Jailshell users not seeing processes in ps or top

[santrix]

Hi,

The recent 11.38 update (or possibly earlier, recent updates) have led to jailshell users not seeing all of their processes on top or ps. It's an improvement over how it used to be, where they would see all processes, but now in top all they see is the top process itself and their bash session.

I have tested by running a number of scripts than run for a good 20 seconds or so, and updating top or ps only ever shows these two processes and nothing else.

Jailed /proc mount method - Mount limited /proc (RHEL/CentOS 6)+, Full /proc (RHEL/CentOS 5/xenpv) default

I found that by selecting the "Always mount a full /proc" once more allowed users to see it as it used to be. However, it would be nice if they were restricted to seeing their own processes. Any clues as to how the above behaviour can be corrected, so they can be restricted to seeing only their own processes, but be able to see ALL of their own processes?

 

[cPanelMichael]

Hello

I am not aware of any existing options within cPanel/WHM to allow for that type of functionality. However, you are welcome to open a feature request for this at:

Submit A Feature Request

Thank you.

 

[santrix]

Hi Michael. So, are you saying that with the option "Mount limited /proc (RHEL/CentOS 6)+, Full /proc (RHEL/CentOS 5/xenpv) " selected, that the user will not be able to see even their own processes in Centos 6 ? and this is normal?

 

[cPanelMichael]

Hi Michael. So, are you saying that with the option "Mount limited /proc (RHEL/CentOS 6)+, Full /proc (RHEL/CentOS 5/xenpv) " selected, that the user will not be able to see even their own processes in Centos 6 ? and this is normal?

I can not reproduce the behavior you describe when using the "top" command as a user with jailed shell access. I tested on a CentOS 6 machine, with each of the following options enabled for "Jailed /proc mount method":

Always mount a full /proc
Mount limited /proc (RHEL/CentOS 6)+, Full /proc (RHEL/CentOS 5/xenpv) default
Mount limited /proc (RHEL/CentOS 6)+, No /proc (RHEL/CentOS 5/xenpv)

In all three cases, the "top" command produced the same output of all processes running on the system, even processes not owned by the account username (e.g. Apache, crond, dovecot). Are you using any other security applications/modifications, or a third-party application such as CageFS on this system?

Thank you.

 

[santrix]

Odd - the server is a pretty vanilla Centos 6.4 box with nothing installed that would affect this as far as I can tell. So, just to clarify, when it is configured with Always mount a full /proc then the user sees all processes. But for the other two, he will only see his bash session and the top application itself. I have found this behaviour to be the same on our other Centos 6 machines too.

 

[cPanelMichael]

So, just to clarify, when it is configured with Always mount a full /proc then the user sees all processes. But for the other two, he will only see his bash session and the top application itself. I have found this behaviour to be the same on our other Centos 6 machines too.

That's not the behavior I see on a test machine with CentOS 6. I see no difference in the output from "ps" or "top" when each of those options are enabled. Feel free to open a support ticket so we can check your specific server:

Submit A Ticket

You can post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[DaVinciDigital]

I have the same issue in my setup: jail user cannot see owned processes, but only those started in the running shell.

Another change that happened, is that now a jailed user cannot start a process in the background (as a daemon), but any and all process by the user are shut down once the shell gets closed. This behaviour is quite welcome, but to my knowledge it was not documented.

 

[cPanelNick]

In 11.38 jailshell now uses CLONE_NEWPID to create a new pid namespace.

When you choose mount a limited /proc., users are not be permitted to see processes running outside of the jail in /proc as they could use this escape the jail. If you are not using the jailed apache setup, this may not matter to you since you could already bypass the jail system with a cgi process (unless the user has cgi disabled).

For more information please see: clone(2) - Linux manual page.

I will provide more detailed information in my next post:

 

[cPanelNick]

I have the same issue in my setup: jail user cannot see owned processes, but only those started in the running shell.

Another change that happened, is that now a jailed user cannot start a process in the background (as a daemon), but any and all process by the user are shut down once the shell gets closed. This behaviour is quite welcome, but to my knowledge it was not documented.

Thanks for letting us know about the missing documentation. I have alerted the team responsible for adding this to the release notes.

We have switched to using the more secure clone (CLONE_NEWPID) method (please see my previous post) for creating jail.

When jailshell exits, the pid namespace is destroyed by the kernel since jailshell is the first process in the pid namespace. This will cause all processes running in that namespace to be terminated (please see the man page for the system clone() call posted above).

If you need to create a log running process inside of the jail, you can use /usr/local/cpanel/bin/jailexec as it will wait for subprocesses to exit before it terminates which preserves the pid namespace until all children exit.

 

[cPanelNick]

Odd - the server is a pretty vanilla Centos 6.4 box with nothing installed that would affect this as far as I can tell. So, just to clarify, when it is configured with Always mount a full /proc then the user sees all processes. But for the other two, he will only see his bash session and the top application itself. I have found this behaviour to be the same on our other Centos 6 machines too.

Thats the indented behavior. Please see my posts above for more information about why it works this way. The short version is that we are limited to what the linux kernel can support, and the 11.38 prefers the most secure way of doing this by default.

 

[DaVinciDigital]

Nick,
thanks for clarifying.

I shall stress that this behaviour is absolutely welcome. It is just that it would have been lovely to read about it before getting the patch through the update. It is not my case, but this change may have broken paid service for some sellers.

 

[blogbytes]

I can not reproduce the behavior you describe when using the "top" command as a user with jailed shell access. I tested on a CentOS 6 machine, with each of the following options enabled for "Jailed /proc mount method":

Always mount a full /proc
Mount limited /proc (RHEL/CentOS 6)+, Full /proc (RHEL/CentOS 5/xenpv) default
Mount limited /proc (RHEL/CentOS 6)+, No /proc (RHEL/CentOS 5/xenpv)

In all three cases, the "top" command produced the same output of all processes running on the system, even processes not owned by the account username (e.g. Apache, crond, dovecot). Are you using any other security applications/modifications, or a third-party application such as CageFS on this system?

Thank you.

I am sitting in a similar boat.
I have multiple servers, all running the same build, all running the same security setup. On one of the servers when the user logs in via shell, using top and ps, he will see all running processes from all users on the server, even root!
This happens on any account I give shell access to. So this means it has to be a server setting.
On another server, I am unable to reproduce this. The user only see's his own active processes.

This is baffling me and driving me nuts at the same time, as I am unable to figure out what setting/configuration this might cause.
The /proc settings did not do anything on my side.

Any ideas?

 

[blogbytes]

Anyone who could share some light on this?

 

[Sys Admin]

@blogbytes Are you using cloudlinux or having a grsecurity kernel installed?

 

[blogbytes]

@Sys Admin / None of the above.