The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Jailshell Security Hole?

Discussion in 'Security' started by Boboss, Oct 31, 2006.

  1. Boboss

    Boboss Active Member

    Joined:
    May 26, 2003
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    I am not sure whether this is the appropriate place to post this, but this is something I notice with Jailshell, which in my opinion is a security hole.

    First, let me make a few remarks on what I think of WHM/CPanel. The security hole issue will come last.

    1) Jailshell is not actually jailing anyone. What I see is that Jailshelling someone under WHM/Cpanel actually gives them more power than is necessary. They get to be able to use so many command line functions that very little is left for them to be able to do. I say this in comparison with ENSIM, which I used previously, and which actually pretty much limits what a jailed (high security) user can do with the command line.

    Request: I would like someone who has used and knows ENSIM to guide me towards what can be done with WHM/Cpanel to reduce jaishell user permissions, so that they can be limited in the number and types of command line functions they can use.

    2) THE SECURITY HOLE:

    First of all, it seems the WHM/Cpanel jaishell system does the opposite of what it is supposed to do. Users with no normal shell and with no jailshell (disabled shell) are actually the only users that cannot roam freely beyonf their home directory via FTP. By contrast, users that are jailshelled are the ones who are able to go out of their home directory, and browse around.

    Now, I have read here and there that the areas that jailshelled users are able to roam are actually their own filesystem, made of mostly files copied over into their hail. However, that is where the security flaw lies.


    This is what I have seen:

    Description:

    Any jailshelled user can raom via command line or SFTP into this folder: /var/spool/mail. But as you can see, this folder shows all the main account usernames that carry with all the Web sites hosted on any WHM/Cpanel server.

    Granted: even though they can see these usernames, jailshelled users cannot do anything to these files. True. But that is not where the security whole lies.

    Why is this a security hole?

    Consequences:

    Any Jailshelled user can see what usernames are on any WHM/Cpanel server by going here: /var/spool/mail. And because they can see all the main users (those with rights on whole sites, this is what can happen:.

    1) Instead of having to guess these usernames, a crackers gets it easy and simply tried each of them to see if they can get into more accounts and wreak havoc.

    2) Where users do not have good passwords (if they use the same word for both the username and password), any ill-intentioned guy can get into their accounts very easily.'

    3) If any of the listed usernames is jailshelled and has a bad password, then it is easy for someone to do harm to their account.

    4) Knowing the number of usernames in this location /var/spool/mail allows a jailshelled user to know how many accounts/sites/main usernames are on a WHM/Cpanel Server.

    5) Knowing the usernames of a WHM/Capenl server would allow a spammer hosted on the same server to spam other users by simply sending email to each of these usernames from another spamming site somewhere on the Internet.

    I am sure someone else could find a few other things that can be done in this situation, but my take is that items 4 and 5, which are less serious than items 1, 2 and 3, should nevertheless never be allowed to happen on any server. If any attacker can be allowed to see who else is hosted ans spam them as a result, then that alone is enough of a security risk to me. And anyone hosted on any server deserves a minimal amount of protection, even against the possibility of spam.

    I hope this can be fixed some time soon.

    Thanks.

    Boboss.
     
  2. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    While I have no Ensim experience, I have to agree jailshell is a joke. You can basically do whatever you want and don't have many restrictions. However, being able to see all the user accounts doesn't worry me, since this can be easily done by anyone who doesn't have shell at all and just has a simple PHP based script.
     
  3. Patiek

    Patiek Active Member

    Joined:
    May 23, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    I usually assume that usernames are known and are public. If you practice security on this policy it is a bit more difficult but at the same time it will ultimately allow for a more secure server. I agree that not releasing the usernames would be better (yet another layer), but at the same time it is possible to determine all of the domains hosted on a server, visit those domains, and exploit the scripts on those sites in some fashion to release the username (for example, getting PHP to error /home/username/.... if PHP errors are output as they are by default).

    You may want to install some brute force detection to help prevent attacks. Also, you could force stronger passwords by using config entries in /etc/login.defs I believe (CRACKLIB_DICTPATH)?
     
  4. Boboss

    Boboss Active Member

    Joined:
    May 26, 2003
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Which is why the Ensim naming convention is better. Ensim suppressed usernames from the script paths, allowing instead the domain names themselves to be used.

    For instance, instead of defining paths as: /home/username/wwww, ensim did this: /home/virtual/domain.com/var/www/html or , for jailed sites (high security), simply /var/www/html. As you can see, no usernames appear when scripts error out. And that adds just a smaller layer of security, even if as you said, there are ways to get the same info.

    My problem is that I hate spammers, and anything that will prevent detection of email addresses is good.
     
Loading...

Share This Page