The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

jailed shell access - how does it differ from normal shell?

Discussion in 'General Discussion' started by spaceman, Aug 4, 2004.

  1. spaceman

    spaceman Well-Known Member

    Mar 25, 2002
    Likes Received:
    Trophy Points:
    Hi All,

    Please can someone define the difference between jailed shell access and normal shell access? Educated guess is that jailed shell access is more restrictive/secure than normal, but I'd like to have the differences spelled out to me for future reference. WHM documentation was about as useful on the subject as a chocolate fire guard. :)
  2. chirpy

    chirpy Well-Known Member

    Jun 15, 2002
    Likes Received:
    Trophy Points:
    Go on, have a guess
    That's about it in a nutshell. The purpose of a jailed shell environment is to offer a shell user a limited and restrictive environment within which they can perform whatever functions they want. The idea being that they can only do so much damage if they are restricted to the binaries and libraries provided ;)

    A normal shell environment gives a user full access to whatever the file system and server environment will allow for the user. It can expose your server to greater vulnerability because most binaries and libraries are available to user accounts.

    Here's my suggestions:

    1. Don't feel a false sense of security by disabling all shell accounts or by using jailed shell accounts. They do slow nefarious people down, but they aren't a panacea and breaking out of them can be trivial. You're also probably offering greater access through CGI access anyway.

    2. Just see it is one layer in a while raft of security measures.

    3. Treat them (jailed shells) as a way to prevent users doing any more accidental damage than they might with a full shell account.

    Most hosts these days either don't give shell access of any kind, or do so only on request for short periods of time, which they monitor. But do consider my point about CGI access being just as risky anyway.

Share This Page