Jailed SSH?

Discussion in 'Security' started by pixelstore, Jun 10, 2012.

  1. pixelstore

    Hey guys! I'm currently trying out cPanel as I'm thinking about moving from Plesk.

    In Plesk I have an option under the settings for an account that says "Chrooted" for SSH access. When choosing this mode the user is jailed to his home directory and can't browse anything below it. Also the commands are very restricted and only about 100 of them are allowed.

    In cPanel I've set the user account to "Jailed Shell" but I don't really see any difference. I have 1257 commands to use, and when logged in as root I have 1279 commands. Also I can browse below my home directory and even list /.

    Aren't there any settings to jail the SSH user to a certain number of commands and of course their home directory?

    I use Git to update all my clients on the server so I need SSH access.
     
  2. pixelstore

    Anyone? This must be a common problem? Why would you like your clients to have such large access to your server?
     
  3. alexio

    Am also experiencing this - and certainly pixelstore and myself can't be the only ones.

    A simple test for anyone allowing Jailed shell:

    Log into the (supposedly) jailed account, and type:
    cd /var
    and then:
    ls

    You should now see the contents of the /var folder, e.g.:

    ./ ../ cpanel/ lib/ log/ run/ spool/
    youraccount@whatevr.com [/var]#


    Jailed ... with Freedom
    A quizzical paradox.
    :confused:
     
  4. pixelstore

    Yeah exactly, I don't see any difference between jailed and a normal shell
     
  5. CharlesBoyd

    Hello,

    Giving each user their own chroot would not be a very good idea and would not improve security on your server.

    (1) This is giving root access to each user, within their chroot, enabling them to install/remove packages within their chroot that could cause their account to break completely and become impossible to recover/fix. Repairing mistakes done in public_html for 100 users on a webserver is bad enough, now imagine maintaining 100 separate complete Linux environments -- each running its own instance of Apache/Perl/SQL and anything else the user wants.

    (2) Sometimes daemon processes such as apache will run within their own chroot, the reason being that if Apache is compromised -- then only the chroot is at risk of being rooted, not the entire server. However, you would not want to have Apache serving files out of a million chroot environments (each of which, for all you know, could be running its own conflicting webserver software).

    (3) You don't get much added security from this, there are plenty of ways for users to escape from their chroot and (intentionally or otherwise) damage the host system for their chroot. For example, setting the hostname in a chroot will also change the hostname of the server and cause downtime. It is also a common problem in chroots that modifications to the kernel or core GNU system libraries (glibc) made within a chroot will also take place in the host environment.

    The intended uses of a chroot are:

    * To create a testing environment for software development in a clean isolated environment within a stable system, without making any changes to the host environment.

    * To "jail" certain background processes for security reasons or otherwise. (This is more common in the BSD world)

    * To cross-compile software for a system whose processor architecture is different from the host, without modifying the toolchain of the host. For example, to build an ARM binary on an x86_64 machine -- you could have a chroot with the gcc ARM toolchain installed and build a program in the chroot without potentially causing dependency or library version conflicts within your host system.

    That said, you can create custom jailed shells within cPanel/WHM -- but it is important to understand that this is *not* a chroot!

    Creating Custom Jailed Shell (Jailshell) Mounts

    Also, if your system is correctly configured, users should have write access only within their home directory and limited read access elsewhere in the file system. Unix is relatively secure by design.
     
  6. pixelstore

    Thanks a lot for the explanation!

    What I don't understand is, like in Plesk that I'm used to, you are also limited to a certain number of commands. There are only the standard ones like cd, ls, mkdir etc. And you are locked to your home dir. I can't understand how you could change hostname etc. But still, I see there are more disadvantages as well, like with Apache running extra daemons. I don't know if Plesk has solved this; anyhow I haven't noticed any problems with it.

    And, yeah, Unix is pretty safe by default, but I don't like the idea that a user can list my /home to see all my other clients I have.

    Anyhow, what I'm really after is to use Git. So my plan was to jail the user to their home and then just limit them to the git commands and maybe cd, ls and mkdir. That's it. But maybe someone else has a totally different solution for this?
     
  7. CharlesBoyd

    The commands are probably disabled by using chmod to change their permissions, but this is usually trivial to bypass.

    Suppose "touch" is disabled for users other than root (meaning it has 0754 permissions). Here is how you can still create a file:

    Code:
    armadill[~]$ ls -l test
    ls: cannot access test: No such file or directory
    
    armadill[~]$ touch test
    bash: /bin/touch: Permission denied
    
    armadill[~]$ > test
    
    armadill[~]$ ls -l test
    -rw-rw-r-- 1 armadill armadill 0 Aug  4 10:23 test
    
    Suppose that /bin/chown also has 0754 permissions, here is a similar workaround:

    Code:
    armadill[~]$ ls -l /bin/chown
    -rwxr-xr-- 1 root root 53640 Jun 22 06:46 /bin/chown
    
    armadill[~]$ cp /bin/chown .
    
    armadill[~]$ chmod 0755 chown
    
    armadill[~]$ ./chown
    ./chown: missing operand
    Try `./chown --help' for more information.
    
    I think they set the permissions on programs other than 'ls' and 'cd' to prevent users from accidentally doing something dangerous to their own data, rather than under the (false) notion that this provides any additional security.

    (Thanks to cPanelJeff for this example!)

    http://forums.cpanel.net/f185/how-p...ks-non-root-users-202242-p11.html#post1194351

    From the 'chroot' man page:

    FreeBSD project came up with an improvement on chroot (called a "jail") that overcomes many of the fundamental limitations and problems one encounters with an old-fashioned chroot.

    Introduction

    From the FreeBSD handbook:

    A FreeBSD jail is similar in some ways to a virtual machine (except it does not do virtualization of hardware and runs on the same kernel as the host)

    Jails were one of the attractive features in FreeBSD and its variants, but it was ported to Linux pretty quickly.

    Jail - Gentoo Linux Wiki

    They should not be able to ls your /home directory, just their subdirectory of /home.

    Code:
    armadill[~]$ stat /home
      File: `/home'
      Size: 4096            Blocks: 8          IO Block: 4096   directory
    Device: 28h/40d Inode: 94666843    Links: 10
    Access: (0711/drwx--x--x)  Uid: (    0/    root)   Gid: (    0/    root)
    Access: 2012-08-04 04:02:05.000000000 -0500
    Modify: 2012-08-04 01:21:10.000000000 -0500
    Change: 2012-08-04 01:21:10.000000000 -0500
    
    armadill[~]$ pwd
    /home/armadill
    
    armadill[~]$ ls
    access-logs  etc  mail  perl5  public_ftp  public_html  test  tmp  www
    
    armadill[~]$ ls /home
    ls: cannot open directory /home: Permission denied
    
    Permission is denied for the user to see the contents of home because the permissions are 0711 and it is owned by root.

    The user should not be able to write outside of their home directory, so they could only 'git clone' to their home directory.

    I am sure there are other threads on setting up git on a cPanel server.
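
An audit of the permission model described in the post above (a /home that other users cannot list, and home directories that others can neither list nor write to), as an added example that is not part of the thread. It assumes GNU coreutils `stat -c`; the function names and the sample tree are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumes GNU coreutils `stat -c`.
# Function names (mode_of, others_can, audit_homes, make_sample) are hypothetical.

# Octal permission bits of a path, e.g. 711.
mode_of() { stat -c '%a' -- "$1"; }

# others_can <bit> <path>: succeed if the "other" class has the bit set
# (4 = read/list, 2 = write, 1 = search/traverse).
others_can() {
    local m
    m=$(mode_of "$2") || return 2
    [ $(( 0$m & $1 )) -ne 0 ]
}

# Report directories under a base (default /home) that break the model in
# the post: base not listable by others, homes neither listable nor writable.
# Prints one finding per line; returns 1 if anything was found.
audit_homes() {
    local base=${1:-/home} d found=0
    if others_can 4 "$base"; then
        echo "LISTABLE $(mode_of "$base") $base"; found=1
    fi
    for d in "$base"/*/; do
        d=${d%/}
        if [ ! -d "$d" ] || [ -L "$d" ]; then continue; fi
        if others_can 4 "$d"; then echo "LISTABLE $(mode_of "$d") $d"; found=1; fi
        if others_can 2 "$d"; then echo "WRITABLE $(mode_of "$d") $d"; found=1; fi
    done
    return "$found"
}

# Constructed sample tree standing in for /home (not real accounts).
make_sample() {
    local t
    t=$(mktemp -d) || return 1
    chmod 0711 "$t"
    mkdir -m 0711 "$t/alice"
    mkdir -m 0755 "$t/bob"
    mkdir -m 0777 "$t/carol"
    echo "$t"
}

sample=$(make_sample)
audit_homes "$sample" || echo "audit: findings listed above"
rm -rf "$sample"
```

Run `audit_homes /home` as root on a real server, since a 0711 /home cannot be enumerated by an unprivileged account.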
     