Disabled shell vs Jailed Shell with mod_ruid2

Operating System & Version
CentOS v7.9.2009
cPanel & WHM Version
106.0.15

sjmnc

Registered
Jan 17, 2023
Australia
cPanel Access Level
Root Administrator
Trying to understand the best shell options and the difference between Disabled Shell and Jailed Shell.

As per security advisor recommendation

Apache vhosts are not segmented or chroot()ed. Enable “mod_ruid2” in the “EasyApache 4” area, enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area.
I've
  1. Enabled mod_ruid2
  2. Enabled EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell
However my users are already set to Disabled Shell. If I try to change them to Jailed Shell I get a Package conflict error because none of my packages have shell access enabled.

It seems counterintuitive to enable shell access in the packages just so I can apply the Jailed Shell setting - will doing this offer better security than keeping them at Disabled Shell?

Thanks.
 

Nathan Lyle

Member
Jul 9, 2018
Toledo, Ohio
cPanel Access Level
Reseller Owner
Hey there! If the shell is disabled, that's as secure as you can make it. There are some additional details about this here:

I would have thought that disabled was the most secure as well, but I keep getting messages like this:

Apache vhosts are not segmented or chroot()ed. Enable “mod_ruid2” in the “EasyApache 4” area, enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”. Note that this may break the ability to access mailman via Apache.

I have them disabled partially because I didn't want to enable an experimental feature on my main servers, but also because I thought it was the most secure and my clients don't typically need that access. Is this notification mostly an ad to promote CageFS? It seems like it shouldn't be going out if I have no users set to a normal shell access.
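
Added example (not part of the thread and not cPanel's own tooling): a small audit that classifies each hosting account's login shell as disabled, jailed, nologin or normal, so an administrator can confirm whether any user really has a normal shell. It assumes cPanel's disabled shell is `/usr/local/cpanel/bin/noshell`, the jailed shell is `/usr/local/cpanel/bin/jailshell`, and hosting accounts have UID >= 1000; the function names and sample accounts are constructed.

```shell
#!/bin/sh
# Added example. Assumptions: cPanel's disabled shell is
# /usr/local/cpanel/bin/noshell, its jailed shell is
# /usr/local/cpanel/bin/jailshell, and hosting accounts have UID >= 1000.

# Reads passwd(5) lines on stdin; prints "<class> <user> <shell>" per account.
classify_shells() {
    awk -F: -v min_uid="${MIN_UID:-1000}" '
        /^[[:space:]]*(#|$)/ { next }   # skip comments and blank lines
        NF != 7              { next }   # skip malformed entries
        $3 + 0 < min_uid     { next }   # skip system accounts
        {
            shell = $7
            if (shell == "/usr/local/cpanel/bin/noshell")        class = "disabled"
            else if (shell == "/usr/local/cpanel/bin/jailshell") class = "jailed"
            else if (shell ~ /\/(nologin|false)$/)               class = "nologin"
            else                                                 class = "normal"
            # An empty shell field means the system default shell, so it
            # counts as normal (unjailed) access.
            if (shell == "") shell = "(default)"
            print class, $1, shell
        }'
}

# Counts accounts of class $1 in classify_shells output read from stdin.
count_class() {
    awk -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# Constructed sample data (not from a real server).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:1001:1001::/home/alice:/usr/local/cpanel/bin/noshell
bob:x:1002:1002::/home/bob:/usr/local/cpanel/bin/jailshell
carol:x:1003:1003::/home/carol:/bin/bash
dave:x:1004:1004::/home/dave:/usr/local/cpanel/bin/noshell
erin:x:1005:1005::/home/erin:
EOF
}

# Constructed sample run; on a server use: classify_shells < /etc/passwd
sample_passwd | classify_shells
```

Any line reported as `normal` is an account with an unjailed interactive shell; `disabled` and `jailed` lines match the two options discussed in this thread.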