The Community Forums


Jailshell users not seeing processes in ps or top

Discussion in 'Security' started by santrix, Jun 18, 2013.

  1. santrix

    santrix Well-Known Member

    Hi,

    The recent 11.38 update (or possibly earlier recent updates) has led to jailshell users not seeing all of their processes in top or ps. It's an improvement over how it used to be, where they would see all processes, but now in top all they see is the top process itself and their bash session.

    I have tested by running a number of scripts that run for a good 20 seconds or so, and updating top or ps only ever shows these two processes and nothing else.

    Jailed /proc mount method - Mount limited /proc (RHEL/CentOS 6)+, Full /proc (RHEL/CentOS 5/xenpv) default

    I found that by selecting the "Always mount a full /proc" once more allowed users to see it as it used to be. However, it would be nice if they were restricted to seeing their own processes. Any clues as to how the above behaviour can be corrected, so they can be restricted to seeing only their own processes, but be able to see ALL of their own processes?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    I am not aware of any existing options within cPanel/WHM to allow for that type of functionality. However, you are welcome to open a feature request for this at:

    Submit A Feature Request

    Thank you.
     
  3. santrix

    santrix Well-Known Member

    Hi Michael. So, are you saying that with the option "Mount limited /proc (RHEL/CentOS 6)+, Full /proc (RHEL/CentOS 5/xenpv)" selected, the user will not be able to see even their own processes on CentOS 6? And this is normal?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    I can not reproduce the behavior you describe when using the "top" command as a user with jailed shell access. I tested on a CentOS 6 machine, with each of the following options enabled for "Jailed /proc mount method":

    Always mount a full /proc
    Mount limited /proc (RHEL/CentOS 6)+, Full /proc (RHEL/CentOS 5/xenpv) default
    Mount limited /proc (RHEL/CentOS 6)+, No /proc (RHEL/CentOS 5/xenpv)


    In all three cases, the "top" command produced the same output of all processes running on the system, even processes not owned by the account username (e.g. Apache, crond, dovecot). Are you using any other security applications/modifications, or a third-party application such as CageFS on this system?

    Thank you.
     
  5. santrix

    santrix Well-Known Member

    Odd - the server is a pretty vanilla CentOS 6.4 box with nothing installed that would affect this as far as I can tell. So, just to clarify, when it is configured with "Always mount a full /proc" then the user sees all processes. But for the other two, he will only see his bash session and the top application itself. I have found this behaviour to be the same on our other CentOS 6 machines too.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    That's not the behavior I see on a test machine with CentOS 6. I see no difference in the output from "ps" or "top" when each of those options are enabled. Feel free to open a support ticket so we can check your specific server:

    Submit A Ticket

    You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  7. DaVinciDigital

    DaVinciDigital Registered

    I have the same issue in my setup: jail user cannot see owned processes, but only those started in the running shell.

    Another change that happened is that now a jailed user cannot start a process in the background (as a daemon), but any and all processes started by the user are shut down once the shell gets closed. This behaviour is quite welcome, but to my knowledge it was not documented.
     
  8. cPanelNick

    cPanelNick Administrator
    Staff Member

    In 11.38 jailshell now uses CLONE_NEWPID to create a new pid namespace.

    When you choose "mount a limited /proc", users are not permitted to see processes running outside of the jail in /proc, as they could use this to escape the jail. If you are not using the jailed Apache setup, this may not matter to you, since you could already bypass the jail system with a CGI process (unless the user has CGI disabled).

    For more information please see: clone(2) - Linux manual page.

    I will provide more detailed information in my next post:
     
  9. cPanelNick

    cPanelNick Administrator
    Staff Member

    Thanks for letting us know about the missing documentation. I have alerted the team responsible for adding this to the release notes.

    We have switched to using the more secure clone (CLONE_NEWPID) method (please see my previous post) for creating the jail.

    When jailshell exits, the pid namespace is destroyed by the kernel since jailshell is the first process in the pid namespace. This will cause all processes running in that namespace to be terminated (please see the man page for the system clone() call posted above).

    If you need to create a long-running process inside of the jail, you can use /usr/local/cpanel/bin/jailexec, as it will wait for subprocesses to exit before it terminates, which preserves the pid namespace until all children exit.
     
    #9 cPanelNick, Jun 26, 2013
    Last edited by a moderator: Jun 26, 2013
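The two staff posts above describe the mechanism but not what it looks like from a program. The following is an added example written for this thread; it is not cPanel's jailshell or jailexec code, and the names run_demo, ns_init and the pipe-based "job finished" marker are this example's own. It does three things: clones a child with CLONE_NEWPID so that it becomes pid 1 of a new pid namespace, starts a background job from that child, and then shows what happens to the job when pid 1 exits immediately (the jailshell case: the kernel SIGKILLs everything left in the namespace) versus when pid 1 first reaps its children (the jailexec case: the job runs to completion). The third run repeats the first without CLONE_NEWPID, where the orphaned job simply outlives its parent. Creating the namespace requires CAP_SYS_ADMIN and may be refused by a container's seccomp profile; the function reports that as -1 rather than failing. It does not mount a /proc inside the namespace, which is what makes ps and top inside the jail list only the namespace's own processes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <poll.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case <sched.h> was first included without _GNU_SOURCE. */
#ifndef CLONE_NEWPID
#define CLONE_NEWPID 0x20000000
#endif
int clone(int (*fn)(void *), void *child_stack, int flags, void *arg, ...);

#define STACK_SIZE (256 * 1024)

struct ns_args {
    int pipe_w;  /* write end, kept open only by the background job */
    int reap;    /* 1: wait for children before exiting (jailexec-style) */
};

/* First process of the clone: pid 1 inside the namespace when CLONE_NEWPID
 * was used. It starts one "background job" and then either exits at once
 * (what an interactive jailshell does) or reaps its children first. */
static int ns_init(void *arg) {
    const struct ns_args *a = arg;
    pid_t me = getpid();
    pid_t job = fork();
    if (job == 0) {
        sleep(a->reap ? 1 : 4);                      /* simulated long-running work */
        if (write(a->pipe_w, "d", 1) != 1) _exit(1); /* "finished normally" marker */
        _exit(0);
    }
    close(a->pipe_w);
    if (a->reap)
        while (waitpid(-1, NULL, 0) > 0 || errno == EINTR)
            ;
    return (int)(me & 0xff);                         /* report own pid as exit status */
}

/* Returns -1 if clone() was refused (needs CAP_SYS_ADMIN, may be blocked by
 * seccomp), 0 if the job outlived its parent, 1 if the job was killed when
 * the namespace's pid 1 exited, 2 if the job ran to completion. *pid_inside
 * receives the pid the clone child saw for itself (1 in a new namespace). */
int run_demo(int use_newpid, int reap, int *pid_inside) {
    int pfd[2];
    if (pipe(pfd) != 0) return -1;
    void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
    if (stack == MAP_FAILED) { close(pfd[0]); close(pfd[1]); return -1; }

    struct ns_args a = { .pipe_w = pfd[1], .reap = reap };
    int flags = SIGCHLD | (use_newpid ? CLONE_NEWPID : 0);
    pid_t child = clone(ns_init, (char *)stack + STACK_SIZE, flags, &a);
    if (child < 0) {
        munmap(stack, STACK_SIZE); close(pfd[0]); close(pfd[1]);
        return -1;
    }
    close(pfd[1]);                        /* now only the job holds the write end */

    int status = 0;
    waitpid(child, &status, 0);           /* pid 1 of the namespace is gone */
    munmap(stack, STACK_SIZE);
    if (pid_inside) *pid_inside = WIFEXITED(status) ? WEXITSTATUS(status) : -1;

    /* EOF with no marker byte: the kernel SIGKILLed the job with the namespace.
     * Marker byte: the job finished. Timeout: it is still running, reparented
     * to init, which is what happens without CLONE_NEWPID. */
    struct pollfd p = { .fd = pfd[0], .events = POLLIN };
    int outcome = 0;
    if (poll(&p, 1, 1500) > 0) {
        char c;
        outcome = (read(pfd[0], &c, 1) == 1) ? 2 : 1;
    }
    close(pfd[0]);
    return outcome;
}

int main(void) {
    int pid, r = run_demo(1, 0, &pid);
    if (r < 0) printf("clone(CLONE_NEWPID) refused: needs CAP_SYS_ADMIN, no seccomp block\n");
    else printf("new pidns, exit at once: inside pid=%d, job killed=%s\n", pid, r == 1 ? "yes" : "no");
    r = run_demo(1, 1, &pid);
    if (r >= 0) printf("new pidns, reap first: inside pid=%d, job finished=%s\n", pid, r == 2 ? "yes" : "no");
    r = run_demo(0, 0, &pid);
    printf("same pidns: job still running after parent exit=%s\n", r == 0 ? "yes" : "no");
    return 0;
}
```

Run it as root on a plain host and the first line reports inside pid=1 with the job killed, the second reports the job finishing because pid 1 waited for it, and the third shows the pre-11.38 behaviour where a backgrounded process survives the shell. The pipe trick (EOF versus marker byte) is how the parent tells "killed by namespace teardown" apart from "exited normally" without needing to see the job's pid, which it could not observe from outside the namespace anyway.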
  10. cPanelNick

    cPanelNick Administrator
    Staff Member

    That's the intended behavior. Please see my posts above for more information about why it works this way. The short version is that we are limited to what the Linux kernel can support, and 11.38 prefers the most secure way of doing this by default.
     
  11. DaVinciDigital

    DaVinciDigital Registered

    Nick,
    thanks for clarifying.

    I shall stress that this behaviour is absolutely welcome. It is just that it would have been lovely to read about it before getting the patch through the update. It is not my case, but this change may have broken paid services for some sellers.
     
  12. blogbytes

    blogbytes Member

    I am sitting in a similar boat.
    I have multiple servers, all running the same build, all running the same security setup. On one of the servers, when the user logs in via shell and uses top or ps, he will see all running processes from all users on the server, even root!
    This happens on any account I give shell access to. So this means it has to be a server setting.
    On another server, I am unable to reproduce this. The user only sees his own active processes.

    This is baffling me and driving me nuts at the same time, as I am unable to figure out what setting/configuration might cause this.
    The /proc settings did not do anything on my side.

    Any ideas?
     
  13. blogbytes

    blogbytes Member

    Anyone who could share some light on this?
     
  14. Sys Admin

    Sys Admin Well-Known Member

    @blogbytes Are you using CloudLinux, or do you have a grsecurity kernel installed?
     
  15. blogbytes

    blogbytes Member

    @Sys Admin / None of the above.
     