disable jail shell commands like w/ and who

Discussion in 'General Discussion' started by hostmedic, Jul 16, 2009.

  1. hostmedic

    Is there an easy way to disable users who are jail shelled from using the who and w commands?

    And, for that matter, making other changes, i.e. blocking top, etc.?
     
    #1 hostmedic, Jul 16, 2009
    Last edited: Jul 16, 2009
  2. chirpy

    The simplest way would be to use good old file permissions, so that only root can run them if that is what you want. Do take care which binaries you alter, though, as some might be needed/used by other scripts/processes other than root.
     
  3. hostmedic

    that was the concern

    That was my concern:
    what binaries are safe to chmod only to the root group.

    Or, worst case, is there a default "cpanel" group perhaps that we could give cpanel to use, but not the user?

    Any idea which binary runs the top and who and w commands?

    Will google as well.
     
  4. Spiral

    Some commands might be accessed by any user, such as "chmod", but some commands should only be accessed by root and cpanel under normal circumstances, such as "wget" and a few others, but you need to be very careful what commands you set to what permissions.

    For commands you want root and cpanel to access, you can chmod to "root:cpanel" and chmod to 750 and that will limit access to those only.

    If you are in doubt as to what may use a particular command, you can move that command to some other name and then create a wrapper script in its place to call the renamed script and log details about when and what called it to a log file someplace like /var/log. If you set this up and find that only root calls a particular script after a fair amount of time, then it is probably alright, but this will give you a better idea of how commands are used.

    As for the topic of "jail shell", it is no secret that I am not a big fan of it! Far too many people are lulled into a false sense of security believing (quite wrongly) that they are somehow "safer" because clients have "jail" shell access instead of regular shell access and the truth could not be any further. Jail shell is dangerous and I would avoid giving clients access to any shell including jail shell.
     
    #4 Spiral, Jul 24, 2009
    Last edited: Jul 24, 2009
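
The wrapper approach described in post #4, written out as shell functions. This is an added example, not code posted in the thread; the function names, the `.real` suffix and the log format are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). install_audit_wrapper, remove_audit_wrapper
# and the ".real" suffix are hypothetical names chosen for this illustration.

# install_audit_wrapper <path-to-binary> <log-file>
# Moves the binary to <path>.real and leaves a logging wrapper at <path>.
install_audit_wrapper() {
    local target="$1" log="$2" real="$1.real"
    # Paths are pasted into the generated script, so allow plain characters only.
    case "$target$log" in
        ''|*[!A-Za-z0-9_./-]*) echo "unsupported path" >&2; return 1 ;;
    esac
    [ -f "$target" ] && [ -x "$target" ] || { echo "not executable: $target" >&2; return 1; }
    [ ! -e "$real" ] || { echo "already wrapped: $real" >&2; return 1; }
    mv "$target" "$real" || return 1
    # Unquoted heredoc: $real and $log expand now; \$... is left for call time.
    cat > "$target" <<EOF
#!/bin/sh
# Audit wrapper: record when and what called this command, then run it.
parent=\$(cat "/proc/\$PPID/cmdline" 2>/dev/null | tr '\\000' ' ')
{ printf '%s uid=%s ppid=%s parent=[%s] args=[%s]\\n' \\
    "\$(date '+%Y-%m-%dT%H:%M:%S%z')" "\$(id -u)" "\$PPID" \\
    "\${parent:-unknown}" "\$*" >> "$log"; } 2>/dev/null
exec "$real" "\$@"
EOF
    chmod 755 "$target"
}

# remove_audit_wrapper <path-to-binary>: put the original binary back.
remove_audit_wrapper() {
    [ -e "$1.real" ] || { echo "no $1.real to restore" >&2; return 1; }
    mv "$1.real" "$1"
}
```

The wrapper runs as whoever calls the command, so the log file has to be appendable by those users or nothing is recorded for them.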