The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

jailshell - what's the point?

Discussion in 'General Discussion' started by D D, Apr 16, 2010.

  1. D D

    D D Registered

    Apr 16, 2010
    Likes Received:
    Trophy Points:
    Recently I needed to peruse my site's raw FTP log. Not finding this in the cpanel web interface, I fire up ssh, only to discover that the logs are inaccessible from the jailshell since they're symlinked to outside my home directory.

    Not a problem -- a file upload and a browser click later,

    passthru("cat ../apache-logs/redacted");
    gets me what I need.

    But it leaves me wondering... what is the point of jailshell (besides annoying users)? It seems to me that if your server is securely configured, an ordinary shell is just as secure as jailshell... and if your server is not, jailing ssh connections does nothing to stop malicious customers from exploiting those vulnerabilities. Is there a security benefit I'm not grokking?
  2. Spiral

    Spiral BANNED

    Jun 24, 2005
    Likes Received:
    Trophy Points:
    I do not under any circumstances recommend giving non-administrative users any kind of shell access but if for some reason someone feels the need to ignore this recommendation and do so anyway then jailshell would be the recommendation to those server owners.

    However, it should be well noted that jailshell only really restricts activity for the basic non-technical computer user and newbies. Anyone with any kind of experience (and this will be most anyone wanting to do anything harmful) will find it ridiculously trivial to bust out of the jailed session into full unrestricted shell, circumvent it's restrictions anyway, or even escalate to full root as I so very often do very easily when demonstrating these issues with many server owners.

    Bottom line here ----

    Avoid giving out shell access

    If you must give out shell access, then use jailshell

    (Just be fully aware that jailshell won't really protect you much :rolleyes:)

Share This Page