D D

Registered
Apr 16, 2010
Recently I needed to peruse my site's raw FTP log. Not finding this in the cPanel web interface, I fire up ssh, only to discover that the logs are inaccessible from the jailshell since they're symlinked to outside my home directory.

Not a problem -- a file upload and a browser click later,

Code:
<?php

passthru("cat ../apache-logs/redacted");

?>
gets me what I need.

But it leaves me wondering... what is the point of jailshell (besides annoying users)? It seems to me that if your server is securely configured, an ordinary shell is just as secure as jailshell... and if your server is not, jailing ssh connections does nothing to stop malicious customers from exploiting those vulnerabilities. Is there a security benefit I'm not grokking?
 

Spiral

BANNED
Jun 24, 2005
I do not under any circumstances recommend giving non-administrative users any kind of shell access, but if for some reason someone feels the need to ignore this recommendation and do so anyway, then jailshell would be the recommendation to those server owners.

However, it should be well noted that jailshell only really restricts activity for the basic non-technical computer user and newbies. Anyone with any kind of experience (and this will be most anyone wanting to do anything harmful) will find it ridiculously trivial to bust out of the jailed session into a full unrestricted shell, circumvent its restrictions anyway, or even escalate to full root, as I so very often do very easily when demonstrating these issues with many server owners.

Bottom line here ----

Avoid giving out shell access

If you must give out shell access, then use jailshell

(Just be fully aware that jailshell won't really protect you much :rolleyes:)