't show the service name (but it does show all of my custom listening ports for my custom services like monitoring agents, etc.). If I issue the same command in the SSH connection, it shows "-bash: ss: command not found".
My question is the following: how can I get the new Terminal feature for myuser1 to behave exactly like the SSH access, permissions, etc. for the same user, meaning that the user should have limited access to Linux system commands (like the ones available through CageFS -> SSH access)?
Let me know what your thoughts are on this.
Best regards,
Andrei H.
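To pin down exactly where the two sessions diverge, it helps to run one identical check script from an SSH login and from the cPanel Terminal as the same user and diff the two outputs. The script below is an added example written for this thread, not something from the original post, cPanel or CloudLinux; the file name envcheck.sh and the SERVER placeholder are assumptions. It reports which of the commands mentioned above resolve in PATH, which system paths are readable, and how many login accounts /etc/passwd exposes, which is the information a server owner needs before deciding which shell type and CageFS settings to use.

```shell
#!/bin/sh
# Added example (not from the forum post): run this as myuser1 over SSH and
# again from cPanel -> Terminal, then diff the two reports to see which
# commands and files the Terminal session can reach that the SSH session cannot.

# Returns 0 if the command resolves in the current PATH, 1 otherwise.
check_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# Prints how many accounts with a real login shell a passwd-format file
# exposes (entries ending in nologin or false are not counted). Prints 0 when
# the file is not readable, which is the expected result inside a proper jail.
count_login_users() {
    passwd_file="${1:-/etc/passwd}"
    [ -r "$passwd_file" ] || { echo 0; return 0; }
    awk -F: '$7 !~ /(nologin|false)$/ {n++} END {print n+0}' "$passwd_file"
}

# Prints "readable" if the current user can read the path, otherwise "hidden".
path_visibility() {
    if [ -r "$1" ]; then echo readable; else echo hidden; fi
}

# Full environment report; the same function is run in both session types.
report() {
    echo "user=$(id -un) uid=$(id -u) shell=${SHELL:-unset}"
    echo "PATH=$PATH"
    # Commands the post compares between SSH and Terminal, plus the mount
    # tools whose absence explains the df error shown above.
    for c in df lsblk ss mount cagefsctl; do
        if check_cmd "$c"; then
            echo "cmd $c: available ($(command -v "$c"))"
        else
            echo "cmd $c: missing"
        fi
    done
    # /etc/mtab and /proc/mounts are what df reads; /etc/passwd and /tmp are
    # the two disclosures the post is worried about.
    for p in /etc/mtab /proc/mounts /etc/passwd /tmp; do
        echo "path $p: $(path_visibility "$p")"
    done
    echo "login accounts visible in /etc/passwd: $(count_login_users /etc/passwd)"
    echo "entries visible in /tmp: $(ls -A /tmp 2>/dev/null | wc -l | tr -d ' ')"
}

# Usage (constructed, assumed file name):
#   over SSH:          sh envcheck.sh > ssh-report.txt
#   in cPanel Terminal: sh envcheck.sh > terminal-report.txt
#   then on either:    diff ssh-report.txt terminal-report.txt
# Set ENVCHECK_NO_RUN=1 to load the functions without printing a report.
[ -n "${ENVCHECK_NO_RUN:-}" ] || report
```

Any line that differs between the two reports is a concrete gap between the Terminal session and the CageFS-jailed SSH session for that user, which is much easier to raise with cPanel or CloudLinux support than a general description. The account count and /tmp count are kept as numbers rather than listings so the report itself does not copy other users' names around.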